8.1 Internal Control Structure

Internal control

An effective internal control structure includes a company’s plan of organization and all the procedures and actions it takes to:

  • Protect its assets against theft and waste.
  • Ensure compliance with company policies and federal law.
  • Evaluate the performance of all personnel to promote efficient operations.
  • Ensure accurate and reliable operating data and accounting reports.

As you study the basic procedures and actions of an effective internal control structure, remember that even small companies can benefit from using some internal control measures. Preventing theft and waste is only a part of internal control.

In general terms, the purpose of internal control is to ensure the efficient operations of a business, thus enabling the business to effectively reach its goals.

Companies protect their assets by (1) segregating employee duties, (2) assigning specific duties to each employee, (3) rotating employee job assignments, and (4) using mechanical devices.

Segregation of employee duties Segregation of duties requires that someone other than the employee responsible for safeguarding an asset must maintain the accounting records for that asset. Also, employees share responsibility for related transactions so that one employee’s work serves as a check on the work of other employees.

When a company segregates the duties of employees, it minimizes the probability of an employee being able to steal assets and cover up the theft. For example, an employee could not steal cash from a company and have the theft go undetected unless someone changes the cash records to cover the shortage. To change the records, the employee stealing the cash must also maintain the cash records or be in collusion with the employee who maintains the cash records.

Assignment of specific duties to each employee When the responsibility for a particular work function is assigned to one employee, that employee is accountable for specific tasks. Should a problem occur, the company can quickly identify the responsible employee.

When a company gives each employee specific duties, it can trace lost documents or determine how a particular transaction was recorded. Also, the employee responsible for a given task can provide information about that task. Being responsible for specific duties gives people a sense of pride and importance that usually makes them want to perform to the best of their ability.

Rotation of employee job assignments Some companies rotate job assignments to discourage employees from engaging in long-term schemes to steal from them. Employees realize that if they steal from the company, the next employees assigned to their positions may discover the theft.

Frequently, companies have the policy that all employees must take an annual vacation. This policy also discourages theft because many dishonest schemes collapse when the employee does not attend to the scheme on a daily basis.

Use of mechanical devices Companies use several mechanical devices to help protect their assets. Check protectors (machines that perforate the check amount into the check), cash registers, and time clocks make it difficult for employees to alter certain company documents and records.

Record Keeping. Companies should maintain complete and accurate accounting records. One or more business documents support most accounting transactions. These source documents are an integral part of the internal control structure. For optimal control, source documents should be serially numbered.

The best method to ensure such accounting records is to hire and train competent and honest individuals. Periodically, supervisors evaluate an employee’s performance to make sure the employee is following company policies. Inaccurate or inadequate accounting records serve as an invitation to theft by dishonest employees because theft can be concealed more easily.

Employees. Internal control policies are effective only when employees follow them. To ensure that they carry out its internal control policies, a company must hire competent and trustworthy employees. Thus, the execution of effective internal control begins with the time and effort a company expends in hiring employees. Once the company hires the employees, it must train those employees and clearly communicate to them company policies, such as obtaining proper authorization before making a cash disbursement. Frequently, written job descriptions establish the responsibilities and duties of employees. The initial training of employees should include a clear explanation of their duties and how to perform them.

Companies should carry adequate casualty insurance on assets. This insurance reimburses the company for loss of a nonmonetary asset such as specialized equipment. Companies should also have fidelity bonds on employees handling cash and other negotiable instruments. These bonds ensure that a company is reimbursed for losses due to theft of cash and other monetary assets. With both casualty insurance on assets and fidelity bonds on employees, a company can recover at least a portion of any loss that occurs

Legal requirements. In publicly held corporations, the company’s internal control structure must satisfy the requirements of federal law. In December 1977, Congress enacted the Foreign Corrupt Practices Act (FCPA). This law requires a publicly held corporation to devise and maintain an effective internal control structure and to keep accurate accounting records. This law came about partly because company accounting records covered up bribes and kickbacks made to foreign governments or government officials. The FCPA made this specific type of bribery illegal.  The Sarbanes-Oxley Act came about in 2002 after scandals involving Enron, World Com and a CPA firm Arthur Anderson.   This video was from a few years ago, but will give you a fun summary of Sarbanes-Oxley and the Enron scandal.

According to the Committee of Sponsoring Organizations of the Treadway Commission, there are five components of an internal control structure. When these components are linked to the organization’s operations, they can quickly respond to shifting conditions. The components are:

  1. Control environment. The control environment is the basis for all other elements of the internal control structure. The control environment includes many factors such as ethical values, management’s philosophy, the integrity of the employees of the corporation, and the guidance provided by management or the board of directors.
  2. Risk assessment. After the entity sets objectives, the risks (such as theft and waste of assets) from external and internal sources must be assessed. Examining the risks associated with each objective allows management to develop the means to control these risks.
  3. Control activities. To address the risks associated with each objective, management establishes control activities. These activities include procedures that employees must follow. Examples include procedures to protect the assets through segregation of employee duties and the other means we discussed earlier.
  4. Information and communication. Information relevant to decision making must be collected and reported in a timely manner. The events that yield these data may come from internal or external sources. Communication throughout the entity is important to achieve management’s goals. Employees must understand what is expected of them and how their responsibilities relate to the work of others. Communication with external parties such as suppliers and shareholders is also important.
  5. Monitoring. After the internal control structure is in place, the firm should monitor its effectiveness so that it can make changes before serious problems arise. In testing components of the internal control structure, companies base their thoroughness on the risk assigned to those components.

To evaluate how well employees are doing their jobs, many companies use an internal auditing staff. Internal auditing consists of investigating and evaluating employees’ compliance with the company’s policies and procedures. Companies employ internal auditors to perform these audits. Trained in company policies and internal auditing duties, internal auditors periodically test the effectiveness of controls and procedures throughout the company.

Internal auditors encourage operating efficiency throughout the company and are alert for breakdowns in the company’s internal control structure. In addition, internal auditors make recommendations for the improvement of the company’s internal control structure. All companies and nonprofit organizations can benefit from internal auditing. However, internal auditing is especially necessary in large organizations because the owners (stockholders) cannot be involved personally with all aspects of the business.

Internal control is the general responsibility of all members in an organization.  Unfortunately, even though a company implements all of these features in its internal control structure, theft may still occur. If employees are dishonest, they can usually figure out a way to steal from a company, thus circumventing even the most effective internal control structure. It is important to remember the cost of an internal control should not outweigh the benefit to the company.