Internal Control Structure

According to the Committee of Sponsoring Organizations of the Treadway Commission, there are five components of an internal control structure. When these components are linked to the organization’s operations, they can quickly respond to shifting conditions. The components are:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

Control Environment

The control environment is the basis for all other elements of the internal control structure. The control environment includes many factors such as ethical values, management’s philosophy, the integrity of the employees of the corporation, and the guidance provided by management or the board of directors.

For example, Neeraj is a business owner who didn’t monitor his accounting records, choosing instead to let a trusted friend, Janet, make deposits. Unfortunately it turned out Janet was stealing cash out of the deposits. It would have been easy to catch that theft by simply matching the deposits from the bank statements to the sales receipts (which is how forensic accountants determined that Janet had skimmed $42,828.96 over 18 months).

Risk Assessment

After the entity sets objectives, the risks (such as theft and waste of assets) from external and internal sources must be assessed. Examining the risks associated with each objective allows management to develop the means to control these risks.

In the old days before debit cards, when you drove up to a gas station to fuel up, there were attendants with wads of cash in their pockets to make change for customers who regularly paid in cash. Not remarkably, the company accountants would find at the end of the month that cash did not reconcile with sales. It was always short. However, it was considered a cost of doing business. The cost of putting in extensive control would outweigh the additional collection of cash, so the loss was considered acceptable—up to a point. With the advent of debit cards and self-serve gas, much of that risk went away.

Control Activities

To address the risks associated with each objective, management establishes control activities. These activities include procedures that employees must follow. Examples include procedures to protect the assets through segregation of employee duties and the other means we discussed earlier.

Some businesses are too small to be able to have extensive cross-checking. A sole proprietor probably doesn’t have to worry too much about controls because he or she owns everything anyway. Notice, however, that the coffee shop referenced above was too small to separate duties among even three or four people, which would have made the theft of cash a lot harder. Even so, if management isn’t even aware of the potential for a problem and isn’t watching for it, someone with a motive to steal and an idea about the method will have the opportunity. In addition to preventing fraud and theft, internal controls should be designed to catch and prevent mistakes.

Information and Communication

Information relevant to decision making must be collected and reported in a timely manner. The events that yield this data may come from internal or external sources. Communication throughout the entity is important to achieve management’s goals. Employees must understand what is expected of them and how their responsibilities relate to the work of others. Communication with external parties such as suppliers and shareholders is also important.

So often in business people operate in compartments, each one “just doing the job,” but good internal control relies on all the parts of a company, internal and external, working together. An unscrupulous employee could steal cash, creating a false sale to cover it, or pocketing a payment on a vendor account. Communication with the customers and vendors, along with other internal controls, could uncover those defalcations. More importantly, constant communication can increase profits, which is the goal of for-profit businesses, and can assist in coming up with new products, better processes, and business insights that people immersed in the day-to-day operations can’t see. For instance, communication with an accountant could have saved the coffee shop tens of thousands of dollars.

Monitoring

After the internal control structure is in place, the firm should monitor its effectiveness and make any needed changes before serious problems arise. In testing components of the internal control structure, companies base their thoroughness on the risk assigned to those components.

Again, simply monitoring the cash position of the coffee shop on a proactive basis could have prevented the loss. Even computerized systems have to be monitored by some outside entity. As you will learn in the section on inventory, employees periodically count the physical inventory (goods for sale to customers) in order to verify that the computer tracking system is accurate. The same goes for equipment. Your general ledger (GL) will have a control account, say with a total of $150,000, with a subsidiary ledger that lists all the individual items, the total of which has to match the GL. As an internal control, someone takes that list and walks around verifying that all the assets exist and that all the assets are included on the list. For cash, the ultimate verification and internal control is the bank.

As you study the basic procedures and actions of an effective internal control structure in the next section, remember that all companies benefit from using some internal control measures, even if they have to be modified for a small company.

Internal Control Activities

Companies protect their assets by:

1. segregating employee duties.
2. assigning specific duties to each employee.
3. rotating employee job assignments.
4. using mechanical devices.

Segregating Duties (Separation of Assignments)

Segregation of duties requires that someone other than the employee responsible for safeguarding an asset must maintain the accounting records for that asset. Also, employees share responsibility for related transactions so that one employee’s work serves as a check on the work of other employees.

When a company segregates the duties of employees, it minimizes the probability of an employee being able to steal assets and cover up the theft. For example, an employee could not steal cash from a company and have the theft go undetected unless someone changes the cash records to cover the shortage. To change the records, the employee stealing the cash must also maintain the cash records or be in collusion with the employee who maintains the cash records.

In the coffee caper, it’s likely that the friend who was making the deposits simply changed the deposit slip so that it matched the total amount of checks from the day’s sales, pocketing the cash. Just one simple check by an independent person, or even the owner, could have prevented the theft.

Assigning Specific Duties (Establishing Responsibility)

When the responsibility for a particular work function is assigned to one employee, that employee is accountable for specific tasks. Should a problem occur, the company can quickly identify the responsible employee.

When a company gives each employee specific duties, it can trace lost documents or determine how a particular transaction was recorded. Also, the employee responsible for a given task can provide information about that task. Being responsible for specific duties gives people a sense of pride and importance that usually makes them want to perform to the best of their ability.

Rotating Assignments

Some companies rotate job assignments to discourage employees from engaging in long-term schemes to steal from the company. Employees realize that if they steal from the company, the next employees assigned to their positions may discover the theft.

Frequently, companies have a policy that all employees must take an annual vacation. This especially includes employees with sensitive assignments. This policy discourages theft because many dishonest schemes collapse when the employee does not attend to the scheme on a daily basis.

Use of Mechanical Devices

Companies use several mechanical devices to help protect their assets. Check protectors (machines that perforate the check amount into the check), cash registers, and time clocks make it difficult for employees to alter certain company documents and records.

Record Keeping (Accounting)

Companies should maintain complete and accurate accounting records. One or more business documents support most accounting transactions. These source documents are an integral part of the internal control structure. For optimal control, source documents should be serially numbered.

The best method to ensure that such accounting records are kept accurate is to hire and train competent and honest individuals. Periodically, supervisors evaluate an employee’s performance to make sure the employee is following company policies. Inaccurate or inadequate accounting records serve as an invitation to theft by dishonest employees because theft can be concealed more easily.

Employees

Internal control policies are effective only when employees follow them. To ensure that they carry out its internal control policies, a company must hire competent and trustworthy employees. Thus, the execution of effective internal control begins with the time and effort a company expends during the hiring of employees. Once the company hires the employees, it must train those employees and clearly communicate to them company policies, such as obtaining proper authorization before making a cash disbursement. Frequently, written job descriptions establish the responsibilities and duties of employees. The initial training of employees should include a clear explanation of their duties and how to perform them.

Companies should carry adequate casualty insurance on assets. This insurance reimburses the company for loss of a nonmonetary asset such as specialized equipment. Companies should also have fidelity bonds on employees handling cash and other negotiable instruments. These bonds ensure that a company is reimbursed for losses due to theft of cash and other monetary assets. With both casualty insurance on assets and fidelity bonds on employees, a company can recover at least a portion of any loss that occurs

Legal Requirements

In publicly held corporations, the company’s internal control structure must satisfy the requirements of federal law, including the following:

• In December 1977, Congress enacted the Foreign Corrupt Practices Act (FCPA). This law requires a publicly held corporation to devise and maintain an effective internal control structure and to keep accurate accounting records. This law came about partly because company accounting records covered up bribes and kickbacks made to foreign governments or government officials. The FCPA made this specific type of bribery illegal as part of the Sarbanes-Oxley Act.
• In 2002, Congress passed the Sarbanes-Oxley Act (SOX), which established rules to protect the public from fraudulent or erroneous practices by corporations and other business entities.
  • SOX applies to all publicly traded companies in the United States as well as wholly owned subsidiaries and foreign companies that are publicly traded and do business in the United States.
  • SOX also regulates accounting firms that audit companies which must comply with SOX.
  • Even though private companies, charities, and non-profits are generally not required to comply with every provision of SOX, there are penalties for those organizations that knowingly destroy or falsify financial data.
• Here are the most important SOX requirements:
  • CEOs and CFOs are directly responsible for the accuracy, documentation, and submission of all financial reports as well as the internal control structure to the Securities and Exchange Commission (SEC). Officers risk jail time and monetary penalties for compliance failures—intentional or not.
  • An Internal Control Report that states management is responsible for an adequate internal control structure for their financial records. Any shortcomings must be reported up the chain as quickly as possible.
  • Companies must have formal data security policies, communication of data security policies, and consistent enforcement of data security policies.
  • Companies maintain and provide documentation proving they are continuously in compliance.

The Internal Audit Function

Many companies use an internal auditing staff. Internal auditing consists of investigating and evaluating employees’ compliance with the company’s policies and procedures. Companies employ internal auditors to perform these audits. Trained in company policies and internal auditing duties, internal auditors periodically test the effectiveness of controls and procedures throughout the company.

Internal auditors encourage operating efficiency throughout the company and are alert for breakdowns in the company’s internal control structure. In addition, internal auditors make recommendations for the improvement of the company’s internal control structure. All companies and nonprofit organizations can benefit from internal auditing. However, internal auditing is especially necessary in large organizations because the owners (stockholders) cannot be involved personally with all aspects of the business.

Internal control is the general responsibility of all members of an organization. Unfortunately, even though a company implements all these features in its internal control structure, theft may still occur. If employees are dishonest, they can usually figure out a way to steal from a company, thus circumventing even the most effective internal control structure. It is important to remember the cost of an internal control should not outweigh the benefit to the company.