Internal Control Concepts


Introduction - Control in Organizations

History of Internal Control

Statement on Auditing Standards No. 48

"Administrative control includes but is not limited to, the plan of organization and the procedures and records that are concerned with the decision processes leading to management's authorization of transactions. Such authorization is a management function directly associated with the responsibility for achieving the objectives of the organization and is the starting point for establishing accounting control of transactions." (AU320.27)

"Accounting control comprises the plan of organization and the procedures and records that are concerned with the safeguarding of assets and reliability of financial records and consequently are designed to provide reasonable assurance that:

Threats, Exposure, Risk and Objectives

Threats and Exposure

Examples of threats (incompetence)

Examples of threats (illegal)

Risk - inherent risk, control risk and detection risk

From the Auditing Standards: (AU312.20)

Control Weakness

"A material weakness in internal accounting control is a condition in which the specific control procedures or the degree of compliance with them do not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned tasks." (AU323.01)

Four objectives for controls

In addition, accounting and data processing must be operationally efficient.

Cost and Benefits of Internal Control

The benefit of an internal control must exceed its cost

Consider both effectiveness and timing

Reliability analysis

risk = 1 - reliability

Compliance with Foreign Corrupt Practices Act

Control Structure - Environment, Systems and Procedures

Control Environment

Management's attitude toward internal control is the most critical element. If management shows little concern, others not likely to be diligent.

"The problem is that many of our rules are arbitrary, irrational and unworthy of support and obedience. People will comply with irrational rules when there is adequate surveillance and punishment. But the threat of punishment does not contribute to moral development; indeed, it tends to inhibit the internalization of ethical behavior. Rewarding good behavior is better than threatening punishment to influence behavior, since rewards avoid the resistance and rebelliousness that accompany punishment."
"How to stop Lying, Cheating, & Stealing," Executive Excellence, July, 1990.

Management's philosophy and operating style

Organization structure

External Influence

Control Systems

"Internal control should not be viewed as something that must be superimposed on an organization's normal operating structure. To do so only means costs that can inhibit the organization's ability to compete. Internal control should be built into the infrastructure of an enterprise. When controls are integrated with operational activities, and a focus on controls has been instilled in all personnel, the result is better control with minimum incremental cost. Such integration avoids a superstructure of control procedures on top of existing activities. Whenever management considers changes to their company's operations or activities, the concept that it's better to 'build-in' rather than 'build-on' controls, and to do it right the first time, should be fundamental guiding premises."
Internal Control: Integrated Framework (Exposure Draft 12, March, 1991), Committee of Sponsoring Organizations of the Treadway Commission, NY, NY.

Audit Committee

Assigning authority and responsibility

Monitoring performance

Personnel policies and practices

Control Procedures

"Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources.

The second relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly.

The third deals with complying with those laws and regulations to which the entity is subject.

These distinct but overlapping categories address different needs and allow a directed focus to meet the separate needs."

Internal Control: Integrated Framework -Framework (September 1992), Committee of Sponsoring Organizations of the Treadway Commission, NY, NY., p.1.

Implementation of Control Objectives

Management policies and rules regarding employee behavior provide reasonable assurance that control objectives are achieved by:

Proper Authorization

Segregation of duties

Examples that occur without segregation of duties

Case in Point:

Baring lost $1 billion due to lack of internal controls

On February 23, 1995 a 232 year old British bank, Baring Bros. and Co., was bankrupt by a loss of $1 billion in futures trading by one employee, Nick Leeson.

A statement by the Singapore International Monetary Exchange (SIMEX) attributed the loss to a failure of internal controls. [Associated Press March 5, 1995]

Senior Executives conceded that controls should have been much tighter

The organization ignored several warning signs of internal control weaknesses over several years:

Managers were reluctant to impose tight controls which might reduce profits and bonuses.

Source: Brauchli, Marcus W., Bray, Nicholas, and Sesit, Michael, "Barings PLC Officials May Have Been Aware of Trading Position," (1995) Wall Street Journal, March 6, 1995, p. 1,6

Collusion: conspiracy of two or more persons to commit fraud

Documents and records

Safeguarding of assets