Accounting: The Language of Business (Part 22)

“Life as we know it, with all its ups and downs, will soon be over. We all will give an accounting to God of how we have lived.” —William Wilberforce

Accounting Systems and Internal Controls

(Part C)

by

Charles Lamson

Elements of Internal Control

How does management achieve its internal control objectives? Management is responsible for designing and applying five elements of internal control to meet the three internal control objectives (From last post: (1) assets are safeguarded and used business purposes; (2) business information is accurate; (3) employees comply with laws and regulations.) These elements are:

1. the control environment

2. risk assessment

3. control procedures

4. monitoring

5. information and communication

The elements of internal control are Illustrated in Exhibit 1. In this exhibit, the elements of internal control form an umbrella over the business to protect it from control threats. A business's control environment is represented by the size of the control threats. The business's control environment is represented by the size of the umbrella. Risk assessment, control procedures, and monitoring are the fabric that keeps the umbrella from leaking. Information and communication links the umbrella to management. In the following paragraphs, we discuss each of these elements.

Control Environment

A business's control environment is the overall attitude of management and employees about the importance of controls. One of the factors that influences the control environment is management's philosophy and operating style. A management that overemphasizes operating goals and deviates from control policies may indirectly encourage employees to ignore controls. For example, the pressure to achieve revenue targets may encourage employees to fraudulently record sham sales. On the other hand, a management that emphasizes the importance of controls and encourages adherence to control policies will create an effective control environment. 

The business's organizational structure, which is the framework for planning and controlling operations, also influences the control environment. For example, a department-store chain might organize each of its stores as separate business units. Each store manager has full authority over pricing and other operating activities. In such a structure, each store manager has the responsibility for establishing an effective control environment. 

Personnel policies also affect the control environment. Personnel policies involve the hiring, training, evaluation, compensation, and promotion of employees. In addition, job descriptions, employee codes of ethics, and conflict-of-interest policies are part of the personnel policies. Such policies and procedures can enhance the internal control environment if they provide reasonable assurance that only competent, honest employees are hired and retained.

Risk Assessment

All organizations face risks. Examples of risk include changes in customer requirements, competitive threats, regulatory changes, changes in economic factors such as interest rates, and employee violations of company policies and procedures. Management should assess these risks and take necessary actions to control them, so that the objectives of internal control can be achieved.

Once risks are identified, they can be analyzed to estimate their significance, to assess their likelihood of occurring, and to determine actions that will minimize them. For example, the manager of a warehouse operation may analyze the risk of employee back injuries, which might give rise to lawsuits. If the manager determines that the risk is significant, the company may take action by purchasing back support braces for its warehouse employees and requiring them to wear the braces.

Control Procedures

Control procedures are established to provide reasonable assurance that business goals will be achieved, including the prevention of fraud. In the following paragraphs, we will briefly discuss control procedures that can be integrated throughout the accounting system. These procedures are listed in Exhibit 2.

Competent Personnel, Rotating Duties, and Mandatory Vacations The successful operation of an accounting system requires procedures to ensure that people are able to perform the duties to which they are assigned. Hence, it is necessary that all accounting employees be adequately trained and supervised in performing their jobs. It may also be advisable to rotate duties of clerical personnel and mandate vacations for non-clerical personnel. These policies encourage employees to adhere to prescribed procedures. In addition, existing errors or fraud may be detected.

Separating Responsibilities for Related Operations To decrease the possibility of inefficiency, errors, and fraud, the responsibility for related operations should be divided among two or more persons. For example, the responsibilities for purchasing, receiving, and paying for computer supplies should be divided among three persons or departments. If the same person orders supplies, verifies the receipt of the supplies, and pays the supplier, the following abuses are possible:

1. Orders may be placed on the basis of friendship with a supplier, rather than on price, quality, and other objective factors.

2. The quantity and quality of supplies received may not be verified, thus causing payment for supplies not received or poor quality supplies.

3. Supplies may be stolen by the employee.

4. The validity and accuracy of invoices may be verified carelessly, thus causing the payment of false or inaccurate invoices.

The "checks and balances" provided by dividing responsibilities among various departments requires no duplication of effort. The business documents prepared by one department are designed to coordinate with and support those prepared by other departments.

Separating Operations, Custody of Assets, and Accounting Control policies should establish the responsibilities for various business activities. To reduce the possibility of errors and fraud the responsibilities for operations, custody of assets, and accounting should be separated. The accounting records then serve as an independent check on the individuals who have custody of the assets and who engage in the business operations. For example, the employees entrusted with handling cash receipts from credit customers should not record cash receipts in the accounting records. To do so would allow employees to borrow or steal cash and hide the theft in the records. Likewise, if those engaged in operating activities also record the results of operations, they could distort the accounting reports to show favorable results. For example, a store manager whose year-end bonus is based upon operating profits might be tempted to record fictitious sales in order to receive a larger bonus.

Proofs and Security Measures Proofs and security measures should be used to safeguard assets and ensure reliable accounting data. This control procedure applies to many different techniques, such as authorization, approval, and reconciliation procedures. For example, employees who travel on company business may be required to obtain a department manager's approval on a travel request form.

Other examples of control procedures include the use of bank accounts and other measures to ensure the safety of cash and valuable documents. A cash register that displays the amount recorded for each sale and provides the customer a printed receipt can be an effective part of the internal control structure. An all-night convenience store could use the following security measures to deter robberies:

1. Locate the cash register near the door, so that it is fully visible from outside the store; have two employees work late hours; employ a security guard.

2. Deposit cash in the bank daily, before 5 PM.

3. Keep only small amounts of cash on hand after 5 p.m. by depositing excess cash in a store safe that can't be opened by employees on duty.

4. Install cameras and alarm systems.

Monitoring

Monitoring the internal control system locates weaknesses and improves control effectiveness. The internal control system can be monitored through either ongoing efforts by management or by separate evaluations. Ongoing monitoring efforts may include observing both employee behavior and warning signs from the accounting system.

Separate monitoring evaluations are generally performed when there are major changes in strategy, senior management, business structure, or operations. In large businesses, internal auditors who are independent of operations normally are responsible for monitoring the internal control system. Internal auditors can report issues and concerns to an audit committee of the board of directors, who are independent of management. In addition, external auditors also evaluate internal control as a normal part of their annual financial statement audit.

Information and Communication

Information and communication are essential elements of internal control. Information about the control environment, risk assessment, control procedures, and monitoring are needed by management to guide operations and ensure compliance with reporting, legal, and regulatory requirements.

Management can also use external information to assess events and conditions that impact decision-making and external reporting. For example, management uses information from the Financial Accounting Standards Board (FASB) to assess the impact of possible changes and reporting standards. 

*WARREN, REEVE, & FESS, 2005, ACCOUNTING, 21ST ED., PP. 185-189*

end