Designing Internal Control
An internal control is a process or procedure put in place to protect assets, promote effective operations, and ensure accurate accounting and record keeping. An effective system may prevent and detect errors and irregularities. Though the gold standard for risk management and internal control systems design is represented by the Sarbanes-Oxley legislation and Committee of Sponsoring Organizations (COSO) guidance, not every control activity is feasible in practice. In practice, the extent and type of internal controls will depend on the nature and size of the business.
An internal control procedure could be as simple as having a procedures manual for training purposes (e.g., for submitting expense reports), requiring a username and password to sign into the system, or performing monthly bank reconciliations.
Expense Claim Process
An organization that is lacking in internal controls or has controls that are not working properly may be susceptible to accounting errors, fraud, and irregularities, whether intentional or unintentional. An internal control system weakness exists if a company's policies and procedures do not protect assets, ensure reliable accounting, promote efficient operations, and encourage adherence to policies and procedures or prevent fraud. Different internal control weaknesses have specific impacts on an organization.
Control Weaknesses and Impacts
| Control Procedure | Example of Control Weakness | Possible Impact to the Organization |
| --- | --- | --- |
| Establish document trail. | Invoices to customers are not prenumbered. | Purchase orders and invoices may be missing and go unrecorded. |
| Establish responsibilities. | A bank teller or cashier does not need to reconcile his or her assigned cash tray. | There is no way to ensure that there is no cash or fund shortage at the end of the employee's shift. |
| Segregate incompatible duties. | Credit limits are authorized by the sales personnel, and there are no credit checks performed. | Credit could be extended to customers with a bad credit history. |
| Physically protect assets. | Any employee can enter the warehouse and take items from the inventory shelves. | Possible theft of inventory occurs. |
| Establish policies and procedures. | There are no guidelines for promotions and salary increases. | Negative impact on employee morale occurs. |
| Review operating performance. | Internal audit function reports to the operating manager. | Lack of objectivity and independence in conducting the review defeats the purpose of the presence of an internal audit function. |
Internal Control Procedures
Six control procedures protect assets, promote effective operations, and ensure accurate accounting and record keeping: (1) creating a document trail, (2) establishment of responsibilities, (3) segregation or separation of duties, (4) physically protecting assets, (5) establishment of policies and procedures, and (6) reviewing operating performance. Here are the internal control principles with some practical examples of related control activities and procedures.
Establish a document trail
Prepare the proper documents (source documents) to support business activities that have occurred.
- Use prenumbered purchase orders for purchases.
- Use prenumbered invoices to bill customers and account for any missing invoices.
- Use a preestablished chart of accounts (all accounts in the general ledger).
Establish responsibilities
Assign responsibilities to persons accountable for functions within an organization.
- A bank teller or cashier is responsible for reconciling his or her assigned cash tray and ensuring that there is no cash or fund shortage at the end of a shift.
- The manager is responsible for authorizing expenditures within his or her own operating department or cost center.
- Disbursement checks greater than $2,500 must have two signatures.
Segregate or separate duties
Do not make employees responsible for all parts of a process or business transaction. Establish responsibilities and divide workflow to prevent fraud or other unethical practices.
- Buyers should not approve payment of invoices from suppliers (review and approval).
- Personnel handling cash (custody of assets) should not do the record keeping (recording of transaction).
- Credit limits should be authorized by the credit manager, not by the sales personnel.
- Goods received must be checked and verified by the receiving department.
Physically protect assets
Restrict access to assets or information based on assigned responsibilities.
- Use a safe to store valuables such as cash or jewelry.
- Restrict access to systems and information using passwords and firewalls.
- Store inventory in a warehouse or separate area with restricted access to employees with custodial responsibilities.
- Have a good inventory control system.
- Perform bank reconciliations.
- Dispose of confidential information properly by shredding documents and completely removing data from electronic devices before redeploying or disposing of them.
Establish policies and procedures
Establish and communicate well-designed and clear policies and procedures.
- Provide fair and equitable hiring policies and practices.
- Provide fair and equitable guidelines for promotions and salary increases.
- Clearly communicate and provide access to policies, including a code of ethics.
- Make it mandatory for employees to take vacation time, and rotate duties and responsibilities.
Review operating performance
Conduct operational reviews and operational audits with an internal audit team.
- The team reports to the audit committee to enhance objectivity of the reviews.
- The team conducts a biannual review of operating departments and reports its findings to the audit committee.
- The team periodically reviews the efficiency and effectiveness of operations and controls.
- The team recommends corrective action.
Communication of Internal Control
Major corporations will communicate internal control and ethical practices visibly on their website. For example, PepsiCo's website displays its global code of conduct online. This not only sends a strong message to the public and to investors, but it also ensures that such policies and practices are readily available for employees and other stakeholders to review and download. Many companies also provide a visible facility, such as a hotline, for employees and other stakeholders to ask questions, raise issues, and seek guidance when a course of action is not clear regarding reporting suspected violations. Statistics regarding the usage of PepsiCo's hotline are reported on an annual basis.
Internally, communication should be proactive to alert employees of the issuance of a new policy or procedure and should be readily available for reference and training purposes. Companies may announce policies or procedures by internal e-mail, by posting on intranet (internal) websites, or at staff meetings. New employee orientation programs could also include the communication of sound ethical practice and an overview of the company's policies and procedures.
Most companies encourage workers to communicate any weaknesses in internal controls or lack of controls to management in a timely manner. Thus, such issues can be addressed promptly. For instance, the results of periodic reviews by the internal audit department should be communicated to an audit committee. The audit committee is a subcommittee of the board of directors that is in charge of overseeing financial reporting and disclosure.
Limitations of Internal Control
The concept of inherent limitations of internal control holds that every internal control system, however well designed, has limitations. Controls may stop working or not work as intended if an employee does not understand the internal control procedures, or if the employee has good intentions but misjudges the importance of a control and bypasses it. The employee may also allow a staff member to bypass the control or may be rushed into cutting corners to meet a deadline. For example, in order to meet the cutoff for payroll, employee pay rates and hours may not go through the appropriate review and scrutiny prior to issuing paychecks.
Moreover, an overkill of control procedures could backfire and result in less effectiveness, proving to be costly in the long run. If controls are too stringent and make the day-to-day operations too cumbersome, employees may ignore them or try to bypass the control.
In addition, internal controls may also be bypassed deliberately. For example, an employee may set up false worker compensation claim files under the $5,000 limit to knowingly bypass scrutiny and approval of claims greater than $5,000. The employee then channels the payments of the false claims into a personal bank account. In situations where record keeping is separate from the custody of assets, theft and fraud could still occur if two or more employees collude to commit the theft (which can be hard to detect).
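A compensating review for the claims example above, as an added illustration that is not part of the original text: it looks at claims that fell under the $5,000 approval limit and flags payee accounts that collect several near-limit claims or that match an employee's bank account on file. The record layout, the 20% "near the limit" band, the three-claim minimum, and all sample data are assumptions constructed for this example.

```python
from collections import defaultdict

APPROVAL_LIMIT = 5000.00  # claims above this get scrutiny and approval (from the text)
NEAR_BAND = 0.20          # assumption: "just under" means within 20% below the limit
MIN_CLAIMS = 3            # assumption: near-limit claims per payee account before flagging

# Constructed sample records: (claim_id, created_by, claimant, amount, payee_account)
CLAIMS = [
    ("C-1001", "emp17", "A. Rivera", 4850.00, "ACCT-9001"),
    ("C-1002", "emp17", "B. Chen", 4920.00, "ACCT-9001"),
    ("C-1003", "emp17", "C. Okoye", 4700.00, "ACCT-9001"),
    ("C-1004", "emp22", "D. Silva", 1200.00, "ACCT-3310"),
    ("C-1005", "emp22", "E. Novak", 6400.00, "ACCT-4420"),  # over the limit, already reviewed
    ("C-1006", "emp22", "F. Haddad", 4950.00, "ACCT-5530"),  # lone near-limit claim
]
# Constructed payroll master: employee id -> bank account on file
EMPLOYEE_ACCOUNTS = {"emp17": "ACCT-9001", "emp22": "ACCT-7002"}


def flag_unreviewed_claims(claims, employee_accounts, limit=APPROVAL_LIMIT,
                           band=NEAR_BAND, min_claims=MIN_CLAIMS):
    """Return findings for payee accounts that collect near-limit claims."""
    floor = limit * (1 - band)
    account_owner = {acct: emp for emp, acct in employee_accounts.items()}
    near_limit = defaultdict(list)
    for claim in claims:
        amount, account = claim[3], claim[4]
        if floor <= amount < limit:  # escaped approval, but only just
            near_limit[account].append(claim)

    findings = []
    for account, group in sorted(near_limit.items()):
        reasons = []
        if len(group) >= min_claims and len({c[2] for c in group}) > 1:
            reasons.append("several claimants paid into one account")
        if account in account_owner:
            reasons.append(f"account belongs to employee {account_owner[account]}")
        if reasons:
            findings.append({
                "account": account,
                "claim_ids": [c[0] for c in group],
                "total": round(sum(c[3] for c in group), 2),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_unreviewed_claims(CLAIMS, EMPLOYEE_ACCOUNTS):
        print(finding)
```

The band and minimum count are tuning choices; a single near-limit claim paid to an unrelated account, such as C-1006 in the sample, is not flagged.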