The Meaning of Internal Control
LO 7-1
Historical perspective and evolution
Before the early 1990s, interpretations varied: some viewed internal control primarily as steps to prevent fraud (misappropriation of assets and fraudulent financial reporting), while others saw internal control as essential for controlling business processes and ensuring compliance with laws and regulations.
Professional organizations (AICPA, IIA, FEI) differed in definition until collaboration in the early 1990s to harmonize concepts.
In response to fraudulent financial reporting (1970s–1980s), the Treadway Commission studied causal factors and recommended improvements in internal control, including a strong audit committee and an active internal audit function.
COSO (Committee of Sponsoring Organizations) was tasked to develop common criteria to evaluate internal control and establish a common definition.
COSO’s mandate
Establish a common definition of internal control for diverse stakeholders.
Provide a standard against which organizations can assess and improve their control systems.
COSO’s definition of internal control (emphasis added)
A process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
Internal control is a process, not an end in itself; it is enacted by people, not just policy manuals or forms.
Reasonable assurance acknowledges that absolute assurance is unattainable due to cost-benefit considerations; the cost of internal control should not exceed the expected benefits.
Comprehensive in scope: covers effectiveness and efficiency of operations, reliability of internal and external reporting, and compliance with laws and regulations.
Includes delegation of authority and assignment of responsibility across functions (selling, purchasing, production, financing, accounting).
Encompasses the program for preparing, verifying, and distributing current reports and analyses to management to maintain control over multiple activities in a large organization.
Involves various programs (monitoring techniques, standards, laboratories, time-and-motion studies, training) that may involve personnel outside accounting/finance; these are part of internal control.
Three categories of objectives in the COSO framework
Operations: effectiveness and efficiency of operations
Reporting: reliability of internal and external reporting
Compliance: adherence to laws and regulations
Practical takeaway
Internal control is the means to an end (achieving objectives), not an end in itself.
Internal Control over Financial Reporting: Objectives and Subobjectives
Top-level objective for internal control over financial reporting
To prepare and issue reliable financial information.
Detailed subobjectives: example for sales transactions
The following control objectives apply to sales within the broader objective of financial reporting:
All sales transactions that occur are recorded on a timely basis.
Sales transactions are recorded at correct amounts in the right accounts.
Sales transactions are accurately and completely summarized in the company's books and records.
Presentation and disclosures relating to sales are properly described, sorted, and classified.
Relation to management's assertions
These control objectives align with management’s financial statement assertions (as discussed in earlier chapters, e.g., Figure 5.1).
A key distinction: control objectives are broader than assertions because they cover operations and compliance in addition to financial reporting.
Relevance to Audits and Data Reliability
Which controls are most relevant to the audit?
Generally, controls that affect the reliability of financial reporting are most relevant because they influence the preparation of external financial statements.
Controls that affect the reliability of data used by auditors (including nonfinancial data used in analytical procedures, like production statistics) may also be relevant.
Examples of control relevance
Inventory access controls that limit physical access impact financial statement reliability.
Excessive wastage controls in production may not directly affect cost of materials reflected in financial statements, so they may be less relevant for financial reporting, unless cost data is misstated.
The Foreign Corrupt Practices Act (FCPA) and Internal Control Provisions
Context
In the mid-1970s, many U.S. corporations acknowledged improper payments to foreign officials to obtain business.
While some payments were legal in foreign jurisdictions, they violated U.S. ethics and accounting standards.
The FCPA (1977) prohibits payments to foreign officials to secure business and requires anti-bribery provisions.
The act also imposes internal control requirements to prevent such payments and ensure top management awareness and accountability.
Internal control provisions under the FCPA
The internal control provisions require all SEC-jurisdictional corporations to maintain a system of internal control that provides reasonable assurance that:
Transactions are executed with the knowledge and authorization of management.
Transactions are recorded as necessary to permit the preparation of reliable financial statements and maintain accountability for assets.
Access to assets is limited to authorized individuals.
Accounting records of assets are compared to existing assets at reasonable intervals and differences are addressed.
Consequences
Violations can result in fines and imprisonment for responsible management members.
The act underscores the importance of an effective internal control system beyond general governance.
Means of Achieving Internal Control
Variability across organizations
Internal control design varies with organization size, nature of operations, and objectives.
Classifications of financial-reporting controls
Preventive controls: aimed at preventing misstatements before they occur.
Detective controls: aimed at discovering misstatements after they occur.
Corrective controls: designed to remedy or correct misstatements after detection.
Examples
Preventive: segregation of duties; requiring approval of period-end journal entries.
Detective: monthly bank reconciliations to detect misstatements in cash transactions.
Corrective: backup copies of key transactions and master files to correct data entry errors.
Characteristics of Controls: Precision, Overlap, and Types of Overlaps
Precision of controls
Controls vary in the size of misstatement they prevent or detect; this is known as a control’s precision.
Example: bank reconciliations can be highly precise for certain cash-related assertions, but other aspects may be less precise.
Overlap and collaboration among controls
Controls often overlap to address imprecision and limitations.
Complementary controls work together to achieve the same objective (e.g., requiring both cash disbursements to be authorized and periodic bank reconciliations).
Redundancy and compensating controls
Redundant controls address the same assertion/objective to provide backups.
Compensating controls reduce risk when a weakness exists (e.g., owner-manager review compensates for insufficient segregation of duties in a small business).
Direct vs Indirect Controls
Direct controls
Specifically designed and precise enough to prevent or detect a material misstatement for a particular assertion related to a significant account, transaction, or disclosure.
Example: bank reconciliation is a direct control for cash-related assertions.
Indirect controls
Not precise enough to detect material misstatements at the assertion level but can have an indirect effect on detecting misstatements (e.g., an active audit committee).
The indirect control supports overall governance but is unlikely to identify a specific misstatement by itself.
Summary: Implications for Practice and Real-World Relevance
Internal control is essential for reliable financial reporting, operational efficiency, and regulatory compliance.
The COSO framework provides a unified language and structure to evaluate and improve internal control across organizations.
Effective internal control requires the coordination of people, processes, and technology, not just policies and forms.
The FCPA reinforces the legal and ethical imperative of strong internal controls, particularly around authorization, record-keeping, asset protection, and monitoring.
Management should strive for a balanced system of preventive, detective, and corrective controls with appropriate overlap and compensating mechanisms, tailored to organizational size and risk.
For auditors, the focus is on controls that impact the reliability of financial reporting, with additional attention to data and processes used in audit procedures.