
The Internal Control Structure

The Relationship between Risks,
Opportunities, and Controls
Risks
A risk is any exposure to the chance of injury
or loss.
Opportunities and Objectives
Opportunity and risk go hand in hand. You
can't have an opportunity without some risk and
with every risk there is some potential
opportunity.


The Relationship between Risks,
Opportunities, and Controls
Controls
A control is an activity we perform to minimize
or eliminate a risk.




Internal Control
Internal Control is a state that management
strives to achieve to provide reasonable
assurance that the firm's objectives will be
achieved.
These controls encompass all the measures and
practices that are used to counteract exposures
to risks.
The control framework is called the Internal
Control Structure.


The Relationship between Risks,
Opportunities, and Controls
Internal controls encompass a set of rules,
policies, and procedures an organization
implements to provide reasonable assurance that:
(a) its financial reports are reliable,
(b) its operations are effective and efficient, and
(c) its activities comply with applicable laws and
regulations.



Internal Control Systems
The organization's board of directors,
management, and other personnel are
responsible for the internal control
system.



Components of the Internal
Control Structure
Control Environment
Accounting System
Specific Control Policies,
Procedures and Security
Measures


Control Environment
The Control Environment establishes the tone of a
company, influencing the control consciousness of its
employees.
It is comprised of seven components:
Management philosophy and operating style
Integrity and ethical values
Commitment to competence
The Board of Directors and the Audit Committee
Organizational Structure
Assignment of authority and responsibility
Human resources policies and practices


Accounting System
The Accounting System relates to safeguarding
assets and checking the accuracy and reliability of
accounting data.
The Accounting System measures,
processes and communicates financial
data from transactions to internal and
external users.


Control Procedures
Control Procedures may be classified
according to their intended uses in a system:
Preventive Controls block adverse events, such as
errors or losses, from occurring.
Detective Controls discover the occurrence of
adverse events such as operational inefficiency.
Corrective controls are designed to remedy
problems discovered through detective controls.


Control Procedures
Control Procedures may also be classified
according to where they will be applied
within the system.
General controls are those controls that pertain to all
activities involving a firm's AIS and assets.
Application controls relate to specific accounting tasks
or transactions.
Security Measures are intended to provide adequate
safeguards over access to and use of assets and data
records.


Risk
Business firms face risks that reduce the
chances of achieving their control objectives.
Risk exposures arise from internal sources,
such as employees, as well as external
sources, such as computer hackers.
Risk assessment consists of identifying
relevant risks, analyzing the extent of
exposure to those risks, and managing risks
by proposing effective control procedures.


Types of Risks
Unintentional errors
Deliberate Errors (Fraud)
Unintentional Losses of Assets
Thefts of assets
Breaches of Security
Acts of Violence


Factors that increase Risk
Exposure
Frequency - the more frequent an
occurrence of a transaction the greater the
exposure to risk.
Vulnerability - liquid and/or portable assets
contribute to risk exposure.
Size of the potential loss - the higher the
monetary value of a loss, the greater the risk
exposure.


Problem Conditions Affecting
Risk Exposures
Collusion, which is the cooperation of two or more
people for a fraudulent purpose, is difficult to
counteract even with sound control procedures.
Management may not prosecute wrongdoers because
of the potential embarrassment.
Computer crime poses very high
degrees of risk, and fraudulent
activities are difficult to detect.


Feasibility of Controls
The Internal Control Structure should be
fully auditable, thus auditors should be
consulted during the system design stage.
A cost-benefit analysis should be
conducted in order to make sure that the
benefits of planned controls exceed the cost
of incorporating them in the system.
Costs of controls include one time costs, recurring
costs, additional losses caused by control failure and
opportunity cost.


Forces for the Improvement of
Controls
In recent decades various forces have arisen
to encourage the improvement of internal
control systems.
The most influential forces have been:
managers
professional associations
governmental bodies.


Management as a Force for
Improving Controls
Managers have become increasingly aware of the
tremendous losses that can occur to assets entrusted to
their care, and of the potential problems that result
from inaccurate or incomplete information.
Because of their vital stake in a sound internal control
structure, managers are a force for improvement of
controls.


Ethical Concerns of
Professional Associations
Professional accounting associations have self-
imposed and self-enforced codes of ethics or
professional conduct.
Ethics committees have been established to provide
association members with continuing education,
advice and assistance with investigations.
The feasibility of a universal code of conduct is
being studied that would combine computer
professional ethics and accounting association
ethics.


Information and Communication
The information system consists of the methods and
records used to record, maintain, and report the events of
an entity, as well as to maintain accountability for the
related assets, liabilities, and equity. The quality of the
system-generated information affects management's ability
to make appropriate decisions in managing and controlling
the entity's activities and to prepare reliable financial
reports.



Information and Communication
The information system should do each of the following
to provide accurate and complete information in the
accounting system and correctly report the results of
operations:
Identify and record all business events on a timely
basis.
Describe each event in sufficient detail.
Measure the proper monetary value of each event.
Determine the time period in which events occurred.
Present properly the events and related disclosures in
the financial statements


Information and Communication
The communication aspect of this component
deals with providing an understanding of
individual roles and responsibilities pertaining to
internal controls.
People should understand how their activities
relate to the work of others and how exceptions
should be reported to higher levels of
management.


Information and Communication
Open communication channels help ensure that
exceptions are reported and acted upon.
Communication also includes the
policy manuals, accounting manuals,
and financial reporting manuals.




Provisions of the Foreign
Corrupt Practices Act
The FCPA requires that publicly-held
companies design and implement a system of
control procedures that provide reasonable
assurance that:
assets are accounted for appropriately
transactions are in conformity to GAAP
access to assets is properly controlled
periodic comparisons of existing assets to the
accounting records are made


Essential Elements of an
Internal Control Structure
A good Audit Trail
Sound Personnel Policies and Competent
Employees
Segregation of related organizational duties
Physical Protection of assets
Internal Reviews of Controls
Timely Performance Reports


Audit Trail
An audit trail enables auditors and accountants
within the organization to follow the path of
transaction data from source documents to ultimate
disposition in a financial report
and vice-versa.
A computerized AIS tends to
fragment the paper trail, thus
making the system's audit
trail difficult to follow.


Sound Personnel Policies and
Competent Employees
Inefficient use of the company's assets may occur
without competent and honest employees.
Examples of sound personnel policies are:
specific hiring procedures
supervision
rotating of duties
enforced vacations
regular performance reviews
proper training
fidelity bond coverage on those employees who handle
liquid assets.


Segregation of Related
Organizational Duties
Segregating activities and responsibilities of a
company's employees allows different people
to perform various tasks of a specific
transaction.
The main functions that should be kept separate
are custody, recordkeeping and authorization of
the transaction.


Physical Protection of Assets
Keeping a company's assets in a safe physical
location minimizes the risk of damage to the assets
or theft by employees or outsiders.
A voucher system is an example of an accounting
control procedure that protects against
unauthorized cash disbursements.
A petty cash fund may be used for
small expenditures where writing
a check would be inefficient.


Internal Reviews of Controls
Internal audit is a service function within many
large companies.
As a separate subsystem, internal audit reports to high-level
management or to the board of directors in order
to remain independent and objective.
Internal auditors perform periodic reviews, called
operational audits, on each department within the
organization in order to evaluate the efficiency and
effectiveness of that particular department.


Timely Performance Reports
Performance reports provide information to
management on how efficiently and effectively its
company's internal controls are functioning.
These reports should provide timely
feedback to management on the
success or failure of the company's
internal controls.


Information Processing Risks
Recording risks include recording incomplete,
inaccurate, or invalid data about a business event.
Incomplete data results in not having all the
relevant characteristics about an operating event.
Inaccuracies arise from recording data that do not
accurately represent the event. Invalid refers to
data that are recorded about a fabricated event.


Information Processing Risks
Maintaining risks are essentially the same as
those for recording. The only difference is the data
relates to resources, agents, and locations rather
than to operating events. The risk relating to
maintenance processes is that changes with respect
to the organization's resources, agents, and
locations will go either undetected or unrecorded
(e.g., customer or employee moves, customer
declares bankruptcy, or location is destroyed
through a natural disaster).


Information Processing Risks
Reporting risks include data that are improperly
accessed, improperly summarized, provided to
unauthorized individuals, or not provided in a
timely manner.
