Chapter 4: Internal Controls

Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin

Upload: elfreda-hollie-gibbs

Post on 24-Dec-2015



Outline

• Objectives

• Definition of internal control

• Internal control purposes

• Risk exposures

• COSO frameworks

• Examples


Objectives

When you finish this chapter, you should be able to:

– Define “internal control” and explain its importance in the accounting information system

– Explain the basic purposes of internal control

– Describe and give examples of various kinds of risk exposures

– Conduct a comprehensive risk assessment

– Summarize and explain the importance of the COSO documents on internal control

– Critique existing internal control systems and design effective internal controls


Definition of internal control

Most definitions of internal control contain four common elements:

– Internal control is a process

– Internal controls are designed to provide reasonable assurance

– Internal control necessarily involves people in the organization

– Internal controls provide that reasonable assurance in a few common areas


Internal control purposes

Broadly speaking, internal controls should help organizations:

– Safeguard their assets

– Ensure the reliability of financial statements

– Promote operating efficiency

– Encourage compliance with management’s directives


Risk exposures

One good way to start designing internal controls is to think about an organization’s risks. Among the many good ways to think about risk is Brown’s taxonomy.


Risk exposures

• Operational risk

– Systems risk: related to information technology

– Human error risk: people in the organization might make mistakes

• Financial risk

– Market risk: changes in stock prices, investment values, interest rates

– Credit risk: customers’ unwillingness or inability to pay their debts

– Liquidity risk: insufficient cash to pay debts


Risk exposures

• Hazard risk

– Officers’ and directors’ liability: people might break laws, resulting in personal penalties

• Strategic risks

– Legal and regulatory risk: people might break laws, resulting in penalties for the organization

– Business strategy risk: poor decision making related to market competition


COSO frameworks

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed frameworks related to internal control (1985) and enterprise risk management (2004).


COSO frameworks

Internal Control: Integrated Framework

– Control environment: the tone at the top

– Risk assessment: using a taxonomy to identify organizational risks

– Control activities: actual responses to risk.

• Preventive, detective, corrective

• General, application

– Information and communication: keeping people informed

– Monitoring: periodic reviews and updates

In 2006, COSO published “Internal Control over Financial Reporting—Guidance for Smaller Public Companies” to provide suggestions for implementing Internal Control: Integrated Framework.


COSO frameworks

Enterprise Risk Management: Integrated Framework

– Internal environment: tone at the top

– Objective setting: organizational goals

• Strategic

• Reporting

• Operations

• Compliance

– Event identification: what can happen that may impede goals

• Internal

• External

– Risk assessment: likelihood and impact

• Inherent

• Residual


COSO frameworks

Enterprise Risk Management: Integrated Framework (continued)

– Risk response: generic ways to deal with risk

• Avoid

• Accept

• Reduce

• Share

– Control activities: specific procedures for responding to risk

– Information and communication: keep people informed about what’s happening with risk and the plan

– Monitoring: ongoing activities and/or separate evaluations that ensure the plan is updated as needed


Examples

Although every organization’s approach to internal control is slightly different, certain controls are common in many organizations. The following slides contain some examples.


Examples

• Adequate documentation

• Background checks

• Back-up computer files

• Back-up power supplies

• Bank reconciliation

• Batch control totals

• Data encryption

• Document matching

• Edit checks


Examples

• Firewalls

• Insurance and bonding

• Internal audits

• Limit checks

• Lockbox systems

• Physical security

• Preformatted data entry screens

• Prenumbered documents

• Restrictive endorsements of checks


Examples

• Daily deposit of cash receipts

• Segregation of duties

• User training

All internal controls have associated costs—financial, operational and behavioral. The key is ensuring that the benefits outweigh the costs.
