UNDERSTANDING INTERNAL CONTROLS

INTERNAL CONTROLS:

AICPA - INTERNAL CONTROL STANDARDS:

The information that follows is specific guidance from the American Institute of Certified Public Accountants Codification on Statements on Auditing Standards AU 319 “Internal Control in a Financial Statement Audit”.

Internal control is a process affected by an entity’s board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance with applicable laws and regulations.

Internal Control consists of five interrelated components, which are:

  • Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  • Risk assessment is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
  • Control activities are the policies and procedures that help ensure that management directives are carried out.
  • Information and communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  • Monitoring is a process that assesses the quality of internal control performance over time.

CONTROL ENVIRONMENT:

Factors affecting the control environment include: integrity and ethical values, commitment to competence, board of trustees, council members or audit finance committee participation, management’s philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices.

  • Integrity and Ethical Values: The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the products of the entity’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct and by example.
  • Commitment to Competence: Competence is the knowledge and skills necessary to accomplish tasks that define the individual’s job. Commitment to competence includes management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
  • Board of Trustees, Council Members or Audit Finance Committee Participation: An entity’s control consciousness is influenced significantly by the entity’s board of trustees, council members or audit finance committee. Attributes include the board, council member or audit finance committee’s independence from management, the experience and stature of its members, the extent of its involvement and scrutiny of activities, the appropriateness of its actions, the degree to which difficult questions are raised and pursued with management, and the interaction with internal and external auditors.
  • Management’s Philosophy and Operating Style: Management’s philosophy and operating style encompass a broad range of characteristics. Such characteristics may include the following: management’s approach to taking and monitoring business risks, management’s attitudes and actions towards financial reporting (conservative or aggressive selection from available alternative accounting principles, and conscientiousness and conservatism with which accounting estimates are developed); and management’s attitude toward information processing and accounting functions and personnel.
  • Organizational Structure: An entity’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. An entity develops an organizational structure suited to its needs. The appropriateness of an entity’s organizational structure depends, in part, on its size and the nature of its activities.
  • Assignment of Authority and Responsibility: This factor includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.
  • Human Resource Policies and Practices: Human resource policies and practices relate to hiring, orientation, training, evaluating, counseling, promoting, compensating, and remedial plans. For example, standards for hiring the most qualified individuals with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior demonstrate an entity’s commitment to competent and trustworthy people. Training policies that communicate prospective roles and responsibilities and include practices such as training schools and seminars illustrate expected levels of performance and behavior. Promotions driven by periodic performance appraisals demonstrate the entity’s commitment to the advancement of qualified personnel to higher levels of responsibility.

RISK ASSESSMENT:

Risk assessment for financial reporting purposes is its identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles. For example, risk assessment may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.

Risks relevant to financial statement reporting include external and internal events and circumstances that may occur and adversely affect an entity’s ability to record, process, summarize and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:

  • Changes in Operating Environment: Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.
  • New Personnel: New personnel may have a different focus on or understanding of internal control.
  • New or Revamped Information Systems: Significant and rapid changes in information systems can change the risk relating to internal control.
  • Rapid Growth: Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.
  • New Technology: Incorporating new technologies into production processes or information systems may change the risk associated with internal control.
  • New Lines, Products, or Activities: Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.
  • Corporate Restructurings: Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.
  • Foreign Operations: The expansion or acquisition of foreign operations carries new and often unique risks that may impact internal control, for example, additional or changed risks from foreign currency transactions.
  • Accounting Pronouncements: Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.

CONTROL ACTIVITIES:

Control activities are the policies and procedures that help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities have various objectives and are applied at various organizational and functional levels.

Generally control activities that may be relevant to an audit may be categorized as policies and procedures that pertain to the following:

  • Performance Reviews: These control activities include reviews of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data, operating or financial, to one another, together with analysis of the relationships and investigative and corrective actions; and review of functional or activity performance, such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan approvals and collections.
  • Information Processing: A variety of controls are performed to check accuracy, completeness, and authorization of transactions. The two broad groupings of information systems control activities are general controls and application controls. General controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance. These controls apply to mainframe, minicomputer, and end-user environments. Application controls apply to the processing of individual applications. These controls help ensure that transactions are valid, properly authorized, and completely and accurately processed.
  • Physical Controls: These activities encompass the physical security of assets, including adequate safeguards such as secured facilities, over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records. The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on the circumstances such as when assets are highly susceptible to misappropriation. For example, these controls would ordinarily not be relevant when any inventory losses would be detected pursuant to periodic physical inspection and recorded in the financial statements. However, if for financial reporting purposes management relies solely on perpetual inventory records, the physical security controls would be relevant to the audit.
  • Segregation of Duties: Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or irregularities in the normal course of his or her duties.

INFORMATION AND COMMUNICATION:

The information system relevant to financial reporting objectives, which includes the accounting system, consists of the methods and records established to record, process, summarize, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. The quality of system-generated information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities and to prepare reliable financial reports.

An information system encompasses methods and records that:

  • Identify and Record all transactions.
  • Describe on a Timely Basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
  • Measure the Value of transactions in a manner that permits recording their proper monetary value in the financial statements.
  • Determine the Time Period in which transactions occurred to permit recording of transactions in the proper accounting period.
  • Present Properly the transactions and related disclosures in the financial statements.

Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on.

Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made orally and through the actions of management.

MONITORING:

Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

Ongoing monitoring activities are built into the normal recurring activities of the entity and include regular management and supervisory activities. Managers of sales, purchasing, and production at divisional and corporate levels are in touch with operations and may question reports that differ significantly from their knowledge of operations.

In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of an entity’s activities through separate evaluations. They regularly provide information about the functioning of internal control, focusing considerable attention on evaluating the design and operation of internal control. They communicate information about strengths and weaknesses and recommendations for improving internal control.

Monitoring activities may include using information from communications from external parties. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider communications relating to internal control from external auditors in performing monitoring activities.

FINANCIAL STATEMENT ASSERTIONS:

  • Existence
  • Completeness
  • Rights/Obligations
  • Valuation
  • Presentation/Disclosure

All transactions recorded must have these in order to be considered valid.

FRAUD:

Black’s Law Dictionary – a generic term that embraces all means by which humans can devise, which is resorted to by one individual to get advantage over another by false suggestions or by suppression of truth, and includes all surprise, trickery, cunning, dissembling, and any unfair way by which another is cheated.

US Supreme Court – a tort (a legal wrong) that meets the following conditions:

  • Misrepresentation of a material fact
  • The perpetrator knew it was false
  • Made with the intention that the misrepresentation would be relied on
  • The victim did rely on it and as a result suffered a loss

Institute of Internal Auditors – encompasses an array of irregularities and illegal acts characterized by intentional deception. It can be perpetrated for the benefit of or to the detriment of the organization.

AICPA – “a broad legal concept” that is distinguished from error depending on whether the action is intentional or unintentional.

Types of Fraud:

  • Misrepresentation in financial reports
  • False or overstated expense reimbursements
  • False or overstated vendor invoices
  • Check tampering
  • Lapping of cash receipts
  • Bogus credits
  • Fictitious vendor
  • Substitution
  • Altering bank deposits
  • Forging checks
  • Kickbacks
  • Bid-rigging
  • Ghost employees
  • Skimming
  • Overstatement of payroll hours/effort
  • Asset misappropriations / Stealing
  • Theft / Larceny

Formula for Fraud:

  • Incentive / Pressure to commit fraud
  • Opportunities to commit fraud
  • Attitudes / Rationalization

FRAUD PREVENTION AND DETECTION:

Have a strong internal control system in place. Control environment and risk assessment are most important. Ensure that all transactions have more than one person involved from the beginning of the business process to the end. When risks are high due to the limitation of staff, closer supervision over the business process, independent reconciliations/reviews, and audits are important to compensate for control weaknesses.

Fraud prevention is accomplished by:

  • Segregation of duties
  • Rotation of duties in positions susceptible to fraud
  • Require employees handling financial transactions to take regular vacations of 2 weeks or more at one time and let someone else perform their normal responsibilities
  • Adherence to organizational policies and procedures, especially those concerning documentation and authorization of transactions
  • Physical security over assets such as locking doors and restricting access to certain areas.
  • Proper training of employees
  • Independent reviews and monitoring of tasks
  • Clear lines of authority
  • Conflict of interest policies, which are enforced
  • Regular independent audits of areas more susceptible to fraud

Fraud detection is accomplished by:

  • Independent reconciliations
  • Inspections of documents (canceled checks)
  • Employee complaints
  • Discovery of unusual items that indicate follow-up is necessary
  • Problems detected by audits
  • Customer or vendor complaints, such as payments not being credited
  • Unusual or unexplained report variances or financial statement trends

TYPES OF CONTROL ACTIVITIES: (PREVENTIVE – DETECTIVE)

Control activities are either preventative or detective.

  • Preventive controls are built in as part of the system and look at each transaction similarly to stop errors before they are recorded in the system. Preventive controls include segregation of duties, appropriate organizational lines of responsibility/authority, proper communication, signed statements/representations, written contracts/agreements, trustworthy employees, knowledgeable employees, performance management (work plans/gaining commitment/counseling/monitoring/evaluation), employee training/reinforcement, supervision/oversight, independent authorization, documented accounting procedures and controls, adequate supporting documentation and records (including pre-numbered documents and the cancellation of documents), proper record-keeping procedures (including the timeliness of processing), budgetary accounting, physical security/control over assets and documents (including document control, safe deposits, timeliness of deposits and computer security), and preaudits of transactions (including matching of documents).
  • Detective controls are dependent on manual review of recorded information and are considered compensating controls when preventative controls are not in place. They require timely correction procedures. Detective controls include recalculations, checking control totals, analysis and review, independent reconciliations, follow up on questionable accounts/transactions, customer complaints/employee complaints, observations, rotation of staff, inspection of documents, confirmations, and post review/audits of accounts/transactions/exception reports/aging reports, etc.
