Why do internal controls exist

A properly designed internal control system will not prevent all loss from occurring, but it will significantly reduce the risk of loss and increase the chance of identifying the responsible party. All businesses are concerned with internal controls over reporting and assets. For the grocery industry this concern is even greater, because profit margins on items are so small that any lost opportunity hurts profitability. How can an individual grocery store develop effective controls?

Consider the two biggest items that a grocery store needs to control: food inventory and cash. Inventory controls are set up to stop shrinkage theft. While it is not profitable for each aisle to be patrolled by a security guard, cameras throughout the store linked to a central location allow security staff to observe customers.

More controls are placed on cash registers to prevent employees from stealing cash. Grocery stores invest more resources in controlling cash because they have determined it to be the greatest opportunity for fraudulent activity. The accounting system is the backbone of any business entity, whether it is profit based or not. It is the responsibility of management to link the accounting system with other functional areas of the business and ensure that there is communication among employees, managers, customers, suppliers, and all other internal and external users of financial information.

With a proper understanding of internal controls, management can design an internal control system that promotes a positive business environment that can most effectively serve its customers. For example, a customer enters a retail store to purchase a pair of jeans. As the cashier enters the jeans into the point-of-sale system, the following events occur internally:. Because many systems are linked through technology that drives decisions made by many stakeholders inside and outside of the organization, internal controls are needed to protect the integrity and ensure the flow of information.

An internal control system also assists all stakeholders of an organization to develop an understanding of the organization and provide assurance that all assets are being used efficiently and accurately. Internal controls have grown in their importance as a component of most business decisions. This importance has grown as many company structures have grown in complexity.

Despite their importance, not all companies have given maintenance of controls top priority. Additionally, many small businesses do not have adequate understanding of internal controls and therefore use inferior internal control systems. Many large companies have nonformalized processes, which can lead to systems that are not as efficient as they could be. The failure of the SCICAP Credit Union discussed earlier is a direct result of a small financial institution having a substandard internal control system leading to employee theft.

One of the largest corporate failures of all time was Enron , and the failure can be directly attributed to poor internal controls. Enron was one of the largest energy companies in the world in the late twentieth century. However, a corrupt management attempted to hide weak financial performance by manipulating revenue recognition, valuation of assets on the balance sheet, and other financial reporting disclosures so that the company appeared to have significant growth.

For example, Enron and its accounting firm, Arthur Andersen , did not maintain an adequate degree of independence. Arthur Andersen provided a significant amount of services in both auditing and consulting, which prevented them from approaching the audit of Enron with a proper degree of independence.

Also, among many other violations, Enron avoided the proper use of several acceptable reporting requirements. As a result of the Enron failure and others that occurred during the same time frame, Congress passed the Sarbanes-Oxley Act SOX to regulate practice to manage conflicts of analysts, maintain governance, and impose guidelines for criminal conduct as well as sanctions for violations of conduct.

It ensures that internal controls are properly documented, tested, and used consistently. The intent of the act was to ensure that corporate financial statements and disclosures are accurate and reliable.

It is important to note that SOX only applies to public companies. A publicly traded company is one whose stock is traded bought and sold on an organized stock exchange. Smaller companies still struggle with internal control development and compliance due to a variety of reasons, such as cost and lack of resources. As it pertains to internal controls, the SOX requires the certification and documentation of internal controls.

Specifically, the act requires that the auditor do the following:. Its creation was included in the Sarbanes-Oxley Act of to regulate conflict, control disclosures, and set sanction guidelines for any violation of regulations.

The PCAOB was assigned the responsibilities of ensuring independent, accurate, and informative audit reports, monitoring the audits of securities brokers and dealers, and maintaining oversight of the accountants and accounting firms that audit publicly traded companies.

The penalty is more severe for securities fraud 25 years than for mail or wire fraud 20 years. The SOX is relatively long and detailed, with Section having the most application to internal controls.

Under Section , management of a company must perform annual audits to assess and document the effectiveness of all internal controls that have an impact on the financial reporting of the organization. Also, selected executives of the firm under audit must sign the audit report and state that they attest that the audit fairly represents the financial records and conditions of the company.

The financial reports and internal control system must be audited annually. The cost to comply with this act is very high, and there is debate as to how effective this regulation is. Two primary arguments that have been made against the SOX requirements is that complying with their requirements is expensive, both in terms of cost and workforce, and the results tend not to be conclusive.

Proponents of the SOX requirements do not accept these arguments. Select personalised content. Create a personalised content profile.

Measure ad performance. Select basic ads. Create a personalised ads profile. Select personalised ads. Apply market research to generate audience insights. Measure content performance. Develop and improve products. List of Partners vendors. Internal controls are the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. Besides complying with laws and regulations and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting.

Internal controls have become a key business function for every U. In their wake, the Sarbanes-Oxley Act of was enacted to protect investors from fraudulent accounting activities and improve the accuracy and reliability of corporate disclosures. This has had a profound effect on corporate governance, by making managers responsible for financial reporting and creating an audit trail. Managers found guilty of not properly establishing and managing internal controls face serious criminal penalties.

They ensure compliance with laws and regulations and accurate and timely financial reporting and data collection, as well as helping to maintain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit. No two systems of internal controls are identical, but many core philosophies regarding financial integrity and accounting practices have become standard management practices.

While internal controls can be expensive, properly implemented internal controls can help streamline operations and increase operational efficiency, in addition to preventing fraud. Regardless of the policies and procedures established by an organization, only reasonable assurance may be provided that internal controls are effective and financial information is correct.

The effectiveness of internal controls is limited by human judgment. A business will often give high-level personnel the ability to override internal controls for operational efficiency reasons, and internal controls can be circumvented through collusion. The U. Congress passed the Sarbanes-Oxley Act of to protect investors from the possibility of fraudulent accounting activities by corporations, which mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud.

Internal controls are typically comprised of control activities such as authorization, documentation, reconciliation, security, and the separation of duties. And they are broadly divided into preventative and detective activities. Preventive control activities aim to deter errors or fraud from happening in the first place and include thorough documentation and authorization practices. Peer Review results indicate that some auditors believe they can default control risk assessments to "maximum" without any consideration of their client's controls.

But is this the right approach? Many will be shocked to learn that the answer is "no. Auditors should not default to any level of control risk. An auditor should have a reasonable basis for his or her assessment of control risk, regardless of the assessment level. Defaulting to a control risk assessment of "maximum" without evaluating the design and implementation of relevant controls could lead an auditor to failing to identify risks that are relevant to the audit.

The evaluation of the design of controls and the determination of whether the controls are implemented provide the basis for designing an effective response to the risk of material misstatement. The auditor's strategy may or may not include testing the operating effectiveness of controls. In other words, a substantive audit approach may be implemented as long as your audit procedures are responsive and linked to the assessed risks of material misstatement.

Peer Review results also indicate that some auditors believe they can lower their control risk assessment without testing whether the controls are operating as designed, but that's not true.

If the auditor's response i. Evaluating control design and implementation is not the same thing as testing the operating effectiveness of those controls.

Many auditors confuse the terms "implementation" and "operating effectiveness," but as paragraph. A77 of AU - C Section states, "obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit.

Once the auditor has assessed the risks of material misstatement including risk associated with the client's internal control, his or her next step will be to design and perform further audit procedures that are responsive to the client's risks. The auditor should not simply perform the same procedures that were required for another client in the same industry or even those audit procedures performed in the prior year.

To illustrate, consider two clients in the manufacturing industry. For both clients, the auditor has assessed the risks of material misstatement related to the rights and obligations assertion in the accounts payable balance as maximum. Client A's bookkeeper records all invoices in the accounting system once the invoice is received. Because the invoices are not matched to a purchase order or otherwise reviewed to confirm their validity, the auditor determines that Client A's controls over the recording of accounts payable are ineffectively designed.

A specific concern is the risk of recording fictitious invoices. Alternatively, Client B's bookkeeper records all invoices for authorized purchase orders in the accounting system when the invoice is paid. Because recording of invoices is delayed until payment occurs, the auditor determines that Client B's controls are ineffectively designed because a risk of unrecorded liabilities exists.

While both clients are in the same industry and both have maximum risks of material misstatement related to the accounts payable rights and obligations assertion, they may require two very different audit responses. Client A's auditor may determine that the best way to lower detection risk would be to compare invoices received from vendors with a listing of approved vendors and purchase orders.

Conversely, Client B's auditor may lower the threshold amount in performing a search for unrecorded liabilities. When performing future audit engagements, auditors should be sure to:. Following these tips will help drive high - quality , efficient audits that conform to the standards. For more help, visit aicpa.