
Internal Control

Acctg 18

Reference: Accounting Information Systems 9th ed., James A. Hall

Definition and Objectives

The internal control system comprises policies, practices, and
procedures employed by the organization to achieve four broad
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records
and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies
and procedures.
Modifying Assumptions
Inherent in these control objectives are four modifying assumptions
that guide designers and auditors of internal controls:
1. Management Responsibility
2. Reasonable Assurance
3. Methods of Data Processing
4. Limitations
   a. Possibility of error
   b. Circumvention
   c. Management Override
   d. Changing Conditions
Exposure and Risks

Exposure - the absence or weakness of a control.

A weakness in internal control may expose the firm to one or more of
the following types of risks:
1. Destruction of assets (physical assets and information)
2. Theft of assets.
3. Corruption of information or the information system.
4. Disruption of the information system.
The Preventive-Detective-Corrective (PDC) Model
Three Levels of Control:

1. Preventive Controls
2. Detective Controls
3. Corrective Controls

1. Preventive Controls
• Passive techniques designed to reduce the frequency of occurrence of undesirable events.
• The first line of defense in the control structure; vast majority of undesirable events can be blocked at the first level.
• A well-designed source document is an example of a preventive

2. Detective Controls
• Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
• Reveal specific types of errors by comparing actual occurrences to pre-established standards

3. Corrective Controls
• Action taken to reverse the effects of errors detected in the first
• Error correction should be viewed as a separate control step that should be taken seriously
COSO Internal Control Framework

Five Components:

1. Control Environment
2. Risk Assessment
3. Information and Communication
4. Monitoring
5. Control Activities

1. Control Environment
• Sets the tone for the organization and influences the control awareness of its management and employees.
2. Risk Assessment
• Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting.
3. Information and Communication
• The quality of information the accounting information system generates impacts management’s ability to take actions and make decisions in connection with the organization’s operations and to prepare reliable financial statements.
• An effective accounting information system will:
  - Identify and record all valid financial transactions.
  - Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting.
  - Accurately measure the financial value of transactions so their effects can be recorded in financial statements.
  - Accurately record transactions in the time period in which they occurred.

4. Monitoring
• The process by which the quality of internal control design and operation can be assessed.
5. Control Activities
• The policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks.
i. IT Controls
ii. Physical Controls
Control Activities

1. IT Controls - relate specifically to the computer environment.

a. General Controls - pertain to entity-wide IT concerns such as
controls over the data center, organization databases, network
security, systems development, and program maintenance.
b. Application Controls - ensure the integrity of specific computer
systems such as sales order processing, accounts payable, and
payroll applications.
2. Physical Controls - relate to the human activities employed in
accounting systems; do not relate to the computer logic that
actually performs accounting tasks.
Physical Controls

1. Transaction Authorization
2. Segregation of Duties
3. Supervision
4. Accounting Records
5. Access Control
6. Independent Verification

1. Transaction Authorization - its purpose is to ensure that all material
transactions processed by the information system are valid and in
accordance with management’s objectives.
• General Authorization – granted to operations personnel to perform day-to-day operations.
• Specific Authorization – deals with case-by-case decisions associated with nonroutine transactions. This is a management

2. Segregation of Duties - one of the most important control
activities; implemented to minimize incompatible functions.
- Three objectives:
a. Authorization for a transaction is separate from the processing
of the transaction.
b. Responsibility for the custody of assets should be separate from
the record-keeping responsibility.
c. The organization should be structured so that a successful fraud
requires collusion between two or more individuals with
incompatible functions.

2. Segregation of Duties Objectives

Control Objective 1: Authorization | Processing
Control Objective 2: Authorization | Custody | Recording
Control Objective 3: Journals | Subsidiary Ledgers | General Ledger
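
One way to test role assignments against the three segregation of duties objectives above, as an added example that is not from the lecture or from Hall's text. The duty labels, the pairing of custody with recording for objective 2, and the people in SAMPLE are assumptions constructed for the illustration.

```python
from itertools import combinations

# Incompatible duty groups, one per objective above. The duty labels and the
# people in SAMPLE are constructed for this example.
INCOMPATIBLE = {
    1: {"authorization", "processing"},
    2: {"custody", "recording"},
    3: {"journals", "subsidiary_ledgers", "general_ledger"},
}

SAMPLE = {
    "alvarez": {"authorization"},
    "brooks": {"processing", "custody", "recording"},   # objective 2 conflict
    "chen": {"journals", "general_ledger"},             # objective 3 conflict
    "diaz": {"subsidiary_ledgers"},
}

def sod_violations(assignments):
    """Every pair of incompatible duties held by a single person."""
    findings = []
    for user, duties in assignments.items():
        for objective, group in INCOMPATIBLE.items():
            for a, b in combinations(sorted(duties & group), 2):
                findings.append((user, objective, a, b))
    return sorted(findings)

def collusion_size(assignments, objective):
    """Fewest people who together hold every duty in one group.

    1 means one person can act alone; None means some duty is unassigned.
    """
    group = INCOMPATIBLE[objective]
    users = sorted(assignments)
    for size in range(1, len(users) + 1):
        for team in combinations(users, size):
            held = set().union(*(assignments[u] for u in team))
            if group <= held:
                return size
    return None

if __name__ == "__main__":
    for finding in sod_violations(SAMPLE):
        print("conflict:", finding)
    for objective in INCOMPATIBLE:
        print("objective", objective, "collusion size:",
              collusion_size(SAMPLE, objective))
```

A collusion size of 1 for any objective means the structure fails objective c for that group, since one person can complete the whole chain alone.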

3. Supervision - a compensating control—management must
compensate for the absence of segregation controls with close
4. Accounting Records - consist of source documents, journals, and
ledgers. These records capture the economic essence of
transactions and provide an audit trail of economic events.
Organizations must maintain audit trails for two reasons:
• An audit trail is needed for conducting day-to-day operations.
• An audit trail plays an essential role in the financial audit of the firm.
5. Access Controls - its purpose is to ensure that only authorized
personnel have access to the firm’s assets.
• Direct Access – Physical security devices such as locks and alarm
• Indirect Access – Controlling the use of documents and segregating duties.
6. Independent Verification - independent checks of the
accounting system to identify errors and misrepresentations.
Through independent verification procedures, management can
• The performance of individuals
• The integrity of the transaction processing system
• The correctness of data contained in accounting records
6. Independent Verification - Examples:
• Reconciling of batch totals at points during transaction
• Comparing physical assets with accounting records
• Reconciling subsidiary accounts with control accounts
• Reviewing management reports (both computer and manually generated) that summarize business activity
IT Controls
I. Input Controls
1. Check Digit
2. Missing Data Check
3. Numeric-Alphabetic Check
4. Limit Check
5. Range Check
6. Reasonableness Check
7. Validity Check
II. Processing Controls
1. Batch Controls
2. Run-to-run Controls
3. Audit Trail Controls – Transaction Logs; Master File Backup
III. Output Controls
1. Controlling Hard-Copy Output
a. Output Spooling
b. Print Programs
c. Waste
d. Report Distribution
e. End-User Controls
2. Controlling Digital Output