
3-1

Internal Control Defined


Internal control is a process effected by management, the board of directors, and other personnel that is designed to minimize risk exposures to an acceptable level given the company's objectives.

Risk exposures include events that can adversely affect the company, such as asset losses due to theft or spoilage, accounting errors and their consequences, revenue losses, expense overruns, business interruptions, fraud and embezzlement, fines and penalties, civil liabilities, and losses of competitive advantage.

The general rule is that internal controls must provide a reasonable assurance (rather than a perfect assurance) that they will achieve their objectives. That is, they must reflect a balance between the benefits of reducing risk exposures versus the costs of implementing the controls.

3-2

Objectives and Components of Internal Control

Specific objectives of internal control include the following:
Ensuring the integrity and reliability of the financial reports.
Ensuring compliance with applicable laws, regulations, professional rules, and contractual obligations.
Promoting strategic, tactical, and operational efficiency and effectiveness.

The components of effective internal control processes are the control environment, risk assessment, control activities, information and communication, and monitoring.

3-3

The Control Environment


The control environment represents the overall atmosphere in which employees operate.

Management Philosophy and Operating Style
Ethics and the Corporate Culture
Clearly Assigned Employee Responsibilities
Effective and Independent Audit Committee
Effective and Independent Internal Audit Function
Effective Human Resource Policies and Procedures
Risk Assessment and Management

3-4

Control Activities
Control activities are the policies and procedures that help ensure that management directives are carried out.

Segregation of Duties (authorization, custody, and recordkeeping)
Adequate Documentation and Records
Controlled Access to Assets
Independent Accountability Checks and Reviews of Performance
Approval and Authorization

3-5

Information and Communication

Information primarily relates to the accounting system,
and communication relates to the flows of information
through the organization. The accounting system should
be well documented, beginning with a clearly defined
chart of accounts and a system of special journals and
subsidiary ledgers as needed. All transactions should be
processed on a consistent basis.
All forms (whether paper or electronic) should be clear
and simple to minimize input errors, and double checks
should be in place to detect input or processing errors.
All transactions and relevant activities should be properly
recorded with proper audit trails.

3-6

Monitoring
It is not enough just to have good control processes. The
processes must be continually monitored and updated as
needed. Internal control monitoring is part of the general
corporate governance structure and involves the CEO,
CFO, chief information officer (CIO), corporate legal
counsel, internal auditor, and members of the audit committee.
All of these individuals should periodically review reports on
the functioning of the internal control process.
Both external and internal audits involve monitoring the
internal control processes to assess their reliability and
effectiveness. This is normally accomplished by various
analytical tools that include reviews of documents,
questionnaires, interviews, reviews of the accounts and
transaction data, and tests of compliance.

3-7

Transaction Processing Controls


Transaction processing controls are those controls that
are relevant to implementing good internal control
processes within specific transaction cycles. General
controls and application controls are the two types of
transaction processing controls.
General controls pertain to the overall environment and
apply to all transactions.
Application controls, on the other hand, apply to specific
applications, processes, and transactions.

3-8

General Controls
The general plan of organization for data processing should
include segregation of duties so that data processing is
segregated from other organizational functions.
General operating procedures include good documentation,
training, and systems for the prevention, detection, and
correction of internal control violations.
Hardware control policies and procedures limit exposures
to hardware problems. For example, regular data backups
can permit recovery if an online data storage unit fails.
General access controls for data and hardware prevent
unauthorized changes to critical data.

3-9

Application Controls
Generally classified as input, processing, and output
controls.
These controls ensure the accuracy, integrity, and security
of the processes of collecting input data, processing input
data, and distributing processed data, respectively.
Accuracy means that data are free from errors.
Integrity means that the data remain intact in that nothing is
added to or removed from the transaction data as they pass
through the system.
Security in this context means that only authorized persons
are granted access to the system.
