This section describes internal control and its fundamental principles. We also discuss the impact of technology on internal control and the limitations of control procedures.
Purpose of Internal Control
Managers (or owners) of small businesses often control the entire operation. These managers usually purchase all assets, hire and manage employees, negotiate all contracts, and sign all checks. They know from personal contact and observation whether the business is actually receiving the assets and services paid for. Most companies, however, cannot maintain this close personal supervision. They must delegate responsibilities and rely on formal procedures rather than personal contact in controlling business activities.
Internal Control System Managers use an internal control system to monitor and control business activities. An internal control system consists of the policies and procedures managers use to
- Protect assets.
- Promote efficient operations.
- Ensure reliable accounting.
- Urge adherence to company policies.
A properly designed internal control system is a key part of systems design, analysis, and performance. Managers place a high priority on internal control systems because they can prevent avoidable losses, help managers plan operations, and monitor company and employee performance. For example, internal controls for health care must protect patient records and privacy. Internal controls do not provide guarantees, but they lower the company’s risk of loss.
Sarbanes-Oxley Act (SOX) The Sarbanes-Oxley Act (SOX) requires the managers and auditors of companies whose stock is traded on an exchange (called public companies) to document and certify the system of internal controls. Following are some of the specific requirements:
- Auditors must evaluate internal controls and issue an internal control report.
- Auditors of a client are restricted as to what consulting services they can provide that client.
- The person leading an audit can serve no more than seven years without a two-year break.
- Auditors’ work is overseen by the Public Company Accounting Oversight Board(PCAOB).
- Harsh penalties exist for violators—sentences up to 25 years in prison with severe fines.
SOX has markedly impacted companies, and the costs of its implementation are high. Importantly, Section 404 of SOX requires that managers document and assess the effectiveness of all internal control processes that can impact financial reporting. The benefits include greater confidence in accounting systems and their related reports. However, the public continues to debate the costs versus the benefits of SOX as nearly all business activities of these companies are impacted by SOX. Section 404 of SOX requires that managers document and assess their internal controls and that auditors provide an opinion on managers’ documentation and assessment.
Principles of Internal Control
Internal control policies and procedures vary from company to company according to such factors as the nature of the business and its size. Certain fundamental internal control principles apply to all companies. The principles of internal control are to
- Establish responsibilities.
- Maintain adequate records.
- Insure assets and bond key employees.
- Separate recordkeeping from custody of assets.
- Divide responsibility for related transactions.
- Apply technological controls.
- Perform regular and independent reviews.
Point: Sarbanes-Oxley Act (SOX) requires that each annual report contain an internal control report, which must: (1) state managers’ responsibility for establishing and maintaining adequate internal controls for financial reporting; and (2) assess the effectiveness of those controls.
Establish Responsibilities Proper internal control means that responsibility for a task is clearly established and assigned to one person. When a problem occurs in a company where responsibility is not identified, determining who is at fault is difficult. For instance, if two salesclerks share the same cash register and there is a cash shortage, neither clerk can be held accountable. To prevent this problem, one clerk might be given responsibility for handling all cash sales. Alternately, a company can use a register with separate cash drawers for each clerk. Most of us have waited at a retail counter during a shift change while employees swap cash drawers.
Maintain Adequate Records Good recordkeeping is part of an internal control system. It helps protect assets and ensures that employees use prescribed procedures. Reliable records are also a source of information that managers use to monitor company activities. When detailed records of equipment are kept, for instance, items are unlikely to be lost or stolen without detection. Similarly, transactions are less likely to be entered in wrong accounts if a chart of accounts is set up and carefully used. Many preprinted forms and internal documents are also designed for use in a good internal control system. When sales slips are properly designed, for instance, sales personnel can record needed information efficiently with less chance of errors or delays to customers. When sales slips are prenumbered and controlled, each one issued is the responsibility of one salesperson, preventing the salesperson from pocketing cash by making a sale and destroying the sales slip. Computerized point-of-sale systems achieve the same control results.
Insure Assets and Bond Key Employees Good internal control means that assets are adequately insured against casualty and that employees handling large amounts of cash and easily transferable assets are bonded. An employee is bonded when a company purchases an insurance policy, or a bond, against losses from theft by that employee. Bonding reduces the risk of loss. It also discourages theft because bonded employees know an independent bonding company will be involved when theft is uncovered and is unlikely to be sympathetic with an employee involved in theft. (A common question on job applications is whether you are bonded or bondable.)
Separate Recordkeeping from Custody of Assets A person who controls or has access to an asset must not keep that asset’s accounting records. This principle reduces the risk of theft or waste of an asset because the person with control over it knows that another person keeps its records. Also, a recordkeeper who does not have access to the asset has no reason to falsify records. This means that to steal an asset and hide the theft from the records, two or more people must collude—or agree in secret to commit the fraud. Some payroll cash checking services require fingerprint ID before the payroll check is cashed.
Divide Responsibility for Related Transactions Good internal control divides responsibility for a transaction or a series of related transactions between two or more individuals or departments. This is to ensure that the work of one individual acts as a check on the other. This principle, often called separation of duties, is not a call for duplication of work. Each employee or department should perform unduplicated effort. Examples of transactions with divided responsibility are placing purchase orders, receiving merchandise, and paying vendors. These tasks should not be given to one individual or department. Assigning responsibility for two or more of these tasks to one party increases mistakes and perhaps fraud. Having an independent person, for example, check incoming goods for quality and quantity encourages more care and attention to detail than having the person who placed the order do the checking. Added protection can result from identifying a third person to approve payment of the invoice. A company can even designate a fourth person with authority to write checks as another protective measure.
Apply Technological Controls Cash registers, check protectors, time clocks, and personal identification scanners are examples of devices that can improve internal control. Technology often improves the effectiveness of controls. A cash register with a locked-in tape or electronic file makes a record of each cash sale. A check protector perforates the amount of a check into its face and makes it difficult to alter the amount. A time clock registers the exact time an employee both arrives at and departs from the job. Mechanical change and currency counters quickly and accurately count amounts, and personal scanners limit access to only authorized individuals. Each of these and other technological controls are an effective part of many internal control systems. Some companies video record workers as they clock in and out, which discourages them from clocking in or out for others.
Perform Regular and Independent Reviews Changes in personnel, stress of time pressures, and technological advances present opportunities for shortcuts and lapses. To counter these factors, regular reviews of internal control systems are needed to ensure that procedures are followed. These reviews are preferably done by internal auditors not directly involved in the activities. Their impartial perspective encourages an evaluation of the efficiency as well as the effectiveness of the internal control system. Many companies also pay for audits by independent, external auditors. These external auditors test the company’s financial records to give an opinion as to whether its financial statements are presented fairly. Before external auditors decide on how much testing is needed, they evaluate the effectiveness of the internal control system. This evaluation is often helpful to a client. Independent, external audits are usually performed by auditors who work for public accounting firms.
Technology and Internal Control
The fundamental principles of internal control are relevant no matter what the technological state of the accounting system, from purely manual to fully automated systems. Technology impacts an internal control system in several important ways. Perhaps the most obvious is that technology allows us quicker access to databases and information. Used effectively, technology greatly improves managers’ abilities to monitor and control business activities. This section describes some technological impacts we must be alert to.
Reduced Processing Errors Technologically advanced systems reduce the number of errors in processing information. Provided the software and data entry are correct, the risk of mechanical and mathematical errors is nearly eliminated. However, we must remember that erroneous software or data entry does exist. Also, less human involvement in data processing can cause data entry errors to go undiscovered. Moreover, errors in software can produce consistent but erroneous processing of transactions. Continually checking and monitoring all types of systems are important.
More Extensive Testing of Records A company’s review and audit of electronic records can include more extensive testing when information is easily and rapidly accessed. When accounting records are kept manually, auditors and others likely select only small samples of data to test. When data are accessible with computer technology, however, auditors can quickly analyze large samples or even the entire database.
Limited Evidence of Processing Many data processing steps are increasingly done by computer. Accordingly, fewer hard-copy items of documentary evidence are available for review. Yet technologically advanced systems can provide new evidence. They can, for instance, record who made the entries, the date and time, the source of the entry, and so on. Technology can also be designed to require the use of passwords or other identification before access to the system is granted. This means that internal control depends more on the design and operation of the information system and less on the analysis of its resulting documents.
Crucial Separation of Duties Technological advances in accounting information systems often yield some job eliminations or consolidations. While those who remain have the special skills necessary to operate advanced programs and equipment, a company with a reduced workforce risks losing its crucial separation of duties. The company must establish ways to control and monitor employees to minimize risk of error and fraud. For instance, the person who designs and programs the information system must not be the one who operates it. The company must also separate control over programs and files from the activities related to cash receipts and disbursements. For instance, a computer operator should not control check-writing activities. Achieving acceptable separation of duties can be especially difficult and costly in small companies with few employees.
Technology has encouraged the growth of e-commerce. Amazon.com and eBay are examples of companies that have successfully exploited e-commerce. Most companies have some e-commerce transactions. All such transactions involve at least three risks. (1) Credit card number theft is a risk of using, transmitting, and storing such data online. This increases the cost of e-commerce. (2) Computer viruses are malicious programs that attach themselves to innocent files for purposes of infecting and harming other files and programs. (3) Impersonation online can result in charges of sales to bogus accounts, purchases of inappropriate materials, and the unknowing giving up of confidential information to hackers. Companies use both firewalls and encryption to combat some of these risks—firewalls are points of entry to a system that require passwords to continue, and encryption is a mathematical process to rearrange contents that cannot be read without the process code. Nearly 5% of Americans already report being victims of identity theft, and roughly 10 million say their privacy has been compromised.
Limitations of Internal Control
All internal control policies and procedures have limitations that usually arise from either (1) the human element or (2) the cost–benefit principle.
Internal control policies and procedures are applied by people. This human element creates several potential limitations that we can categorize as either (1) human error or (2) human fraud. Human error can occur from negligence, fatigue, misjudgment, or confusion. Human fraud involves intent by people to defeat internal controls, such as management override, for personal gain. Fraud also includes collusion to thwart the separation of duties. The human element highlights the importance of establishing an internal control environment to convey management’s commitment to internal control policies and procedures. Human fraud is driven by the triple-threat of fraud:
- Opportunity—refers to internal control deficiencies in the workplace.
- Pressure—refers to financial, family, society, and other stresses to succeed.
- Rationalization—refers to employees justifying fraudulent behavior.
The second major limitation on internal control is the cost–benefit principle, which dictates that the costs of internal controls must not exceed their benefits. Analysis of costs and benefits must consider all factors, including the impact on morale. Most companies, for instance, have a legal right to read employees’ e-mails, yet companies seldom exercise that right unless they are confronted with evidence of potential harm to the company. The same holds for drug testing, phone tapping, and hidden cameras. The bottom line is that managers must establish internal control policies and procedures with a net benefit to the company.
CONTROL OF CASH
Cash is a necessary asset of every company. Most companies also own cash equivalents (defined below), which are assets similar to cash. Cash and cash equivalents are the most liquid of all assets and are easily hidden and moved. Cash is also the most desired asset as other assets must be fenced (sold in a secondary market). An effective system of internal controls protects cash assets and it should meet three basic guidelines:
- Handling cash is separate from recordkeeping of cash.
- Cash receipts are promptly deposited in a bank.
- Cash disbursements are made by check.
The first guideline applies separation of duties to minimize errors and fraud. When duties are separated, two or more people must collude to steal cash and conceal this action in the accounting records. The second guideline uses immediate (say, daily) deposits of all cash receipts to produce a timely independent record of the cash received. It also reduces the likelihood of cash theft (or loss) and the risk that an employee could personally use the money before depositing it. The third guideline uses payments by check to develop an independent bank record of cash disbursements. This guideline also reduces the risk of cash theft (or loss).
This section begins with definitions of cash and cash equivalents. Discussion then focuses on controls and accounting for both cash receipts and disbursements. The exact procedures used to achieve control over cash vary across companies. They depend on factors such as company size, number of employees, volume of cash transactions, and sources of cash.
Cash, Cash Equivalents, and Liquidity
Good accounting systems help in managing the amount of cash and controlling who has access to it. Cash is the usual means of payment when paying for assets, services, or liabilities. Liquidity refers to a company’s ability to pay for its near-term obligations. Cash and similar assets are called liquid assets because they can be readily used to settle such obligations. A company needs liquid assets to effectively operate.
Cash includes currency and coins along with the amounts on deposit in bank accounts, checking accounts (called demand deposits), and many savings accounts (called time deposits). Cash also includes items that are acceptable for deposit in these accounts such as customer checks, cashier’s checks, certified checks, and money orders. Cash equivalents are short-term, highly liquid investment assets meeting two criteria: (1) readily convertible to a known cash amount and (2) sufficiently close to their due date so that their market value is not sensitive to interest rate changes. Only investments purchased within three months of their due date usually satisfy these criteria. Examples of cash equivalents are short-term investments in assets such as U.S. Treasury bills and money market funds. To increase their return, many companies invest idle cash in cash equivalents. Most companies combine cash equivalents with cash as a single item on the balance sheet.
Point: The most liquid assets are usually reported first on a balance sheet; the least liquid assets are reported last.
When companies fail, one of the most common causes is their inability to manage cash. Companies must plan both cash receipts and cash payments. The goals of cash management are twofold:
- Plan cash receipts to meet cash payments when due.
- Keep a minimum level of cash necessary to operate.
The treasurer of the company is responsible for cash management. Effective cash management involves applying the following cash management principles.
- Encourage collection of receivables.The more quickly customers and others pay the company, the more quickly that company can use the money. Some companies have cash-only sales policies. Others might offer discounts for payments received early.
- Delay payment of liabilities.The more delayed a company is in paying others, the more time it has to use the money. Some companies regularly wait to pay their bills until the last possible day allowed—although, a company must take care not to hurt its credit standing.
- Keep only necessary levels of assets.The less money tied up in idle assets, the more money to invest in productive assets. Some companies maintain just-in-time inventory; meaning they plan inventory to be available at the same time orders are filled. Others might lease out excess warehouse space or rent equipment instead of buying it.
- Plan expenditures.Money should be spent only when it is available. Companies must look at seasonal and business cycles to plan expenditures.
- Invest excess cash.Excess cash earns no return and should be invested. Excess cash from seasonal cycles can be placed in a bank account or other short-term investment for income. Excess cash beyond what’s needed for regular business should be invested in productive assets like factories and inventories.
Control of Cash Receipts
Internal control of cash receipts ensures that cash received is properly recorded and deposited. Cash receipts can arise from transactions such as cash sales, collections of customer accounts, receipts of interest earned, bank loans, sales of assets, and owner investments. This section explains internal control over two important types of cash receipts: over-the-counter and by mail.
Over-the-Counter Cash Receipts For purposes of internal control, over-the-counter cash receipts from sales should be recorded on a cash register at the time of each sale. To help ensure that correct amounts are entered, each register should be located so customers can read the amounts entered. Clerks also should be required to enter each sale before wrapping merchandise and to give the customer a receipt for each sale. The design of each cash register should provide a permanent, locked-in record of each transaction. In many systems, the register is directly linked with computing and accounting services. Less advanced registers simply print a record of each transaction on a paper tape or electronic file locked inside the register.
Proper internal control prescribes that custody over cash should be separate from its recordkeeping. For over-the-counter cash receipts, this separation begins with the cash sale. The clerk who has access to cash in the register should not have access to its locked-in record. At the end of the clerk’s work period, the clerk should count the cash in the register, record the amount, and turn over the cash and a record of its amount to the company cashier. The cashier, like the clerk, has access to the cash but should not have access to accounting records (or the register tape or file). A third employee, often a supervisor, compares the record of total register transactions (or the register tape or file) with the cash receipts reported by the cashier. This record is the basis for a journal entry recording over-the-counter cash receipts. The third employee has access to the records for cash but not to the actual cash. The clerk and the cashier have access to cash but not to the accounting records. None of them can make a mistake or divert cash without the difference being revealed—see the following diagram.
Point: Convenience stores sometimes display a sign: Cashier has no access to cash in locked floor (or wall) safe. Such signs help thwart theft and holdups because of lack of access to the floor (or wall) safe.
Cash Receipts by Mail Control of cash receipts that arrive through the mail starts with the person who opens the mail. Preferably, two people are assigned the task of, and are present for, opening the mail. In this case, theft of cash receipts by mail requires collusion between these two employees. Specifically, the person(s) opening the mail enters a list (in triplicate) of money received. This list should contain a record of each sender’s name, the amount, and an explanation of why the money is sent. The first copy is sent with the money to the cashier. A second copy is sent to the recordkeeper in the accounting area. A third copy is kept by the clerk(s) who opened the mail. The cashier deposits the money in a bank, and the recordkeeper records the amounts received in the accounting records.
This process reflects good internal control. That is, when the bank balance is reconciled by another person (explained later in the chapter), errors or acts of fraud by the mail clerks, the cashier, or the recordkeeper are revealed. They are revealed because the bank’s record of cash deposited must agree with the records from each of the three. Moreover, if the mail clerks do not report all receipts correctly, customers will question their account balances. If the cashier does not deposit all receipts, the bank balance does not agree with the recordkeeper’s cash balance. The recordkeeper and the person who reconciles the bank balance do not have access to cash and therefore have no opportunity to divert cash to themselves. This system makes errors and fraud highly unlikely. The exception is employee collusion.
Control of Cash Disbursements
Control of cash disbursements is especially important as most large thefts occur from payment of fictitious invoices. One key to controlling cash disbursements is to require all expenditures to be made by check. The only exception is small payments made from petty cash. Another key is to deny access to the accounting records to anyone other than the owner who has the authority to sign checks. A small business owner often signs checks and knows from personal contact that the items being paid for are actually received. This arrangement is impossible in large businesses. Instead, internal control procedures must be substituted for personal contact. Such procedures are designed to assure the check signer that the obligations recorded are properly incurred and should be paid. This section describes these and other internal control procedures, including the voucher system and petty cash system.
Cash Budget Projected cash receipts and cash disbursements are often summarized in a cash budget. Provided that sufficient cash exists for effective operations, companies wish to minimize the cash they hold because of its risk of theft and its low return versus other investment opportunities.
Lock Box Some companies do not receive cash in the mail but, instead, elect to have customers send deposits directly to the bank using a lock box system. Bank employees are charged with receipting the cash and depositing it in the correct business bank account.
Voucher System of Control A voucher system is a set of procedures and approvals designed to control cash disbursements and the acceptance of obligations. The voucher system of control establishes procedures for
- Verifying, approving, and recording obligations for eventual cash disbursement.
- Issuing checks for payment of verified, approved, and recorded obligations.
A reliable voucher system follows standard procedures for every transaction. This applies even when multiple purchases are made from the same supplier.
A voucher system’s control over cash disbursements begins when a company incurs an obligation that will result in payment of cash. A key factor in this system is that only approved departments and individuals are authorized to incur such obligations. The system often limits the type of obligations that a department or individual can incur. In a large retail store, for instance, only a purchasing department should be authorized to incur obligations for merchandise inventory. Another key factor is that procedures for purchasing, receiving, and paying for merchandise are divided among several departments (or individuals). These departments include the one requesting the purchase, the purchasing department, the receiving department, and the accounting department. To coordinate and control responsibilities of these departments, a company uses several different business documents. Documents are accumulated in a voucher, which is an internal document (or file) used to accumulate information to control cash disbursements and to ensure that a transaction is properly recorded. This specific example begins with a purchase requisition and concludes with a check drawn against cash. Appendix 6A describes the documentation and verification necessary for a voucher system of control. It also describes the internal control objective served by each document.
A voucher system should be applied not only to purchases of inventory but to all expenditures. To illustrate, when a company receives a monthly telephone bill, it should review and verify the charges, prepare a voucher (file), and insert the bill. This transaction is then recorded with a journal entry. If the amount is currently due, a check is issued. If not, the voucher is filed for payment on its due date. If no voucher is prepared, verifying the invoice and its amount after several days or weeks can be difficult. Also, without records, a dishonest employee could collude with a dishonest supplier to get more than one payment for an obligation, payment for excessive amounts, or payment for goods and services not received. An effective voucher system helps prevent such frauds.