Internal Control Systems
Internal Control
This paper examines the premise that, within any organization, there are inherent limitations of internal control systems. Internal controls are established to meet certain business requirements, and are intended to:
Protect an organization from waste, fraud and inefficiency
Ensure the accuracy and reliability of accounting and operating data
Secure compliance with the organization's policies
Evaluate the performance of units within the organization (Kansas State University, 2003).
Given these goals, it can be seen that internal controls relate to good business practices.
The challenge of establishing and maintaining internal control lies in the fact that there is just no such thing as the perfect control system. Given that the cost of implementing a control should not exceed its expected benefit, then that constraint in itself implies an upper limit on what is possible for an organization to implement. As Trenerry (1999, p.20) observes, "Most internal control systems are cost-effective and are designed with a certain cost/benefit ratio as a limitation. This means that some errors will never be identified."
In practice, there are various other limitations on internal control as well. In addition to budget constraints, the list of possible limitations on internal control includes staff size. Another constraint is imposed by the element of human error, misunderstandings, fatigue and stress. Still another is the desire to commit fraud, theft, or embezzlement. Many internal control systems cannot detect a cover-up by two or more people acting together to commit fraud. Trenerry (1999, pp. 19-20) offers the example of EFC (Equity Funding Corporation) where more than 40 middle and senior managers conspired to commit fraud, which collusion went undetected for a span of 10 years.
Business growth can become another internal control limitation. When a company grows or diversifies, those activities can render controls ineffective or inoperative. Internal controls should manage a business's risk, and when operations change, the internal control system may be inadequate for the new conditions. Procedures that were once effective can become less effective, due to the arrival of new personnel, or due to varying effectiveness of training and supervision, or to additional pressures. Or, the circumstances for which the internal control system was originally designed can also change (Kansas State University, 2003).
One of the basic principles of internal control requires segregation of duties. That is, if the same person handles multiple functions, the potential for fraud or error exists and must be managed. Implementing this principle means that the responsibility for related activities must be assigned to different individuals, and the responsibility for record keeping for an asset must be separate from the physical custody of the asset.
An example of implementing an internal control procedure is the way that purchasing activities are managed. Such related activities as ordering merchandise, receiving goods, and paying or authorizing payment for merchandise should be assigned to different individuals. If the same individual handles these functions, the opportunity exists for unauthorized purchase or use, fraud, theft or simple human error.
Another internal control example requiring segregation of duties involves payroll accounting activities. Siegel and Shim (2006, pp. 821- 822) discuss a number of payroll duties which should be handled by different people:
Hiring, preparing and approving payroll
Distributing and recording payroll
Payroll bank reconciliation
By distributing these duties among different employees, an organization decreases the likelihood of fraudulent activity or errors related to the payroll function.
Moreover, internal control procedures must require authorization over hiring, firing or laying off, as well as changes in salary rates, and vacation and leave time. Siegel and Shim (2006, pp. 821- 822) also recommend that time and attendance records be monitored; that payments should be made with pre-numbered checks. They suggest a procedure be in place such that when a payroll amount exceeds a specified limit, it should require two signatures. In each case, having more than one employee be responsible for a given payroll activity makes it less likely that theft or embezzlement will occur.
When an organization lacks internal control, there are indications of potential problem areas. The American Institute of CPAs (AICPA) states that fraud symptoms can generally be classified into one of two categories, either accounting symptoms or analytical symptoms. Accounting symptoms can include:
Source docs that have been manipulated
Counterfeited, altered or photocopied documents
Questionable handwriting on documents
Duplicate payments
You’re 80% through this paper. Sign up to read the full paper.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.