م3

SSRN, 2009 TOP
10 PAPER,
A clear look at
Internal Controls:
[Theory and Concepts]
Hamed Arad (Philee)

Department of accounting, Islamic Azad University, Hamedan, Iran
Babak Jamshedy-Navid
Faculty Member of Islamic Azad University, Kerman-shah, Iran
Research Paper, July 2009, Social Science Research Network
Electronic copy available at: http://ssrn.com/abstract=1342048
March 2010
SSRN Digital Library, History of Accounting
Electronic
Electronic copy
copyavailable
availableat:
at:https://ssrn.com/abstract=1342048
http://ssrn.com/abstract=1342048
SSRN, USA 2010 A Clear Look at Internal Control: Theory and Concepts
Social Science Research Network (SSRN)

UNITED STATES OF AMERICA
Hamed Arad (Philee)* (Corresponding Author)

Department of accounting, Islamic Azad University, Hamedan, Iran
Babak Jamshedy-Navid
Faculty Member of Islamic Azad University, Kerman shah, Iran
JEL Classifications: M41
Submitted February, 2009
Date posted: February 13, 2009; last revised: April, 2010

This paper can be downloaded from the
Social Science Research Network Electronic Paper Collection:
Abstract: internal control is an accounting procedure or system designed to

promote efficiency or assure the implementation of a policy or safeguard
assets or avoid fraud and error. Internal Control is a major part of managing
an organization. It comprises the plans, methods, and procedures used to
meet missions, goals, and objectives and, in doing so, support performance-
based management. Internal Control which is equal with management
control helps managers achieve desired results through effective stewardship
of resources. Internal controls should reduce the risks associated with
undetected errors or irregularities, but designing and establishing effective
internal controls is not a simple task and cannot be accomplished through a
short set of quick fixes. In this paper the concepts of internal controls and
different aspects of internal controls are discussed.
Paper type: General Review

Keywords: Internal Control, management controls, Control
Environment, Control Activities, Monitoring
Top 10 Paper, First Quarterly 2009 1
Electronic
Electroniccopy
copyavailable
availableat:
at:https://ssrn.com/abstract=1342048
1. Introduction
The necessity of control in new variable business environment is not
latent for any person and management as a response factor for
stockholders and another should implement a great control over
his/her organization. Control is the activity of managing or exerting
control over something. The emergence and development of
systematic thoughts in recent decade required a new attention to
business resource and control over this wealth. One of the hot topic a
bout controls over business resource is analyzing the cost-benefit of
each control.
Internal Controls serve as the first line of defense in safeguarding

assets and preventing and detecting errors and fraud. We can say
Internal control is a whole system of controls financial and otherwise,
established by the management for the smooth running of business; it
includes internal cheek, internal audit and other forms of controls.
COSO describe Internal Control as follow. Internal controls are the

methods employed to help ensure the achievement of an objective. In
accounting and organizational theory, Internal control is defined as a
process effected by an organization's structure, work and authority
flows, people and management information systems, designed to help
the organization accomplish specific goals or objectives. It is a means
by which an organization's resources are directed, monitored, and
measured. It plays an important role in preventing and detecting fraud
and protecting the organization's resources, both physical (e.g.,
machinery and property) and intangible (e.g., reputation or intellectual
property such as trademarks). At the organizational level, internal
control objectives relate to the reliability of financial reporting, timely
feedback on the achievement of operational or strategic goals, and
compliance with laws and regulations. At the specific transaction level,
internal control refers to the actions taken to achieve a specific
objective (e.g., how to ensure the organization's payments to third
parties are for valid services rendered.) Internal control procedures
reduce process variation, leading to more predictable outcomes.
Internal controls within business entities are called also business controls.
They are tools used by manager's everyday.
 Writing procedures to encourage compliance, locking

your office to discourage theft, and reviewing your
monthly statement of account to verify transactions are
common internal controls employed to achieve specific
objectives.
All managers use internal controls to help assure that their units
operate according to plan, and the methods they use--policies,
Electronic copy available at: https://ssrn.com/abstract=1342048

procedures, organizational design, and physical barriers-constitute.

Internal control is a combination of the following:
1. Financial controls, and

2. Other controls
According to the institute of chartered accountants of India internal

control is the plan of organization and all the methods and procedures
adopted by the management of an entity to assist in achieving
management objective of ensuring as far as possible the orderly and
efficient conduct of its business including adherence to management
policies, the safe guarding of assets prevention and detection of frauds
and error the accuracy and completeness of the accounting records
and timely preparation of reliable financial information, the system of
internal control extends beyond those matters which relate to the
function of accounting system. In other words internal control system of
controls lay down by the management for the smooth running of the
business for the accomplishment of its objects. These controls can be
divided in two parts i.e. financial control and other controls.
Financial controls:
- Controls for recording accounting transactions properly.

- Controls for proper safe guarding company assets like
cash stock bank debtor etc
- Early detection and prevention of errors and frauds.
- Properly and timely preparation of financial records I e
balance sheet and profit and loss account.
- To maximize profit and minimize cost.
Other controls: Other controls include the following:
Quality controls.
Control over raw materials.
Control over finished products.
Marketing control, etc
2. Definition of internal controls
There are many definitions of internal control, as it affects the various

constituencies (stakeholders) of an organization in various ways and at
different levels of aggregation.
One of the definitions of internal controls is as follow:

"Internal Control is a process affected by an entity's board of

directors, management and other personnel designed to
provide reasonable assurance regarding the achievement of
objectives in the following categories namely.
- Effectiveness and Efficiency of Operations

- Reliability of Financial Reporting
- Compliance with Applicable Laws and Regulations"
In AU Section 319 "Consideration of Internal Control in a Financial

Statement Audit" internal control described as:
Internal control is a process—effected by an entity’s

board of directors, management, and other personnel—
designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
(a) reliability of financial reporting, (b) effectiveness and
efficiency of operations, and (c) compliance with
applicable laws and regulations.
According AU section 319 internal control consists of five interrelated

components:
a. Control environment sets the tone of an organization,

influencing the control consciousness of its people. It is the
foundation for all other components of internal control,
providing discipline and structure.
b. Risk assessment is the entity’s identification and analysis of
relevant risks to achievement of its objectives, forming a
basis for determining how the risks should be managed.
c. Control activities are the policies and procedures that
help ensure that management directives are carried out.
d. Information and communication systems support the
identification, capture, and exchange of information in a
form and time frame that enable people to carry out their
responsibilities.
e. Monitoring is a process that assesses the quality of internal
control performance over time.
Several key points should be made about this definition:
1. People at every level of an organization affect internal control.

Internal control is, to some degree, everyone's responsibility.

2. Effective internal control helps an organization achieve its

operations, financial reporting, and compliance objectives.
Effective internal control is a built-in part of the management
process (i.e., plan, organize, direct, and control). Internal control
keeps an organization on course toward its objectives and the
achievement of its mission, and minimizes surprises along the
way. Internal control promotes effectiveness and efficiency of
operations, reduces the risk of asset loss, and helps to ensure
compliance with laws and regulations. Internal control also
ensures the reliability of financial reporting (i.e., all transactions
are recorded and that all recorded transactions are real,
properly valued, recorded on a timely basis, properly classified,
and correctly summarized and posted).
3. Internal control can provide only reasonable assurance - not

absolute assurance - regarding the achievement of an
organization's objectives. Effective internal control helps an
organization achieve its objectives; it does not ensure success.
There are several reasons why internal control cannot provide
absolute assurance that objectives will be achieved:
cost/benefit realities, collusion among employees, and external
events beyond an organization's control.
Under the COSO Internal Control-Integrated Framework, a widely-

used framework in the United States, internal control is broadly defined
as a process, effected by an entity's board of directors, management,
and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories: a)
Effectiveness and efficiency of operations; b) Reliability of financial
reporting; and c) Compliance with laws and regulations.
COSO defines internal control as having five components:
1. Control Environment-sets the tone for the organization,

influencing the control consciousness of its people. It is the
foundation for all other components of internal control.
2. Risk Assessment-the identification and analysis of relevant risks to
the achievement of objectives, forming a basis for how the risks
should be managed
3. Information and Communication-systems or processes that
support the identification, capture, and exchange of information
in a form and time frame that enable people to carry out their
responsibilities
4. Control Activities-the policies and procedures that help ensure
management directives are carried out.

5. Monitoring-processes used to assess the quality of internal control

performance over time.
The COSO definition relates to the aggregate control system of the

organization, which is composed of many individual control
procedures.
Discrete control procedures or controls are defined by the SEC as:

"...a specific set of policies, procedures, and activities designed to
meet an objective. A control may exist within a designated function or
activity in a process. A control’s impact...may be entity-wide or specific
to an account balance, class of transactions or application. Controls
have unique characteristics – for example, they can be: automated or
manual; reconciliations; segregation of duties; review and approval
authorizations; safeguarding and accountability of assets; preventing
or detecting error or fraud. Controls within a process may consist of
financial reporting controls and operational controls (that is, those
designed to achieve operational objectives)."
3. Type of internal control
Most internal controls can be classified as preventive or detective.
Preventive controls are designed to discourage errors or irregularities.
 A computer application which checks validity prevents the

entry of an invalid account number.
 Reading and understanding business Human Resource
policies, such as Work Hours [for PA Staff], helps prevent
violations of the Federal Fair Labor Standards Act. [Human
Resources Professional Staff Policy 2.14]
 A manager's review of purchases for propriety and validity
prior to approval prevents inappropriate expenditures.
Detective controls are designed to identify an error or irregularity after it

has occurred.
 An exception report detects and lists incorrect or invalid

entries or transactions.
 A comparison of validated Cash Receipt Vouchers to
monthly financial statements will detect deposits posted to
erroneous accounts.
 The manager's review of long distance telephone charges
will detect improper or personal calls that should not have
been charged to the account.

Through careful design, the system of internal controls can help our unit
operate more efficiently and effectively and provide a reasonable
level of assurance that the processes and products for which you are
responsible are adequately protected.
 Maintaining written procedures for manual processing will

ensure that operations can continue in the event of
computer failure.
4. The factors of internal controls
Internal control consists of five interrelated components as follows:
· Control (or Operating) environment

· Risk assessment
· Control activities
· Information and communication
· Monitoring
All five internal control components must be present to conclude that

internal control is effective.
A. Control Environment
The control environment sets the tone of an organization, influencing

the control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure.
According to AU section 309, Control environment factors include the
following:
a. Integrity and ethical values

b. Commitment to competence
c. Board of directors or audit committee participation
d. Management's philosophy and operating style
e. Organizational structure
f. Assignment of authority and responsibility
g. Human resource policies and practices
The auditor should obtain sufficient knowledge of the control

environment to understand management's and the board of directors'
attitude, awareness, and actions concerning the control environment,

considering both the substance of controls and their collective effect.

The auditor should concentrate on the substance of controls rather
than their form, because controls may be established but not acted
upon. For example, management may establish a formal code of
conduct but act in a manner that condones violations of that code.
When obtaining an understanding of the control environment, the

auditor considers the collective effect on the control environment of
strengths and weaknesses in various control environment factors.
Management's strengths and weaknesses may have a pervasive effect
on internal control. For example, owner-manager controls may
mitigate a lack of segregation of duties in a small business, or an active
and independent board of directors may influence the philosophy and
operating style of senior management in larger entities. Alternatively,
management’s failure to commit sufficient resources to address
security risks presented by IT may adversely affect internal control by
allowing improper changes to be made to computer programs or to
data, or by allowing unauthorized transactions to be processed.
Similarly, human resource policies and practices directed toward hiring
competent financial, accounting, and IT personnel may not mitigate a
strong bias by top management to overstate earnings.
B. Risk Assessment
An entity's risk assessment for financial reporting purposes is its

identification, analysis, and management of risks relevant to the
preparation of financial statements that are fairly presented in
conformity with generally accepted accounting principles. For
example, risk assessment may address how the entity considers the
possibility of unrecorded transactions or identifies and analyzes
significant estimates recorded in the financial statements. Risks relevant
to reliable financial reporting also relate to specific events or
transactions.
Risks relevant to financial reporting include external and internal

events and circumstances that may occur and adversely affect an
entity's ability to initiate, record, process, and report financial data
consistent with the assertions of management in the financial
statements. Risks can arise or change due to circumstances such as the
following:
 Changes in operating environment

 New personnel
 New or revamped information systems
 Rapid growth
 New technology
 New business models, products, or activities

 Corporate restructurings
 Expanded foreign operations
 New accounting pronouncements
An entity's risk assessment differs from the auditor's consideration of

audit risk in a financial statement audit. The purpose of an entity's risk
assessment is to identify, analyze, and manage risks that affect entity
objectives. In a financial statement audit, the auditor assesses inherent
and control risks to evaluate the likelihood that material misstatements
could occur in the financial statements.
C. Control Activities
Control activities are the policies and procedures that help ensure
that management directives are carried out. They help ensure that
necessary actions are taken to address risks to achievement of the
entity's objectives. Control activities, whether automated or manual,
have various objectives and are applied at various organizational and
functional levels. Generally, control activities that may be relevant to
an audit may be categorized as policies and procedures that pertain
to the following:
 Performance reviews
 Information processing
 Physical controls
 Segregation of duties
The auditor should obtain an understanding of those control activities

relevant to planning the audit. As the auditor obtains an understanding
of the other components, he or she is also likely to obtain knowledge
about some control activities. For example, in obtaining an
understanding of the documents, records, and processing steps in the
financial reporting information system that pertain to cash, the auditor
is likely to become aware of whether bank accounts are reconciled.
The auditor should consider the knowledge about the presence or
absence of control activities obtained from the understanding of the
other components in determining whether it is necessary to devote
additional attention to obtaining an understanding of control activities
to plan the audit. Ordinarily, audit planning does not require an
understanding of the control activities related to each account
balance, transaction class, and disclosure component in the financial
statements or to every assertion relevant to them.
Note: For purposes of evaluating the effectiveness of

internal control over financial reporting, the auditor's
understanding of control activities encompasses a

broader range of accounts and disclosures than what is

normally obtained in a financial statement audit.
The auditor should obtain an understanding of how IT affects control

activities that are relevant to planning the audit. Some entities and
auditors may view the IT control activities in terms of application
controls and general controls. Application controls apply to the
processing of individual applications. Accordingly, application controls
relate to the use of IT to initiate, record, process, and report
transactions or other financial data. These controls help ensure that
transactions occurred, are authorized, and are completely and
accurately recorded and processed. Examples include edit checks of
input data, numerical sequence checks, and manual follow-up of
exception reports.
General controls are policies and procedures that relate to many

applications and support the effective functioning of application
controls by helping to ensure the continued proper operation of
information systems. General controls commonly include controls over
data center and network operations; system software acquisition and
maintenance; access security; and application system acquisition,
development, and maintenance.
d. Information and Communication
Information and communication are essential to effecting control;

information about an organization's plans, control environment, risks,
control activities, and performance must be communicated up, down,
and across an organization.
E. Monitoring
Monitoring is the assessment of internal control performance over time;

it is accomplished by ongoing monitoring activities and by separate
evaluations of internal control such as self-assessments, peer reviews,
and internal audits.
Note: Some of the factors in internal controls are those factors to

ensuring about atmosphere of strong internal control throughout all
agencies. These factors are reasonable assurance, supportive attitude,
competent personnel, control objectives, control techniques and
continuous monitoring.
Reasonable assurance: Internal control systems are to provide

reasonable assurance that management objectives are
accomplished. A sound system recognizes that the cost of

internal control should not exceed the benefits achieved, and

reasonable assurance equates to a satisfactory level of
confidence given the considerations of costs, benefits and risks.
The required determinations call for judgment to be exercised by
agency staff.
In exercising that judgment, agencies should:
a) Identify:
 Risks inherent in agency operations,

 Criteria for determining low, medium, and high risks,
 An acceptable level of risk under varying
circumstances.
b) Assess the quantity and quality of risks.
Costs refer to the financial measure of resources consumed in

accomplishing a specified purpose; costs can also represent a lost
opportunity, a decline in service or low employee morale. A benefit is
measured by the degree that the risk of failing to achieve a stated
objective is reduced. Examples include increasing the chance of
detecting fraud, waste, abuse or error, preventing an improper activity,
or increasing regulatory compliance.
Supportive attitude: This standard requires that management and

employees maintain and show a supportive attitude toward internal
control at all times. Managers and employees are to be attentive to
internal control matters. They need to take steps to promote the
effectiveness of the control. Attitude affects the quality of performance
and the quality of internal control.
A positive and supportive attitude is started and fostered by

management. It is ensured when internal control is consistently a
management priority. Positive attitudes are fostered by managers'
commitment to achieving strong control. This commitment is met
through good organizational structure, personnel practices,
communication, protection and use of resources. Systematic
accountability, monitoring and systems of reporting and general
leadership are required. One important way to prove management's
support for good internal control is emphasizing the value of internal
auditing. The manager also proves commitment by showing
responsiveness to information developed through internal audits.

The organization of an agency provides its management with the

overall framework for planning, directing, and controlling its operations.
Good internal control requires clear separation of duties.
General leadership is critical to maintaining a positive and supportive

attitude toward internal control. Adequate supervision, training, and
motivation of employees in the area of internal control are important.
Competent personnel: Managers and employees are to have personal

and professional integrity. They are to be qualified to perform their
assigned duties, as well as to understand the importance of ensuring
sound internal controls. Personal and professional integrity must be
shown.
Many elements influence the integrity of managers and their staff. For
example, personnel should periodically be reminded of their
obligations under an operative code of conduct.
Hiring and staffing decisions should include proof of education and

experience. Once on the job, the individual should be given formal
and on-the-job training. Managers who have a good understanding of
internal control are vital to effective control systems.
Counseling and performance appraisals are also important. Part of

the appraisal should be based on determining that they support
implementation and maintenance of internal control.
Control objectives: Each internal control has some objectives. Internal

control objectives are to be identified or developed for each agency
activity. They are to be logical, applicable, and reasonably complete.
Internal control objectives should be tailored to an agency's
operations.
We can demonstrate all of any agency operations as agency cycle

that can be grouped into one or more groups. Cycles make up all
specific activities (such as identifying, classifying, recording, and
reporting information) required to process a transaction or event.
Cycles should be compatible with an agency's organization and
division of responsibilities.
Financial cycles cover the traditional control areas concerned with

revenues and expenditures, assets, and financial information. Figure 1
show some of these cycles.

- The financial Reporting Cycle encompasses the year-end

accounting procedures and financial statement preparation.
The cycle includes the recording of accruals and compilation of
financial statement information.
- The Budget Reporting Cycle includes the establishment,

revision, reporting and administration of the budgets as directed
by the entity and Office of State Budget and Management.
- The Cash Receipts Cycle involves the preparation of receipts,

deposits, and special reports for the funds received by an entity.
The cycle could also include petty cash transactions. An entity
may have more than one receipting area. If the processes are
different indicate the variations on the internal control
questionnaire.
- The Accounts Receivable Cycle includes the recording,

collection, billing and aging of accounts receivable. An entity
may have several accounts receivable systems. A separate

internal control questionnaire should be completed for each

accounts receivable cycle.
- The Purchasing/Accounts Payable Cycle records the purchase

and payments for goods and services for all non-salary expense
transactions. The cycle includes the recording of obligations,
issuance of checks and the liquidation of encumbrances. There
could be several different accounts payable systems within an
entity. A separate internal control questionnaire should be
completed for each separate accounts payable and
purchasing system. For example, a university may have university
purchasing/accounts payable and stores purchasing and
payable.
- The Human Resource Cycle pertains to the preparation and

maintenance of payroll and personnel records required by state
and federal governmental agencies for employees within the
entity.
- The Inventory Cycle involves the receiving and maintenance of

various inventory items within an entity. The items may include
supplies, uniforms, food or household items. The cycle would
include the physical inventory of the items. A separate internal
control questionnaire would be needed for each different
inventory method.
- The Capital Assets Cycle should adequately document, control

and account for the expenditure of state and federal funds for
capital items. The capital assets cycle provides history of capital
items from purchase or installation to disposal. The fixed asset
system refers to automated and manual systems within the entity.
- The Computer Security Cycle involves the existence of data

logs, procedures for disaster control and recovery and
authorization codes.
- The Investment Cycle comprises the acquisition, disposal,

record keeping and monitoring of market values of securities
held by the entity.
- The Debt Cycle involves the processing and recording of debt.

The cycle includes the issuance, retirement and redemption of
bonds.
- The Tax/Payroll Compliance Cycle involves the preparation of

information returns required by the Internal Revenue Service for

employees and non-employees of the governmental entity. The

cycle includes the determination of employee status and proper
reporting of employment related moving expense
reimbursements.
- The Major Financial Assistance Cycle for federal and state

programs relates to the administration and financial
management of contracts and grants awarded by federal and
state programs. The internal control questionnaire for the major
financial assistance cycle is divided into nine sections including
eligibility, types of service, and matching or level of effort. A
separate questionnaire is to be completed for each major grant
or award. A major grant or award is defined to be programs
receiving $19 million or more from the federal government.
Control techniques: Internal control techniques are the means by

which control objectives are achieved. Techniques include such things
as policies, procedures, separation of duties, and physical
arrangements. This standard requires that internal control techniques
continually provide a high degree of assurance that the internal
control objectives are being achieved.
To make sure the control objectives are being achieved; the

techniques must be effective and efficient. To be effective, techniques
should fulfill their intended purpose in actual application. They should
provide the coverage and operation as intended. As for efficiency,
techniques should be designed to derive maximum benefit with
minimum effort. Techniques tested for effectiveness and efficiency
should be those in actual operation and should be evaluated over
time.
Continuous monitoring: One of the important factors in designing

internal controls is continuous monitoring and controls. Agency heads
are to set up and maintain a program of internal review that is
designed to identify internal control weaknesses. Needed changes are
to be implemented to correct any weaknesses.
Other factors in internal control systems are:
Documentation: Internal control systems, as well as all transactions and

other significant events are to be clearly documented. Such
documentation is to be readily available for examination. This standard
requires written evidence of an agency's internal control objectives,
techniques and accounting systems.

Documentation of internal control systems should include

identification of the cycles and related objectives and techniques. It
should appear in management directives, administrative policy, and
accounting manuals. Documentation of transactions or other
significant events should be complete and accurate. The transaction
should be traced from its inception through its completion.
Recording of transaction and events: This standard requires that

transactions and other significant events be promptly recorded and
properly classified. Transactions must be promptly recorded if
information is to maintain its value to management in decision-making
and in controlling operations. This standard applies to:
 The entire process or life cycle of a transaction or event,

including the initiation and authorization.
 Its final classification in summary records.
Execution of transaction and events: Transactions and other significant

events are to be authorized and executed only by persons acting
within the scope of their authority. Such authorization deals with
decisions to exchange, transfer, use, or commit resources for specified
purposes and conditions. It is the principal means of assuring that only
valid transactions and other events are entered.
Authorization should be clearly communicated to managers and

employees. Documentation should include the specific conditions and
terms under which authorizations are made. Conforming to the terms
of this standard means employees are carrying out their assigned
duties as set up by management.
Separation of duties: It is necessary to reduce the risk of error, waste, or

wrongful acts as well as the risk of such acts going undetected. This is
achieved by making sure no one individual controls all key aspects of a
transaction or event. Duties and responsibilities should be assigned to
different individuals to be sure those effective checks and balances
exist.
Key duties include the following: authorizing, approving, and

recording transactions, issuing and receiving assets, making payments,
and reviewing or auditing transactions. Collusion can reduce or destroy
the effectiveness of this internal control standard.

Supervision: Qualified and continuous supervision is to be provided to

ensure that internal control objectives are achieved. This requires
supervisors to review and approve the assigned work of their staffs. It
also requires that staffs are provided with the necessary guidance and
training to reduce errors, waste, and wrongful acts. Specific
management directives must be achieved.
Assignment, review, and approval of a staff's work require that duties

be clearly communicated to each staff member. Each staff member's
work must be reviewed to the extent necessary. The work must be
approved at critical points to be sure that work flows as intended.
Assignment, review, and approval of a staff member's work should

result in the proper processing of transactions and events. This includes
following approved procedures and requirements. Errors,
misunderstandings, and improper practices must be detected and
eliminated. Wrongful acts must be prevented from occurring or
recurring.
Access to assets and accountability for assets: An individual is to be

assigned custody, accountability, and maintenance for assets.
Periodic comparison should be made of the assets with the records to
determine whether the two agree.
The basic concept behind restricting access to assets is to reduce

the risk of unauthorized use or loss, and to help achieve management
goals. Restricting access to assets depends upon the vulnerability of
the assets and the perceived risk of loss. These two factors should be
assessed periodically. For example, access to and accountability for
documents, such as checks, can be achieved by:
 Locking them in a safe,

 Assigning a sequential number,
 Assigning custodial responsibility.
Assigning and maintaining accountability for assets involves directing

and communicating responsibility to specific individuals within an
agency.
5. What is the manager's responsibility about internal controls?
Managers are responsible for ensuring that internal controls are

established and functioning to achieve the mission and objectives of
your unit. To evaluate internal controls, in first managers should think

about some objectives and then identify his/her unit's specific

objectives.
 Propriety of Transactions for all activity within accounts for

which the manager is
 Reliability and Integrity of Information for internal
management decisions and external agency reports
 Compliance with Policies and Government Regulations,
including but not limited to: Human Resources, Financial,
Purchasing, granting agencies, and state and federal
government
 Safeguarding Assets, including physical objects and
business data
 Economy and Efficiency of Operations to optimize the use
of limited resources in accomplishing the mission of the unit
and organization
Then management should identify what controls currently exist (or

should be established) to reasonably assure the achievement of each
specific objective for your unit.
6. PARTIES RESPONSIBLE FOR AND AFFECTED BY INTERNAL

CONTROL
While all of an organization's people are an integral part of internal

control, certain parties merit special mention. These include
management, the board of directors (including the audit commit tee),
internal auditors, and external auditors.
The primary responsibility for the development and maintenance of

internal control rests with an organization's management. With
increased significance placed on the control environment, the focus of
internal control has changed from policies and procedures to an
overriding philosophy and operating style within the organization.
Emphasis on these intangible aspects highlights the importance of top
management's involvement in the internal control system. If internal
control is not a priority for management, then it will not be one for
people within the organization either.
As an indication of management's responsibility, top management at

a publicly owned organization will include in the organization's annual
financial report to the shareholders a statement indicating that
management has established a system of internal control that

management believes is effective. The statement may also provide

specific details about the organization's internal control system.
Internal control must be evaluated in order to provide management

with some assurance regarding its effectiveness. Internal control
evaluation involves everything management does to control the
organization in the effort to achieve its objectives. Internal control
would be judged as effective if its components are present and
function effectively for operations, financial reporting, and
compliance. The boards of directors and its audit committee have
responsibility for making sure the internal control system within the
organization is adequate. This responsibility includes determining the
extent to which internal controls are evaluated. Two parties involved in
the evaluation of internal control are the organization's internal auditors
and their external auditors.
Internal auditors' responsibilities typically include ensuring the

adequacy of the system of internal control, the reliability of data, and
the efficient use of the organization's resources. Internal auditors
identify control problems and develop solutions for improving and
strengthening internal controls. Internal auditors are concerned with
the entire range of an organization's internal controls, including
operational, financial, and compliance controls.
Internal control will also be evaluated by the external auditors.

External auditors assess the effectiveness of internal control within an
organization to plan the financial statement audit. In contrast to
internal auditors, external auditors focus primarily on controls that affect
financial reporting. External auditors have a responsibility to report
internal control weaknesses (as well as reportable conditions about
internal control) to the audit committee of the board of directors.
7. What can endanger internal controls?
While many circumstances may compromise the effectiveness of

internal control structure, a few of the most common and serious of
these warrant special mention:
Inadequate Segregation of Duties - Separating responsibility for

physical custody of an asset from the related record keeping is a
critical control.

 Persons who can authorize purchase orders (Purchasing)

should not be capable of processing payments (Accounts
Payable).
 The person who prepares the deposit should not post the
receipts to the customer accounts.
 The person who prepares the payroll voucher should not
distribute or have custody of the payroll checks.
Inappropriate Access to Assets - Internal controls should provide

safeguards for physical objects, restricted information, critical forms,
and update applications.
 An employee who only needs to view computer

information should be restricted to Read and File Scan
access and should not be granted Write and Create
access.
 Only authorized individuals should be issued keys for
restricted areas.
Form Over Substance - Controls can appear to be well designed but

still lack substance, as is often the case with required approvals.
 The account manager's signature attests to the accuracy

of the payroll voucher information, but if the account
manager does not have assurance that the supporting
time records are accurate, the approval process lacks
substance.
Control Override - Exceptions to established policies are sometimes

necessary to accomplish a specific task, but can pose a significant risk
if not effectively monitored and limited.
 Thorough documentation and approval of all exceptions

will help management ensure the availability of a clear
explanation for unusual transactions or events. A periodic
review of these exceptions also helps to identify the need
for policy or procedural changes.
Inherent Limitations - There is no such thing as a perfect control system.

Staff size limitations may obstruct efforts to properly segregate duties,
which requires the implementation of compensating controls to ensure
that objectives are achieved. A limitation inherent in any system is the
element of human error (misunderstandings, fatigue, and stress).
 A manager who encourages employees to take earned

vacation time can improve operations through cross

training while enabling employees to overcome or avoid

stress and fatigue.

8. Limitations of an Entity's Internal Control
Internal control, no matter how well designed and operated, can

provide only reasonable assurance of achieving an entity's control
objectives. The likelihood of achievement is affected by limitations
inherent to internal control. These include the realities that human
judgment in decision-making can be faulty and that breakdowns in
internal control can occur because of human failures such as simple
errors or mistakes. For example, errors may occur in designing,
maintaining, or monitoring automated controls. If an entity’s IT
personnel do not completely understand how an order entry system
processes sales transactions, they may erroneously design changes to
the system to process sales for a new line of products. On the other
hand, such changes may be correctly designed but misunderstood by
individuals who translate the design into program code. Errors also may
occur in the use of information produced by IT. For example,
automated controls may be designed to report transactions over a
specified dollar limit for management review, but individuals
responsible for conducting the review may not understand the purpose
of such reports and, accordingly, may fail to review them or investigate
unusual items.
Additionally, controls, whether manual or automated, can be

circumvented by the collusion of two or more people or inappropriate
management override of internal control. For example, management
may enter into side agreements with customers that alter the terms and
conditions of the entity’s standard sales contract in ways that would
preclude revenue recognition. Also, edit routines in a software program
that are designed to identify and report transactions that exceed
specified credit limits may be overridden or disabled.
Internal control is influenced by the quantitative and qualitative

estimates and judgments made by management in evaluating the
cost-benefit relationship of an entity’s internal control. The cost of an
entity's internal control should not exceed the benefits that are
expected to be derived. Although the cost-benefit relationship is a
primary criterion that should be considered in designing internal
control, the precise measurement of costs and benefits usually is not
possible.
Custom, culture, and the corporate governance system may inhibit

fraud, but they are not absolute deterrents. An effective control
environment, too, may help reduce the risk of fraud. For example, an
effective board of directors, audit committee, and internal audit
function may constrain improper conduct by management.

Alternatively, the control environment may reduce the effectiveness of

other components. For example, when the nature of management
incentives increases the risk of material misstatement of financial
statements, the effectiveness of control activities may be reduced.
9. Balancing Risk and Control
Risk is the probability that an event or action will adversely affect the
organization. The primary categories of risk are errors, omissions, delay
and fraud. In order to achieve goals and objectives, management
needs to effectively balance risks and controls. Therefore, control
procedures need to be developed so that they decrease risk to a level
where management can accept the exposure to that risk. By
performing this balancing act "reasonable assurance” can be
attained. As it relates to financial and compliance goals, being out of
balance can cause the following problems:
Excessive controls Excessive controls

Loss of assets, donor or Increased bureaucracy
grants
Poor business decisions Reduced productivity
noncompliance Increased complexity
Increased regulations Increased cycle time
Public scandals Increased of no-value
activities
In order to achieve a balance between risk and controls, internal

controls should be proactive, value-added, and cost-effective and
address exposure to risk.
10. The topic of cost in internal controls
The cost of implementing a specific control should not exceed the

expected benefit of the control.
 The potential loss of a computer printer may justify the cost

of a door lock but not an alarm system.
 Computer screen savers with passwords are inexpensive,
effective methods of protecting sensitive data on a
computer.

Sometimes there is no out-of-pocket cost to establish an adequate

control. A realignment of duty assignments may be all that is necessary
to accomplish the objective.
 Checks received in the mail are immediately separated

from supporting documentation for restrictive
endorsement and deposit. The supporting documentation
is given to a different employee (with a copy of the check,
if needed) for crediting the payment or filling an order.
 Voided receipts are approved by someone (preferably a
manager) other than the person preparing receipts.
A well-designed internal control structure can enhance operations by

improving your unit's overall efficiency and effectiveness, as well as,
reducing the risk of loss or theft.
 A bank lock box establishes accountability and restricts

access to cash, in addition to streamlining operations by
providing immediate deposits and (possibly) electronic
application updates.
In analyzing the pertinent costs and benefits, managers should also

consider the possible ramifications for business at large and attempt to
identify and weigh the intangible as well as the tangible
consequences.
11. Conclusion:
The concept of internal control and its aspects in any organization is

so important, therefore understanding the components and standards
of internal controls should be attend by management. Internal Control
is a major part of managing an organization. Internal control is an
accounting procedure or system designed to promote efficiency or
assure the implementation of a policy or safeguard assets or avoid
fraud and error. According to custom definition, Internal Control is a
process affected by an entity's board of directors, management and
other personnel designed to provide reasonable assurance regarding
the achievement of objectives in the following categories namely. The
major factors of internal control are Control environment, Risk
assessment, Control activities, Information and communication,
Monitoring. This article reviews the main standards and principles of
internal control and described the relevant concepts of internal control
for all type of company.

Strengthening Compliance with REFRENCE:

the Act and Standards
http://www.osc.state.ny.us/age -COSO Definition of Internal
ncies/ictf/docs/implement_guid Control
e_20060907.pdf http://www.coso.org/publicatio
ns/executive_summary_integrat
-Standards for Internal Control in ed_framework.htm[last access
New York State Government 30/1/2009
http://www.osc.state.ny.us/audi
ts/audits/controls/standards.htm -A Reference Guide for
Managing, University Business
-Internal Control - Integrated Practices, 2008.
Framework (COSO)
http://www.coso.org/publicatio -Internal Controls a Guide for
ns.htm Managers,
[http://www.indiana.edu/~iuau
-New York State Division of the dit/controls.html#Controls] last
Budget – Budget Policy & access, 30/1/2009.
Reporting Manual – Item B-350
Governmental Internal Control -UNDERSTANDING INTERNAL
and Internal Audit Requirements CONTROLS
http://www.budget.state.ny.us/
bprm/b/b-350.pdf -Internal control - Wikipedia, last
access, 30/1/2009.
-Control Objectives for
Information and Related -Internal Controls a Guide for
Technology (COBIT) Managers, 30/1/2009.
http://www.isaca.org/COBIT
-AU Section 319, "Consideration
-Government Accountability of Internal Control in a Financial
Office - Standards for Internal Statement Audit".
Control in the Federal
Government -New York State Internal Control
http://www.gao.gov/special.pu Act
bs/ai2131.pdf http://www.osc.state.ny.us/age
ncies/ictf/docs/Internal%20Cont
-Government Accountability rol%20Act.pdf?cl=39&a=73
Office - Internal Control
Management and Evaluation -New York State Internal Control
Tool Task Force Report – September
http://www.gao.gov/new.items/ 2006
d011008g.pdf New York State Internal Control
Act Implementation Guide:

http://www.cscic.state.ny.us/se -Guidance on Control - The

curity/relevantlaws.htm Canadian Institute of Chartered
Accountants (COCO)
-New York State Office for http://www.cica.ca
Technology
http://www.oft.state.ny.us -Association of Government
Accountants (AGA)
-OMB A-123 Management http://www.agacgfm.org
Accountability and Control
http://www.whitehouse.gov/om -Institute of Internal Auditors (IIA)
b/circulars/a123/a123.html http://www.theiia.org
-Public Company Accounting -New York State Internal Control

Oversight Board (PCAOB) Association (NYSICA)
http://www.pcaobus.org/ http://www.nysica.com
-Special Publications - The -New York State Office of Cyber

National Institute for Standards Security & Critical Infrastructure
and Technology (NIST) Coordination
http://nvl.nist.gov/
About the authors:
Babak Jamshedy-Navid is currently a PHD student at the department

of accounting at the Islamic Azad University Tehran and also he is
Faculty Member of Islamic Azad University, Kerman shah (Iran); he is
professor of accounting and teaches in Islamic Azad University
Hamedan branch, MA level.
* Hamed Arad is a student of accounting, Ph.D level. He is

corresponding author and can be contacted at:
hamed_philee@yahoo.com. His interest research topics are information
systems, BSC, target costing (TC), and he is a young writer in scope of
research methods, and also has a book in this title, "research methods
in accounting" with communion of Alireza isfandyari-moghadam (PHD,
library and information studies), and Saeid Nooriyan.

م3

Uploaded by

Copyright:

Available Formats

You might also like

م3

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

م3

Uploaded by

Copyright:

Available Formats

SSRN, 2009 TOP

Hamed Arad (Philee)

Research Paper, July 2009, Social Science Research Network

Electronic copy available at: http://ssrn.com/abstract=1342048

Social Science Research Network (SSRN)

Hamed Arad (Philee)* (Corresponding Author)

JEL Classifications: M41

Submitted February, 2009

Date posted: February 13, 2009; last revised: April, 2010

Abstract: internal control is an accounting procedure or system designed to

Paper type: General Review

Top 10 Paper, First Quarterly 2009 1

Internal Controls serve as the first line of defense in safeguarding

COSO describe Internal Control as follow. Internal controls are the

 Writing procedures to encourage compliance, locking

Top 10 Paper, First Quarterly 2009 2

Electronic copy available at: https://ssrn.com/abstract=1342048

procedures, organizational design, and physical barriers-constitute.

1. Financial controls, and

According to the institute of chartered accountants of India internal

- Controls for recording accounting transactions properly.

Other controls: Other controls include the following:

2. Definition of internal controls

There are many definitions of internal control, as it affects the various

One of the definitions of internal controls is as follow:

Top 10 Paper, First Quarterly 2009 3

Electronic copy available at: https://ssrn.com/abstract=1342048

"Internal Control is a process affected by an entity's board of

- Effectiveness and Efficiency of Operations

In AU Section 319 "Consideration of Internal Control in a Financial

Internal control is a process—effected by an entity’s

According AU section 319 internal control consists of five interrelated

a. Control environment sets the tone of an organization,

Several key points should be made about this definition:

1. People at every level of an organization affect internal control.

Top 10 Paper, First Quarterly 2009 4

Electronic copy available at: https://ssrn.com/abstract=1342048

2. Effective internal control helps an organization achieve its

3. Internal control can provide only reasonable assurance - not

Under the COSO Internal Control-Integrated Framework, a widely-

COSO defines internal control as having five components:

1. Control Environment-sets the tone for the organization,

Top 10 Paper, First Quarterly 2009 5

Electronic copy available at: https://ssrn.com/abstract=1342048

5. Monitoring-processes used to assess the quality of internal control

The COSO definition relates to the aggregate control system of the

Discrete control procedures or controls are defined by the SEC as:

3. Type of internal control

Most internal controls can be classified as preventive or detective.

Preventive controls are designed to discourage errors or irregularities.

 A computer application which checks validity prevents the

Detective controls are designed to identify an error or irregularity after it

 An exception report detects and lists incorrect or invalid

Top 10 Paper, First Quarterly 2009 6

Electronic copy available at: https://ssrn.com/abstract=1342048

 Maintaining written procedures for manual processing will

4. The factors of internal controls

Internal control consists of five interrelated components as follows: