Internal controls are the systems used by an organization to manage risk and diminish the occurrence of fraud. The internal control structure is made up of the control environment, the accounting system, and procedures called control activities. Several years ago, the Committee of Sponsoring Organizations (COSO), which is an independent, private-sector group whose five sponsoring organizations periodically identify and address specific accounting issues or projects, convened to address the issue of internal control deficiencies in the operations and accounting systems of organizations. They subsequently published a report that is known as COSO’s Internal Control-Integrated Framework. The five components that they determined were necessary in an effective internal control system make up the components in the internal controls triangle shown in Figure 8.3.
Here we address some of the practical aspects of internal control systems. The internal control system consists of the formal policies and procedures that do the following:
- ensure assets are properly used
- ensure that the accounting system is functioning properly
- monitor operations of the organization to ensure maximum efficiency
- ensure that assets are kept secure
- ensure that employees are in compliance with corporate policies
A properly designed and functioning internal control system will not eliminate the risk of loss, but it will reduce the risk.
Different organizations face different types of risk, but when internal control systems are lacking, the opportunity arises for fraud, misuse of the organization’s assets, and employee or workplace corruption. Part of an accountant’s function is to understand and assist in maintaining the internal control in the organization.
Internal control keeps the assets of a company safe and keeps the company from violating any laws, while fairly recording the financial activity of the company in the accounting records. Proper accounting records are used to create the financial statements that the owners use to evaluate the operations of a company, including all company and employee activities. Internal controls are more than just reviews of how items are recorded in the company’s accounting records; they also include comparing the accounting records to the actual operations of the company.
For example, a movie theater earns most of its profits from the sale of popcorn and soda at the concession stand. The prices of the items sold at the concession stand are typically high, even though the costs of popcorn and soda are low. Internal controls allow the owners to ensure that their employees do not give away the profits by giving away sodas and popcorn.
If you were to go to the concession stand and ask for a cup of water, typically, the employee would give you a clear, small plastic cup called a courtesy cup. This internal control, the small plastic cup for nonpaying customers, helps align the accounting system and the theater’s operations. A movie theater does not use a system to directly account for the sale of popcorn, soda, or ice used. Instead, it accounts for the containers. A point-of-sale system compares the number of soda cups used in a shift to the number of sales recorded in the system to ensure that those numbers match. The same process accounts for popcorn buckets and other containers. Providing a courtesy cup ensures that customers drinking free water do not use the soda cups that would require a corresponding sale to appear in the point-of-sale system. The cost of the popcorn, soda, and ice will be recorded in the accounting system as an inventory item, but the internal control is the comparison of the recorded sales to the number of containers used. This is just one type of internal control. As we discuss the internal controls, we see that the internal controls are used both in accounting, to provide information for management to properly evaluate the operations of the company, and in business operations, to reduce fraud.
It should be clear how important internal control is to all businesses, regardless of size. An effective internal control system allows a business to monitor its employees, but it also helps a company protect sensitive customer data. Consider the 2017 massive data breach at Equifax that compromised data of over 143 million people. With proper internal controls functioning as intended, there would have been protective measures to ensure that no unauthorized parties had access to the data. Not only would internal controls prevent outside access to the data, but proper internal controls would protect the data from corruption, damage, or misuse.
Bank Fraud in Enid, Oklahoma
The retired mayor of Enid, Oklahoma, Ernst Currier, had a job as a loan officer and then as a senior vice president at Security National Bank. In his bank job, he allegedly opened 61 fraudulent loans. He used the identities of at least nine real people as well as eight fictitious people and stole about $6.2 million.4 He was sentenced to 13 years in prison on 33 felony counts.
Currier was able to circumvent one of the most important internal controls: segregation of duties. The American Institute of Certified Public Accountants (AICPA) states that segregation of duties “is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.”5 Currier used local residents’ identities and created false documents to open loans for millions of dollars and then collect the funds himself, without any oversight by any other employee. Creating these loans allowed him to walk up to the bank vault and take cash out of the bank without anyone questioning him. There was no segregation of duties for opening loans, or if there was, he was able to easily override those internal controls.
How could internal controls have helped prevent Currier’s bank fraud in Enid, Oklahoma?
Simply having someone else confirm the existence of the borrower and make the payment for the loan directly to the borrower would have saved this small bank millions of dollars.
Consider a bank that has to track deposits for thousands of customers. If a fire destroys the building housing the bank’s servers, how can the bank find the balances of each customer? Typically, organizations such as banks mirror their servers at several locations around the world as an internal control. The bank might have a main server in Tennessee but also mirror all data in real time to identical servers in Arizona, Montana, and even offshore in Iceland. With multiple copies of a server at multiple locations across the country, or even the world, in the event of disaster to one server, a backup server can take control of operations, protecting customer data and avoiding any service interruptions.
Internal controls are the basic components of an internal control system, the sum of all internal controls and policies within an organization that protect assets and data. A properly designed system of internal controls aims to ensure the integrity of assets, allows for reliable accounting information and financial reporting, enhances efficiency within an organization, and provides guidelines and possible consequences for dealing with breaches. Internal controls drive many decisions and overall operational procedures within an organization. A properly designed internal control system will not prevent all loss from occurring, but it will significantly reduce the risk of loss and increase the chance of identifying the responsible party.
Fraud Controls for Grocery Stores
All businesses are concerned with internal controls over reporting and assets. For the grocery industry this concern is even greater, because profit margins on items are so small that any lost opportunity hurts profitability. How can an individual grocery store develop effective controls?
Consider the two biggest items that a grocery store needs to control: food (inventory) and cash. Inventory controls are set up to stop shrinkage (theft). While it is not profitable for each aisle to be patrolled by a security guard, cameras throughout the store linked to a central location allow security staff to observe customers. More controls are placed on cash registers to prevent employees from stealing cash. Cameras at each register, cash counts at each shift change, and/or a supervisor who observes cashiers are some potential internal control methods. Grocery stores invest more resources in controlling cash because they have determined it to be the greatest opportunity for fraudulent activity.
The Role of Internal Controls
The accounting system is the backbone of any business entity, whether it is profit based or not. It is the responsibility of management to link the accounting system with other functional areas of the business and ensure that there is communication among employees, managers, customers, suppliers, and all other internal and external users of financial information. With a proper understanding of internal controls, management can design an internal control system that promotes a positive business environment that can most effectively serve its customers.
For example, a customer enters a retail store to purchase a pair of jeans. As the cashier enters the jeans into the point-of-sale system, the following events occur internally:
- A sale is recorded in the company’s journal, which increases revenue on the income statement. If the transaction occurred by credit card, the bank typically transfers the funds into the store’s bank account in a timely manner.
- The pair of jeans is removed from the inventory of the store where the purchase was made.
- A new pair of jeans is ordered from the distribution center to replace what was purchased from the store’s inventory.
- The distribution center orders a new pair of jeans from the factory to replace its inventory.
- Marketing professionals can monitor over time the trend and volume of jeans sold in a specific size. If an increase or decrease in sales volume of a specific size is noted, store inventory levels can be adjusted.
- The company can see in real time the exact inventory levels of all products in all stores at all times, and this can ensure the best customer access to products.
Because many systems are linked through technology that drives decisions made by many stakeholders inside and outside of the organization, internal controls are needed to protect the integrity and ensure the flow of information. An internal control system also assists all stakeholders of an organization to develop an understanding of the organization and provide assurance that all assets are being used efficiently and accurately.
Environment Leading to the Sarbanes-Oxley Act
Internal controls have grown in their importance as a component of most business decisions. This importance has grown as many company structures have grown in complexity. Despite their importance, not all companies have given maintenance of controls top priority. Additionally, many small businesses do not have adequate understanding of internal controls and therefore use inferior internal control systems. Many large companies have nonformalized processes, which can lead to systems that are not as efficient as they could be. The failure of the SCICAP Credit Union discussed earlier is a direct result of a small financial institution having a substandard internal control system leading to employee theft. One of the largest corporate failures of all time was Enron, and the failure can be directly attributed to poor internal controls.
Enron was one of the largest energy companies in the world in the late twentieth century. However, a corrupt management attempted to hide weak financial performance by manipulating revenue recognition, valuation of assets on the balance sheet, and other financial reporting disclosures so that the company appeared to have significant growth. When this practice was uncovered, the owners of Enron stock lost $40 billion as the stock price dropped from $91 per share to less than $1 per share, as shown in Figure 8.4.6 This failure could have been prevented had proper internal controls been in place.
For example, Enron and its accounting firm, Arthur Andersen, did not maintain an adequate degree of independence. Arthur Andersen provided a significant amount of services in both auditing and consulting, which prevented them from approaching the audit of Enron with a proper degree of independence. Also, among many other violations, Enron avoided the proper use of several acceptable reporting requirements.
As a result of the Enron failure and others that occurred during the same time frame, Congress passed the Sarbanes-Oxley Act (SOX) to regulate practice to manage conflicts of analysts, maintain governance, and impose guidelines for criminal conduct as well as sanctions for violations of conduct. It ensures that internal controls are properly documented, tested, and used consistently. The intent of the act was to ensure that corporate financial statements and disclosures are accurate and reliable. It is important to note that SOX only applies to public companies. A publicly traded company is one whose stock is traded (bought and sold) on an organized stock exchange. Smaller companies still struggle with internal control development and compliance due to a variety of reasons, such as cost and lack of resources.
Major Accounting Components of the Sarbanes-Oxley Act
As it pertains to internal controls, the SOX requires the certification and documentation of internal controls. Specifically, the act requires that the auditor do the following:
- Issue an internal control report following the evaluation of internal controls.
- Limit nonaudit services, such as consulting, that are provided to a client.
- Rotate who can lead the audit. The person in charge of the audit can serve for a period of no longer than seven years without a break of two years.
Additionally, the work conducted by the auditor is to be overseen by the Public Company Accounting Oversight Board (PCAOB). The PCAOB is a congressionally established, nonprofit corporation. Its creation was included in the Sarbanes-Oxley Act of 2002 to regulate conflict, control disclosures, and set sanction guidelines for any violation of regulations. The PCAOB was assigned the responsibilities of ensuring independent, accurate, and informative audit reports, monitoring the audits of securities brokers and dealers, and maintaining oversight of the accountants and accounting firms that audit publicly traded companies.
Any employee found to violate SOX standards can be subject to very harsh penalties, including $5 million in fines and up to 20 to 25 years in prison. The penalty is more severe for securities fraud (25 years) than for mail or wire fraud (20 years).
The SOX is relatively long and detailed, with Section 404 having the most application to internal controls. Under Section 404, management of a company must perform annual audits to assess and document the effectiveness of all internal controls that have an impact on the financial reporting of the organization. Also, selected executives of the firm under audit must sign the audit report and state that they attest that the audit fairly represents the financial records and conditions of the company.
The financial reports and internal control system must be audited annually. The cost to comply with this act is very high, and there is debate as to how effective this regulation is. Two primary arguments that have been made against the SOX requirements is that complying with their requirements is expensive, both in terms of cost and workforce, and the results tend not to be conclusive. Proponents of the SOX requirements do not accept these arguments.
One available potential response to mandatory SOX compliance is for a company to decertify (remove) its stock for trade on the available stock exchanges. Since SOX affects publicly traded companies, decertifying its stock would eliminate the SOX compliance requirement. However, this has not proven to be a viable option, primarily because investors enjoy the protection SOX provides, especially the requirement that the companies in which they invest undergo a certified audit prepared by CPAs employed by national or regional accounting firms. Also, if a company takes its stock off of an organized stock exchange, many investors assume that a company is in trouble financially and that it wants to avoid an audit that might detect its problems.
The Growing Importance of the Report on Internal Controls
Internal controls have become an important aspect of financial reporting. As part of the financial statements, the auditor has to issue a report with an opinion on the financial statements, as well as internal controls. Use the internet and locate the annual report of a company, specifically the report on internal controls. What does this report tell the user of financial information?
The annual report informs the user about the financial results of the company, both in discussion by management as well as the financial statements. Part of the financial statements involves an independent auditor’s report on the integrity of the financial statements as well as the internal controls.
- 4 Jack Money. “Fraudulent Loans Lead to Enid Banker’s Arrest on Numerous Felony Complaints.” The Oklahoman. November 15, 2017. https://newsok.com/article/5572195/fraudulent-loans-lead-to-enid-bankers-arrest-on-numerous-felony-complaints
- 5 American Institute of Certified Public Accountants (AICPA). “Segregation of Duties.” n.d. https://www.aicpa.org/interestareas/informationtechnology/resources/value-strategy-through-segregation-of-duties.html
- 6 Douglas O. Linder, ed. “Enron Historical Stock Price.” Famous Trials. n.d. https://www.famous-trials.com/images/ftrials/Enron/documents/enronstockchart.pdf