Internal Control Procedures
After companies like Enron, WorldCom, and Tyco turned in dishonest financial statements, Wall Street was shaken by plummeting (worthless) stock, not to mention the employees who were affected. Congress had to take immediate action to keep other executives and managers from thinking they could defraud their companies. Congress did this by enacting the Sarbanes-Oxley Act of 2002. This act changed the rules of auditor independence and also put more responsibility on management to make sure every employee is following the company's internal controls.
"Internal control is a process effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations." (Louwers, Ramsay, Sinason, & Strawser, 2007, p. 149)
When an auditor comes to audit the company, the auditor will make an internal control checklist (example below). This checklist is to make sure the company is following its internal controls; if it is not, the auditor will suggest ways to improve that area. There are five components of internal control.
The five components of internal control are control environment, risk assessment, control procedures, information and communication, and monitoring.
The control environment component sets the main tone of the organization. "It provides discipline and structure. Control environment factors include the integrity, ethical values, and competence of the company's people." (Louwers, Ramsay, Sinason, & Strawser, 2007, p. 151) The control environment consists of integrity and ethical values, commitment to competence, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices. For each of these subcomponents I will provide examples of questions that will be found on an auditor's checklist.
- Integrity and Ethical Values: Are there policies in place that explain acceptable business practices? Is there a code of conduct? Does management set a good example of integrity for the employees to follow? etc.
- Commitment to Competence: Are there clear descriptions of job responsibilities for each level? Are employees trained to give them knowledge of the job? Do the office employees (marketing, accounting, etc.) have the required educational background for their position? etc.
- Management's Philosophy and Operating Style: Does the company have a mission statement, vision statement and guiding principles? Does the company provide full disclosures of financial statements? Does the company ensure employees are following government laws?
- Organization Structure: Is there an organizational structure in place? Do all employees know the organizational structure? Do managers know who to report to, and in which order, during a situation? etc.
- Assignment of Authority and Responsibility: Does management understand their responsibilities? Does management know where their authority ends for each level? etc.
- Human Resource Policies and Practices: Does the company give an ethical pre-assessment for calling potential employees for an interview? Does the company do a detailed interview? Are employees always supervised? etc.
Risk assessment is where the business thinks through the many risks that could keep the company from meeting its objectives. The subcomponents of risk assessment include organizational goals and objectives, managing change, etc.
- Organizational Goals and Objectives: When directions are changed, have they been tested first? Are budgets detailed and realistic? Does management know how to achieve budget goals? etc.
- Managing Change: Does management show support of change? etc.
After a company identifies its risks, it must come up with a set of control procedures. The subcomponents of control procedures are written policies and procedures, and controls over information systems.
- Control Procedures: Does the general manager monitor the store's performance against the budget? In the office, is there separation of duties (one person authorizes the transaction while another records it)? Does the company have a disaster plan in place? etc.
- Written Policies and Procedures: Does management have access to updated government policies and procedures? Does the company have documentation of the company's policies and procedures? etc.
- Controls over Information Systems: Does the company keep its computer software up to date? Is there virus protection on its computers? etc.
Information and Communication
This component is necessary to achieve management's objectives. Subcomponents of information and communication include access to information, communication patterns, etc.
- Access to Information: Does the company report its daily sales to the office daily? Does the company secure information that is not meant for everyone (e.g., password-protecting a document)? etc.
- Communication Patterns: Does the company foster trust within its staff? Are employees and lower management encouraged to make recommendations for improvement? etc.
Lastly, internal controls are pointless if the company is not going to monitor them to make sure they are effective.
- Does management do random checks to make sure that records and transactions are meeting expectations? Are budgets compared to actual results in a timely manner? etc.
"Some monitoring controls include these:
- Operating managers' comparison on internal reports and published financial statements with their knowledge of the business.
- Analysis of customer complaints of amounts billed
- Analysis of vendor complaints of amounts paid...." (Louwers, Ramsay, Sinason, & Strawser, 2007, p. 160)
Louwers, T.J., Ramsay, R., & Sinason, D. (2007). Auditing and Assurance Services: A look beneath the surface (2nd ed.). New York, NY: McGraw-Hill.