From The AICPA Audit Committee Toolkit.
Copyright © 2005 by the American Institute of Certified Public Accountants,
Inc., New York, New York.
Purpose of This Tool. Internal control over financial reporting has always been a major area in the governance of an organization, and its importance has been magnified in recent years. This tool is intended to give audit committees basic information about internal control: what it is, what it is not, how it can be used most effectively in the organization, and what is required of management with respect to the system of internal control over financial reporting. Note that the primary responsibility of the audit committee with respect to internal control is the system of internal control over financial reporting.
Basics of Internal Control
In 1992, the Committee of Sponsoring Organizations (COSO) of
the National Commission on Fraudulent Financial Reporting (also known as
the Treadway Commission) published a document called Internal Control—Integrated
Framework, which defined internal
control as a process, effected by an entity's board of directors, management
and other personnel, designed to provide reasonable assurance regarding
the achievement of objectives in three categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
Internal control can be judged as effective in each of these categories if
the board of directors and management have reasonable assurance that:
- They understand the extent to which the entity’s operations objectives
are being achieved.
- Published financial statements are being prepared reliably.
- Applicable laws and regulations are being complied with.
The COSO Framework consists of five interrelated components as follows:
- Control environment. Sometimes referred to as the tone at the
top of the organization, meaning the integrity, ethical values, and competence
of the entity's people; management's philosophy and operating style; the
way management assigns authority and responsibility and organizes and develops
its people; and the attention and direction provided by the board of directors.
It is the foundation for all other components of internal control, providing
discipline and structure.
- Risk assessment. The identification and analysis of the risks
relevant to achieving the entity's objectives, forming the basis for determining
how those risks should be managed. Both internal and external risks must be
assessed, and objectives must be set and linked at the different levels of the
organization before a risk assessment can be conducted.
- Control activities. Policies and procedures that help ensure
that management directives are carried out. Control activities occur throughout
the organization at all levels in all functions. These include activities
such as approvals, authorizations, verifications, reconciliations, reviews
of operating performance, security of assets, and segregation of duties.
- Information and communication. Addresses the need in the organization
to identify, capture, and communicate information to the right people to enable
them to carry out their responsibilities. Information systems within the organization
are key to this element of internal control. Internal information, as well
as external events, activities, and conditions must be communicated to enable
management to make informed business decisions and for external reporting
purposes.
- Monitoring. The internal control system must be monitored by management
and others in the organization. This is the framework element that is associated
with the internal audit function in the organization, as well as other
means of monitoring such as general management activities and supervisory
activities. It is important that internal control deficiencies be reported
upstream, and that serious deficiencies be reported to top management and
the board of directors.
These five components are linked together, forming an integrated system
that can react dynamically to changing conditions. The internal control system
is intertwined with the organization's operating activities, and is most effective
when controls are built into the organization's infrastructure, becoming part
of the very essence of the organization.
Key Terms in Internal Control
A few common internal control terms are described as follows:
Reportable condition. Has the same meaning as the term significant
deficiency. These two terms are used to define a significant deficiency
in the design or operation of internal control that could adversely affect
a company's ability to record, process, summarize, and report financial
data consistent with the assertions of management in the company's financial
statements. An aggregation of significant deficiencies could constitute
a material weakness.
Material weakness. Defined in the auditing literature as a reportable
condition in which the design or operation of one or more of the internal
control components does not reduce to a relatively low level the risk that
misstatements caused by errors or fraud in amounts that would be material
in relation to the financial statements being audited may occur and not be
detected within a timely period by employees in the normal course of performing
their assigned duties.
Compensating controls. Some organizations, by virtue of their
size, are not able to implement basic controls such as segregation of duties.
In these cases, it is important that management institute compensating controls
to cover for the lack of a basic control, or if a basic control is not able
to function for some period of time.
What Internal Control Cannot Do
As important as an internal control structure is to an organization, an effective
system is not a guarantee that the organization will be successful. An effective
internal control structure will keep the right people informed about the organization's
progress (or lack of progress) in achieving its objectives, but it cannot
turn a poor manager into a good one. Internal control cannot ensure success,
or even survival.
Internal control is not an absolute assurance to management and the board
about the organization's achievement of its objectives. It can only provide
reasonable assurance, due to limitations inherent in all internal control
systems. For example, breakdowns in the internal control structure can occur
due to simple error or mistake, as well as faulty judgments that could be
made at any level of management. In addition, controls can be circumvented
by collusion or by management override. Finally, the design of the internal
control system is a function of the resources available, meaning that there
must be a cost-benefit analysis in the design of the system.
Roles and Responsibilities
Everyone in the organization has some role to play in the organization’s
internal control system.
Chief executive officer (CEO). The CEO has ultimate responsibility
and ownership of the internal control system. The individual in this role
sets the tone at the top that affects the integrity and ethics and other factors
that create the positive control environment needed for the internal control
system to thrive. Aside from setting the tone at the top, much of the day-to-day
operation of the control system is delegated to other senior managers in the
company, under the leadership of the CEO.
Chief financial officer (CFO). Much of the internal control structure
flows through the accounting and finance area of the organization under the
leadership of the CFO. In particular, controls over financial reporting fall
within the domain of the chief financial officer. The audit committee should
use interactions with the CFO, and others, as a basis for their comfort level
on the internal control over financial reporting.
This is not intended to suggest that the CFO must provide the audit committee
with a level of assurance regarding the system of internal control over financial
reporting. Rather, through interactions with the CFO and others, the audit
committee should form its own view of the completeness, accuracy, validity,
and maintenance of the system of internal control over financial reporting.
Controller/director of accounting or finance. Much of the basics
of the control system come under the domain of this position. It is key that
the controller understands the need for the internal control system, is committed
to the system, and communicates the importance of the system to all people
in the accounting organization. Further, the controller must demonstrate respect
for the system through his or her actions.
Internal audit. A main role for the internal audit team is to
evaluate the effectiveness of the internal control system and contribute to
its ongoing effectiveness. With the internal audit team reporting directly
to the audit committee of the board of directors and/or the most senior levels
of management, it is often this function that plays a significant role in
monitoring the internal control system. It is important to note that many
not-for-profits are not large enough to employ an internal audit team. Each
organization should assess the need for this team, and employ one as necessary.
Board of directors/audit committee. A strong, active board is necessary.
This is particularly important when the organization is controlled by an executive
or management team that keeps tight reins over the organization and the people within
it. The board should recognize that its oversight of
the internal control system extends to all three major areas of control:
over operations, over compliance with laws and regulations, and over financial
reporting. The audit committee is the board's first line of defense with respect
to the system of internal control over financial reporting.
All other personnel. The internal control system is only as effective
as the employees throughout the organization that must comply with it. Employees
throughout the organization should understand their role in internal control
and the importance of supporting the system through their own actions and
encouraging respect for the system by their colleagues throughout the organization.
Compensating Controls
It is important to realize that both the design of the internal control
system and compliance with it are important. The audit committee should be tuned in to the
tone at the top of the organization as a first indicator of how well
the internal control system is functioning.
In addition, audit committees should realize that the system of internal
control should be scaled to the organization. Some organizations will be so
small, for example, that they will not be able to have appropriate segregation
of duties. The message here is that the lack of segregation of duties is not
automatically a material weakness, or even a reportable condition, depending
on the compensating controls that are in place.
For example, suppose an organization's accounting department is so small
that it is not possible to segregate duties between the person who does the
accounts payable and the person who reconciles the bank statements. In this
case, one and the same person does both, so there are
no checks and balances on the accounts payable person, who could write
checks to a personal account and then let them pass unchallenged during the bank reconciliation
process (that is, there is no one to raise the red flag that personal checks
are being written on the company account).
Compensating controls could make up for this apparent breach in the internal
control system. Here are some examples of compensating controls in this situation:
- All checks are hand signed by an officer of the company, rather than using
a signature plate that is in the control of the person that prepared the checks.
- The bank reconciliation may be reviewed by the person’s manager.
- A periodic report of all checks that are cleared at the bank could be
prepared by the bank and forwarded to an officer of the company for review.
Audit committees should be aware of situations like this and be prepared
to ask questions and evaluate the answers when an obvious breach in internal
control is surfaced.
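All three compensating controls above work the same way: they give someone other than the accounts payable person an independent view of what actually left the bank account. The following is an added example, not part of the AICPA toolkit, showing how the first control (officer hand-signature) and the third (a bank-supplied list of cleared checks) can be tested mechanically. It compares a constructed check register against a constructed cleared-check report and flags checks that cleared but were never recorded, whose payee or amount differs from the register, or that were not signed by an officer. All names, check numbers, record layouts and the officer list are assumptions made for the example.

```python
"""Compensating-control checks for a one-person accounts-payable function.

Added example, not from the AICPA toolkit. Scenario: the same clerk prepares
checks and reconciles the bank statement, so the organization compensates by
(a) having an officer hand-sign every check and (b) having the bank send an
officer an independent list of the checks it has cleared. Below, (a) is tested
against the check register and (b) is used as an independent source to detect
checks that cleared but were never recorded, or whose payee or amount was
altered after approval. All records, user names and field layouts are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    """A check as recorded by the accounts-payable clerk."""
    check_no: int
    payee: str
    amount_cents: int      # whole cents avoid float rounding in comparisons
    prepared_by: str
    signed_by: str


@dataclass(frozen=True)
class ClearedCheck:
    """A check as reported cleared by the bank (independent of the clerk)."""
    check_no: int
    payee: str
    amount_cents: int


# Assumed: only these users are officers authorized to hand-sign checks.
OFFICERS = frozenset({"cfo.kim", "ceo.lopez"})

# Constructed check register kept by the AP clerk.
REGISTER = [
    RegisterEntry(1001, "Acme Supplies", 125_000, "ap.clerk", "cfo.kim"),
    RegisterEntry(1002, "Northwind Utilities", 48_250, "ap.clerk", "cfo.kim"),
    RegisterEntry(1003, "Desk and Chair Co", 9_999, "ap.clerk", "ap.clerk"),  # self-signed
    RegisterEntry(1004, "Landlord LLC", 300_000, "ap.clerk", "ceo.lopez"),
]

# Constructed cleared-check report obtained directly from the bank.
CLEARED = [
    ClearedCheck(1001, "Acme Supplies", 125_000),
    ClearedCheck(1002, "J. Clerk", 48_250),      # payee changed after signature
    ClearedCheck(1004, "Landlord LLC", 300_000),
    ClearedCheck(1005, "J. Clerk", 75_000),      # never entered in the register
]


def signature_exceptions(register, officers=OFFICERS):
    """Checks not hand-signed by an officer, or signed by their own preparer.

    The control assumes the signature plate is not available to the preparer;
    a check where signed_by == prepared_by means that assumption failed.
    """
    return [e.check_no for e in register
            if e.signed_by not in officers or e.signed_by == e.prepared_by]


def reconciliation_exceptions(register, cleared):
    """Compare the bank's cleared list against the register.

    Register items that have not cleared yet are normal outstanding checks and
    are not flagged; the bank's list is the authoritative record of what left
    the account, so every cleared item must match a register entry exactly.
    """
    by_no = {e.check_no: e for e in register}
    exceptions = []
    for c in cleared:
        e = by_no.get(c.check_no)
        if e is None:
            exceptions.append((c.check_no, "cleared but not in register"))
        elif e.payee != c.payee:
            exceptions.append((c.check_no,
                               f"payee mismatch: register={e.payee!r} bank={c.payee!r}"))
        elif e.amount_cents != c.amount_cents:
            exceptions.append((c.check_no,
                               f"amount mismatch: register={e.amount_cents} bank={c.amount_cents}"))
    return exceptions


def officer_review(register=REGISTER, cleared=CLEARED):
    """Everything an officer should see before signing off the reconciliation."""
    return {
        "signature": signature_exceptions(register),
        "reconciliation": reconciliation_exceptions(register, cleared),
    }


if __name__ == "__main__":
    for kind, items in officer_review().items():
        for item in items:
            print(kind, item)
```

Check 1003 surfaces because the preparer signed it, which defeats the hand-signature control. Checks 1002 and 1005 surface only because the cleared list came from the bank rather than from the clerk; had the clerk supplied it, both could have been edited out, which is why the toolkit has the bank forward the report to an officer.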
Management Override of Controls
Another area that an audit committee needs to focus on is the ability of
management to override internal controls over financial reporting to perpetrate
a fraud. Examples of techniques used by management in overriding internal
controls over the financial reporting function include:
- Back dating or forward dating documents to a different period.
- Making adjusting entries during the financial reporting closing process.
- Reclassifying items improperly between the statement of activity
and the statement of financial condition.
Some of these override techniques were used in some of the recent scandals
and have gained substantial notoriety.
An audit committee has the responsibility to help prevent or deter a management
override of controls. It is important for the audit committee to understand
that there is a system to uncover an override, as well as follow-up to determine
its appropriateness. Questions about management override, and the controls
over management override, as well as audit steps to detect if a management
override has occurred, should be addressed to the CEO, CFO, and independent
auditor during the respective executive sessions with the audit committee
as noted elsewhere in this toolkit.
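Each of the three override techniques listed above leaves a trace in the general ledger that can be tested for. The following is an added example, not part of the AICPA toolkit, that runs such tests over a constructed set of journal entries: it flags entries whose effective date is ahead of the date they were posted or more than a close window behind it (forward- and back-dating), manual entries posted by senior management during the period-end close (adjusting entries during the closing process), and manual entries that lift reported income by moving amounts from the statement of activity onto the statement of financial condition (improper reclassification). The chart-of-accounts ranges, user names, close window and every entry are assumptions made for the example.

```python
"""Journal-entry tests for management-override patterns.

Added example, not from the AICPA toolkit. The general-ledger entries, user
names, chart-of-accounts layout and close window below are all constructed
for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    effective_date: date   # accounting date the entry is recorded "as of"
    posted_date: date      # date the entry was actually keyed into the ledger
    posted_by: str
    source: str            # "system" (subledger feed) or "manual" (top-side)
    debit_account: int
    credit_account: int
    amount_cents: int
    description: str


# Assumed chart-of-accounts layout:
#   1000-3999 assets, liabilities, net assets  (statement of financial condition)
#   4000-5999 revenue, 6000-9999 expenses      (statement of activity)
#   1000-1199 cash and receivables, the normal debit side of revenue entries
def is_revenue(acct): return 4000 <= acct <= 5999
def is_expense(acct): return 6000 <= acct <= 9999
def is_activity(acct): return is_revenue(acct) or is_expense(acct)
def is_settlement(acct): return 1000 <= acct <= 1199


# Assumed: users senior enough to direct or post an override.
MANAGEMENT = frozenset({"ceo.lopez", "cfo.kim"})

PERIOD_END = date(2004, 12, 31)
CLOSE_WINDOW_DAYS = 10   # assumed: the books normally close within 10 days

# Constructed ledger extract for the December 2004 close.
ENTRIES = [
    JournalEntry("JE-101", date(2004, 12, 15), date(2004, 12, 15), "ap.system", "system",
                 6100, 2000, 48_250, "Utility invoice"),
    JournalEntry("JE-102", date(2004, 12, 31), date(2005, 1, 6), "cfo.kim", "manual",
                 1500, 6100, 9_000_000, "Move Q4 maintenance to prepaid"),
    JournalEntry("JE-103", date(2005, 1, 2), date(2004, 12, 30), "ap.clerk", "manual",
                 6200, 2000, 120_000, "Consulting accrual"),
    JournalEntry("JE-104", date(2004, 12, 31), date(2005, 1, 4), "controller.ng", "manual",
                 6300, 1600, 250_000, "December depreciation"),
    JournalEntry("JE-105", date(2004, 12, 31), date(2005, 1, 9), "ceo.lopez", "manual",
                 2100, 4100, 5_000_000, "Release deferred grant to revenue"),
    JournalEntry("JE-106", date(2004, 11, 30), date(2005, 1, 5), "cfo.kim", "manual",
                 6400, 2000, 30_000, "Late vendor invoice"),
]


def misdated_entries(entries, close_window_days=CLOSE_WINDOW_DAYS):
    """Back- and forward-dating.

    An effective date after the posting date cannot occur in the ordinary
    course of business; an effective date more than the close window before
    posting reaches back into a period that should already be closed.
    """
    hits = []
    for e in entries:
        lag = (e.posted_date - e.effective_date).days
        if lag < 0:
            hits.append((e.entry_id, "forward-dated"))
        elif lag > close_window_days:
            hits.append((e.entry_id, f"back-dated {lag} days"))
    return hits


def management_close_entries(entries, period_end=PERIOD_END,
                             close_window_days=CLOSE_WINDOW_DAYS):
    """Manual entries by management, posted after period-end but dated into it."""
    window_end = period_end + timedelta(days=close_window_days)
    return [e.entry_id for e in entries
            if e.source == "manual"
            and e.posted_by in MANAGEMENT
            and e.effective_date <= period_end
            and period_end < e.posted_date <= window_end]


def income_increasing_reclasses(entries):
    """Manual entries that lift reported income by crossing the two statements.

    Two shapes are flagged: an expense credited against a balance-sheet debit
    (costs capitalized or deferred), and revenue credited against a
    balance-sheet debit other than cash or receivables (revenue created from a
    liability or reserve rather than from a sale or a collection). Either can
    be legitimate; the result is a review queue, not a finding.
    """
    hits = []
    for e in entries:
        if e.source != "manual":
            continue
        dr, cr = e.debit_account, e.credit_account
        if is_expense(cr) and not is_activity(dr):
            hits.append((e.entry_id, "expense moved to statement of financial condition"))
        elif is_revenue(cr) and not is_activity(dr) and not is_settlement(dr):
            hits.append((e.entry_id, "revenue recognized from a non-settlement account"))
    return hits


def override_review(entries=ENTRIES):
    """All three tests over one ledger extract, keyed by test name."""
    return {
        "misdated": misdated_entries(entries),
        "management_close": management_close_entries(entries),
        "reclassification": income_increasing_reclasses(entries),
    }


if __name__ == "__main__":
    for test, hits in override_review().items():
        print(test, hits)
```

JE-104, routine depreciation posted by the controller during the close, passes all three tests, while JE-102 and JE-105 each trip two. In practice the review queue is sorted by amount and by poster, and the largest management-posted items are the ones to raise with the CEO, CFO and independent auditor in executive session.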
Conclusion
This tool was intended to provide a summary of what is meant by internal
control. The concepts are not complex, but sometimes the application
of internal control can be a challenge in an organization, depending on
its size and culture. However, it is vitally important to design the system
of internal control to achieve the objectives of (1) effectiveness and efficiency
of operations, (2) reliability of financial reporting, and (3) compliance
with applicable laws and regulations.
Simply stated, a strong system of internal control (both in its design and
in compliance with it) is good business.
Internal Control—A Tool for the Audit Committee
The following tool, Internal Control—A Tool for the Audit Committee, contains
questions modeled on those found in the COSO Report, Internal Control—Integrated
Framework.
Instructions for Using This Tool. This tool is organized around the five interrelated components of an internal
control structure. Within each component is a series of questions that the audit
committee should focus on to assure itself that controls are in place and functioning.
These questions should be discussed in an open forum with the individuals who
have a basis for responding to them. The audit committee should ask
for detailed answers and examples from the management team, including key members
of the financial management team, internal auditors, and independent auditors,
to assure itself that the system is operating as management represents. Evaluation
of the internal control structure is not a one-time event but a continuous one
for the audit committee; the committee should always have its eyes
and ears open for potential weaknesses in internal control and should continuously
probe the responsible parties regarding the operation of the system. The questions
are written so that a "no" response indicates a weakness that
must be addressed.
Control Environment—Tone at the Top

Integrity and Ethical Values

| # | Question | Yes | No | Not Sure | Comments |
|---|----------|-----|----|----------|----------|
| 1 | Does the organization have a comprehensive code of conduct, and/or other policies addressing acceptable business practice, conflicts of interest, and expected standards of ethical and moral behavior? | □ | □ | □ | |
| 2 | Is the code distributed to all employees? | □ | □ | □ | |
| 3 | Are all employees required to annually acknowledge that they have read, understood, and complied with the code? | □ | □ | □ | |
| 4 | Does management demonstrate through actions its own commitment to the code of conduct? | □ | □ | □ | |
| 5 | Are dealings with clients and other constituents, customers, suppliers, employees, and other parties based on honesty and fair business practices? | □ | □ | □ | |
| 6 | Does management take appropriate action in response to violations of the code of conduct? | □ | □ | □ | |
| 7 | Is management explicitly prohibited from overriding established controls? What controls are in place to provide reasonable assurance that controls are not overridden by management? Are deviations from this policy investigated and documented? Are violations (if any) and the results of investigations brought to the attention of the audit committee? | □ | □ | □ | |
| 8 | Is the organization proactive in reducing fraud opportunities by (1) identifying and measuring fraud risks, (2) taking steps to mitigate identified risks, (3) identifying a position within the organization to own the fraud prevention program, and (4) implementing and monitoring appropriate preventive and detective internal controls and other deterrent measures? | □ | □ | □ | |
| 9 | Does the company use an anonymous ethics and fraud hotline and, if so, are procedures in place to investigate and report results to the audit committee? (See also the tool Sample Whistleblower Tracking Report, in this toolkit.) | □ | □ | □ | |

Commitment to Competence

| # | Question | Yes | No | Not Sure | Comments |
|---|----------|-----|----|----------|----------|
| 1 | Are the level of competence and the requisite knowledge and skills defined for each job in the accounting and internal audit organizations? | □ | □ | □ | |
| 2 | Does management make an effort to determine whether the accounting and internal audit organizations have adequate knowledge and skills to do their jobs? | □ | □ | □ | |

Board of Directors and/or Audit Committee

| # | Question | Yes | No | Not Sure | Comments |
|---|----------|-----|----|----------|----------|
| 1 | Are the audit committee's responsibilities defined in a charter? If so, is the charter updated annually and approved by the board of directors? (See also the tool Audit Committee Charter Matrix, in this toolkit.) | □ | □ | □ | |
| 2 | Are audit committee members independent of the company and of management? Do audit committee members have the knowledge, industry experience, and financial expertise to serve effectively in their role? | □ | □ | □ | |
| 3 | Are a sufficient number of meetings held, and are the meetings of sufficient length and depth to cover the agenda and provide healthy discussion of issues? | □ | □ | □ | |
| 4 | Does the audit committee constructively challenge management's planned decisions, particularly in the area of financial reporting, and probe the evaluation of past results? | □ | □ | □ | |
| 5 | Are regular meetings held between the audit committee and the CFO, the CAE (chief audit executive, internal audit), other key members of the financial management and reporting team, and the independent auditors? Are executive sessions conducted on a regular basis? (See also the tool Conducting an Audit Committee Executive Session: Guidelines and Questions, in this toolkit.) | □ | □ | □ | |
| 6 | Does the audit committee approve internal audit's annual audit plan? | □ | □ | □ | |
| 7 | Does the audit committee receive key information from management sufficiently in advance of meetings to prepare for discussions at the meetings? | □ | □ | □ | |
| 8 | Does a process exist for informing audit committee members about significant issues on a timely basis and in a manner conducive to the audit committee having a full understanding of the issues and their implications? (See also the tool Issues Report from Management, in this toolkit.) | □ | □ | □ | |
| 9 | Is the audit committee informed about personnel turnover in key functions, including the audit team (both internal and the independent auditors), senior executives, and key personnel in the financial accounting and reporting teams? Are unusual employee turnover situations observed for patterns or other indicators of problems? | □ | □ | □ | |

Management's Philosophy and Operating Style

| # | Question | Yes | No | Not Sure | Comments |
|---|----------|-----|----|----------|----------|
| 1 | Is the accounting function viewed as a team of competent professionals bringing information, order, and controls to decision-making? | □ | □ | □ | |
| 2 | Is the selection of accounting principles made in the long-term best interest of the organization (as opposed to short-term maximization of income)? | □ | □ | □ | |
| 3 | Are assets, including intellectual assets, protected from unauthorized access and use? | □ | □ | □ | |
| 4 | Do managers respond appropriately to unfavorable signals and reports? | □ | □ | □ | |
| 5 | Are estimates and budgets reasonable and achievable? | □ | □ | □ | |

Organizational Structure

| # | Question | Yes | No | Not Sure | Comments |
|---|----------|-----|----|----------|----------|
| 1 | Is the organizational structure within the accounting function and the internal audit function appropriate for the size of the organization? | □ | □ | □ | |
| 2 | Are key managers in the accounting and internal audit functions given adequate definition of their responsibilities? | □ | □ | □ | |
| 3 | Do sufficient numbers of employees exist, particularly at the management levels in the accounting and internal audit functions, to allow those individuals to effectively carry out their responsibilities? | □ | □ | □ | |

Assignment of Authority and Responsibility

| # | Question | Yes | No | Not Sure | Comments |
|---|----------|-----|----|----------|----------|
| 1 | Is the authority delegated appropriate for the responsibilities assigned? | □ | □ | □ | |