THE DETAILS OF THE COSO REPORT
3. Adequate records and documents
4. Security of assets and documents
5. Independent checks and reconciliations
Authorization of Transactions. In any organization, it is important to try to ensure that the organization engages only in transactions which are authorized. Authorization refers to an approval, or endorsement, from a responsible person or department in the organization that has been sanctioned by top management. Every transaction that occurs must be properly authorized in some manner. For example, some procedure should be followed to determine when it is allowable to purchase goods, or when it is permissible to extend credit. A common example that you may have encountered occurs at some grocery and department stores. If you have ever stood in a long checkout line while the shopper in front tried to pay with an out-of-state check, you probably groaned silently, knowing that the line would be further delayed while the checkout clerk waited for a manager to approve the payment method. Notice that in this example, for the transaction that carries extra risk (the possibility of a bounced out-of-state check), the company has established a procedure to discourage bad check writing. This procedure is the requirement for a specific authorization from a manager before the transaction can be completed.
The preceding example also helps illustrate the difference between specific authorization and general authorization. General authorization is a set of guidelines that allows transactions to be completed as long as they fall within established parameters. In the example of a grocery or department store, the established guidelines are that the checkout clerk can process anyone through the line as long as the customer pays by cash, credit card, debit card, or an in-state check. If any customer is an exception to these payment methods, as in the case of an out-of-state check, the transaction requires specific authorization. Specific authorization means that explicit approval is needed for that single transaction to be completed. Another example of the difference between these two types of authorization can be seen in the procedures that a company uses when making purchases. Management usually has established reorder points for inventory items, and when inventory quantities drop to that predetermined level, purchasing agents have general authority to initiate a purchase transaction. However, if the company needs to purchase a new fleet of vehicles, for instance, a specific authorization from upper-level management is likely to be required.
Maintenance of Accounting Internal Controls (Study Objective 10)
Any organization should establish and maintain clear, concise guidance as to procedures that fall under general authorization as opposed to those requiring specific authorization. Not only does such a practice assure that all transactions are properly authorized; it also makes the organization more efficient. In our example of a grocery store, the checkout line can move quickly and efficiently for low-risk transactions involving payment by cash, credit card, debit card, or in-state check. However, when high-risk transactions are encountered, the extra risk warrants a brief inefficiency (the slowdown in the line) to assure that the risk is controlled by a specific authorization. Another important aspect is that the employee must be well trained and must understand when this specific authorization is needed.
In summary, a part of the control procedures is the guidelines regarding general and specific authorization. Top managers must appropriately delegate the authorization of transactions and establish authorization procedures and practices to assure that the guidelines are followed. They must ascertain that managers and employees have been trained to understand and carry out these policies and practices.
Segregation of Duties. When management delegates authority and develops guidelines as to the use of that authority, it must assure that the authorization is separated from other duties. This separation of related duties is called segregation of duties. For any transaction, there are usually three component parts: authorization of the transaction, recording the transaction, and custody of the related asset(s). Ideally, management should separate these three components by assigning each component to a different person or department within the organization. The person or department authorizing a transaction should neither be responsible for recording it in the accounting records nor have custody of the related asset. To understand the possible effect of not segregating these duties, consider a payroll example. If a foreman were allowed to hire employees, approve their hours worked, and also distribute the paychecks, then authorization would not have been segregated from custody of the checks. This would give a dishonest foreman the perfect opportunity to make up a fictitious employee and collect the paycheck. However, if paychecks were distributed to employees by someone other than the foreman, the opportunity for this kind of payroll theft would be reduced.
When it is reasonably possible to do so, all three components—authorization, recording, and custody—should be segregated. Exhibit 3-6 illustrates this segregation of duties.
It may not always be possible or reasonable to segregate all three components. This is especially true in small organizations where there may not be enough workers to adequately segregate. However, in smaller companies there is usually much closer supervision by the owner or manager, which helps compensate for the lack of segregation. Thus, supervision is a compensating control that lessens the risk of negative effects when other controls are lacking. Supervision as a compensating control is appropriate in larger organizations, too, where there may be situations in which it is difficult to fully segregate duties.
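The three-way split and the compensating control described above can be checked mechanically over transaction records. The following is an added example, not part of the original text; the record fields, the role names and the rule that a supervisor's review only compensates when the reviewer is not one of the people holding the conflicting duties are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# The three components of a transaction named in the text.
DUTIES = ("authorized_by", "recorded_by", "custodian")

@dataclass(frozen=True)
class Transaction:  # hypothetical record layout
    txn_id: str
    authorized_by: str
    recorded_by: str
    custodian: str
    reviewed_by: Optional[str] = None  # supervisor review (compensating control)

def conflicts(txn):
    """Pairs of duties that the same person holds on this transaction."""
    return [(a, b) for a, b in combinations(DUTIES, 2)
            if getattr(txn, a) == getattr(txn, b)]

def classify(txn):
    """Return 'segregated', 'compensated' or 'violation'."""
    found = conflicts(txn)
    if not found:
        return "segregated"
    conflicted_people = {getattr(txn, duty) for pair in found for duty in pair}
    # Assumption: supervision counts only if the reviewer is independent.
    if txn.reviewed_by and txn.reviewed_by not in conflicted_people:
        return "compensated"
    return "violation"

# Constructed sample data, modelled on the payroll example in the text.
SAMPLE = [
    Transaction("PAY-001", "foreman", "payroll_clerk", "foreman"),
    Transaction("PAY-002", "foreman", "payroll_clerk", "paymaster"),
    Transaction("PAY-003", "bookkeeper", "bookkeeper", "cashier", "owner"),
    Transaction("PAY-004", "bookkeeper", "bookkeeper", "cashier", "bookkeeper"),
]

def report(txns):
    return {t.txn_id: classify(t) for t in txns}

if __name__ == "__main__":
    for txn_id, status in report(SAMPLE).items():
        print(txn_id, status)
```

PAY-001 is the foreman case from the text (authorization and custody held by one person); PAY-003 is the small-organization case where owner supervision compensates for a missing split.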
Adequate Records and Documents. When management is conscientious and thorough about preparing and retaining documentation in support of its accounting transactions, internal controls are strengthened. Accounting documents and records are important, because they provide evidence and establish responsibility.
In general, a good system of internal controls includes the following types of documentation:
• Supporting documentation for all significant transactions, including orders, invoices, contracts, account statements, shipping and receiving forms, and checks. Whenever possible, original documentation should be retained as verification of authenticity. Specific types of documentation are discussed in subsequent chapters within the presentations of the various business processes.
• Schedules and analyses of financial information, including details of account balances; reconciliations; references; comparisons; and narrative explanations, comments, and conclusions. These documents should be independently verified from time to time in order for their accuracy to be assessed.
• Accounting cycle reports, including journals, ledgers, subledgers, trial balances, and financial statements.
Documents and records provide evidence that management’s policies and procedures, including internal control procedures, are being carried out. They also provide an audit trail, which presents verifiable information about the accuracy of accounting records. If accurate, sufficient documentation is maintained, then an audit trail can be established, which can re-create the details of individual transactions at each stage of the business process in order to determine whether proper accounting procedures for the transaction were performed.
All paper documentation should be signed or initialed by the person(s) who authorized, recorded, and/or reviewed the related transactions. This practice establishes responsibility within the accounting function. When records are maintained in electronic format, the organization should take steps to control access to the related files and ensure that adequate backup copies are available in order to reduce the risk of alteration, loss, or destruction. In a computerized system, the audit trail usually includes a detailed transaction log, because the computer system automatically logs each transaction and the source of the transaction. In today’s business world, where many records are maintained within computerized systems, managers and auditors must understand, access, and control those accounting records maintained within an electronic environment.

Exhibit 3-6: Segregation of Duties (Authorization, Recording, Custody)
In addition to accounting documents and reports, business organizations should maintain thorough documentation on their policies and procedures. In order to provide clarity and promote compliance within the organization, both manual and automated processes and control procedures should be formalized in writing and made available to all responsible parties.
Security of Assets and Documents. Organizations should establish control activities to safeguard their assets, documents, and records. These control activities involve securing and protecting assets and records so that they are not misused or stolen. In the case of assets, physical protection requires limiting access to the extent that is practical. For example, cash must be on hand for a company to operate, but this cash can be locked in safes or cash registers until needed. Assets such as inventory should be protected by physical safeguards such as locks, security cameras, and restricted areas requiring appropriate ID for entry. In addition to physical safeguards of assets, it is also important to limit access to documents and records. Unauthorized access or use of documents and records allows the easy manipulation of those documents or records, which can result in fraud or cover-up of theft. For example, unauthorized access to blank checks can lead to fraudulent checks being written. All blank documents must be controlled by limiting access to only those who require access as part of their job duties.
In both cases—protecting physical assets and protecting information—there is a trade-off between limited access and efficiency. The more access is limited, the harder it becomes to do a job efficiently. This is why controls must have a benefit greater than their cost. For example, a company could have all employees searched as they leave at the end of their shifts in order to discourage inventory theft. However, the cost of this intrusion in terms of its impact on employee morale and turnover may be greater than the savings from theft avoidance. This concept of the cost–benefit comparison of controls is discussed later in the chapter in terms of reasonable assurance.
Independent Checks and Reconciliation. Independent checks on performance are an important aspect of control activities. Independent checks serve as a method to confirm the accuracy and completeness of data in the accounting system. While there are many procedures that accomplish independent checks, examples are as follows:
• Reconciliation
• Comparison of physical assets with records
• Recalculation of amounts
• Analysis of reports
• Review of batch totals
An example of each of these independent checks on performance follows. A reconciliation is a procedure that compares records from different sources.
company records to ensure the accuracy and completeness of cash records. Similarly, a comparison of physical assets with records occurs when a company takes a physical count of inventory and compares the results to the inventory records. Any differences are recorded as adjustments to inventory and result in correct inventory records. Recalculation of amounts can help uncover math or program logic errors. For example, recalculating price times quantity may uncover errors in invoices that were caused by either human error or bad program logic. Analysis of reports is the examination of a report to assess the accuracy and reliability of the data in that report. A manager who regularly reviews reports is likely to notice errors that crop up in the reports; the manager may not always notice such errors, but many times will. Finally, review of batch totals is an independent check to assure the accuracy and completeness of transactions processed in a batch. Batch processing occurs when similar transactions are grouped together and processed as a group. For example, time cards can be collected from all employees within a department and processed simultaneously as a batch. In batch processing, it is possible to calculate a batch total, which is merely a summation of key items in the batch (such as hours worked), and compare this batch total along various stages of processing. If at some stage of processing the batch totals no longer match, this means that an error has occurred in processing.
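The batch-total check on time cards described above, as an added example that is not part of the original text. It compares the total of hours at each processing stage against the total taken when the batch was assembled and reports the first stage where they diverge; the stage names, employee IDs and the extra record-count control are assumptions, and the time cards are constructed sample data.

```python
from decimal import Decimal

def control_totals(records):
    """Batch total of hours plus a record count for one processing stage."""
    hours = sum((Decimal(r["hours"]) for r in records), Decimal("0"))
    return {"count": len(records), "hours": hours}

def first_mismatch(stages):
    """stages: ordered list of (stage_name, records).

    Returns None when every stage matches the totals taken when the batch
    was assembled, otherwise details of the first stage that differs.
    """
    _, source = stages[0]
    expected = control_totals(source)
    before = {r["employee"]: Decimal(r["hours"]) for r in source}
    for name, records in stages[1:]:
        actual = control_totals(records)
        if actual != expected:
            after = {r["employee"]: Decimal(r["hours"]) for r in records}
            changed = sorted(e for e in before.keys() | after.keys()
                             if before.get(e) != after.get(e))
            return {"stage": name, "expected": expected,
                    "actual": actual, "changed": changed}
    return None

# Constructed time-card batch for one department.
COLLECTED = [
    {"employee": "E101", "hours": "40.0"},
    {"employee": "E102", "hours": "38.5"},
    {"employee": "E103", "hours": "42.0"},
]
KEYED = [dict(r) for r in COLLECTED]
# Data-entry error at posting: 38.5 becomes 83.5 for E102.
POSTED = [dict(r, hours="83.5") if r["employee"] == "E102" else dict(r)
          for r in COLLECTED]
STAGES = [("collected", COLLECTED), ("keyed", KEYED), ("posted", POSTED)]

# Offsetting error: 1.5 hours moved from E102 to E101, total unchanged.
OFFSET = [
    {"employee": "E101", "hours": "41.5"},
    {"employee": "E102", "hours": "37.0"},
    {"employee": "E103", "hours": "42.0"},
]

if __name__ == "__main__":
    print(first_mismatch(STAGES))
    print(first_mismatch([("collected", COLLECTED), ("posted", OFFSET)]))
```

Matching totals do not prove the batch is unchanged: the offsetting error in `OFFSET` leaves both controls equal and is not reported, so batch totals complement the other independent checks rather than replace them.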
These descriptions of independent checks are examples of control activities, but they only scratch the surface of the number and types of independent checks that may be necessary in an organization. Such independent checks can serve as both detective and preventative controls. They are detective in that they uncover problems in data or processing; they are preventive in the sense that they may help discourage errors and fraud before they occur. For example, employees know that when a company regularly takes a physical inventory and compares the counts with records, shortages are more likely to come to light. Therefore, employees may be less likely to steal inventory, because they presume they will get caught. This preventive effect becomes more obvious if you consider the opposite environment, in which a company never takes a physical inventory. When employees know this, they recognize that it would be easier to carry out a fraudulent act without getting caught.
Information and Communication
To assess, manage, and control the efficiency and effectiveness of operations of an organization, management must have access to feedback information and reports. The feedback consists of operational and financial information, much of it generated by the accounting system. An effective accounting system will provide accurate and complete feedback. Therefore, the better the accounting system, the better management can assess and control operations.
The entire accounting system is therefore a very important component of the internal control system. An ineffective accounting system can generate inaccurate or incomplete reports, and this leads to more difficulty in properly controlling activities. An effective accounting system must accomplish the following objectives:
1. Identify all relevant financial events (transactions) of the organization.