
FUNDAMENTALS OF INTERNAL CONTROLS

In document Brink's Internal Audit (Page 94-98)

COSO Framework

4.2 FUNDAMENTALS OF INTERNAL CONTROLS

To effectively review internal controls, an internal auditor needs to have a good basic understanding of the nature of controls, a definition of a control system, as well as the overall concept of the types and nature of an organization’s operating internal control processes. The first of these two concepts, the idea of a control system, is perhaps the easier. This concept goes back to the basic principles of mechanical and paperwork procedures that exist throughout one’s everyday life.

Control systems are necessary for all areas of activity, both inside and outside today’s organization, and the concepts and principles used are the same no matter where the control system is encountered. The automobile can provide a good analogy of a control system. When the accelerator is pressed, the automobile goes faster. When the brake is pressed, the automobile slows or stops. When the steering wheel is turned, the vehicle turns. The driver controls the automobile. If the driver does not use the accelerator, brake, or steering wheel properly, the automobile will operate out of control.

An organization is similar to an automobile. There are a variety of systems at work, such as the manufacturing and sales processes, information systems, and accounting operations. If management does not operate or direct these systems or process components properly, the organization may operate out of control.

The effective control of an organization, of course, is much more complicated, but a significant failure of one or another component can cause the entire organization to operate out of control. An internal auditor should first develop an understanding of these control systems and then assess them to determine if the components of the system are properly connected and if management is properly operating the controls that allow it to manage the system. This type of system or process is often referred to as the organization’s system of internal controls.

Internal auditors are often called on to describe control systems to their management and to convince them of the importance of controls even when management may have other priorities. An internal auditor must be a spokesperson for the importance of internal controls, but to be effective, must have a good understanding of basic internal control objectives and components. The purpose of any control system is to attain or maintain a desired state or condition. The system of internal control should be able to satisfy various objectives established by management for that control area. A basic control system has four elements:

1. Detector or Sensor Element. There must be some type of measuring device that detects what is happening in the particular element of the system being controlled (e.g., a thermostat in the home that connects to the furnace). An internal auditor often is the sensor who observes some problem as part of a normal audit review.

2. Selector or Standard Element. The detector that reports on current conditions must have some type of a standard to compare what is actually happening to what should be happening. The thermostat is set to a desired temperature and linked to a thermometer measuring the actual temperature. Fluctuations above or below the user-supplied temperature setting cause the furnace to take action. Internal audit will make recommendations based on standards and best practices as discussed in Chapter 14, “Directing and Performing Internal Audits.”

3. Controller Element. This element alters the behavior of the area under control based on a comparison between the detector and standard results. The thermostat turns off the furnace when the heat reaches some certain predetermined level and restarts the furnace again when the level drops.

4. Communications Network Element. The control system communications network is simply a vehicle for transmitting messages between the control sensor and the entity being controlled. A home heating thermostat has a connection between the sensor on the furnace—usually away from the living area—and the measuring unit in the home living space.

These four elements can be called a control system because they are separate but interrelated components of an overall control process. Exhibit 4.1 illustrates such a conceptual control system. There are many other examples of these types of control systems in everyday life. The same elements repeat themselves in more complex systems.

Many business processes do not have this level of automatic control system in place because their formal detector and even selector controls are limited. Nevertheless, even manual systems have some control elements, and an internal auditor should look for these elements when reviewing internal controls. Of course, internal auditors themselves often serve as a type of control system detection element by helping to make sure that the control system is working effectively.

(a) Detective, Protective, and Corrective Control Techniques

EXHIBIT 4.1 Elements of a Control System

[Flowchart boxes: Monitor or Measure Control Element; Are the Controls Within Standards? (Yes / No); Take No Action; Continue Monitoring Control Element; Correct Control Element; Monitor to Make Certain Corrections Are Working]

Following the system described in Exhibit 4.1, control techniques can be further categorized as preventive, detective, corrective, or a combination of the three. The sum of these three basic control techniques should provide management with reasonable assurance that a particular process is operating properly:

• Preventive controls are built into a system to prevent an error or undetected event from happening. A very elementary type of preventive control is an organization structure that establishes a separation of duties over certain functions. Another is a locked door to prevent unauthorized access to critical equipment.

• Detective controls are designed to alert management of errors or problems as they occur, or shortly after. A cash count and reconciliation of cash register sales at the end of the day is an example of such a detective control. An alarm that sounds when the locked door is forced open is another.

• Corrective controls are used in conjunction with detective controls to recover from the consequences of the undesired events. An insurance policy to pay for losses is one type of corrective control. A guard to apprehend the intruder who forced open the locked door and sounded the alarm is another corrective control technique.

Preventive, detective, and corrective control techniques are important elements in an overall system of control. While it is often more cost-effective to install preventive controls in a system, detective controls are also needed, and detective controls are usually of little value unless some form of corrective action or control is also in place. Internal audit acts as a type of detective control to determine, among other matters, that the preventive controls are working properly. Because internal auditors are not “police officers,” however, management must implement the corrective actions to respond to any reported control findings. Since these controls should always be tied directly or indirectly to control objectives that may vary widely in nature and scope, the manner in which control is exercised can also vary. Preventive, detective, and corrective controls can be considered to operate on three different levels:

1. Steering Controls. This level of control identifies events that will prompt interim action to aid in the achievement of larger objectives. These interim events can be very precise or broad. The common characteristic of steering controls is that they are usually preventive and call attention to the need to take managerial action on a timely basis. Various types of gauges in a manufacturing process indicate conditions that require particular processing actions. A drop in dealer orders may highlight the problem of declining market acceptance and the related need to adjust production schedules. In other cases, a broad index of economic trends can alert management to changing conditions that should spark protective or other opportunity-oriented actions.

2. Yes-No Controls. These controls are designed to function more automatically, to be protective, and to assure the accomplishment of desired results. In their simplest form, a yes-no control could be a quality-control gauge on a mechanized assembly line that checks product parts for exact specifications. Parts that are out of tolerance are routed to a rework area. This control could also be a required approval signature on a business form to help ensure that an authorized individual has reviewed the document. The common element here is a pre-established control device or arrangement that, under normal conditions, will more or less automatically assure desired protective or improved actions.

3. Post-Action Controls. A third control somewhat overlaps with the other two discussed, but is distinctive because managerial action comes later and takes the form of after-the-fact corrective action. The action may be taken to repair a product that has been damaged or to dismiss or reassign an employee. That after-the-fact action happens immediately or may require extended analysis. The analyses done by internal auditors are typically directed to recommending the most effective type of after-the-fact action, even though that action may be very much future-oriented. This recommendation can be directed to correcting established preventive, detective, or corrective types of control.

An internal auditor should try to develop an understanding of these very basic control systems concepts. These concepts are useful whenever an auditor is asked to evaluate, document, and understand an internal control system or process. This type of internal control systems thinking will allow an auditor to break down and analyze any process, whether a large, complex process or a simple, almost manual procedure, into its internal control components. The next step is to map these internal controls concepts against a recognized and accepted framework. This leads to what is called the COSO framework. The following sections will define and discuss the COSO internal control framework in greater detail.
