Internal Control 1
Internal control has become a highly pertinent and topical business issue at the beginning of the
21st century due to a series of large corporate scandals and failures (IFAC, 2006). It has been
acknowledged to a growing extent that failure to set up a company’s internal controls properly
may lead to serious intra-company issues and even business failure. The most well-known
accounting scandals over the past decades have probably been the cases of Enron and WorldCom.
In the aftermath of the Enron debacle, it turned out that auditors had long neglected several
internal control deficiencies which contributed significantly to the downfall of the company in the
end (Cunningham & Harris, 2006).
The fact that effective internal controls are in the best interests of the management, shareholders
and other stakeholders (KPMG, 2008: 37) is sometimes obscured when new rules and costly
compliance programs are imposed on companies as a result of high-profile organizational failures 1.
The right kind of internal controls enable an organization to capitalize on opportunities while
mitigating the risks, and can actually save time and money as well as promote the creation and
preservation of value (IFAC, 2012).
An organization’s internal controls consist of policies, procedures and activities that strive to
promote operational efficiency, reduce risk of asset loss, and help ensure the reliability of financial
statements and compliance with laws and regulations (COSO, 1992: 3). Internal control thus
covers a wide range of a company’s activities and has a crucial role in managing the risks
and challenges companies face on a daily basis. Different companies emphasize different aspects
of internal control in their operations, in accordance with their specific needs (KPMG, 2008: 36) –
a “one size fits all” solution to internal control does not exist (Coyle, 2004: 190).
1 www.economist.com/node/3984019 (referred to on 10.12.2013)
Nonetheless, there is no denying that the recent uncertainty and volatility in the global economy
have amplified the importance of an efficient and properly controlled sales process (Mukerji, 2012).
A company’s sales process includes all the revenue-related activities ranging from the creation of a
sales contract to shipping a product, billing the customer, and collecting cash
for sale (Ahokas, 2012: 102). It is clear that if internal controls are not in
place to ensure proper functionality of these essential activities, fraud and
error may pose a significant cost and risk to the business. This can manifest
itself in several detrimental ways, such as the impairment of profit margins, a
reduction in cash flow and operational inefficiency (FSN & Oracle, 2013).
The case company has undergone a variety of considerable changes over the
past years. Changes in key personnel, time and resource constraints and
changed operating circumstances may have affected the effectiveness of the
company’s internal controls in its key processes. The management team felt
that under the current operating conditions a project should be initiated to
ensure that the sales process doesn’t carry any unmitigated risks that
might hinder the company’s value creation. Hence, this study aims to
discover the main risks in the case company’s sales process, evaluate
whether effective internal controls exist to mitigate these risks and to
suggest improvements to internal controls where considered necessary.
Another important trend involves the rapid automation of manufacturing processes and an increasing
reliance on integrated IT systems throughout the manufacturing sector. For instance, new supply chain
management systems allow manufacturers, suppliers, and customers to share information on orders,
production schedules, and inventory levels in order to reduce costs and ensure timely order
fulfillment (First Research, 2013). An outcome of these trends is a growing dependency on IT systems
and declining employee headcounts. While such trends are likely to provide cost savings and increased
efficiencies in some areas, managers and auditors must consider the
Audit standards require that independent auditors obtain a thorough understanding of their clients
including their respective business objectives, risks, and internal control activities; a task made more
challenging given some of the significant trends referenced above. For instance, a manufacturing sector
client may decide to offshore a key business function as a cost saving function, but may in turn find it
difficult to implement a key internal control activity within their new foreign operations. Auditors may
in turn conclude that the “offshored” business function represents a control weakness requiring
additional attention and audit effort. The referenced manufacturing sector trends also present unique
challenges to managers who must be nimble in responding to any new environmental risks that may arise.
Managers must also examine their entity’s internal control activities to evaluate whether the
implemented policies and procedures effectively mitigate the risks that might prevent the company
from achieving
In May of 2013, COSO issued an updated internal control framework. This framework defines internal
control as a process designed to provide reasonable assurance regarding the achievement of objectives
relating to operational effectiveness and efficiency, reliability of financial reporting, and compliance
with applicable laws and regulations (COSO, 2013). According to the framework, internal control consists
of five integrated components: (1) Control Environment; (2) Risk Assessment; (3) Control Activities;
(4) Information and Communication; and (5) Monitoring. The tool provided in this paper should be useful
to independent auditors and manufacturing sector managers as a “memory jogging” resource when assessing
key risks and identifying related control activities that have been implemented to mitigate the
identified risks. Thus, the tool fits within the context of the “Risk Assessment” and “Control
Activities” components of internal control as identified within the integrated framework.
Table 1 lists seven key control principles identified by COSO which pertain to these two control
components and
Table 1: Key Principles for the Risk Assessment and Control Activities Components
As highlighted in Table 1, managers must carefully identify objectives with sufficient clarity to enable the
identification and assessment of risks to achieving these objectives. In addition, auditors must evaluate
whether their client’s internal control over financial reporting is effective in order to mitigate the
risk of misstated and/or fraudulent financial statements (AS 5). To perform this evaluation, auditors must
also consider the COSO framework and perform their own independent assessment of the risk of misstatement
in the client’s financial reporting. Weaknesses in their client’s internal control would entail heightened
control risk and increased risk of material misstatement and subsequently, auditors have to exert
additional audit effort to achieve a reasonably low level of audit risk. Thus, both independent auditors
and corporate managers must develop a robust understanding of strategic objectives, perform a
comprehensive assessment of the risks to achieving these objectives, and evaluate the design and
effectiveness of control activities currently in place to mitigate the assessed risks. The evaluation
tool provided in the following section should assist auditors and managers alike in performing these
important
The COSO internal control framework was selected to function as the main guideline for this study due
to the fact that it is widely adopted by both public and private corporations across the US and
Europe in their efforts to organize internal control (Jokipii, 2006). However, it should be noted that
the “Information and communication” dimension of the COSO framework has been left out of the
scope of this study due to the case company’s request and its indistinctive nature. In addition to the
COSO framework, a variety of academic and professional literature was reviewed in order to build a
This study can be described as a descriptive single-case study. The aim of the study is to describe
and understand the risks and the controls in the case company’s sales process and to suggest
improvements to internal controls where necessary. The majority of the data collection was
performed through theme interviews with employees at different levels of the case company. These
employees were working in the fields under examination and were thus considered knowledgeable enough to
evaluate the existing risks and controls in these areas. Conversations with the case company’s
finance director also played an important role in developing understanding of the company’s sales
Theme interviews and conversations were not the only methods utilized for data collection,
however. One internal control questionnaire was sent out to the Accounts Receivable Manager in
Estonia and some specific verbal inquiries that cannot be classified as interviews were conducted
when considered necessary. I was also capable of extracting information from the case company’s
internal materials and IT systems when these sources were considered to provide valuable data.
Moreover, my active participation in the activities of the case company’s financial administration
team during the study allowed me to make valuable observations about the company’s everyday
operations.
It was noticed in an early phase of this study that the literature that gives actual recommendations
on how to arrange internal controls in a sales process is rather scarce. For this reason, internal
control documentation of three Finnish medium-size companies was obtained in the hopes of
getting a better picture of how internal controls (in sales process) are set up in other companies of
Sales process
The sales process consists of all the activities through which a company markets, delivers, invoices and
cashes in its products (Vahtera, 1986: 288). Every organization’s sales process is individual,
depending on the nature of its business and a variety of other factors, and thus involves somewhat
different risks and approaches to internal control. A company’s sales process often begins with
signing a sales contract and entering customer master data into the organization’s information system,
and it reaches its conclusion with a customer payment or reclamation (Ahokas, 2012: 102).
2. Internal control
In this chapter, internal control and its role in a company’s sales process are discussed. First, a
general look will be taken at the evolution and expanding scope of internal control and why it
has become such an important issue in today’s business environment. After that, a description of
the COSO internal control framework is provided and its different components are discussed along
with relevant literature. At the end of this chapter, the foundation for the case study is laid in the
sense that a company’s sales process and its inherent risks and suggested controls are examined.
At the level of individual controls, making the distinction between preventive and detective
controls can help the evaluator identify missing controls over a given risk (Roth & Espersen, 2004).
Preventive control activities aim to prevent errors or fraud from occurring in the
first place, and they are often built into the system of internal control (Ahokas, 2012: 35).
Preventive controls often require a lot of effort in the implementation phase, but maintaining
them is often less resource-consuming. Listed below are some examples of preventive controls as
illustrated by Ahokas (2012: 35) and Brown (1995):
• Segregation of duties
• Physical controls aiming to deter occurrence of theft and improper behavior (locks etc.)
• Credit authorization system that checks customer’s credit worthiness before goods are shipped
• Hiring qualified personnel
Detective controls are often expensive or time-consuming to maintain, but they are considered
essential for achieving effective internal control. Some examples of detective controls are listed
• Stock inventories
• Analytical checkups
Reconciliations and inventory checkups are traditional examples of detective controls whereas
analytical and monitoring controls have increased their popularity lately. Analytical checkups refer
to the analysis of different types of key business ratios (e.g. accounts receivable in relation to total
assets). For example, if inexplicable deviations occur in certain key ratios they are analyzed and
their causes are investigated. Monitoring controls are normally quarterly or monthly checkups that
aim to ensure that certain control targets have been met during the given period, and they are
often targeted at ensuring the appropriateness of (specific types of) individual transactions.
(Ahokas, 2012: 36)
Another useful categorization is dividing control activities into automatic and manual controls.
Identifying controls as automated or manual can help in designing possible control tests (Roth &
Espersen, 2004). A control activity is manual when a person participates in the execution. For
example, different types of verifications and analytical checkups are manual control activities.
Evidently, automatic control is in question when the control activity is executed by computer
The nature and extent of the internal controls in an organization will depend to a large extent on
the size of the organization, what controls it can afford and whether the benefits obtained from
any particular measure are sufficient to justify its cost (Coyle, 2004: 191). It is important to
emphasize that control activities are to be put in place as responses to observed risks, i.e. they are
derived from the company’s risk assessment and serve as risk responses. Risks and control activities
are inseparable. Figure 3 below illustrates the relationship between these internal control
components:
Management mitigates risks by designing and implementing internal controls and procedures that
will reduce risks to an acceptably low level. The amount of risk left over, after internal controls
have been designed and implemented, is referred to as residual risk. In terms of financial
reporting, residual risk is the risk of material misstatement realizing in financial statements. (IFAC,
2010b: 130)
[Figure 3: relationship between objective, risk and control. Surviving labels: Objective (“customers”), Risk (“Credit losses”), Control.]
ERP system
The effort to comply with the Sarbanes-Oxley Act (SOX) has focused management attention on the
importance of assessing, developing and maintaining an effective and efficient internal control system. ERP
systems are a crucial factor in developing such a system. Despite the attention this has attracted in
practice, little academic research has focused on this area. This chapter addresses the question: How are
ERP systems implicated in Sarbanes-Oxley compliance? It aims to show how SOX requirements
regarding assessment and improvement of internal controls are related to the functionalities of an ERP system
both in local and global implementations. It examines a solution (mySAP ERP) offered by one specific
vendor (SAP) and what functionalities are relevant to global SOX compliance. Based on this, the chapter
discusses likely developments regarding compliance functionalities in future releases of ERP systems