Internal Control 1


Internal control

Internal control has become a highly pertinent and topical business issue at the beginning of the
21st century due to a series of large corporate scandals and failures (IFAC, 2006). It has been
acknowledged to a growing extent that failure to set up a company’s internal controls properly
may lead to serious intra-company issues and even business failure. The most well-known
accounting scandals over the past decades have probably been the cases of Enron and WorldCom.
In the aftermath of the Enron debacle, it turned out that auditors had long neglected several
internal control deficiencies which contributed significantly to the downfall of the company in the
end (Cunningham & Harris, 2006).

The fact that effective internal controls are in the best interests of the management, shareholders
and other stakeholders (KPMG, 2008: 37) is sometimes obscured when new rules and costly
compliance programs are imposed on companies as a result of high-profile organizational failures¹.
The right kind of internal controls enable an organization to capitalize on opportunities while
mitigating the risks, and can actually save time and money as well as promote the creation and
preservation of value (IFAC, 2012).

An organization’s internal controls consist of policies, procedures and activities that strive to
promote operational efficiency, reduce risk of asset loss, and help ensure the reliability of financial
statements and compliance with laws and regulations (COSO, 1992: 3). Internal control thus
covers a wide range of a company’s activities and has a crucial role in managing the risks
and challenges companies face on a daily basis. Different companies emphasize different aspects
of internal control in their operations, in accordance with their specific needs (KPMG, 2008: 36) –
a “one size fits all” solution to internal control does not exist (Coyle, 2004: 190).

Nonetheless, there is no denying that the recent uncertainty and volatility in the global economy have amplified the importance of an efficient and properly controlled sales process (Mukerji, 2012). A company’s sales process includes all the revenue-related activities ranging from the creation of a sales contract to shipping a product, billing the customer, and collecting cash for sale (Ahokas, 2012: 102). It is clear that if internal controls are not in place to ensure proper functionality of these essential activities, fraud and error may pose a significant cost and risk to the business. This can manifest itself in several detrimental ways, such as the impairment of profit margins, a reduction in cash flow and operational inefficiency (FSN & Oracle, 2013).

¹ www.economist.com/node/3984019 (referred to on 10.12.2013)

The case company has undergone a variety of considerable changes over the
past years. Changes in key personnel, time and resource constraints and
changed operating circumstances may have affected the effectiveness of the
company’s internal controls in its key processes. The management team felt
that under the current operating conditions a project should be initiated to
ensure that the sales process doesn’t carry any unmitigated risks that
might hinder the company’s value creation. Hence, this study aims to
discover the main risks in the case company’s sales process, evaluate
whether effective internal controls exist to mitigate these risks and to
suggest improvements to internal controls where considered necessary.

Internal risk control is important for all forms of businesses and has been a highly pertinent issue within the domain of risk management since the beginning of the 21st century. This has been propelled by a series of large corporate scandals and failures (Crouch, 2012). The most well-known accounting scandals over the past decades have probably been the cases of Enron and WorldCom (Ndege, 2015). In the aftermath of the Enron debacle, it turned out that auditors had long neglected several internal control deficiencies which contributed significantly to the downfall of many companies (Cunningham & Harris, 2006). Manufacturing SMEs are regarded as vulnerable during their expansion phases and less likely to have in-house capabilities for sound control and risk management systems (Jocumsen, 2004).

SMEs in manufacturing usually consider risk management to be for ’large businesses’ only. Although this subsector is known for its role in South Africa’s socio-economic and sustainable development, its survival is still an issue, as it has faced a high rate of failure over the years (Ndege, 2015). Enhanced knowledge of internal controls is noted for its contribution to the growth or survival of a business or organization, as internal controls are known for their ability to detect and deter risks.

Small and Medium Enterprises contribute to the South African economy and also to the economies of other countries. The Small and Medium Enterprise (SME) sector promises significant benefits to the South African economy. Nimrod (2014) confirmed that South African manufacturing SMEs are still considered the key drivers of GDP growth and direct employment, contributing immensely to the fight against poverty through providing much-needed jobs and consumer products. According the American

Another important trend involves the rapid automation of manufacturing processes and an increasing reliance on integrated IT systems throughout the manufacturing sector. For instance, new supply chain management systems allow manufacturers, suppliers, and customers to share information on orders, production schedules, and inventory levels in order to reduce costs and ensure timely order fulfillment (First Research, 2013). An outcome of these trends is a growing dependency on IT systems and declining employee headcounts. While such trends are likely to provide cost savings and increased efficiencies in some areas, managers and auditors must consider the risks corresponding with an increased reliance on IT over manual processes.

Audit standards require that independent auditors obtain a thorough understanding of their clients, including their respective business objectives, risks, and internal control activities; a task made more challenging given some of the significant trends referenced above. For instance, a manufacturing sector client may decide to offshore a key business function as a cost saving function, but may in turn find it difficult to implement a key internal control activity within their new foreign operations. Auditors may in turn conclude that the “offshored” business function represents a control weakness requiring additional attention and audit effort. The referenced manufacturing sector trends also present unique challenges to managers who must be nimble in responding to any new environmental risks that may arise. Managers must also examine their entity’s internal control activities to evaluate whether the implemented policies and procedures effectively mitigate the risks that might prevent the company from achieving its strategic objectives.

3. INTERNAL CONTROL WITHIN THE REVENUE PROCESS

In May of 2013, COSO issued an updated internal control framework. This framework defines internal control as a process designed to provide reasonable assurance regarding the achievement of objectives relating to operational effectiveness and efficiency, reliability of financial reporting, and compliance with applicable laws and regulations (COSO, 2013). According to the framework, internal control consists of five integrated components: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring. The tool provided in this paper should be useful to independent auditors and manufacturing sector managers as a “memory jogging” resource when assessing key risks and identifying related control activities that have been implemented to mitigate the identified risks. Thus, the tool fits within the context of the “Risk Assessment” and “Control Activities” components of internal control as identified within the integrated framework. Table 1 lists seven key control principles identified by COSO which pertain to these two control components and relate closely to the evaluation tool.

Table 1: Key Principles for the Risk Assessment and Control Activities Components
Internal Control – Integrated Framework (COSO, 2013)

| Risk Assessment | Control Activities |
| --- | --- |
| The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
| The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | The organization selects and develops general control activities over technology to support the achievement of objectives. |
| The organization considers the potential for fraud in assessing risks to the achievement of objectives. | The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. |
| The organization identifies and assesses changes that could significantly impact the system of internal control. | |

As highlighted in Table 1, managers must carefully identify objectives with sufficient clarity to enable the identification and assessment of risks to achieving these objectives. In addition, auditors must evaluate whether their client’s internal control over financial reporting is effective in order to mitigate the risk of misstated and/or fraudulent financial statements (AS 5). To perform this evaluation, auditors must also consider the COSO framework and perform their own independent assessment of the risk of misstatement in the client’s financial reporting. Weaknesses in their client’s internal control would entail heightened control risk and increased risk of material misstatement, and subsequently auditors have to exert additional audit effort to achieve a reasonably low level of audit risk. Thus, both independent auditors and corporate managers must develop a robust understanding of strategic objectives, perform a comprehensive assessment of the risks to achieving these objectives, and evaluate the design and effectiveness of control activities currently in place to mitigate the assessed risks. The evaluation tool provided in the following section should assist auditors and managers alike in performing these important responsibilities within the context of a manufacturing business.


The COSO internal control framework was selected to function as the main guideline for this study due to the fact that it is widely adopted by both public and private corporations across the US and Europe in their efforts to organize internal control (Jokipii, 2006). However, it should be noted that the “Information and communication” dimension of the COSO framework has been left out from the scope of this study due to the case company’s request and its indistinctive nature. In addition to the COSO framework, a variety of academic and professional literature was reviewed in order to build a theoretical foundation for answering the research questions.

1.3. Research method of the study

This study can be described as a descriptive single-case study. The aim of the study is to describe and understand the risks and the controls in the case company’s sales process and to suggest improvements to internal controls where necessary. The majority of the data collection was performed through theme interviews with different level employees of the case company. These employees were working in the fields under examination and thus considered knowledgeable to evaluate the existing risks and controls in these areas. Conversations with the case company’s finance director also played an important role in developing understanding of the company’s sales process and its risks and controls.

Theme interviews and conversations were not the only methods utilized for data collection, however. One internal control questionnaire was sent out to the Accounts Receivable Manager in Estonia and some specific verbal inquiries that cannot be classified as interviews were conducted when considered necessary. I was also capable of extracting information from the case company’s internal materials and IT systems when these sources were considered to provide valuable data. Moreover, my active participation in the activities of the case company’s financial administration team during the study allowed me to make valuable observations about the company’s everyday operations.

It was noticed in an early phase of this study that the literature that gives actual recommendations on how to arrange internal controls in a sales process is rather scarce. For this reason, internal control documentation of three Finnish medium-size companies was obtained in the hopes of getting a better picture of how internal controls (in sales process) are set up in other companies of

Sales process

The sales process consists of all the activities through which a company markets, delivers, invoices and cashes in its products (Vahtera, 1986: 288). Every organization’s sales process is individual, depending on the nature of its business and a variety of other factors, and thus involves somewhat different risks and approaches to internal control. A company’s sales process often begins with signing a sales contract and entering customer master data to the organization’s information system, and it reaches its conclusion with a customer payment or reclamation (Ahokas, 2012: 102).

2. Internal control

In this chapter, internal control and its role in a company’s sales process are discussed. First, a general look will be taken into the evolution and expanding scope of internal control and why it has become such an important issue in today’s business environment. After that, a description of the COSO internal control framework is provided and its different components are discussed along with relevant literature. At the end of this chapter, the foundation for the case study is laid in the sense that a company’s sales process and its inherent risks and suggested controls are examined.

At the level of individual controls, making the distinction between preventive and detective controls can help the evaluator identify missing controls over a given risk (Roth & Espersen, 2004). Preventive control activities aim to deter the instance of errors or fraud from happening in the first place, and they are often built into the system of internal control (Ahokas, 2012: 35). Preventive controls often require a lot of effort in the implementation phase, but maintaining them is often less resource-consuming. Below are listed some examples of preventive controls as illustrated by Ahokas (2012: 35) and Brown (1995):

• Segregation of duties
• Proper authorization of payments in accordance with pre-established acceptance limits
• Matching invoices against the (sent/received) bill of lading documents
• Usage of price lists in customer invoicing
• Allowing purchases only from accepted suppliers/vendors
• Physical controls aiming to deter occurrence of theft and improper behavior (locks etc.)
• Restricting access to sensitive data and files (passwords etc.)
• Credit authorization system that checks customer’s credit worthiness before goods are shipped
• Hiring qualified personnel

Detective controls are often expensive or time-consuming to maintain, but they are considered essential for achieving effective internal control. Some examples of detective controls are listed below (Ahokas, 2012: 36; Brown, 1995):

• Reconciliation of balance sheet’s cash account against bank’s balance statement
• Stock inventories
• Comparing accounts payable against creditors’ verifications
• Comparing accounts receivable against debtors’ verifications
• Ensuring validity of salary payments through random sampling
• Analytical checkups
• Monitoring controls in general
• Verifying proper use of pre-numbered documents

Reconciliations and inventory checkups are traditional examples of detective controls whereas analytical and monitoring controls have increased their popularity lately. Analytical checkups refer to the analysis of different types of key business ratios (e.g. accounts receivable in relation to total assets). For example, if inexplicable deviations occur in certain key ratios they are analyzed and their causes are investigated. Monitoring controls are normally quarterly or monthly checkups that aim to ensure that certain control targets have been met during the given period, and they are often targeted at ensuring the appropriateness of (specific types of) individual transactions. (Ahokas, 2012: 36)

Another useful categorization is dividing control activities into automatic and manual controls. Identifying controls as automated or manual can help in designing possible control tests (Roth & Espersen, 2004). A control activity is manual when a person participates in the execution. For example, different types of verifications and analytical checkups are manual control activities. Evidently, automatic control is in question when the control activity is executed by computer software. An example of such a control would be setting an automated checkup of customer’s credit balance when an order is received (Ahokas, 2012: 37).

The nature and extent of the internal controls in an organization will depend to a large extent on the size of the organization, what controls it can afford and whether the benefits obtained from any particular measure are sufficient to justify its cost (Coyle, 2004: 191). It is important to emphasize that control activities are to be put in place as responses to observed risks, i.e. they are derived from the company’s risk assessment and serve as risk responses. Risks and control activities are inseparable. Figure 3 below illustrates the relationship between these internal control components:

Management mitigates risks by designing and implementing internal controls and procedures that will reduce risks to an acceptably low level. The amount of risk left over, after internal controls have been designed and implemented, is referred to as residual risk. In terms of financial reporting, residual risk is the risk of material misstatement realizing in financial statements. (IFAC, 2010b: 130)

Objective
• Proper credit limits are established for new customers

Risk
• Credit losses

Control
• Controller conducts a credit analysis and, based on that, establishes a credit limit to the ERP system

Figure 3: Illustration of the relationships between objectives, risks and controls

The effort to comply with the Sarbanes-Oxley Act (SOX) has focused management attention on the importance of assessing, developing and maintaining an effective and efficient internal control system. ERP systems are a crucial factor in developing such a system. Despite the attention this has attracted in practice, little academic research has focused on this area. This chapter addresses the question: How are ERP systems implicated in Sarbanes-Oxley compliance? It aims to show how SOX requirements regarding assessment and improvement of internal controls are related to the functionalities of an ERP system both in local and global implementations. It examines a solution (mySAP ERP) offered by one specific vendor (SAP) and what functionalities are relevant to global SOX compliance. Based on this, the chapter discusses likely developments regarding compliance functionalities in future releases of ERP systems.
