Understand the framework for systems of internal controls

Amanda White; Mitchell Franklin; Patty Graybeal; and Dixon Cooper

Internal controls are the systems used by a business to manage risk and diminish the occurrence of fraud. The internal control structure is made up of the control environment, the accounting system, and procedures called internal control activities. Several years ago, the Committee of Sponsoring Organizations (COSO), which is an independent, private-sector group whose five sponsoring organisations periodically identify and address specific accounting issues or projects, convened to address the issue of internal control deficiencies in the operations and accounting systems of organisations. They subsequently published a report that is known as COSO’s Internal Control-Integrated Framework. The five components that they determined were necessary in an effective internal control system make up the components in the internal controls triangle shown below:

Triangle with Internal Controls at the top, then each level going down is: Control of environment, Assessment of risk, Control of operational activities, Monitoring of control processes, and at the base is Accurate communication of information.

The above diagram is the official worldwide depiction of internal controls – but I find the diagram below a bit more understandable, as it better represents how all of the components fit together. This diagram is one you’ll see in auditing and assurance textbooks across the world.

A triangle cut into segments with each segment containing a part of the system of internal control

Understanding the components of a system of internal controls

Control environment

The control environment is the environment in which the business and its employees operate – it is the culture that management creates, the business’s operating philosophy, and how it hires and remunerates employees. It can be difficult to measure in a quantifiable way – but the control environment strongly influences employee attitudes in relation to fraud. For example, if you’ve ever worked for a tyrannical manager or boss, you’re unlikely to work hard to help the business achieve its goals – you may even work as slowly as is acceptable because management does not inspire you to do well and follow the policies and procedures of the business. The reason it is the base of the triangle is that it forms the foundation of the business.

Risk assessment

The reason risk assessment is placed on top of the control environment is that risk assessments are conducted on the business and its environment. Every business should conduct regular risk assessments – an assessment of their operating environment to identify any potential risks (or threats) to the business and their ability to achieve their goals. Risks may arise from the structure of the business itself, the nature of the industry, a change in government regulation, the actions of employees or the actions of competitors. For example, many hospitality businesses faced changing restrictions during COVID-19 lockdowns – resulting in the need to pivot to takeaway only during a lockdown, then needing to try to hire more staff when they were able to resume more regular trade. A business should engage in regular risk assessments, in some industries more frequently than others. In some circumstances, such as during the COVID-19 pandemic, many businesses are likely to conduct more frequent risk assessments than in non-pandemic times.

Internal control activities

In response to risks, a business should implement internal controls. Internal controls are policies, procedures, systems and processes to ensure that all employees act in a manner that helps the business achieve its objectives. Internal controls aim to prevent or detect risks, or to ensure that risks do not create significant business disruption. A business cannot implement controls to prevent or detect every single risk to the business; that would be prohibitively expensive. Instead, the business must conduct a cost-benefit analysis to determine where controls are most necessary – that is, where there is the greatest risk of loss or fraud – and where it may decide not to implement controls – that is, where the business accepts the possibility of some loss as a result of that risk. The reason that internal controls sit on top of the risk assessments is the recognition that internal controls don’t cover risk entirely – only the subset of risks that we think are most likely to occur.

An example is the supermarket industry. A supermarket cannot prevent absolutely all theft of inventory by customers; instead, they implement some controls to try to prevent and detect theft. This includes security cameras and supervisors at self-service checkouts. However, they accept that some theft will occur, especially for small items like chewing gum or small tins of tuna. For higher value inventory such as expensive cuts of meat, supermarkets have started adding RFID tags to these items. This will alert the business if a customer attempts to remove one of these items from the store without making payment.

Fun fact: the retail industry actually created an accounting estimate for theft of inventory that is called “shrinkage”.

Internal control activities are typically embedded within business processes and systems. For example, to reduce the risk that a supermarket checkout operator or cashier may steal cash from the register, a count of cash before and after the operator’s shift may be conducted. The register will record sales and which sales were paid for electronically, and those that used physical cash. The cash in the register at the start of the shift, plus any cash received from customer payments should equal the cash in the register at the end of the shift. This checking of the cash is called a reconciliation and acts as an internal control to detect any cash that might be missing from the register. The cashier must count their cash, and usually a shift supervisor or store manager will check their work and sign off on the reconciliation.
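The cash reconciliation described above, written out as an added example (not part of the chapter or its authors’ materials): the register data, the opening float and the tolerance are all constructed assumptions, and the control only flags a variance for the supervisor to investigate.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class Sale:
    amount: Decimal
    tender: str  # "cash" or "card" (card sales never touch the drawer)

def expected_closing_cash(opening_float: Decimal, sales: list[Sale]) -> Decimal:
    """Opening float plus all cash tendered during the shift."""
    cash_in = sum((s.amount for s in sales if s.tender == "cash"), Decimal("0"))
    return opening_float + cash_in

def reconcile(opening_float: Decimal, sales: list[Sale], counted_cash: Decimal,
              tolerance: Decimal = Decimal("2.00")) -> dict:
    """Detective control: compare the cashier's count with what the register says
    should be in the drawer. The tolerance is an assumed policy value, not the
    chapter's; anything outside it is flagged for supervisor investigation."""
    expected = expected_closing_cash(opening_float, sales)
    variance = counted_cash - expected
    if abs(variance) <= tolerance:
        status = "balanced"
    elif variance < 0:
        status = "short"
    else:
        status = "over"
    return {
        "expected": expected,
        "counted": counted_cash,
        "variance": variance,
        "status": status,
        # The supervisor checks and signs off every shift, not only the bad ones.
        "supervisor_signoff_required": True,
        "investigate": status != "balanced",
    }

# Constructed shift data: the register's own record of tenders for the shift.
OPENING_FLOAT = Decimal("200.00")
SHIFT_SALES = [
    Sale(Decimal("45.50"), "cash"),
    Sale(Decimal("30.00"), "card"),
    Sale(Decimal("12.25"), "cash"),
    Sale(Decimal("8.00"), "cash"),
]

if __name__ == "__main__":
    # Cashier counts $245.75 at close; the register says $265.75 should be there.
    print(reconcile(OPENING_FLOAT, SHIFT_SALES, Decimal("245.75")))
```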

We will delve into internal control activities in greater detail in the next section of this chapter.

Communication and information systems

It is important for businesses to gather data about their business processes. This data may be collected in accounting systems, point of sale systems, ordering systems, timesheet systems and many others. The business will be collecting financial (accounting) and non-financial data. In today’s businesses, these systems are likely to be highly integrated to allow businesses to use all of this data to help them make optimal decisions in their day-to-day operations. For small to medium-sized businesses, Xero is one of the most popular accounting software products that connects to apps of every type imaginable.

Information systems can also be used to alert business management when someone is attempting to breach an internal control – examples include notifying bank management when an incorrect passcode or PIN for an account is used multiple times, or when a secured system is accessed from an unregistered IP address. Hence communication and information systems on the diagram span the entire side of the triangle, as they collect data on the environment, risk assessments and control activities.
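The two alerts just described, as an added example (not from the chapter): detection logic run over constructed authentication events, firing when one account fails its PIN repeatedly within a short window, and when an account is used from an IP address outside its registered set. The event format, the registered-IP table, the threshold and the window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, outcome, source IP).
# Addresses are from documentation ranges, not real systems.
EVENTS = [
    ("2024-03-01T09:00:05", "acct-1001", "pin_fail", "203.0.113.10"),
    ("2024-03-01T09:00:20", "acct-1001", "pin_fail", "203.0.113.10"),
    ("2024-03-01T09:00:41", "acct-1001", "pin_fail", "203.0.113.10"),
    ("2024-03-01T09:01:02", "acct-1001", "pin_ok",   "203.0.113.10"),
    ("2024-03-01T09:30:00", "acct-2002", "pin_ok",   "198.51.100.7"),
    ("2024-03-01T11:15:00", "acct-3003", "pin_fail", "192.0.2.5"),
]

# Constructed table of IPs each account is registered to use.
REGISTERED_IPS = {
    "acct-1001": {"203.0.113.10"},
    "acct-2002": {"198.51.100.8"},
    "acct-3003": {"192.0.2.5"},
}

def detect(events, registered, max_failures=3, window=timedelta(minutes=5)):
    """Return (account, alert_type, detail) tuples for management to review."""
    alerts = []
    recent_failures = defaultdict(list)  # account -> timestamps of failures in window
    for ts_str, account, outcome, ip in events:
        ts = datetime.fromisoformat(ts_str)
        # Control 1: access from an IP the account has not registered,
        # regardless of whether the PIN was correct.
        if ip not in registered.get(account, set()):
            alerts.append((account, "unregistered_ip", ip))
        # Control 2: repeated wrong PINs for one account inside the window.
        if outcome == "pin_fail":
            cutoff = ts - window
            kept = [t for t in recent_failures[account] if t >= cutoff]
            kept.append(ts)
            recent_failures[account] = kept
            if len(kept) >= max_failures:
                alerts.append((account, "repeated_pin_failures", ts_str))
                recent_failures[account] = []  # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, REGISTERED_IPS):
        print(alert)
```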

Monitoring of internal controls

It is critical that businesses monitor the performance of their internal controls, and monitoring sits at the top of the triangle because it oversees all of the other components. It is important that an internal control is operating, but it is also important for management of a business to know when that control STOPS operating as it should – that is, when the control begins to fail. This is because a failing control increases the opportunity for fraud or unintentional error. Imagine if the self-service checkout machine at the supermarket stops weighing the items customers are scanning and putting into their shopping bag and no longer provides the “unexpected item in bagging area” message. Customers could engage in theft by simply adding unscanned items, and the staff member supervising the area would have no idea that theft is occurring.

Note that monitoring and information systems are adjacent to each other – this is because, to engage in monitoring, the business relies on its information systems to gather the data required and summarise or collate it so that management can monitor. It could be argued that if a business does not monitor internal controls, then there may not be much point in having them.

Overall goals of a system of internal controls

What are the goals of a system of internal controls? The primary goal is to protect the equity of shareholders – the value of the business. That can be broken down further into the following aspects:

  • ensure assets are properly used
  • ensure that the accounting system is functioning properly
  • monitor operations of the business to ensure maximum efficiency
  • ensure that assets are kept secure
  • ensure that employees are in compliance with business policies and procedures and government regulations

Our system of internal controls is not just about accounting – but across all facets of the business.

Different businesses face different types of risk, but when internal control systems are lacking, the opportunity arises for fraud, misuse of the business’s assets, and employee or workplace corruption. Accountants, managers and owners all have a role to play in understanding the risks faced by businesses and implementing and maintaining a system of internal controls to protect the business.

In future chapters we will use some of the information collected within financial and non-financial systems to be able to evaluate business performance and identify areas for improvement.



Understand the framework for systems of internal controls Copyright © by Amanda White; Mitchell Franklin; Patty Graybeal; and Dixon Cooper is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
