Internal Controls - Prevention and Detection Overview

Every company should have sound internal controls in place to ensure the integrity of the financial statements.

What Are Internal Controls in Accounting?

Internal controls consist of policies and procedures put in place by a company to guide the activities of the financial reporting department. Internal controls are necessary because every company faces risks ranging from reporting errors, to misappropriation of company assets. 

There are two main types of internal controls, preventive controls and detective controls.

Prevention Controls

These are designed to prevent the misstatements in the financial reporting process. Preventive controls need to be the focus when designing internal procedures in the accounting function. Some examples of these controls include the following:

Access Controls

These controls can prevent the unauthorized entry of employees or transactions into the company's accounting software and access to assets.  

Access controls are important as they are the first line of defense in protecting the integrity of the financial statements and other assets. Access controls can be physical or technological.

Examples of physical access controls include:

• Physically locking up paper check copies so a limited amount of people have access.
• Keeping keys for certain rooms, file cabinets, and equipment locked up.
• Locked doors that require electronic badges for entry - this restricts access to only authorized employees.
• Warehouses with fences and specific consideration for key distribution.

Examples of technological access controls include: 

• Computer login credentials and passwords for each individual that needs to access a computer.
• Login credentials for software, which are limited to those people how need to use that software including correct access to certain modules. (i.e. an A/P clerk does not necessarily need to have access to the whole general ledger)
• Duel authentication for accessing software.
• Automatic computer/software log outs after a period of no activity.

Edit Controls 

In accounting software, edit controls prevent certain types of transactions that fall outside of approved parameters. For example, the software may prevent journal entries from being posted to a prior period.

Edit controls are important because they restrict activity of authorized people, preventing errors or misappropriation of company assets. Some examples are as follows: 

• Journal entries over a certain dollar amount may need a second approver before they are posted to the books.
• Allowing different levels of access and edits only to authorized people in the accounting software.
  • Some employees may need to review accounts receivable activity to make collection calls but they don't necessarily need to have the ability to edit that account. That person may be skilled at collections, but not at accounting or using the accounting software.
• The ability to trace back to the origin of an entry or the person who made the entry.
• The ability to edit the employee access controls in a software should be managed by an owner or other member of management.

Segregation of Duties

The concept underlying segregation of duties is that individuals should not be put in situations in which they could both perpetrate and cover up fraudulent activity by manipulating the accounting records. Proper segregation of duties requires that at least two employees be involved in a process so that one individual does not have both the processing authority and the custodial authority of an asset.

Physical controls prevent the unauthorized use of assets. Blank checks, signature stamps, and any other banking information should be kept locked up in a safe place and the key should be retained by an approved person.

Employee Education

Employee education is important in the financial reporting process because when an employee understands the accounting concepts, the internal controls surrounding reporting on those concepts, and the importance of their role, the probability of errors in the financial reporting function decreases. 

Detection Controls

These are designed to identify problems that have occurred in the financial reporting process.

Regular Review of Financial Statements

Balance sheet and select income statement accounts should be reconciled monthly to substantiate the balances. 

Monthly financial statement review procedures should be implemented to provide an additional layer of oversight. The reviewer should be either an owner, an accounting manager who is not working in the details of the general ledger making daily or monthly entries, the company’s accounting firm, or a combination of the above. 

Comparing financial statements to prior periods can reveal material or unusual variances that should be investigated, and the findings should be documented. Issues that may be identified include, inconsistencies of the recognition of revenues and expenses, gross profit margin fluctuations, inconsistencies in account usage, errors either accidental or intentional, etcetera. 

Routine Inventory Counts

Physical inventory counts are procedures that should be performed at a minimum, annually at year end. Inventory on the books should then be adjusted to what is actually on hand. This type of detection control is common among many industries and substantiates the value of inventory reported on the financial statements. 

Depending on the frequency of counts, the patterns of adjustments made may require further investigation. For example, if you sell smaller valuable ready to use products, and your inventory counts are consistently lower than what’s on the books, you may have theft in the inventory holding facilities. 

Internal Audit Procedures

Using internal audit procedures as a detection control to find errors can be useful in multiple accounting functions. One example of this may be to pull the accounts payable listing at month end and haphazardly select 5% of the transactions to audit. 

Another example would be auditing individuals who are on the payroll. This audit would include:

• Verify that the employee is an actual employee.
• Checking that each employee’s salary or hourly wage matches what their employment agreement says.
• Verifying that their requested retirement contributions and health savings account deductions are being withheld and remitted accurately.
• Verifying that income tax withholdings for both federal and state are correct.
• If they are hourly employees, reviewing timesheets and recalculating wages paid. 
• Reviewing paid time off policies and usage by the selected employees.

Finally, a whistleblower hotline should be implemented and communicated to employees.

A whistleblower hotline is designed to allow people to report unethical behavior. 

Anytime there is a change of accounting software, or a change in an accounting process, the internal controls should be reviewed and updated as needed. Once sound internal controls are in place, the company will need to implement ongoing monitoring activities to identify any control weaknesses or failures. These activities will include having processes documented and updated as needed, employee education, and monitoring the results of the detective controls. For more like this, subscribe to our blog.