1 / 7100%
The Value Proposition for Internal Controls
ACCT 2002 - Managerial Accounting: Introduction to Financial Planning and Analysis
Walden University
According to Campbell et al (2009) the basic benefits of internal controls include: increasingly
effective operations, highly reliable financial reporting, and industry-leading compliance
programs. The Institute of Internal Auditors’ (IIA) Research Foundation published a detailed
report titled “Sarbanes-Oxley Section 404: Looking at the Benefits,” by Larry E. Rittenberg and
Patricia K. Miller. This report highlighted significant additional benefits from control
improvements brought about by section 404:
It added structure in the year-end closing process and recording of journal entries,
resulting in recognition of the additional complexity in these areas.
It increased anti-fraud activities, including defined processes, which include
responsibility for follow-up.
It improved the documentation of controls and control processes evaluation.
It improved the definition of controls across the organization, including the crucial
relationship between these controls and risk.
It spurred a return to the foundation of basic controls (e.g., segregation of duties, periodic
reconciliation of accounts, and authorization processes) that had eroded as organizations
downsized or consolidated operations in order to drive costs down and remain
Organizations derive additional value from their internal controls work, whether it is done for
section 404 or for the stakeholders of a not-for-profit organization. In addition, the report found
that market leaders can leverage the knowledge base built during the assessment process,
documentation development, and the relationships defined across business processes to create
measurable value across the entire organization. When this occurs, the true organizational return
on investment in SOX compliance can be realized (Campbell et al 2009)
Campbell et al continues to note that two areas of particular value enhancement are business
process improvement and risk management assessments. Combining business process
improvement with SOX internal control efforts allows companies to benefit from reengineered
business processes, resulting in fewer controls and better downstream business performance. The
SEC’s recent emphasis on a more risk-based approach to the identification of key processes, key
controls, and appropriate testing has many organizations focused on the broader value produced
through enterprise risk management. Here the organization uses risk assessment as a strategy to
boost its bottom line, much like cost containment.
Many companies without a chief risk officer or risk council are considering implementation of
these concepts to deliver greater corporate value. Companies at the leading edge of discovering
additional value in internal controls have developed techniques proven to drive more predictable
revenue, minimize outstanding receivables, reduce operational costs, and even improve a
company’s performance. (Campbell et al 2009)
The COSO Internal Control Model
The COSO internal control framework was first introduced in 1992, and in 1994 a
comprehensive four-section report on internal controls was issued, consisting of an executive
summary, a framework, guidance to public companies on reporting on internal controls to third
parties, and evaluation tools to help a company comprehensively assess its current control
Campbell et al (2009) notes that the COSO framework is relevant to achieving company
objectives in three areas; Operational goals, the framework relates to the effective and efficient
usage of all of a company’s resources, financial reporting goals, the construct gives guidance on
the consistent production of reliable financial reports and compliance goals. The guidance
creates a topology of the company’s compliance requirements as they relate to industry
regulations or legal requirements for public entities.
Control Activities
Market leaders have focused controls on prevention rather than detection. They have
reengineered business processes, where needed, to incorporate prevention. Automating control
checks by utilizing software features that can complete checks without any specific action is also
beneficial. Internal auditing can help provide direction to business process owners searching for
the best approach to use. Working closely with the board helps the internal audit functions
receive the company-wide exposure necessary for business process owners to recognize the
value delivered to the organization (Campbell et al 2009).
Leading-edge companies in internal controls implementation effectively utilize technology in
several ways. First, they build in controls wherever cost-effective, because this one-time change
activates a continual and long-lasting process of control testing. Automated control testing also
brings about a quicker response time to potential problems and needed corrections.
Limitations of Internal Control
Strauss (2003) identifies a series of limitations to internal control. Among them is that internal
control can provide reasonable, not absolute, assurance that the objectives of an organization will
be met. The concept of reasonable assurance implies a high degree of assurance, constrained by
the costs and benefits of establishing incremental control procedures.
Effective internal control implies the organization generates reliable financial reporting and
substantially complies with the laws and regulations that apply to it. However, whether an
organization achieves operational and strategic objectives may depend on factors outside the
enterprise, such as competition or technological innovation. These factors are outside the scope
of internal control; therefore, effective internal control provides only timely information or
feedback on progress towards the achievement of operational and strategic objectives, but cannot
guarantee their achievement.
There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to
properly segregate duties, which requires the implementation of compensating controls to ensure
that objectives are achieved. A limited inherent in any system is the element of human error,
misunderstandings, fatigue and stress. Employees are to be encouraged to take earned vacation
time in order to improve operations through cross training while enabling employees to
overcome or avoid stress and fatigue.
The cost of implementing a specific control should not exceed the expected benefit of the
control. Sometimes there are no out-of-pocket costs to establish an adequate control. A
realignment of duty assignments may be all that is necessary to accomplish the objective. In
analyzing the pertinent costs and benefits, managers also need to consider the possible
ramifications for the University at large and attempt to identify and weigh the intangible as well
as the tangible consequences.
Internal controls should reduce the risks associated with undetected errors or irregularities, but
designing and establishing effective internal controls is not always a simple task and cannot
always be accomplished through a short set of quick fixes. However, we hope this chapter has
helped to explain the basic internal control concepts and given you some ideas for improving
your department's controls.
Fraud and internal control
Internal control plays an important role in the prevention and detection of fraud. Under the
Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess
related controls. This typically involves identifying scenarios in which theft or loss could occur
and determining if existing control procedures effectively manages the risk to an acceptable
level. The risk that senior management might override important financial controls to manipulate
financial reporting is also a key area of focus in fraud risk assessment. (Wikipedia as at 24
October, 2011)
Elements of Internal Control
Strauss (2003) notes that internal control systems operate at different levels of effectiveness.
Determining whether a particular internal control system is effective is a judgment resulting from
an assessment of whether the five components - Control Environment, Risk Assessment, Control
Activities, Information and Communication, and Monitoring - are present and functioning.
Effective controls provide reasonable assurance regarding the accomplishment of established
Arens, A., Best, P., Schailer, G., Fiedler, B.,Elder, R., & Beasley M.,(2007) Auditing and
Assurance Services in Australia, an Integrated Approach, 7th Edn., Pearson Education
Australia, Sydney
Altamuro, J., Beatty, A., 2007. Do internal control reforms improve earnings quality? Working
Paper, The Ohio State University.
Ashbaugh-Skaife, H., Collins, D., Kinney, W., 2007. The discovery and reporting of internal
control deficiencies prior to SOX-mandated audits. Journal of Accounting and
Economics 44, 166-192.
Ashbaugh-Skaife, H., Collins, D., Kinney, W., LaFond, R., 2008. The effect of SOX internal
control deficiencies and their remediation on accrual quality. The Accounting Review 83,
Ball, R., 2004. Corporate governance and financial reporting at Daimler-Benz (DaimlerChrysler)
AG: From a “Stakeholder” toward a “Shareholder Value” Model. In: Leuz, C., Pfaff, D.,
Hopwood, A., (Eds.). The Economics and Politics of Accounting. London: Oxford
University Press, 103-145.
Campbell, Mary Campbell, and Gary W. Adams (2009) Adding Significant Value with Internal
Controls, New York State Society of CPAs
Wright R (2009) Internal Audit, Internal Control and Organizational Culture, Unpublished PhD
Students also viewed