Day 7

The document outlines the structure and objectives of internal controls, emphasizing management's responsibility for establishing these systems to ensure accuracy, safeguard assets, and promote operational efficiency. It discusses various types of controls, including preventive, detective, corrective, and compensating controls, as well as the components of internal control such as risk assessment and monitoring. Additionally, it highlights the limitations and potential weaknesses of internal controls, emphasizing the need for a comprehensive approach to mitigate risks.

Uploaded by

Charlene Navarra
Internal Controls
ACC 100
Learning Objectives
1. Understanding internal control structure.
2. Understanding internal control objectives.
3. Understanding control activities.
What are the Internal Control Objectives?
• To safeguard assets of the firm.
• To ensure the accuracy and reliability of accounting records and information.
• To promote efficiency in the firm’s operations.
• To measure compliance with management’s prescribed policies and procedures.
Presenter notes (Summary of Comments on ACC 100 - Day 7 - Internal Control.pdf, page 3, 1/13/2025 12:09:48 PM):
Management is responsible for establishing and maintaining the internal control system.
Modifying Assumptions to the Internal Control Objectives
• Management Responsibility
• Reasonable Assurance
• Methods of Data Processing
Presenter notes (page 4):
Management Responsibility – this concept holds that the establishment and maintenance of a system of internal control is a management responsibility.
Reasonable assurance – the internal control system should provide reasonable assurance that the four broad objectives of internal control are met in a cost-effective manner. This means that no system of internal control is perfect and the cost of achieving improved control should not outweigh its benefits.
Methods of data processing – internal controls should achieve the four broad objectives regardless of the data processing method used. The control techniques used to achieve these objectives will, however, vary with different types of technology.
Limitations of Internal Controls
1. Possibility of errors – no system is perfect.
2. Circumvention – personnel may circumvent the system through collusion or other means.
3. Management override – management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so.
4. Changing conditions – conditions may change over time and render existing controls ineffective.
Internal Control Weaknesses and Risks
• Destruction of assets
• Theft of assets
• Corruption of information or the information system
• Disruption of the information system
The Internal Control Shield
The PDC Internal Control Model
Control Functionalities
Preventive Controls
1. The first line of defense in the internal control structure.
2. These controls are passive techniques designed to reduce the frequency of occurrence of undesirable events.
3. These controls force compliance with prescribed or desired actions and thus screen out aberrant events.
Detective Controls
1. The second line of defense in the internal control structure.
2. These are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
3. These controls reveal specific types of errors by comparing actual occurrences to pre-established standards.
4. When the detective control identifies a departure from standard, it sounds an alarm to attract attention to the problem.
Corrective Controls
1. These are actions taken to reverse the effects of errors detected in the previous step.
2. These controls actually fix the problem detected by detective controls.
Deterrent Controls
1. These are administrative mechanisms that are used to guide security within an organization and discourage potential intruders.
2. They are intended to complement other controls, such as preventative and detective controls.
Presenter notes (page 13):
Examples of deterrent controls include: Signage, Fencing, Visible security cameras, "Under surveillance" signs, and Warning signs.
Recovery Controls
1. These are a way to restore a system to normal operations after an incident.
2. They can be used to respond to a security breach, rather than prevent it.
Presenter notes (page 14):
Here are some examples of recovery controls:
Backups
System restoration
Rebooting
Key escrow
Insurance
Redundant equipment
Fault-tolerant systems
Failovers
Contingency plans (BCP)
Compensating Controls
1. These are security measures that are implemented when it is too difficult or impractical to implement the primary control.
2. These are also known as alternative controls.
3. These are usually less desirable than primary controls because they are often implemented after a transaction is complete.
Presenter notes (page 15):
Some examples of compensating controls include:
Management review
Independent reconciliations
Dual authorizations
Automation of financial processes
Forced vacations
Cross training
Positive payment system
Components of Internal Control
• Control Environment
• Risk Assessment
• Information and Communication
• Monitoring
• Control Activities
Control Environment
1. Integrity and ethics of management
2. Organizational structure
3. Role of the board of directors and the audit committee
4. Management’s policies and philosophy
5. Delegation of responsibility and authority
6. Performance evaluation measures
7. External influences—regulatory agencies
8. Policies and practices managing human resources
Risk Assessment
Identify, analyze and manage risks relevant to financial reporting:
1. changes in external environment
2. risky foreign markets
3. significant and rapid growth that strains internal controls
4. new product lines
5. restructuring, downsizing
6. changes in accounting policies
Information and Communication
The AIS should produce high quality information which:
1. identifies and records all valid transactions
2. provides timely information in appropriate detail to permit proper classification and financial reporting
3. accurately measures the financial value of transactions
4. accurately records transactions in the time period in which they occurred
Monitoring
The process for assessing the quality of internal control design and operation
1. Separate procedures—test of controls by internal auditors
2. Ongoing monitoring:
• computer modules integrated into routine operations
• management reports which highlight trends and exceptions from normal performance
Control Activities
1. Policies and procedures to ensure that the appropriate actions are taken in response to identified risks
2. Fall into two distinct categories:
• IT controls—relate specifically to the computer environment
• Physical controls—primarily pertain to human activities
IT Controls
• General IT Controls (GITCs) – pertain to the entity wide computer environment
• Application Controls – ensure the integrity of specific systems
General IT Controls (GITCs)
These are policies and procedures that relate to many applications and support the effective functioning of application controls.
GITCs maintain the integrity of information and security of data.
GITCs over the following:
• Data center and network operations
• System software acquisition, change and maintenance
• Program change
• Application system acquisition, development and maintenance
• Access security
Application Controls
• Application controls operate at a business process level (higher level controls or process level controls).
• Designed to ensure the integrity of information.
• Application controls may be automated controls or manual controls with an automated component.
• Application controls help ensure that transactions occurred, are authorized, and/or are completely and accurately recorded and processed.
• Application controls do not only reside in IT applications.
• Automated components of application controls may also be programmed into databases and other operating system components to consistently apply predefined business rules and perform complex calculations directly related to the input, processing, preservation of integrity, and output of information.
Types of Application Controls

SYSTEM CONFIGURATION INTERFACE CONTROLS SYSTEM ACCESS


CONFIGURATION/ACCOUNT CONTROLS OVER
MAPPING EXCEPTION/EDIT REPORTS
Presenter notes (page 27):
Exception or edit reports usually work in combination with manual control to review the report.
System access includes enforcing segregation of duties.
Examples of Application Controls
• Restricting system access to selected business functions, such as the ability to approve purchase orders over an established limit or enforcing the segregation of duties among different accounting responsibilities, such as an ability to create a vendor, authorize an order and release payment.
• Automated controls such as edit checks of input data and numerical sequence checks.
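The application controls listed above can be combined into one automated exception report. The sketch below is an added example, not part of the original slides: it flags users who hold incompatible duties, purchase orders approved over the approver's limit, and gaps or duplicates in the PO number sequence. All duty names, users, limits and PO data are constructed assumptions.

```python
# Added example. Duty names, users, limits and orders are constructed.
INCOMPATIBLE = {"create_vendor", "authorize_order", "release_payment"}

def sod_conflicts(grants):
    """System access check: users holding two or more incompatible duties."""
    conflicts = {}
    for user, duties in grants.items():
        held = sorted(INCOMPATIBLE & set(duties))
        if len(held) > 1:
            conflicts[user] = held
    return conflicts

def over_limit(orders, limits):
    """Edit check: POs whose amount exceeds the approver's established limit.
    An approver with no configured limit is treated as having a limit of 0."""
    return [o["po"] for o in orders if o["amount"] > limits.get(o["approver"], 0)]

def sequence_exceptions(numbers):
    """Numerical sequence check: (missing, duplicated) document numbers."""
    seen, dupes = set(), set()
    for n in numbers:
        (dupes if n in seen else seen).add(n)
    if not seen:
        return [], []
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return missing, sorted(dupes)

GRANTS = {
    "alice": ["create_vendor"],
    "bob": ["authorize_order", "release_payment"],   # conflict
    "carol": ["release_payment", "view_reports"],
}
LIMITS = {"bob": 5000, "dave": 20000}
ORDERS = [
    {"po": 1001, "approver": "bob", "amount": 4200},
    {"po": 1002, "approver": "bob", "amount": 7500},    # over bob's limit
    {"po": 1004, "approver": "dave", "amount": 12000},  # 1003 is missing
    {"po": 1004, "approver": "dave", "amount": 12000},  # duplicate number
]

def exception_report():
    """Detective control: everything a reviewer must follow up manually."""
    missing, dupes = sequence_exceptions([o["po"] for o in ORDERS])
    return {"sod": sod_conflicts(GRANTS), "over_limit": over_limit(ORDERS, LIMITS),
            "missing_po": missing, "duplicate_po": dupes}

if __name__ == "__main__":
    for name, items in exception_report().items():
        print(name, items)
```

Run at order entry, the same checks act as preventive controls by rejecting the transaction; run afterwards over the ledger, they are detective controls whose output still needs manual review.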
Physical Controls
• Transaction Authorization
• Segregation of Duties
• Supervision
• Accounting Records
• Access Control
• Independent Verification
Presenter notes (page 29):
Transaction authorization – the purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives.
General authorization (everyday procedures)
Specific authorization (non-routine transactions)
Segregation of duties – one of the most important control activities is the segregation of duties to minimize incompatible functions.
In a manual system, separation between (1) authorizing and processing a transaction; (2) custody and recordkeeping of the asset; (3) subtasks.
In a computerized system, separation between (1) program coding; (2) program processing; (3) program maintenance.
Supervision – often called a compensating control. A compensation for lack of SOD; some may be built into computer systems.
Accounting records – provide an audit trail.
Access control – the purpose of access controls is to ensure that only authorized personnel have access to the firm’s assets.
Independent verification – verification procedures are independent checks of the accounting system to identify errors and misrepresentations. Verification differs from supervision because it takes place after the fact, by an individual who is not directly involved with the transaction or task being verified.
What questions do you have?