Chapter 9

Introduction to Internal Control Systems

Discussion Questions
9-1.
The primary provisions for the 1992 COSO Report and the 2004 Report are outlined
in Figure 9-1.
9-2.
The primary provisions of the original version of COBIT, as well as the current
version (5), are outlined in Figure 9-1.
9-3.
COSO stands for Committee of Sponsoring Organizations, which was established by
the Treadway Commission to work on a common definition for internal control. COBIT stands
for Control Objectives for Information and Related Technology. It was a project undertaken by
the Information Systems Audit and Control Foundation that involved an extensive examination
of the internal control area.
An important role played by COSO in the internal control area was to come up with a definition
of internal control along with a description of five interrelated components (control environment,
risk assessment, control activities, information and communication, and monitoring) that should
be included within an internal control system. Regarding COBIT and its role in the internal
control area, COBIT adapted its definition of internal control based on the COSO report. COBIT
(as well as COSO) emphasizes that people at every level of an organization are a very
important part of the organizations internal control system.
COSO is an important framework that management of organizations might use to help ensure
that they have effective corporate governance. This is the case because the COSO framework
presents criteria to evaluate an organizations internal control systems. According to SOX,
Section 404, management must now document the effectiveness of their internal controls and
then issue a report that accompanies the companys annual report. Similarly, COBIT is used by
managers to ensure effective IT governance.
9-4.
The control environment establishes the tone of a company, influencing the control
awareness of the companys employees. It is the foundation for all the other internal control
components. Risk assessment recognizes the fact that every organization faces risks to its
success and that risks which appear to affect the accomplishment of a companys goals should
be identified, analyzed, and acted upon. Control activities reflect the policies and procedures
that help ensure that management directives are carried out. Regarding information and
communication, the former refers to the accounting system, which includes the methods and
records used to record, process, summarize, and report a companys transactions as well as
maintain accountability for the companys assets, liabilities, and equity. The latter,
communication, refers to providing a companys personnel with an understanding of their roles
and responsibilities in regard to internal control over financial reporting. Finally, monitoring is
the process that assesses the quality of internal control performance over time. Performance
reports prepared on a timely basis contribute to the monitoring component of an internal control
system.
Concerning which component is the most important, this is a matter of opinion. Most students
indicate that the control environment is the most important component of an internal control

SM 9.1

system because, as mentioned in the textbook, it is the foundation for all the other internal
control components, providing discipline and structure.
9-5.
Accountants should be concerned that their organizations financial resources are
protected from activities such as loss, waste, or theft. To protect organizational assets, an
internal control system must be developed and implemented within a companys AIS as well as
within other parts of the companys system. In addition to safeguarding assets, an efficient and
effective internal control system should also:
1) Check the accuracy and reliability of accounting data
2) Promote operational efficiency
3) Encourage adherence to prescribed managerial policies.
Accountants should be concerned that all of these objectives are accomplished by their
organizations internal control system.
9-6.
Preventive control procedures are designed and implemented before an activity is
performed to prevent some potential problem (e.g., the inaccurate handling of cash receipts)
from occurring that relates to the activity. Detective control procedures are designed and
implemented to provide feedback to management regarding whether or not operational
efficiency and adherence to prescribed managerial policies have been achieved. In other
words, preventive controls should be developed prior to operating activities taking place and
detective controls should be developed to evaluate if operating efficiency and adherence to
policies of management have occurred after operating activities have taken place. Corrective
control procedures come into play based on the findings from the detective control procedures.
That is, through detective controls, corrective control procedures should be developed to identify
the cause of an organizations problem, correct any difficulties or errors resulting from the
problem, and modify the organizations processing system so that future occurrences of the
problem will hopefully be eliminated or at least minimized.
Examples of each type of controls are as follows:
Preventive:
scenario planning, risk management, segregation of duties, controlling access to
assets
Detective:
duplicate check of calculations, bank reconciliations, monthly trial balances
Corrective:
backup copies of transactions and master files, training personnel to perform
their jobs
9-7.
Competent employees are definitely important to an organization's internal control
system because employees will be working continually with the organization's various asset
resources. The employees will be, for example, handling cash, acquiring and disbursing
inventory, and operating expensive production equipment. If the organization has incompetent
employees, there is a strong likelihood that inefficient use of the firm's asset resources will
result. This inefficiency will lead to overall operating inefficiency within the organization, thereby
preventing the adherence to management's prescribed policies.
9-8.
The separation of duties element of an organizations internal control system
means that, for instance, employees who are given responsibility for the physical custody of
specific company assets (e.g., handling cash or inventory) should not also be given
responsibility for the record-keeping functions relating to the assets (e.g., recording cash or
inventory transactions in the company's journals and ledgers). Otherwise, an employee could
misappropriate company assets and then attempt to conceal this fraud by falsifying the
accounting records.

SM 9.2

Through the separation of duties, one employee acts as a check on the work of another
employee. Thus, if an employee attempts to embezzle cash from a customer payment, but
does not have access to the accounts receivable subsidiary ledger to cover up this theft, he or
she would likely be detected. The other employee who performs the record-keeping activities
for accounts receivable would not have recorded the customer's payment since it was
embezzled by the employee handling cash. Consequently, the customer would complain to the
company upon receiving a subsequent billing statement which would not reflect his or her recent
payment. Upon investigating this complaint, the dishonest employee would likely be caught. It
should be noted, however, that through collusion among the employees handling assets and
recording assets, irregularities are usually not detected as quickly as when individuals work
alone (as described earlier).
In addition to detecting irregularities, separation of duties can also be helpful in detecting
accidental errors. If the same employee performs all accounting functions related to a specific
activity (e.g., handling inventory items and recording the inventory transactions), an accidental
human error by this employee, such as incorrectly recording an inventory transaction, may not
be detected. However, with two or more employees handling the accounting functions relating
to a specific activity, an accidental human error made by one employee should be detected by
another employee involved with the same activity.
9-9.
Many organizations have a large volume of cash disbursement transactions. In
order to detect any errors and irregularities relating to cash disbursements, a good audit trail for
cash issuances is essential. If an organization uses both a voucher system and prenumbered
checks for cash disbursement transactions, its audit trail of cash outlays can easily be traced.
The use of prenumbered checks for making authorized cash disbursements enables a company
to maintain accountability over its issued checks and its unissued checks. After the issued
checks clear the bank in a particular month and are returned to the organization with the
monthly bank statement, these checks represent evidence of the actual cash disbursements
that were made. Two advantages of employing a voucher system along with prenumbered
checks are (1) the number of cash disbursement checks that are written is reduced, since
several invoices to the same vendor can be included on one disbursement voucher, and (2) the
disbursement voucher is an internally generated document; thus, each voucher can be
prenumbered to simplify the tracking of all payables, thereby contributing to an effective audit
trail over cash disbursements.
Sometimes, prenumbered checks are not efficient for an organization to use. For example, for
expenditures of small dollar amounts (e.g., spending a few dollars to have the company
president's car washed) cash payment might be a better choice. Because of the time and effort
involved in processing checks, it is normally more efficient to use a petty cash fund for making
various small, miscellaneous expenditures. However, to exercise good internal control over the
petty cash fund's use, one employee (called the petty cash custodian) should be given the
responsibility for handling petty cash transactions.
9-10.
Under the cost-benefit concept, an analysis is performed on each potential control
procedure (i.e., compare the expected costs of designing, implementing, and operating each
control to its expected benefits). Only those controls whose benefits are expected to be greater
than, or at least equal to, the expected costs should be implemented into the companys
system. Cost-effective controls are those whose anticipated benefits exceed their anticipated
costs.

SM 9.3

Ideal control procedures (i.e., those that would reduce the risk to practically zero of any
undetected errors and irregularities occurring) may be impractical for a company because the
expected costs may be larger than their expected benefits. The implementation of controls
whose costs are expected to exceed the controls benefits would not contribute to a companys
overall operating efficiency. In these cases, control procedures which are less than ideal for
detecting errors and irregularities (but whose expected benefits exceed the expected costs)
should be implemented within the companys internal control system.
From the standpoint of evaluating a companys internal control system, a performance report is
a type of report that provides information to management on how efficiently and effectively its
companys internal controls are functioning. Based on accurately prepared performance
reports, management receives feedback on the success or failure of the previously implemented
package of internal controls. The preparation of a performance report is a detective control
procedure.
Performance reports should be an essential element within a companys internal control system
because they are the major means of communicating to management regarding the actual
operations of the companys internal control systems. For specific controls that are not
operating the way they were originally planned, as indicated by a performance report,
management can then take action to correct identified problems.
Timely information to managers, regarding internal control problems, is critical so that mangers
can initiate action to correct the problems. Thus, performance reports should be prepared on a
timely basis in order that a minimum period elapses between the occurrence of operational
problems with certain controls and the feedback to management on these poorly functioning
controls.
9-11.
Discussion question 9-5 identifies a number of reasons why accountants are so
concerned about their organizations internal control systems. However, the managers of these
organizations are particularly concerned about the effectiveness and efficiency of internal
controls due to the SOX legislation. Under Section 302 of this legislation, the CEO and CFO are
legally responsible for establishing and maintaining internal controls in the organization. In
addition, they must have evaluated the effectiveness of the companys internal controls and
submitted their report to the external auditors, who evaluate the sufficiency of those internal
controls. Further, when we talk about the control environment of an organization, we know that
managements support of a strong internal control system is critical.
9-12.
COSOs 2008 Guidance on Monitoring Internal Control Systems (COSOs Monitoring
Guidance) was developed to clarify the monitoring component of internal control. It does not
replace the guidance first issued in the COSO Framework or in COSOs 2006 Internal Control
over Financial Reporting Guidance for Smaller Public Companies (COSOs 2006 Guidance).
Rather, it expounds on the basic principles contained in both documents, guiding organizations
in implementing effective and efficient monitoring.
To read the entire document Guidance on Monitoring Internal Control Systems, go to this site:
http://www.coso.org/documents/COSO_Guidance_On_Monitoring_Intro_online1.pdf

SM 9.4

Problems
9-13.

Weaknesses

Recommended Improvements

1. Raw materials may be

removed from the storeroom
upon oral authorization from
one of the production
foremen.

1. Raw materials should be removed from the

storeroom only upon written authorization from an
authorized production foreman. The authorization
forms should be prenumbered and accounted for,
list quantities and job or production number, and be
signed and dated.

2. Alden's practice of monthly

physical inventory counts does
not compensate for the lack of
a perpetual inventory system.
Quantities on hand at the end
of one month may not be
sufficient to last until the next
month's count. If the company
has taken this into account in
establishing reorder levels,
then it is carrying too large an
investment in inventory.

2. A perpetual inventory system should be established

under the control of someone other than the
storekeepers. The system should include quantities
and values for each item of raw material. Total
inventory value per the perpetual records should be
compared with the general ledger at reasonable
intervals. When physical counts are taken, they too
should be compared to the perpetual records.
Where differences occur, they should be
investigated, and if the perpetual records are in
error, they should be adjusted. Also, controls should
be established over obsolescence of stored
materials.

3. Raw materials are purchased

at a predetermined reorder
level and in predetermined
quantities. Since production
levels may often vary during
the year, quantities ordered
may be either too small or too
great for the current
production demands.

3. Requests for purchases of raw materials should

come from the production department management
and be based on production schedules and
quantities on hand per the perpetual records.

4. The accounts payable clerk

handles both the purchasing
function and payment of
invoices. This is not a
satisfactory separation of
duties.

4. The purchasing function should be centralized in a

separate department. Prenumbered purchase
orders should originate from and be controlled by
this department. A copy of the purchase order
should be sent to the storeroom clerks.
Consideration should be given as to whether the
storeroom clerks copy should show quantities.

5. Raw materials are always

purchased from the same
vendor.

5. The purchasing department should be required to

obtain competitive bids on all purchases over a
specified amount.

SM 9.5

6. There is no receiving
department or receiving
report. For proper separation
of duties, the individuals
responsible for receiving
should be separate from the
storeroom clerks.

6. A receiving department should be established.

Personnel in this department should count or weigh
all goods received and prepare prenumbered
receiving reports. These reports should be signed,
dated, and controlled. Copies should be sent to the
accounting department, purchasing department, and
storeroom.

7. There is no inspection
department. Since high cost
electronic components are
usually required to meet
certain specifications, they
should be tested for these
requirements when received.

7. An inspection department should be established to

inspect goods as they are received. Prenumbered
inspection reports should be prepared and
accounted for. Copies of these reports should be
sent to the accounting department.

9-14.
a. The separation of duties is meant to safeguard assets; in this case, cash receipts.
b. Signature plates are used to authenticate checks. Keeping them secure is a means of
preventing their unauthorized use.
c. Matching the vendor invoice with a receiving report (or similar document) ensures payment
for goods or services actually received.
d. Separating these functions helps ensure payment only for legitimate obligations of the
organization.
e. This procedure would help ensure that disbursements are made only for authorized
purchases.
f. Prenumbered documents have to be securely stored if this preventive control is to be
effective.
g. Using an imprest or special account for payroll limits the loss due to incorrectly printed
checks associated with each periods total payroll.
h. Separation of functions prevents one person from diverting cash assets and subsequently
concealing the wrongdoing.
i. Check protectors use a number of methods which make it difficult to successfully change the
check amount.
j. Both the surprise counts and the knowledge of their likelihood deter the unauthorized use of
cash.
k. Approved vendor lists help prevent unauthorized purchases (irregularities or embezzlement
of assets).
l. Such separation of duties helps prevent unauthorized purchases.
9-15.
a) As a member of the companys management, you would hopefully reject the control
recommendations. Specific internal controls should not be implemented into a companys
system unless the anticipated benefits from the controls are expected to exceed the
anticipated costs of the controls. In the case of Sandras recommendations, it is obvious
that the costs to operate these suggested controls would exceed the benefits from having
the controls. The maximum monthly benefit from Sandras recommended controls would be
the $350 estimated monthly loss that could be eliminated; however, to achieve this benefit, a
separate room for storing supplies would have to be used and an employee would have to

SM 9.6

be assigned the full-time job of supervising the issuance of supplies. The costs of using a
separate room and having an employee work full-time in handling office supplies would
definitely be much greater than the $350 estimated monthly loss that could be eliminated.
A couple of possible control procedures that the company might wish to implement to reduce
the monthly loss from employee theft of office supplies are mentioned below.
b)

Rather than storing the supplies on shelves at the back of the office facility whereby
employees have easy access to these supplies, they could be locked in a cabinet. An
authorized company employee (such as a secretary) would be given the responsibility for
issuing supplies when requested by various employees. The authorized employee in
charge of the supplies would have this new job responsibility along with his or her existing
job responsibilities. When an individual needs office supplies, he or she would go to the
authorized employee's desk and indicate the request. The employee in charge of supplies
would then unlock the cabinet and issue the requested supplies. The person receiving the
supplies would have to sign a supplies-received voucher, which serves as evidence of the
specific supplies issued.
Another suggestion might be to use a separate room for storing the supplies (as suggested
by Sandra). This room would be kept locked throughout the day except for possibly one
hour each day. Company employees would be made aware of the specific time every day
during which the supply room is open. As a result of this procedure, an employee would not
be used full-time in issuing the supplies. Rather, the employee assigned the responsibility
for supervising the issuance of supplies could still perform his or her other job functions
throughout the day. Approximately one hour each day away from his or her other job
functions would be required to issue office supplies. As in the preceding suggestion, each
person receiving supplies would have to sign a supplies-received voucher.

9-16.
1.

Most students believe that Ron Mitchells method of stealing cash receipts will be detected
by the movie theater's manager assuming that the manager uses a few internal control
procedures.
First, the tickets issued by Ron to theater patrons should be prenumbered and controlled by
the manager. At the beginning of Ron's work shift, he should be made accountable for a
specific quantity of prenumbered tickets and not have access to any other tickets. At the
end of Ron's work shift, the manager should count the total number of ticket-halves that he
has accumulated from customers who have entered the theater. From multiplying the
selling price per ticket by the number of ticket-halves in his possession, the manager can
determine the total cash receipts that should have been collected by Ron. If there is more
than one price for tickets, such as children prices and adult prices, the differently
priced-tickets can be color-coded to enable the manager to compute the total cash receipts
that should have been collected. The manager can then count the total actual cash that
Ron collected during his work shift. (Of course, the amount of change fund that Ron was
provided at the start of his shift should be subtracted from his total cash.) Through this
procedure, the manager can determine if the actual cash receipts collected by Ron are
equal to the cash receipts that should have been collected (based on the manager's
accumulated ticket-halves). The cash receipts that were pocketed by Ron should thus be
detected, since the manager's count of actual cash receipts would fall short of the cash
receipts that should have been collected.

SM 9.7

2. An additional control procedure that the theater manager may want to implement is to
periodically observe Ron while he is performing his work functions. This procedure should
take place without Ron being aware that he is being observed. If, as a result of observing
Ron's work activities, the manager is suspicious of irregular acts, he can watch Ron even
closer until his suspicions are fully confirmed.
9-17.
a. Cost-benefit analysis:

Cost of reproducing production

cost data
Risk of data errors
Reprocessing cost expected
($12,000 * risk)
Cost of validation control
procedure
(an incremental cost)
Net estimated benefit from
validation control procedure

Without
Control
Procedure

With Control
Procedure

$12,000

$12,000

16%
$ 1,920

2%
$ 240

$0

$ 800

Net Expected
Difference

$1,680
($ 800)
$ 880

b. Management should implement the data validation control procedure because of the $880
net estimated benefit that is projected with this procedure.

Case Analyses
9-18.

Gayton Menswear (Risk Assessment and Control Procedures)

1. (a) The risk is that merchandise is stolen.

(b) Shoplifting is a very large problem for retailers. There should be better inventory
controls. These might include closed circuit cameras, tags that are removed at the end
of the sales process, and security personnel.
2. (a) The risk is that stolen merchandise (perhaps at the same two stores in point #4) is being
returned for cash.
(b) Returns should require a sales receipt. The store may also consider a policy of allowing
returns for merchandise credit only.
3. (a) The risk is that the store is losing income.
(b) Either revenues are down or cost of sales has increased. Management needs to inspect
these numbers closely to see where the problem lies. At least part of it could be
attributable to poor inventory control.
4. (a) The risk is that cash was not deposited.

SM 9.8

(b) This can easily be controlled by requiring daily reconciliations by an employee not
involved in receiving or depositing cash.
5. (a) The risk is that cash was not collected from customers.
(b) The employee should be reprimanded. Either all checks or checks exceeding a specific
dollar amount should be approved by someone other than the salesperson.
6. (a) The risk is that petty cash was pilfered.
(b) There should be a custodian over petty cash who has sole responsibility for it. The
custodian should never disburse cash without obtaining a receipt.
9-19.

Cuts-n-Curves Athletic Club (Analyzing Internal Controls)

Weaknesses

Recommended Improvements

1. The employee at the desk could 1.

allow friends to enter at no
charge.

There needs to be some separation of duties.

There could be another person at the front desk
where the visitor completes the waiver form and
obtains a daily pass. The first employee would
then require a pass and would not handle cash.
(Note - this may be cost prohibitive)

2. The employee at the desk could 2.

pocket cash.

The same control as #1.

3. The cash receipts are not

controlled.

3.

The cash receipts should be kept in a file. They

should also be sequentially numbered.

4. There may be many different

desk employees throughout the
day. If cash is missing, there will
be no accountability.

4. There should be a log of employees and their

working hours. They need to sign in and out.

5. There does not appear to be a

procedure for comparing the
cash receipts journal entry and
bank deposit with the cash
receipts given to employees at
the desk.

5. Someone other than the accountant and the desk

employees should periodically compare the cash
receipts journal entries, bank deposit slips, and
cash receipts kept on file.

9-20.

Emerson Department Store (Control Suggestions to Strengthen Payroll

System)

1. The use of currency rather than checks for paying employees makes it essential that
effective separation of duties exist in both the payroll preparation and the payroll distribution
functions.
Regarding payroll preparation, Morris is responsible for submitting payroll information to the
computer center for data processing. Therefore, Morris should not be involved in the work
of placing currency in each employee's pay envelope. Another company accountant and a
secretary could perform this function. Also, the individuals responsible for placing currency

SM 9.9

in employees pay envelopes should be provided with the exact amount of currency
necessary to cover the total net pay for all employees. Using the information from the
payroll register, each employee's gross wages, individual deductions, and net pay should be
printed on the outside of the employee's pay envelope. This information could be prepared
by the computer in the form of an individual printed label for each employee, which would
then be affixed to the employee's envelope. The two employees would then insert in each
wage earner's envelope the correct amount of currency.
Regarding payroll distribution, the completed pay envelopes should not be given to the
department managers for distribution to their employees because these managers are
involved in the payroll record-keeping functions (e.g., the managers submit their employees
time cards to Morris). Rather, an individual who has no other payroll related duties should
be designated as paymaster and be responsible for distributing pay envelopes. At
preestablished times on Monday afternoon, pay envelopes should be distributed to the
employees from a central payroll window. The employees would line up at this window and
upon each employee showing proper identification (such as a driver's license or social
security card), he or she would be issued a pay envelope by the paymaster. The employee
should also be required to count immediately his or her currency within the envelope and
then sign his or her name on the payroll register. The employee's signature verifies that he
or she received the correct amount of currency in the pay envelope. Any unclaimed pay
envelopes should be returned to the accounting department and should be locked in the
company safe until the employees come in person and sign for their envelopes.
Regarding all company employees involved in the payroll process, a further control would be
to have fidelity bond coverage for these employees.
2. Now that management is willing to change from cash payroll disbursements, students will
recommend that checks or direct deposit are better alternatives. Other arguments for these
options are:
Freeing up the payroll employees from inserting cash into 500 envelopes every week
saving valuable time
When the information is sent to the computing center, that department can write the
checks and stubs
Use an imprest account for payroll
Continue to have employees come to the payroll office to pick up their wages
Continue to put unclaimed checks in the safe
Continue to use separation of duties

SM 9.10