6.4 The Need for Internal Control

Learning Objectives

At the end of this section, students should be able to meet the following objectives:

  1. Define “internal control.”
  2. Explain a company’s need for internal control policies and procedures.
  3. Describe the effect that a company’s internal control has on the work of the independent auditor.

Question: In the previous discussions, the role of the independent auditor is described as adding credibility to financial statements. The reported figures, though, are still the responsibility of management. How do a company and its officials make certain that the information displayed in a set of financial statements is fairly presented?

Companies like Barnes & Noble and RadioShack participate in millions of transactions in geographically distant store locations as well as internationally through their Web sites. Working with that amount of data, gathered from around the world, can be a daunting technological challenge. Some organizations are able to accumulate massive quantities of information with few—if any—problems; others seem to be overwhelmed by the task. The reliability of the numbers gathered for reporting purposes impacts the amount and type of testing that the independent auditor considers necessary. How do companies make certain that their own information is free of material misstatements?


Answer: The human body is made up of numerous systems that perform specific tasks, such as the breathing of air, the circulation of blood, and the digestion of food. Organizations operate in much the same manner. Systems are designed and set in place by management to carry out essential functions, such as paying employees, collecting cash from customers, managing inventory levels, and monitoring receivable balances. Within each system, individuals are charged with performing specific tasks, often in a preordained sequence. For example, a cash payment received in the mail from a customer should be handled in a set way every time that it occurs to ensure that it is properly recorded and protected from theft.

To be efficient and effective, these systems must be carefully designed and maintained. They need to keep company assets secure at a minimum cost. In addition, appropriate record keeping is a required aspect of virtually every system. Thus, employees are properly paid when their salary comes due, but also adequate documentation is maintained of the amounts distributed. The entire function is performed according to company guidelines and a record is maintained.

Well-designed systems generate information that poses a reduced threat of material misstatements. However, simply having systems in place—even if they are properly engineered and constructed—is not sufficient to guarantee both the effectiveness of the required actions and the reliability of the collected data. Thus, extra procedures are built into every system by management to help ensure that every operation is performed as intended and the resulting financial data are reliable. All the redundancies added to a system to make certain that it functions properly are known collectively as internal control. For example, a rule requiring two designated employees to sign any check for over $5,000 (or some other predetermined amount) is part of a company’s internal control. There is no inherent necessity for having a second signature; it is an added safeguard included solely to minimize the chance of theft or error. All actions like this comprise a company’s internal control.

Internal control policies and procedures can be found throughout the various systems of every company.

  • One person counts cash and a second verifies the figure.
  • One person requests the purchase of an asset and a second authorizes the request.

Internal control is made up of all the procedures that are performed purely to help make certain that each system operates as intended. Systems cannot be considered well designed without the inclusion of adequate internal control. Management is responsible for the development of effective systems but also for all the internal control rules and requirements to ensure that these systems accomplish their stated objectives.


Question: If a company creates and then maintains good operating systems with appropriate internal control, the financial information that is produced is less likely to contain material misstatements. In performing an audit, is the work of the independent CPA affected by the company’s internal control? Does the quality of internal control policies and procedures impact the amount and type of audit testing?


Answer: As a preliminary step in an audit examination, the CPA gains an understanding of the internal control procedures included within each of these systems that relate to reported financial accounts and balances1. The auditor then makes an evaluation of the effectiveness of those policies and procedures. In cases where internal control is both well designed and appears to be functioning as intended, a reduction is possible in the amount of audit testing that is needed. The likelihood of a material misstatement is reduced by the company’s own internal control.

To illustrate, assume that a company claims to hold accounts receivable totaling $12.7 million. The auditor plans to confirm one hundred of the individual balances directly with the customers to substantiate the separate amounts listed in the accounting records. A letter will be written to each of these individuals asking them whether the specified balance is correct. A stamped return envelope will be included.

Although effective, this confirmation process is slow and expensive. During the year, the reporting company applied several internal control procedures within those systems that maintain the receivables balances. These controls are evaluated by the independent CPA and judged to be excellent. As a result, the auditor might opt to confirm only thirty or forty individual accounts rather than the one hundred that had originally been determined. Because of the quality of internal control in the receivable area, the risk of a material misstatement is already low. Less audit testing is necessary.

Thus, at the beginning of an independent audit, the design of the reporting company’s internal control and the effectiveness of its procedures are assessed. Only then does the auditor start to seek sufficient evidence to substantiate that each account balance is presented fairly because no material misstatements are included according to U.S. GAAP.


Link to multiple-choice question for practice purposes: http://www.quia.com/quiz/2092650.html

Key Takeaway

All companies operate by means of numerous systems that carry out designated tasks, such as the collection of cash and the payment of purchases. These systems need to be well designed and operating as intended to reduce the chance of material misstatements. Additional policies and procedures are included at important junctures in the construction of these systems to ensure that they function appropriately. All such safeguards make up the company’s internal control system. The independent auditor evaluates the quality of the internal control found in the various systems. If the risk of material misstatement has been reduced as a result of the internal control in a particular system, less audit testing is required.

1Some internal controls have nothing to do with a company’s financial statement accounts and are not of importance to the work of the independent auditor. For example, a company might establish a review procedure to ensure that only deserving employees receive promotions. This guideline is an important internal control for the operating effectiveness of the company. However, it does not relate to a reported account balance and is not evaluated by the independent auditor.

This is a derivative of Financial Accounting by a publisher who has requested that they and the original author not receive attribution, which was originally released and is used under CC BY-NC-SA. This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.