Internal controls are the policies and procedures that are put in place by a local auditee to safeguard its assets against loss due to errors, abuse, fraud or misappropriation. Internal controls also encompass the policies and procedures that are put into place to ensure that a local auditee’s financial transactions are processed and reported in a timely manner, and in accordance with laws and regulations and generally accepted accounting principles.
When a CPA audits a local auditee’s financial statements, he or she will consider the different ways the financial statements can be misstated, either by error or fraud; and whether the local auditee’s internal controls will prevent these errors from occurring, or will detect them once they have occurred. The CPA’s consideration takes into account not only the local auditee’s internal controls over the physical preparation of its financial statements, but also the internal controls over its operations and its compliance with applicable laws and regulations, which will ultimately affect its financial statements.
Internal controls over operations can affect the amounts that are reported in a local auditee’s financial statements. For example, a town with poor controls over its utility collections:
• May not be making daily deposits. The lag in the town’s deposits may cause errors in its cash, utility revenue, and utility receivable accounts.
• May not be updating individual customer accounts in a timely manner, or reconciling the total amount of the individual customer accounts to the accounts receivable control account. This could also cause errors in the town’s utility receivable accounts.
• May not be reconciling its bank accounts every month. This could cause the errors in the cash account not to be detected in a timely manner.
Finally, the existence of the poor controls may tempt the utility clerk to steal utility receipts. The clerk may try to conceal the theft by adjusting the town’s financial records, causing additional errors in the affected accounts.
A local auditee’s management is responsible for developing and implementing the local auditee’s system of internal controls. There are five components to developing a system of internal controls:
• Control environment – The local auditee’s management should establish and maintain an environment that sets a positive and supportive attitude toward internal control. This includes setting high standards for agency-wide ethical behavior and competence for the entity’s employees, and communicating these standards to employees. It also means that members of the local auditee’s management adhere to the same standards of ethical behavior and competence that they expect from employees.
• Risk assessment – The local auditee’s management should identify anything and everything that could go wrong in the local auditee’s operations that will ultimately affect what is reported in its financial statements, and the actions or controls that can be put in place to address these possible risks.
During the risk assessment process management needs to ask, where is it likely that errors could be made? Under what circumstances would it be possible for an employee to steal money or other agency assets?
Risk assessment also means taking into consideration changes that may disrupt an agency’s normal operations, such as a change in management, a change in legislation, a downturn in the economy, or a natural disaster.
• Information and communication – The local auditee needs to consider both the manual and automated (computerized) accounting processes it uses in determining a system of suitable internal controls. There is a common misconception that a computerized system can’t make decisions on its own and therefore doesn’t make mistakes; however, the people who enter information into a computerized system can and do make mistakes. And, there is the risk of losing all of the agency’s data if a natural disaster, hacking event, or equipment malfunction occurs. It would be difficult for a local auditee to process its transactions, or for the CPA firm to perform its audit, if the local auditee’s computer system was compromised. The local auditee should back up its data on a regular basis, and maintain the backups in a location away from the agency’s principal place of business.
The local auditee’s management also needs to determine how internal controls that are put in place will be communicated to its employees – ideally, through a policies and procedures manual that is available to all employees.
• Control activities – The local auditee’s management must determine the activities or controls it will put into place to address the risks identified during this process. Controls may be preventive in nature (prevent errors and fraud from occurring) or detective in nature (detect errors and fraud that have occurred). Ideally, controls should be designed so that the custody, recording, and authorization of each type of transaction are divided between different employees. For instance, if a utility clerk who collects receipts and makes deposits (custody) can also enter the transactions into the accounting system (recording) and make adjustments to customer accounts (authorization), the clerk could steal utility receipts and conceal the theft by manipulation of the accounting records.
• Monitoring – The local auditee should periodically review its internal controls, and change them if needed.
The Legislative Auditor urges all local auditees to use Internal Control - Integrated Framework and other documents developed by the Committee of Sponsoring Organizations (COSO) as a guide for assessing their agency's system of internal control. These documents may be found on COSO's website.
QUESTIONS:
Q. How can I implement a good system of internal controls without making my employees think that I don’t trust them?
A. You should explain to your employees that establishing a system of good internal controls won’t just help you to identify which employees are doing things wrong; it will also protect the employees who are doing things right. To use the example of a town with poor controls over its utility receipts, suppose that the town has two utility clerks. Both are working out of the same cash drawer. One clerk is stealing money because she knows that the use of one cash drawer will make it difficult to tell which of the clerks is guilty. If the town changed its controls over cash collections so that each clerk is working out of his or her own drawer, it would either cause the clerk who is stealing money to stop doing it (prevention control), or would make it easier for the town to determine which clerk is stealing money (detection control).
Q. Does the Legislative Auditor (LLA) have a list of internal controls that they recommend local auditees to implement?
A. Because the needs of each local auditee are different, LLA does not maintain a list of internal controls that all local auditees should implement. LLA does have best practices documents available on its website; an agency may develop internal controls over its various activities based on these best practices.
A local auditee that has an advocacy agency (such as the Louisiana Municipal Association for cities, towns and villages) may contact the advocacy agency for guidance on developing internal controls, or through the advocacy agency, contact another local auditee of similar size and structure, and borrow ideas from their controls.
A local auditee may also ask the CPA who performs its audit, review/attestation or compilation engagement for assistance in developing good internal controls.
Q. I am the board chairman of a very small utility district. We employ a manager, a maintenance crew, and a clerk. The clerk collects utility receipts, deposits them, enters the transactions into our accounting records, and reconciles the bank account. We would like to employ another person in the office to implement better controls over our cash collections, but we can’t afford it. What should we do?
A. A lack of segregation of duties in accounting functions is a common internal control problem in small agencies such as yours. A simple control that would cost nothing to implement would be for you or another board member to receive the bank statement, unopened, and to review it for unusual transactions before giving it to the clerk for reconciliation purposes. You can ask the CPA firm that performs your annual audit, review/attestation or compilation engagement to recommend other low-cost and no-cost ways to mitigate or lessen the control risk over cash collections caused by your small staff and limited budget.
Q. My agency worked hard to develop a good system of internal controls. We broke down the accounting functions between two clerks. We recently found out that the clerks conspired together to steal a lot of money. What good was it to develop a system of internal controls that could be circumvented?
A. People who steal money are often very inventive. Even a model system of internal controls can be circumvented if two employees work together to steal money and hide the theft, a condition that is known as collusion. Good internal controls can also be circumvented if the agency’s top management decides to override them. It doesn’t mean that your controls were poor or of no worth. But, you should use the facts and circumstances of the theft to determine if the controls over cash collections can be further strengthened.