This is “The Need for Internal Control”, section 6.4 from the book Business Accounting (v. 2.0). For details on it (including licensing), click here.

For more information on the source of this book, or why it is available for free, please see the project's home page. You can browse or download additional books there. You may also download a PDF copy of this book (20 MB) or just this chapter (161 KB), suitable for printing or most e-readers, or a .zip file containing this book's HTML files (for use in a web browser offline).

Has this book helped you? Consider passing it on:
Creative Commons supports free culture from music to education. Their licenses helped make this book available to you. helps people like you help teachers fund their classroom projects, from art supplies to books to calculators.

6.4 The Need for Internal Control

Learning Objectives

At the end of this section, students should be able to meet the following objectives:

  1. Define internal control.
  2. Explain a company’s need for internal control policies and procedures.
  3. Describe the effect that a company’s internal control has on the work of the independent auditor.

Internal Controls Within an Organization

Question: In the previous discussions, the role of the independent auditor was described as the addition of credibility to financial statements. All reported figures, though, are still the responsibility of management. How can a company and its officials make certain that the information displayed in a set of financial statements is fairly presented?

Businesses like Barnes & Noble and RadioShack participate in millions of transactions each year in geographically distant store locations as well as through their Web sites. Working with that enormous amount of data, gathered from around the world, must be a daunting technological challenge. Some organizations are able to accumulate and organize such massive quantities of information with few—if any—problems; others seem to be overwhelmed by the task. How do companies ensure that their own information is free of material misstatements?


Answer: The human body is made up of numerous systems that perform specific tasks, such as breathing air, circulating blood, and digesting food. Each system serves its own particular purpose that contributes to the good of the body as a whole. Organizations operate in much the same manner. Numerous systems are designed and set in place by management to carry out essential functions, such as paying employees, collecting cash from customers, managing inventory levels, and monitoring receivable balances. Within each system, individuals are charged with performing specific tasks, often in a preordained sequence. For example, a cash payment received in the mail from a customer should be handled in a set way every time that it occurs to ensure that the money is properly recorded and protected from theft.

To be efficient and effective, these systems must be carefully designed and maintained. They need to keep company assets secure and do so at a minimum cost. In addition, appropriate record keeping is a required aspect of virtually every system. For example, if the payroll system is designed properly, employees are paid when their salaries come due, and adequate documentation is maintained of the amounts distributed. The entire function is performed according to guidelines carefully established by company officials.

Well-designed systems generate information with fewer errors, which reduces the threat of material misstatements. However, simply having systems in place—even if they are properly designed and constructed—is not sufficient to guarantee both the effectiveness of the required actions and the reliability of the collected data.

Thus, extra procedures should be built into each system by management to help ensure that every operation is performed as intended and the resulting financial information is reliable. All the redundancies added to a system to make certain that it functions properly are known collectively as internal controlA group of policies and procedures within the accounting and other systems of a company to provide reasonable assurance that they are operating efficiently and effectively as intended by management.. For example, a rule requiring two designated employees to sign any check for over $5,000 (or some other predetermined amount) is part of a company’s internal control. There is no inherent necessity for having a second signature; it is an added safeguard included solely to minimize the chance of theft or error. All actions like this comprise a company’s internal control.

Internal control policies and procedures can be found throughout the various systems of every company.

  • One employee counts cash and a second verifies the figure.
  • One employee requests the purchase of an asset and a second authorizes the request.

Internal control is made up of all the added procedures that are performed so that each system operates as intended. Systems cannot be considered well designed without the inclusion of adequate internal control. Management is responsible for the development of effective systems but also for all internal control rules and requirements created to ensure that these systems accomplish their stated objectives.

Internal Control and the Independent Auditor

Question: If a company creates and maintains good operating systems with appropriate internal control, the financial information that is produced is less likely to contain material misstatements. In performing an audit, is the work of the independent CPA affected by the company’s internal control? Does the quality of internal control policies and procedures impact the amount and type of audit testing that is performed?


Answer: As one of the preliminary steps in an audit examination, the CPA gains an understanding of the internal control procedures included within each of these systems that relates to reported financial accounts and balances.Some internal controls have nothing to do with a company’s financial statement accounts and are not of importance to the work of the independent auditor. For example, a company might establish a review procedure to ensure that only deserving employees receive promotions. This guideline is an important internal control for the operating effectiveness of the company. However, it does not relate to a reported account balance and is not evaluated by the independent auditor. The auditor then makes an evaluation of the effectiveness of those policies and procedures. In cases where internal control is both well designed and appears to be functioning as intended, a reduction is possible in the amount of audit testing that is needed. There is less risk involved; the likelihood of a material misstatement is reduced by the company’s own internal control.

To illustrate, assume that a company claims to hold accounts receivable totaling $12.7 million. The auditor plans to confirm 100 of the individual balances directly with the customers to substantiate the separate amounts listed in the accounting records. A letter will be written and mailed to each of these individuals asking whether the specified balance is correct. A stamped return envelope is included for the response.

This confirmation process is quite common in auditing financial statements. However, although effective, it is slow and expensive. During the year, assume that the reporting company consistently applied several internal control procedures within those systems that maintain the receivables balances. These controls are evaluated by the independent CPA and judged to be excellent. As a result of this assessment, the auditor might opt to confirm only 30 or 40 individual accounts rather than the 100 that had originally been planned. Because of the quality of internal control in the receivable area, the risk of a material misstatement is already low. Less audit testing is necessary. Both time and money are saved.

Thus, at the beginning of an independent audit, the design of the reporting company’s internal control and the effectiveness of its procedures are assessed. Only then does the auditor determine the amount of evidence needed to substantiate that each account balance is presented fairly because no material misstatements are included according to U.S. GAAP.

Test Yourself


Tomlinson and Partners is a local CPA firm that is in the process of auditing the financial statements of Agnew Corporation. Agnew reports both inventory and accounts receivable, and these accounts have approximately the same monetary balances. However, in doing the audit, the independent CPAs spent over twice as much time in testing inventory. Which of the following is the most likely reason for this allocation of effort?

  1. Internal policies for handling accounts receivable are poorly designed.
  2. The individuals within the company who monitor accounts receivable do not appear to follow appropriate guidelines.
  3. Procedures have been established by management for monitoring the company’s inventory, but they appear to be flawed.
  4. Employees who maintain the inventory being held by the company are well trained.


The correct answer is choice c: Procedures have been established by management for monitoring the company’s inventory, but they appear to be flawed.


Here the auditors do more testing of inventory than accounts receivable. Several possible reasons exist. Internal control for inventory might be weaker than that for receivables. Thus, material misstatements are more likely present in inventory. To compensate, added audit testing is needed. In a and b, internal control is poor for the receivables rather than inventory. Answer d indicates that internal control over inventory is actually good. Only c has internal control for inventory as relatively weak.

Key Takeaway

All companies operate by means of numerous systems that carry out designated tasks, such as the collection of cash and the payment of purchases. These systems need to be well designed and function as intended to protect company assets and reduce the chance of material misstatements in the financial records. Additional policies and procedures are included at important junctures in these systems to ensure that they operate appropriately. All such safeguards make up the company’s internal control system. The independent auditor evaluates the quality of the internal control that is found in the various systems. If the risk of material misstatement has been reduced as a result of the internal control in a particular system, less audit testing is required.