Internal controls are the policies and procedures that are put in place by a local auditee to safeguard its assets against loss due to errors, abuse, fraud or misappropriation.

Internal controls also encompass the policies and procedures that are put into place to ensure that a local auditee’s financial transactions are processed and reported in a timely manner, and in accordance with laws and regulations and generally accepted accounting principles.

When a CPA audits a local auditee’s financial statements, he or she will consider the different ways the financial statements can be misstated, either by error or fraud; and whether the local auditee’s internal controls will prevent these errors from occurring, or will detect them once they have occurred. The CPA’s consideration takes into account not only the local auditee’s internal controls over the physical preparation of its financial statements, but also the internal controls over its operations and its compliance with applicable laws and regulations, which will ultimately affect its financial statements.

Internal controls over operations can affect the amounts that are reported in a local auditee’s financial statements. For example, a town with poor controls over its utility collections:

  • May not be making daily deposits. The lag in the town’s deposits may cause errors in its cash, utility revenue, and utility receivable accounts.
  • May not be updating individual customer accounts in a timely manner, or reconciling the total amount of the individual customer accounts to the accounts receivable control account. This could also cause errors in the town’s utility receivable accounts.
  • May not be reconciling its bank accounts every month. This could cause the errors in the cash account not to be detected in a timely manner.

Finally, the existence of the poor controls may tempt the utility clerk to steal utility receipts. The clerk may try to conceal the theft by adjusting the town’s financial records, causing additional errors in the affected accounts.

A local auditee’s management is responsible for developing and implementing the local auditee’s system of internal controls. There are five components to developing a system of internal controls:

  • Control environment – The local auditee’s management should establish and maintain an environment that sets a positive and supportive attitude toward internal control. This includes setting high standards for agency-wide ethical behavior and competence for the entity’s employees, and communicating these standards to employees. It also means that members of the local auditee’s management adhere to the same standards of ethical behavior and competence that they expect from employees.
  • Risk assessment – The local auditee’s management should identify anything and everything that could go wrong in the local auditee’s operations that will ultimately affect what is reported in its financial statements, and the actions or controls that can be put in place to address these possible risks.
    During the risk assessment process, management needs to ask: Where is it likely that errors could be made? Under what circumstances would it be possible for an employee to steal money or other agency assets?
    Risk assessment also means taking into consideration changes that may disrupt an agency’s normal operations, such as a change in management, a change in legislation, a downturn in the economy, or a natural disaster.
  • Information and communication – The local auditee needs to consider both the manual and automated (computerized) accounting processes it uses in determining a system of suitable internal controls. There is a common misconception that a computerized system can’t make decisions on its own and therefore doesn’t make mistakes; however, the people who enter information into a computerized system can and do make mistakes. There is also the risk of losing all of the agency’s data if a natural disaster, hacking event, or equipment malfunction occurs. It would be difficult for a local auditee to process its transactions, or for the CPA firm to perform its audit, if the local auditee’s computer system was compromised. The local auditee should back up its data on a regular basis, and maintain the backups in a location away from the agency’s principal place of business.
    The local auditee’s management also needs to determine how internal controls that are put in place will be communicated to its employees – ideally, through a policies and procedures manual that is available to all employees.
  • Control activities – The local auditee’s management must determine the activities or controls it will put into place to address the risks identified during this process. Controls may be preventive in nature (prevent errors and fraud from occurring) or detective in nature (detect errors and fraud that have occurred). Ideally, controls should be designed so that the custody, recording, and authorization of each type of transaction are divided between different employees. For instance, if a utility clerk who collects receipts and makes deposits (custody) can also enter the transactions into the accounting system (recording) and make adjustments to customer accounts (authorization), the clerk could steal utility receipts and conceal the theft by manipulation of the accounting records.
  • Monitoring – The local auditee should periodically review its internal controls, and change them if needed.

The Legislative Auditor urges all local auditees to use Internal Control - Integrated Framework and other documents developed by the Committee of Sponsoring Organizations (COSO) as a guide for assessing their agency's system of internal control. These documents may be found on COSO's website.
