Internal control objectives

Internal control objectives help auditors determine how the organization’s controls affect the financial statement assertions. The primary control objectives are:

More detailed descriptions of each of these control objectives are included below.

Control objectives need to be individually tailored to the activities performed by the organization. Organization management needs to select control objectives that relate to the types of assertions that are presented in the entities’ financial statements and the activities related to those transactions.

Auditors also consider the overall control culture, the ‘tone at the top’ at an organization. These controls are system independent and so are not considered here.

Completeness controls

Completeness controls ensure that all relevant transactions are captured and processed.

These controls are often the most difficult to implement and especially to automate. The challenge with a completeness control is that to perform it, you must look to make sure you have not missed anything. The problem is that the most likely reason for missing something is that you never recorded it on the system in the first place. In this case, system-based reports won’t help you find the missing item. Therefore, many completeness controls will have a process element, which is comparing what's recorded on the system to other sources of data, such as a bank statement, supplier statement, or data from another system. Reconciliations to these other data sources are common ways of performing completeness controls.

Completeness controls can often give some assurance over accuracy. For example, while proving that nothing is missing, they also can prove that the total value is accurate. However, be careful of assuming that if the total number is correct that everything else is accurate. While a total might be correct, the value might have been allocated to the wrong accounts.

Completeness controls are very rarely combined with existence controls because their objectives are opposite. Completeness is looking to make sure you have captured everything, and existence controls are looking to make sure that everything you have captured is genuine.

Existence controls

Existence controls ensure that transactions that are captured are genuine.

Existence controls are common throughout processes. Most activities that involve review and approval have some aspect of checking that what's being looked at is genuine. Access controls are another way of achieving comfort over existence; only authorized users are able to perform activities. However, access on its own is rarely sufficient. For example, an employee might be authorized to generate a payment, but generally organizations will want someone else to approve that payment.

Existence controls can often give some assurance over accuracy because a reviewer will usually perform some checks over what they are reviewing.  However, unless these checks are evidenced, then auditors will look for other controls to check accuracy over the transactions that have been reviewed.  This is often a key consideration in designing processes in the Sage Intacct solution.

Existence controls often cover Ownership, which addresses whether the transaction belongs to the organization. In most processes, there's a high degree of overlap. However, in areas such as leases and asset accounting, the ownership question might require additional accounting insight to ensure that the transaction is correctly classified.

Accuracy controls

Accuracy controls ensure that transactions are correctly recorded.

If you are comfortable that all transactions have been recorded (completeness) and they are all genuine (existence), you still need to know that the correct amount has been recorded in the correct way. Typically, the five aspects of accuracy are considered:

  • Date and time. Is the transaction recorded on the correct date. The time is not usually relevant for financial accounting, but might be more important for operational controls.
  • Party. Is the transaction recorded against the correct customer, supplier, business partner, material, and so on.
  • Price. Is the transaction recorded with the correct price or amount. This can also include the currency.
  • Quantity. Is the transaction recorded with the correct quantity.
  • Description and coding. Is the transaction description correct for accounting purposes. This also includes the correct general ledger account, entity, and other organizational information.

One or more controls might be needed to check all of the above aspects. When designing controls, it's important to ensure that across an end-to-end process that all these aspects are considered. Controls designed for completeness and existence can also provide some comfort over accuracy. For example, a reconciliation will often prove that amounts are correct, and review and approval will often involve checking transaction details. However, it is important to ensure that where these control types are used to support control over completeness that the element of the control that relates to accuracy is evidenced (that is, if a reviewer approves something, then what have they checked in performing that review?).

Accuracy controls are often partially automated by deriving values from master data. For example, the selection of a supplier or customer might pre-determine the control account to which transactions are posted.

Valuation controls

Completeness, existence, and accuracy controls operate over transactions, while valuation controls are more focused towards assets and the carrying value of transactions. The three most common areas in which valuation is important are:

  • The carrying value of assets, which includes:
    • The depreciation, impairment, and valuation of fixed assets. These controls might be partially automated through depreciation calculations, but generally still require review.
    • The collectability of debtors and the provision for bad debts. These controls might have some automation through aged debt analysis, but generally require a degree of manual judgment and review.
    • The valuation of inventory, where goods might be impaired because of over-stocking, damage, or obsolescence (including perishable goods that reach their sell-by date).
  • Valuation of transactions denominated in a foreign currency. These are addressed by controls over foreign exchange postings.
  • Controls over accruals, provisions, and other adjustments to asset values, usually through the processing of journal entries.  Where judgment is required, the valuation object is usually met through purely manual controls rather than a system, which can only help in proving that the journal entries are complete, genuine, and accurate.

Presentation controls

Presentation controls ensure that balances are correctly disclosed in the financial statements.

These controls are usually manual and involve review of reports. In traditional systems, most organizations will consider the presentation of accounts when they develop their chart of accounts to ensure that there's a logical grouping of accounts and mapping to disclosure items in the financial statements. These setup considerations greatly reduce the effort that's required for month end reporting and reconciling financial statements to the underlying financial records.

Cut-off controls

Cut-off controls ensure that transactions are recorded in the correct accounting period.

The timing of transactions is one of the components of the accuracy objective, but many auditors consider cut-off to be a control objective on its own.  A key accounting principle is matching, which ensures that revenues and the costs related to those revenues are recorded in the same accounting period.  When matching does not happen, accounts can give a misleading picture. For example, if a sale is recorded just before the end of the month, but the cost of sale is recorder just after the end of that month, the month end accounts show an artificial profit. Artificial profits are particularly sensitive when they happen at quarter-end or year-end. 

Fraud controls

Fraud controls are primarily designed to detect fraud.

Although often considered to be a control objective, fraud is really a motive for misstatement. The other control objectives are ways in which fraud can be prevented or detected.  Here are some examples:

  • A fraud can be conducted by excluding accounts that show a misleading picture or have evidence of fraud (for example, concealing bank statements that show a cash fraud). Completeness controls will often detect this type of fraud.
  • A fraud can be conducted by creating fictitious accounts (for example, faking sales customers and sales invoices to increase revenue or creating purchases for personal purposes on company accounts). Existence controls are often designed to detect this type of fraud. Access controls and permissions also make it more difficult to commit fraud.
  • Many frauds involve collusion with suppliers or customers to achieve favorable commercial terms, where an employee receives a kick-back or other incentive to facilitate that position. This fraud can be achieved by manipulating prices, dates, payment terms, and so on.  Accuracy controls that depend on master data validation can often prevent such fraud.

Presentation controls in reporting can often detect outliers that indicate that someone has tried to commit fraud.  Similarly, ownership and cut-off controls can often be used to prevent or detect frauds.

Occasionally, where there's a particularly prevalent risk of fraud, controls can be implemented to address this risk and can be categorized as having a specific fraud objective.