 Hello and welcome to this session. This is Professor Farhad and this session we would look at Introduction to Internal Control. This topic is covered in financial accounting, yes in financial accounting in an introductory fashion. So if you need more about internal control, please go to my auditing course because in my auditing course I will talk more about internal control because it's used in auditing. Also this topic is covered on the BEC exam as well as the auditing CPA exam. As always I would like you to connect with me on LinkedIn if you haven't done so. YouTube is where you would need to subscribe. I have 1,600 plus accounting, auditing, finance and tax lectures. This is a list of all the courses that I cover. If you like my lectures, please click on the like button. It doesn't cost you anything to share them, especially these days with the coronavirus out there. Many students can use those lectures to help them supplement their education and connect with me on Instagram. If you are studying for your CPA exam or you would like to supplement your accounting education, check out my website. So the first thing we're going to talk about is what is the purpose of internal control and what is the internal control? What does it serve? What is that term internal control? Well believe it or not, you are part of internal control somewhere although you don't know that you are or it doesn't call internal control. So what is internal control? Internal controls are policies and procedures that are implemented by management to do what? Well, to protect the assets. For example, management put locks on doors, protect inventory, they put cameras, they hire security guards, this is to protect assets. So this is part of the internal control. Two, it ensure reliable accounting and this is what we are concerned with the most as accountant. We want to make sure that the numbers that are being recorded in our system are correct, are reliable, are accurate. So how do we do so? Well, we set up procedures and in the next session we'll talk about how we handle cash to make sure cash is properly accounted for. Three, uphold company policies. We want to make sure that company, that employees are following company policies and obviously those company policies are in compliance with the local rules and regulations. So how do we do so? We reward employees that follow company policies and we penalize those who don't. So we want to make sure we do so and promote efficient operation. What is efficient? Every time you hear the word efficient, it means doing the same thing with less resources, doing the same thing with less resources. That's how you become, that's how you are considered efficient. Now how do you do so? Depending on your company, depending on your situation. But to give you an example about efficiency, let's assume I have two students. They both got A on the exam. One student studied for 10 hours. The other student studied for five hours. Well, this student that studied for five hours and earned an A is more efficient. The results is the same, but they're more efficient. So how do we promote efficiency? Well, depending on your company, depending on the situation. But those are the purpose. That's why companies will have internal control to achieve those four major purposes. Now, internal control became a main issue, an important issue, 2000 to 2001 and also up to 2002. Actually, it's still a main issue, but it was a main issue in the news and the financial news. And the reason is because of the series of bankruptcies that took place and brought the stock market down in year 2000, 2001. When the Congress did their investigation, they find out that companies internal control were not functioning properly to do what they're supposed to do. So two senators, Paul Sarbanes and Michael Oxley, they introduced this act, this law called the Sarbanes-Oxley Act. It requires managers and auditors of public companies to document and certify. So basically, managers now they need to set up internal control, make sure it's documented, make sure it's working properly, and the auditor will have to certify. Certify means they test the internal control for public companies, make sure it's working as expected. And the section 404 of the Sarbanes-Oxley, which is SOCs, SOX, requires that managers document and assess the effectiveness of all internal control system that impact financial reporting. So any internal control that deals with financial reporting, that deals with numbers, it will have to be documented and properly assessed by management on regular basis, on regular basis. Now, the COSO, which is the Committee of Sponsoring Organization, COSO, they do have a framework for internal control. So basically, rather than each company trying to create their own internal control, most companies follow this COSO. It's the Committee of Sponsoring Organization. They have the five ingredients of internal control that most companies follow, five ingredients. What are those five ingredients? One is the control environment. Two, risk assessment. Three, control activities. Four, information and communication. Five, monitoring. Now, what do we mean by those five internal control? What is the COSO framework? This is the COSO framework. Although, as a financial accounting students, you don't have to go in depth into the COSO. So I'm going to go over real quick over the COSO framework, then talk a little bit more about principles of internal control. So what is the control environment? The control environment is what we call the tone at the top. So basically, how is top management ethical? Do they have integrity? Do they commit fraud in the past? Because the assumption is, if your top management is not ethical, then the lower management may not act in an ethical fashion. So simply put, if the top management, they value ethics, most likely they will enforce this policy. They will enforce this philosophy on lower management. So that's what we mean by control environment. Two, risk assessment. Does the company identify their risks? Does the company, do they have a risk assessment policy? Do they look at what is a threat to their business, analyze that risk and mitigate that risk? Do they have a policy? That's what risk assessment is. Three, control activities. We're going to talk about control activities a little bit more. What do they do? What policies and procedures do they do to reduce that risk? Information and communication. How do information flow in the company? Does it flow only upward, only downward, in all direction? How do we communicate information and is it free to communicate information upward to tell management what's going on? And last is monitoring. Monitoring basically is do companies review their internal control? Do company go back and making sure that those previous four functions are working properly? Are working properly? So again, the COSO framework is beyond the scope of this course, but it's in my auditing course. But in this course, we need to know the principles. What are some of the principles? Principles means rules that all companies usually follow when they have internal control. There are common to all companies. So those are common to all companies. And we're going to look at seven common principles. And we're going to discuss each one of them a little bit in details, just a little bit. One, establish responsibilities. Two, maintaining adequate record. Three, ensure assets and bond key employees. Separate record keeping from custody of assets. Divide responsibility for related transaction. Apply technological control. And perform regular and independent reviews. So we're going to go through each one very briefly. Again, this is not an auditing course. This is a financial accounting just to introduce you to the concept, to the idea of control. So the first one is establish responsibilities. Now think about it. No one's going to come and forward and say, I'm 100% completely responsible for this. So what companies will have to do, they will have to establish responsibilities. So tasks should be clearly established. So each individual should know exactly what they are responsible for. And we should be able to make sure we can hold them responsible for that. So tasks should be assigned to one person. And we can determine who's at fault. For example, if we have two individuals working the register, well, for example, we should have two registers or one individual work at the register for three hours, close the register, then transfer all the funds to the following person. Because both individuals are using the same register, especially if there's no specific code every time they log in, then who knows who's responsible for what. So establishing responsibility is a good principle of internal control. That's the first one. Maintain adequate record. We need to have record because if something went missing, if we don't have a record, how would we know something is missing? Well, if we have a record of it, we can protect our assets. Because at the end of the quarter, at the end of the month, we can go through a list, count all the assets, look at the record, make sure we have record. So it helps manager monitor the company's activities. So we have to have detailed records of assets, detailed records, especially of transactions. We need to use chart of accounts. So transactions are properly reported in the proper chart of account. Preprinted forms. Why? Because it's making it easier for the person that's collecting the information to collect the information and make less mistakes when the form is already preprinted with certain information. So we can record it with fewer errors and fewer errors is better. Pre-number sales slips. Pre-numbered means we don't have unlimited number of slips, we only have a certain number of slips, and those numbers are accounted for. So if something went missing, so if somebody says, I made a sale, I need to account for that sale through the pre-number sales slip. Well, if you did not make a sale, give me back those slips, and I will count them and make sure you did not make any sale. So you cannot make a sale, pocket the money, and no one would know, because if you make a sale, the sales slip is pre-numbered. I need to account for that. And computerized point of sale system basically helps tremendously in this maintaining the document, because it's a computerized system and we'll talk about technology shortly. Three is you want to make sure your assets are insured, in case something happened, and the employees are bonded. And we're going to talk about what does it mean bonded. Certain employees will need to be bonded. Assets are insured, it's pretty straightforward, you want to make sure you buy insurance against your property, plant, and equipment. Why? Because if in case something happened, losses, fire, theft, anything like this, you can replace it, you don't have to absorb the loss. Employee who handles a lot of cash. For example, if you work in a bank, if you work with these companies that collect cash from businesses and take them to the bank, usually those employees are bonded. Bonded means in case something happened, if they run away with the money, an insurance company will reimburse the company and they will go after the person that stole the money. So that person is less likely to steal, because someone is going to be looking over their shoulder and going to follow that money. Bonded means company has purchased insurance against theft by that employee. And usually people that handle cash are usually bonded. Now, this is an important control, separate record keeping from custody of asset. Think of record keeping accounting, because this is what we do accounting and custody of asset, people in operation, people who have access to the asset. Those two, those two should be separate. So assets, if you handle the assets, if you handle the assets, you cannot handle the record keeping, you cannot have both. So people who has control or who has access to the asset must not have access to the accounting record and vice versa. Why? Because this reduces the risk of theft by employees and being able to cover that theft. In this situation, employees would need to collude with each other to agree in order to commit fraud, because now you have two individuals, one in accounting and one in operation and those two will have to agree together to commit fraud. Dividing responsibility, that's another important internal control. Responsibility of related transaction should be divided into two or more individuals. It means don't let one individual go over, complete the transaction from A to Z. For example, the person that purchased the asset should not be able to pay for the asset, should not be able to receive the asset. And we'll work an example later on when we talk about cash disbursement. And we need to ensure that one person act as a check on the other person. So if you divide responsibilities, you want to do it in a way where one individual is checking over the other individual. This is also called separation of duties or SOD, separation of duties. It's used heavily in your audit course when you take all the things. Also, we need to apply technological control. For example, cash register should have electronic file recording each sale and it's not easy to delete sales if that happened. Another example, time clock records the exact time of employee work rather than writing them. So they can basically scan their ID, personal scanners also limit access to authorized individuals and authorized inventory as well. And last but not least, perform regular and independent reviews and everything. So help ensure procedures are followed. You might have the procedures down, but if they're not being followed and how would you know they're not being followed, you will need to go back and determine if they are being followed or not. Check them. Usually it's a good thing. Usually it's a good thing when an external auditor, check on that, not the internal people, the external auditor. And the auditor evaluate the effectiveness and efficiency of internal control. And if you're a public company, that's part of your internal control. This should be one, two and three, not one, three and four. One, three and four. Last but not least, we could use technology to prevent fraud and strengthen our internal control. How would technology help? It reduces processing errors. It doesn't eliminate the error, but it reduces it if you're using technology. But error may be produced, may be mass produced. So if you, let's assume the computer system, our sales tax supposed to be six, but we programmed it as four. Well, guess what? Every transaction will be correct. So the error will be mass, will be mass produced. Technology allows more extensive testing of record because now, because the record is electronically, it's an Excel sheet, it's in a database, we can retrieve it and test the data on a large scale, which is, it's good. It helps us with internal control, rather than just testing small amount of data, we could test an extensive amount of data. No evidence of processing. Well, additional transaction details will be provided with technology, for example, what time it took place, the transaction, who processed the transaction, what's the source of the sale, what's the source of the purchase, so on and so forth. And we have less reliance on paperwork. Now, remember here, we have to back up our system in the cloud. Otherwise, if we lose it, then it's not good. Last but not least, technology helps with separation of duties because you can limit who can access what through password-protecting tasks. So if you're not responsible for buying or inputting a vendor into the system, then that's it. You can't do so. Now, talking about internal control is good, but internal control has its own limitation. One limitation of internal control is human errors. You could have proper internal control, but people may not be following the internal control. They could be carelessness, misjudgment, confusion, tired, simply don't, they did not get the proper training. Also, human fraud, and this is the most problem with internal control, is when people intentionally defeat the internal control for personal gain, they overcome the internal control by often time by colluding with other people, after time by colluding. And here where we introduce the concept of the fraud triangle. So there is a human fraud triple threat. And that's the fraud triangle. And the fraud triangle is opportunity, rationalization, and pressure. What are those three things? Well, to commit fraud, you have to have some sort of a pressure. There's a need of money if you're committing fraud for personal gain. Maybe you want to maintain your lifestyle. Maybe the company is not doing well. Maybe you want to cook the books. This is the pressure. The rationalization is somehow you tell yourself it's okay to commit fraud. Okay, so the pressure, you know, all people have pressure, all companies under pressure, so that always exist. Rationalization, it's hard to control because each individual, the rationalization is different than the other, depending on their ethics, depending on many factors, how they grow up, family, education, lifestyle, many things influence your rationalization, your philosophy in life. But what internal control can do is eliminate the third part of the fraud triangle, which is opportunity. If you take the opportunity out, if you take the opportunity out, even if you have pressure and you don't have good ethics, or you could justify it yourself committing fraud, if you cannot commit fraud, fraud cannot be committed. So internal control would help eliminate the opportunity. This is what would help eliminate. It would eliminate the opportunity. And at the end of the day, we have to make sure that the cost of the internal control must exceed the benefit. So the cost of the internal control must exceed the benefit. And I still remember, maybe I shouldn't say this, but I'm going to go ahead and say it. When I took my auditing exam, one of the questions was it was like some sort of an essay explain the cost benefit of internal control. And I that's a long time ago, over 10 years ago. And basically, the idea is, yes, you can, if you spend a lot of money, you could have strong internal control, but the key is you're going to be spending a lot of money. So there is a cost benefit relationship that the company will have to weigh before implementing costly internal control. And I remember I wrote a paragraph and luckily I passed the exam. So that's that. The reason I said I shouldn't say this because you're not supposed to reveal information about the exam, but that's long, long time ago. I'm not really sure if they still test that way. Anyhow, as always, if you like my recording, please like them, subscribe, share them. If you look, if you're looking for additional supplementary information, visit my website, especially if you're studying for your CPA exam. Accounting is a good career CPA exam is will open many doors for you. It's worth it. Invest wisely in your career. Good luck. Stay safe and study hard.