Chapter 7
2. Risk assessment
Internal control should provide for an assessment of the risks the organization faces from both
external and internal sources. A precondition to risk assessment is the establishment of clear,
consistent objectives.
3. Control activities
Internal control activities help ensure that management’s directives are carried out. The control
activities should be effective and efficient in accordance with the organization’s control
objectives. Control activities are the policies, procedures, techniques, and mechanisms that
enforce management’s directives.
Examples of Control Activities
Top level reviews of actual performance
Reviews by management at the functional or activity level
Management of human capital
Controls over information processing
Physical control over vulnerable assets
Establishment and review of performance measures and indicators
Segregation of duties
Proper execution of transactions and events
Accurate and timely recording of transactions and events
Access restrictions to and accountability for resources and records
Appropriate documentation of transactions and internal control
Specific control activities for information systems
Once an audit is complete, managers must promptly determine proper actions in response to
findings and recommendations, and then complete such actions within an established time
frame.
Common Fraud Methods
Fraud can be perpetrated in a wide variety of ways, which are ever expanding and changing.
We cannot hope to cover all circumstances in this guide. However, some of the more common
methods include:
Failure to account for cash receipts by:
Failure to record sales on cash register or pre-numbered sales slips
Altering or voiding cash register totals or sales slips totals
Failure to record receipts received from sources not controlled by cash registers
Falsifying the bank statement and bank reconciliation to cover up a shortage
Abstracting checks received and forging endorsements
Writing off good accounts receivable to bad debts and retaining cash and receipts when
collected
Managers must be aware of these various methods of fraud so as to know whether their
internal controls will help prevent such occurrences.
Key Internal Control Terms
Annual Statement of Assurance – an annual report in memorandum format, providing a broad
assessment of internal controls within the organization.
Area of Concern – a problem with internal controls that does not meet the criteria of a material
weakness, and will be corrected internally by the identifying organization.
Comptroller General or GAO Standards – the five principles (see above) issued by the
Comptroller General to be applied to all Federal managers in developing, establishing, and
maintaining internal controls.
Fraud – any intentional violation of directives and policies or conscious deception that
adversely affects the interest of MWR/Services. Losses resulting from fraud do not solely
impact MWR/Services assets, but include the loss of productive time, and lower the
effectiveness of the operation.
Internal Control Plan – the written plan that describes how and when an organizational unit
will conduct required formal internal control evaluations.
Internal Control Weakness – a deficiency in an organization’s process, function, or procedure
that could lead to harm (e.g., waste, fraud or abuse of resources; unwanted media attention;
safety concerns; hampered mission; etc.), but is not considered systemic or of headquarters-
level significance.
Key Internal Controls – the essential rules, procedures, and techniques that must be executed
and sustained within daily operations to ensure the organization operates safely, efficiently,
and effectively, in compliance with laws and regulations, and without unreasonable risk of
significant harm.
Material Weakness – a deficiency in an organization’s process, function, or procedure that is
systemic and could lead to severe harm (e.g., waste, fraud, or abuse of resources; media
scandal and damage to an organization’s credibility; accident, injury, or death; and mission
failure). The weakness must be out of the organization’s capability or jurisdiction to fix and
warrant the action of the next level of command.
Reasonable Assurance – the minimum level of quality acceptable for an internal control
system. Absolute assurance does not exist, nor can any organization afford to seek absolute
assurance in every function. Reasonable assurance is a management judgment within the
bounds of common sense, experience, education, and training.
Risk Assessment – an analysis to identify the significance or likelihood of a problem occurring
and its probable impact. Managers decide how to manage risk, and identify specific actions to
be taken to minimize or deter unwanted occurrences. The greater the risk, the greater the need
for effective controls.
Statutory Requirements – The Federal Managers’ Financial Integrity Act of 1982 requires that
all managers implement adequate controls to prevent fraud, waste, and mismanagement of
government resources. It further requires implementation of the Comptroller General
Standards.
Validation – a process used to certify that all corrective actions were completed, justifying the
closure of an internal control weakness.
Summary Chapter 7
Internal control is a major part of managing an organization, and effective internal controls are
mandated by the United States General Accounting Office. Internal control rests on three
fundamental concepts: it is a continuous, built-in component of operations; it is affected by
people; and it provides reasonable assurance, not absolute assurance.
The five standards for internal control, as promulgated by the Comptroller General, are:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring