Accounting control

Accounting control refers to the policies, procedures and methods that organizations implement to ensure the accuracy, integrity and reliability of financial records and reports ^[1]. These controls form a critical component of the broader system of internal controls designed to safeguard assets prevent and detect fraud and ensure compliance with laws and regulations. Accounting controls provide management, stakeholders and regulators with reasonable assurance that financial information accurately reflects the economic reality of business transactions.

Historical development

The formalization of accounting controls evolved alongside the growth of modern corporations and capital markets. During the 1970s and 1980s numerous corporate fraud cases eroded public confidence in corporate financial reporting and exposed serious weaknesses in the mechanisms for ensuring accurate financial statements ^[2]. These scandals prompted regulators and professional bodies to develop more rigorous frameworks for internal control.

In 1985 the National Commission on Fraudulent Financial Reporting was established to investigate the causes of fraudulent financial reporting. This body became known as the Treadway Commission after its first president James C. Treadway Jr. who had served as a Commissioner of the U.S. Securities and Exchange Commission ^[3]. The Commission conducted a two-year analysis and published its findings in the Report of the National Commission on Fraudulent Financial Information which identified weak internal controls as the primary factor enabling fraudulent reporting.

Following the Treadway Commission's work five professional accounting associations formed the Committee of Sponsoring Organizations (COSO) to develop comprehensive guidance on internal control ^[4]. These founding organizations were the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors and the Institute of Management Accountants. The collaborative effort resulted in the landmark 1992 publication Internal Control Integrated Framework which became the most widely adopted internal control framework globally.

The early 2000s brought another wave of accounting scandals including the collapse of Enron and WorldCom which demonstrated that existing controls remained insufficient to prevent major frauds. In response the United States Congress enacted the Sarbanes-Oxley Act of 2002 which established new requirements for internal control over financial reporting ^[5]. Sections 302 and 404 of this legislation mandated that management assess and report on internal controls annually and required independent auditors to review these assessments.

COSO updated the Internal Control Integrated Framework in 2013 to incorporate new business practices including technological changes, increased regulatory requirements and the growing complexity of business operations ^[6]. Further updates in 2017 addressed enterprise risk management and in 2023 COSO released guidance on internal control over sustainability reporting reflecting the growing importance of environmental social and governance matters.

Definition and objectives

According to the COSO framework internal control is a process effected by an entity's board of directors management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in three categories ^[7]. The first category is operations referring to the effectiveness and efficiency of operations. The second is reporting which covers the reliability of financial and non-financial reporting. The third is compliance meaning adherence to applicable laws and regulations.

Accounting controls specifically focus on the financial reporting objectives though they necessarily overlap with operational and compliance goals. The primary objectives of accounting controls include ensuring that transactions are properly authorized before execution, verifying that all transactions are recorded accurately and completely, confirming that assets are safeguarded against unauthorized access or use, and providing for the proper valuation and disclosure of assets liabilities revenues and expenses.

The COSO framework

The COSO Internal Control Integrated Framework provides the foundation for designing implementing and evaluating accounting controls in most organizations ^[8]. The framework consists of five interrelated components that together create an effective system of internal control.

Control environment

The control environment sets the tone of an organization influencing the control consciousness of its people. It provides the foundation for all other components of internal control and includes factors such as the integrity and ethical values demonstrated by management, the organization's commitment to competence, the structure and functioning of the board of directors and audit committee, management's philosophy and operating style, and how the organization assigns authority and responsibility.

Risk assessment

Risk assessment involves identifying and analyzing relevant risks to achieving the organization's objectives as a basis for determining how risks should be managed. For accounting controls this means identifying the risks that could result in material misstatement of financial statements whether through error or fraud. The assessment considers both the likelihood of occurrence and the potential impact of identified risks.

Control activities

Control activities are the specific policies and procedures that help ensure that management directives are carried out. They occur throughout the organization at all levels and in all functions. Control activities include approvals authorizations verifications reconciliations reviews of operating performance security of assets and segregation of duties ^[9].

Information and communication

Relevant information must be identified captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Effective communication must occur in a broad sense flowing down across and up the organization. All personnel must receive clear messages from management that control responsibilities are to be taken seriously.

Monitoring activities

Internal control systems must be monitored through ongoing activities and separate evaluations to assess the quality of the system's performance over time. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities. Separate evaluations such as internal audits assess whether controls are present and functioning as designed.

Types of accounting controls

Accounting controls are typically classified into three categories based on their function in preventing or responding to errors and irregularities ^[10].

Preventive controls

Preventive controls are proactive measures designed to deter errors or fraud from occurring in the first place. These controls operate before transactions are processed and aim to ensure that only valid properly authorized transactions enter the accounting system. Examples of preventive controls include segregation of duties which ensures that no single individual can initiate authorize record and reconcile a transaction, authorization requirements that mandate management approval before transactions above certain thresholds proceed, access controls that restrict system access to authorized personnel based on their roles and responsibilities, and physical controls that limit access to assets such as inventory cash and equipment.

Detective controls

Detective controls are designed to identify errors irregularities and fraud that have already occurred. These controls operate after transactions have been processed and serve as a second line of defense when preventive controls fail. Detective controls include reconciliations that compare records from different sources such as bank statements to general ledger balances, variance analysis that investigates significant deviations from budgets or prior periods, internal audits that independently review transactions and controls, physical inventory counts that verify recorded quantities against actual assets, and exception reports that identify transactions outside normal parameters.

Corrective controls

Corrective controls address deficiencies identified by detective controls and restore the accounting system to proper operation. These controls focus on fixing problems mitigating their impact and preventing recurrence. Corrective controls include adjusting entries that correct errors in the accounting records, updates to policies and procedures based on control weaknesses identified, training programs to address competency gaps that contributed to errors, and disciplinary actions when control violations result from misconduct.

Key control activities

Several specific control activities are fundamental to accounting control systems in virtually all organizations ^[11].

Segregation of duties

Segregation of duties is a cornerstone of internal control requiring that critical functions be divided among different individuals so that no single person can both perpetrate and conceal errors or fraud. The four key functions that should be separated are authorization of transactions, custody of assets, recording of transactions and reconciliation of records. For example the person who authorizes purchases should not be the same person who receives goods, records invoices or reconciles vendor statements.

When complete segregation is not possible due to limited staff mitigating controls such as detailed supervisory review become essential. Small organizations often struggle with this control but compensating procedures can reduce though not eliminate the associated risks.

Authorization and approval

Authorization controls require that transactions be approved by appropriate personnel before execution. General authorization establishes policies for routine transactions such as credit limits or spending authorities while specific authorization is required for transactions outside normal parameters. Documentation of authorizations creates an audit trail demonstrating that controls operated as intended.

Account reconciliation

Reconciliation compares related records from independent sources to verify their agreement. Common reconciliations include bank reconciliations comparing cash records to bank statements, intercompany reconciliations between related entities, accounts receivable reconciliations comparing subledgers to control accounts, and inventory reconciliations comparing perpetual records to physical counts. Timely reconciliation enables prompt identification and correction of discrepancies.

Physical controls

Physical controls protect assets from unauthorized access or use. Examples include secure storage for cash inventory and sensitive documents, locks and access cards restricting entry to facilities or areas, surveillance systems monitoring asset locations, and documentation requirements for asset movements. Physical controls complement accounting records by providing independent verification of asset existence and condition.

Information technology controls

As organizations increasingly rely on computerized accounting systems information technology controls have become essential. These include general controls governing the overall technology environment such as access security change management and backup procedures as well as application controls embedded in specific software to ensure accurate complete and authorized transaction processing.

Applications across industries

While the fundamental principles of accounting control apply universally specific applications vary based on industry characteristics and regulatory requirements ^[12].

In financial services organizations must implement extensive controls over trading activities customer funds and regulatory capital calculations. Controls address risks unique to banking insurance and investment management including credit risk market risk and operational risk.

Manufacturing organizations focus controls on inventory management including accurate costing allocation of overhead and valuation of work in progress. Controls also address fixed asset management including depreciation calculations and impairment assessments.

Retail businesses implement controls over point of sale systems cash handling and inventory shrinkage. The high volume of transactions requires automated controls supplemented by statistical monitoring and exception reporting.

Healthcare organizations must comply with specific regulations regarding patient privacy and billing practices. Controls address the complex revenue cycle including charge capture coding billing and collections.

Advantages of accounting controls

Effective accounting controls provide substantial benefits to organizations and their stakeholders ^[13]:

• Ensure the accuracy and reliability of financial statements supporting informed decision making
• Detect and prevent fraud protecting organizational assets from misappropriation
• Facilitate compliance with laws regulations and contractual requirements
• Build confidence among investors creditors and other stakeholders in financial reporting
• Support operational efficiency through standardized processes and clear accountabilities
• Reduce the cost and disruption of external audits through well documented controls
• Enable timely identification and correction of errors before they compound
• Provide management with reliable information for planning and monitoring performance
• Establish clear expectations for employee conduct reducing ambiguity and conflict

Limitations of accounting controls

Despite their importance accounting controls cannot provide absolute assurance and have inherent limitations ^[14]:

• Human error can result in control failures regardless of system design
• Collusion among employees can circumvent segregation of duties
• Management override can defeat controls when those in authority choose to bypass them
• Cost constraints may limit the extent of controls that can be implemented
• Controls designed for routine transactions may not address unusual situations
• Changing conditions may render existing controls obsolete or ineffective
• Excessive controls can create delays and inefficiencies that reduce operational effectiveness
• Employee resistance can undermine control implementation and maintenance
• Small organizations may lack sufficient personnel to achieve adequate segregation

Accounting control — recommended articles

Internal audit — External audit — Financial management — Corporate governance — Risk management — Quality control — Management — Organization — Audit

References

• Committee of Sponsoring Organizations of the Treadway Commission (2013), Internal Control Integrated Framework, AICPA.
• Moeller R.R. (2013), Executive's Guide to COSO Internal Controls, John Wiley & Sons.
• Whittington O.R., Pany K. (2021), Principles of Auditing and Other Assurance Services, McGraw-Hill Education, 22nd edition.
• Rittenberg L.E., Johnstone K.M., Gramling A.A. (2021), Auditing: A Business Risk Approach, Cengage Learning, 11th edition.
• Sarbanes-Oxley Act of 2002, Public Law 107-204.

Footnotes

1. COSO (2013), p. 3
2. Moeller R.R. (2013), pp. 1-5
3. Moeller R.R. (2013), pp. 8-12
4. COSO (2013), pp. 1-3
5. Sarbanes-Oxley Act of 2002, Sections 302 and 404
6. COSO (2013), Preface
7. COSO (2013), p. 3
8. COSO (2013), pp. 4-7
9. Whittington O.R., Pany K. (2021), pp. 198-205
10. Rittenberg L.E. et al. (2021), pp. 245-250
11. Whittington O.R., Pany K. (2021), pp. 205-215
12. Moeller R.R. (2013), pp. 185-195
13. COSO (2013), pp. 8-10
14. COSO (2013), pp. 10-11

Author: Sławomir Wawak