Internal Control and a Process: The Difference

What is the difference in an internal control and a process? Most company accounting manuals do not clearly define what a control is. The result: it can be difficult to identify a company’s key controls. As a result, some auditors incorrectly identify processes as internal controls in their walkthrough documentation. Below, I help you distinguish between controls and processes so you won’t make this mistake.

Processes and Controls in Risk Assessment

As you perform your annual walkthroughs, you determine if the company’s internal controls are designed properly and if they are implemented. But what are internal controls? And how do they differ from processes?

Processes are the actions performed by accounting personnel that are not controls. For example, a cashier receives payments.

Controls, on the other hand, are the actions that ensure safety and accuracy. For example, the cashier might restrictively endorse a check For Deposit Only and create a receipt. These are controls. A business can, however, receive payments without controls. But if they do, monies might be stolen or recorded incorrectly. In short, accounting controls (or internal controls) lessen misstatements in the financial statements and theft.

In performing risk assessment, you consider whether an account balance or transaction might be misstated, whether by error or fraud. And how do you do this? By performing certain procedures such as reviewing the internal control system. This is why it’s important to know what the key controls are.

Below I provide examples of cashier processes and internal controls. 

Cashier Processes

Remember a process is what is being done. The purpose of the process, in this example, is to receive and process payments.

The cashier’s work manual might require processes as follows:

• Take your cash drawer from the vault each morning
• Turn on your computer by 7:50 a.m. to ensure it is working properly
• Open your station at 8:00 a.m. 
• Press the f7 key before entering the receipt
• Ask customers to place their credit cards into the credit card machine at your window
• Press the f3 key when the receipt entry is complete

Now, let’s look at sample internal controls.

Cashier Internal Controls

Controls ensure accuracy and lessen fraud. The accounting manual might spell out the following controls (this list is not comprehensive):

• No purses or handbags are allowed in the cash collections area
• Station security cameras record all activity; retain video for at least one month
• No person receiving cash can write down or eliminate receivables (of if they can, a second person reviews and signs off on all adjustments)
• The receipting software flags all amounts greater than $1,000 (most receipts are less than $500)
• Only one cashier can work from a cash drawer; the cashier must lock his or her drawer upon leaving their station and must log out of their computer
• Cashiers issue a receipt for each payment received
• The cash supervisor observes the daily closeout count of one cashier at least once per week
• The cash supervisor creates the daily summary deposit and provides the same to the courier for delivery to the bank

Notice the segregation of duties and the second-person reviews. The internal controls lessen the potential for misstatements and theft.

Some controls may sound like policies alone—and not controls—such as no purses are allowed in the collection area. But what is the purpose of the requirement? To lessen theft. So I consider this to be both a policy and a control.

Also, notice that some controls are automated such as the entry flag for amounts greater than $1,000. The purpose of this control is to lessen data entry error.

(By the way, new receipting technology is available to lessen theft, increase accuracy of data entry, and speed the deposit process. See the article How You Can Help Limit Retail Theft and Streamline Daily Accounting.)

Difference in Internal Controls and Processes

In summary, we see that a processes are the actions performed to get something done. Cashiers receive and process payments. By contrast, controls ensure that the resulting numbers are correct and that assets are secure from theft. 

Understanding the differences in controls and processes helps you identify key controls. And why is this important? Understanding the distinction allows you to properly identify key controls in your walkthrough documentation. You don’t want to identify a process as a control when it’s not.

Control Risk Assessment

See my article titled Audit Risk Assessment: The Why and How for additional information about control risks. If you desire to test controls for effectiveness, see Test of Controls: When to Perform and How.