What is the difference in an internal control and a process? Most company accounting manuals do not clearly define what a control is. The result: it can be difficult to identify a company’s key controls. As a result, some auditors incorrectly identify processes as internal controls in their walkthrough documentation. Below, I help you distinguish between controls and processes so you won’t make this mistake.
As you perform your annual walkthroughs, you determine if the company’s internal controls are designed properly and if they are implemented. But what are internal controls? And how do they differ from processes?
Processes are the actions performed by accounting personnel that are not controls. For example, a cashier receives payments.
Controls, on the other hand, are the actions that ensure safety and accuracy. For example, the cashier might restrictively endorse a check For Deposit Only and create a receipt. These are controls. A business can, however, receive payments without controls. But if they do, monies might be stolen or recorded incorrectly. In short, accounting controls (or internal controls) lessen misstatements in the financial statements and theft.
In performing risk assessment, you consider whether an account balance or transaction might be misstated, whether by error or fraud. And how do you do this? By performing certain procedures such as reviewing the internal control system. This is why it’s important to know what the key controls are.
Below I provide examples of cashier processes and internal controls.
Remember a process is what is being done. The purpose of the process, in this example, is to receive and process payments.
The cashier’s work manual might require processes as follows:
Now, let’s look at sample internal controls.
Controls ensure accuracy and lessen fraud. The accounting manual might spell out the following controls (this list is not comprehensive):
Notice the segregation of duties and the second-person reviews. The internal controls lessen the potential for misstatements and theft.
Some controls may sound like policies alone—and not controls—such as no purses are allowed in the collection area. But what is the purpose of the requirement? To lessen theft. So I consider this to be both a policy and a control.
Also, notice that some controls are automated such as the entry flag for amounts greater than $1,000. The purpose of this control is to lessen data entry error.
(By the way, new receipting technology is available to lessen theft, increase accuracy of data entry, and speed the deposit process. See the article How You Can Help Limit Retail Theft and Streamline Daily Accounting.)
In summary, we see that a processes are the actions performed to get something done. Cashiers receive and process payments. By contrast, controls ensure that the resulting numbers are correct and that assets are secure from theft.
Understanding the differences in controls and processes helps you identify key controls. And why is this important? Understanding the distinction allows you to properly identify key controls in your walkthrough documentation. You don’t want to identify a process as a control when it’s not.
See my article titled Audit Risk Assessment: The Why and How for additional information about control risks. If you desire to test controls for effectiveness, see Test of Controls: When to Perform and How.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles consults with other CPA firms, assisting them with auditing and accounting issues.
Session expired
Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.