Key Concepts

Internal Controls

Preventing errors and fraud with practical safeguards

Controls are the actual safeguards that prevent people from violating principles. Without controls, GAAP is just words on paper. With controls, GAAP becomes reality.

Why This Matters

You've learned GAAP principles that SHOULD prevent fraud. But should ≠ will.

A company implements revenue recognition principles. Then a manager records sales that haven't happened yet.

A company maintains the matching principle. Then someone reclassifies operating expenses as capital assets.

Internal controls are why financial statements are trustworthy instead of merely aspirational.

What Are Internal Controls?

Internal controls are the procedures and systems a company implements to:

  • 🛡️ Prevent errors from happening
  • 🔍 Detect errors that do occur
  • 🚫 Prevent fraud from happening
  • ⚠️ Detect fraud that does occur
  • 📋 Ensure compliance with policies

The goal: Reliable financial statements and operational efficiency.

The COSO Framework: Five Components

The standard framework for internal controls is COSO (Committee of Sponsoring Organizations). It has five interdependent components:

  1. Control Environment: The tone and culture that makes controls matter.
  2. Risk Assessment: Identifying what could go wrong and how likely it is.
  3. Control Activities: The actual procedures that prevent/detect errors and fraud.
  4. Information & Communication: Capturing and sharing information needed for controls to work.
  5. Monitoring: Checking that controls are actually working.

Control Types: Prevention vs. Detection

🛡️ Prevention Controls

Try to stop errors/fraud BEFORE they happen.

Example: Authorization control

Policy: Payments over $10,000 need manager approval

Effect: Manager catches potential fraud before payment

Result: Fraud prevented (doesn't happen)

Advantages:

  • ✓ Better than detection (stops problem before it starts)
  • ✓ Less costly to fix
  • ✓ No damage occurs

🔍 Detection Controls

Try to catch errors/fraud AFTER they happen.

Example: Bank reconciliation

Action: Compare cash ledger to bank statement

Finding: Reconcile discrepancies

Result: Fraud detected after it occurs

When used:

  • When prevention isn't 100% possible
  • As backup to prevention controls
  • For monitoring overall health

Segregation of Duties: The Core Control

The most important control principle: No one person should handle all parts of a transaction.

The Four Duties (Split Among People)

  1. Authorization | Who approves the purchase? | Manager / Purchasing Agent
  2. Recording | Who enters it in the system? | Accounting Clerk
  3. Custody | Who takes physical possession? | Warehouse Manager
  4. Reconciliation | Who verifies everything matches? | Internal Auditor / Supervisor

RULE: All four duties held by different people

❌ Fraud WITHOUT Segregation

Same person who:

  • ✓ Approves purchases
  • ✓ Records purchases
  • ✓ Takes custody of goods
  • ✓ Reconciles records

Fraud: Person receives goods, records fake purchase price, pockets difference

Result: Fraud happens, no detection

✓ Fraud WITH Segregation

  • Person A: Approves purchases
  • Person B: Records purchases
  • Person C: Takes custody of goods
  • Person D: Reconciles records

Fraud attempt: Person B tries to record fake purchase

  • But Person A didn't approve it
  • But Person C never received it
  • But Person D sees discrepancy

Result: Fraud prevented/detected immediately
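
The segregation rule above can be checked mechanically over transaction records. The following is an added example, not part of the original page: the record layout, the transaction ids and the person labels are constructed for illustration, and a duty that nobody performed is recorded as None.

```python
from collections import defaultdict

# The four duties named in this section.
DUTIES = ("authorization", "recording", "custody", "reconciliation")


def sod_findings(txn):
    """Return segregation-of-duties findings for one transaction record.

    txn maps each duty to the person who performed it (None if nobody did).
    """
    findings = []
    holders = defaultdict(list)
    for duty in DUTIES:
        person = txn.get(duty)
        if person is None:
            # e.g. a purchase recorded without approval or receipt of goods
            findings.append(f"missing {duty}")
        else:
            holders[person].append(duty)
    # Any person appearing under more than one duty breaks the rule.
    for person, duties in sorted(holders.items()):
        if len(duties) > 1:
            findings.append(f"{person} holds {' + '.join(duties)}")
    return findings


def review(ledger):
    """Map transaction id -> findings, omitting clean transactions."""
    report = {}
    for txn in ledger:
        findings = sod_findings(txn)
        if findings:
            report[txn["id"]] = findings
    return report


# Constructed sample ledger (hypothetical ids and people).
LEDGER = [
    # Properly segregated: four different people.
    {"id": "PO-1", "authorization": "A", "recording": "B",
     "custody": "C", "reconciliation": "D"},
    # Person B records a purchase nobody approved and nobody received.
    {"id": "PO-2", "authorization": None, "recording": "B",
     "custody": None, "reconciliation": "D"},
    # One person performs every step.
    {"id": "PO-3", "authorization": "E", "recording": "E",
     "custody": "E", "reconciliation": "E"},
]

if __name__ == "__main__":
    for txn_id, findings in review(LEDGER).items():
        print(txn_id, "->", "; ".join(findings))
```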

Common Fraud Schemes & Controls

Cash Theft

Fake Invoices (Accounts Payable)

Lapping (Accounts Receivable)

Inventory Theft

Red Flags: Detecting Control Weaknesses

🚩 Transactions Without Documentation

  • Invoice paid, but no receipt
  • Journal entry recorded, but no supporting evidence

🚩 Unusual Transactions

  • Related-party purchases at inflated prices
  • Transactions outside normal business
  • Payments to unfamiliar vendors

🚩 Discrepancies Not Investigated

  • Bank reconciliation differences ignored
  • Inventory counts don't match records
  • Journal entries without explanation

🚩 Missing Segregation

  • One person handles all steps
  • No one reviewing transactions
  • Approvals from people with conflicts of interest

🚩 Lack of Documentation

  • No supporting invoices or receipts
  • No evidence of approval
  • No explanation of adjustments

Real-World Control Failure: Petty Cash Example

Company Policy

Petty cash for small purchases under $100 | $500 max in box | Weekly reconciliation | All receipts required

✓ What Should Happen

  1. Employee buys office supplies for $50
  2. Receives receipt
  3. Takes from petty cash box
  4. Records in log
  5. Weekly: Receipts total = Cash removed ✓
  6. Manager signs off

❌ What Actually Happened (Control Failure)

  1. Employee takes $50 for personal coffee
  2. No receipt, no record
  3. Weekly reconciliation:
     Receipts total: $300 | Cash in box: $150 | Difference: $50
  4. Manager: "Where's the $50?"
  5. Employee: "Oops, forgot to include receipt"
  6. Manager signs off anyway (no investigation)

Result: Undetected theft continues

Better Control:

  • Reconciliation difference = Investigation required
  • No exceptions
  • Can't sign off until difference explained
  • Repeated discrepancies = Discipline

Sarbanes-Oxley: The Legal Requirement

Sarbanes-Oxley (SOX)

Post-Enron reform law to prevent fraud

  • 🏒 Public companies must have internal controls
  • 📊 Management must assess control effectiveness
  • 🔍 Auditors must verify controls work
  • 👥 Board audit committee must oversee
  • ⚖️ Violations can result in criminal penalties

The Cost-Benefit of Controls

Controls aren't free. They require personnel, systems, time, and auditing. So when are controls justified?

When Benefit > Cost ✓

Benefit: Prevent $100,000 fraud

Cost: $10,000 annually

Verdict: Control is justified

When Benefit < Cost ✗

Benefit: Prevent $500 fraud

Cost: $10,000 annually

Verdict: Control is overkill

This is materiality in action.

Key Takeaway

Internal controls are the practical safeguards that prevent errors and fraud. Based on the five COSO components (control environment, risk assessment, control activities, information & communication, monitoring), they include prevention controls that stop problems before they occur and detection controls that catch problems after. Segregation of duties is the core principle: no one person should handle all parts of a transaction. Understanding common fraud schemes and how controls prevent them is essential to building reliable financial statements.

Test Your Understanding

1. Which COSO component is the "tone at the top"?

2. Segregation of duties is best illustrated by:

3. A prevention control works by:

4. In a petty cash system, the most important control is:

5. True or False: A company with strong GAAP principles but weak internal controls will have reliable financial statements.
