Safeguarding controls limit access to an organization’s assets to authorized personnel. Access includes both direct physical access and indirect access through the preparation or processing of documents that authorize the use or disposition of assets.
a) A lockbox system for collecting cash receipts from customers.
b) Daily, intact deposit of cash receipts after preparation and verification by two treasury employees.
c) Approval of credit memos by the credit department, not sales.
d) Writeoffs of uncollectible accounts by the supervisor of the credit department manager.
e) Unescorted access to computer operations center prohibited to:
(1) all non-information systems personnel and
(2) all non-operations information system personnel, such as developers.
f) Online access to production application libraries prohibited to developers; online access to production databases prohibited to all users except the organizational “owners” of the data elements.
g) Direct deposit of pay in lieu of distribution of physical paychecks; unclaimed paychecks held by the treasurer, not payroll.
h) Holding of securities in safe deposit box; two employees always present when box is accessed.
i) Physical measures taken to protect assets from natural disasters, e.g., floods, wind damage, earthquakes.
a. Compensating controls replace the normal controls, such as segregation of duties, when the latter cannot feasibly be implemented.
1) For example, in the finance and investment cycle, top management may authorize and execute investments and have access to the records, stock certificates, etc. The compensating control in this case is for at least two people to perform each function.
Internal Controls – Risk and Procedures for Control
a) An alternative to performance of each function by at least two people is to provide oversight. Thus, the board may authorize an investment with other functions (custody of stock certificates, management of the portfolio, and oversight of record keeping) performed by a top manager.
2) Other compensating controls in the finance and investment cycle include periodic communications with the board, oversight by a committee of the board, and internal auditing’s reconciliation of the securities portfolio with the recorded information.
a. Fraud differs from error because it is intentional. It typically involves pressures or incentives to engage in wrongdoing and a perceived opportunity to do so.
b. Examples are fraudulent financial reporting and misappropriation of assets.
c. Internal controls are designed to, among other things, prevent fraud. However, because of the concealment aspects of fraudulent activity (e.g., collusion or falsification of documents), the controls cannot give absolute assurance that material fraud will be prevented or detected.