Bab210381

CHAPTER 2

THEORETICAL FOUNDATION

2.1

Theoretical Foundation

2.1.1 Definition of Internal Control

cited

from the

AICPA

Professional Standards,

Hall

(2007)

reveals

that

internal control comprises policies, practices, and procedures employed by the

organization to achieve four broad objectives:

1. To safeguard assets of the firm.

2. To

ensure

the

accuracy

and

reliability

accounting

records

and

information.

3. To promote efficiency in the firm’s operations.

4. To

measure compliance with management’s prescribed policies and

procedures.

COSO (1994) defines internal control in its Internal Control-Integrated

Framework as follows:

“A process, effected by the entity’s board of directors, management and

other personnel, designed to provide reasonable assurance regarding the

achievement

objectives

the following categories: effectiveness and

efficiency of operations, reliability of financial reporting, and compliance

with applicable laws and regulations.”

COSO (1994) highlights the

following basic concepts

from

its definition of

internal control:

•

“Internal Control is a process, which

is to an end but

not

an end itself”

(COSO, 1994). “It consists of a series of actions that are integrated with,

not added onto an entity’s infrastructure” (Leung et al., 2007).

•

“Internal

Control

affected

people”

(COSO,

1994).

good internal

control will not be accomplished with simply setting up policy and

procedures.

However,

also

influenced

the

manner of persons

each level in an organization (COSO, 1994).

•

“Internal

control

can

only provide

reasonable

assurance,

not

absolute

assurance to an entity’s management and board” (COSO, 1994). The

reason because internal control has limitations on its effectiveness (Leung

et al., 2007).

•

“Internal

control

is a geared to the

achievement of objectives

in one or

more separate but overlapping categories” (COSO, 1994), which include

financial reporting, compliance, and operations (Leung et al., 2007). This

means one singular objective can be classified into more than one

category resulting in addressing various requirements and

responsibilities

to various boards (COSO, 1994).

Chambers

and

Rand

(1997)

define

effectiveness and efficiency, which

mentioned in COSO’s definition of internal control, as the following:

•

“Effectiveness

means

doing

the

right

things

–

i.e.

achieving

objectives”

(performances and profitability goals).

•

“Efficiency means doing them well – e.g. with

good systems which avoid

waste and rework”.

Moreover,

Chambers

and

Rand

(1997)

believe

that

the

“effectiveness

and

efficiency

of operation”

within

COSO’s

definition

internal

control,

comprises of the objectives of safeguarding of assets that could be defined as:

“…the prevention or timely detection of unauthorized acquisition, use or

disposition of the entity’s assets…”

Leung et al. (2007) describes the following possible limitations of internal

control

that

limited

them to

offer

merely

reasonable

assurance

and

not

absolute assurance:

Costs

versus

benefits.

entity

should

consider that the costs in

establishing

internal

controls should not outweigh

its benefits (Leung et

al., 2007). As a result, the internal control will not be perfect and able to

provide an absolute assurance.

Management override. Management may overrule the given control

policies and procedures and perpetrate override practices

such

representing fictitious transactions, with

illegitimate

intentions

including

personal gain (Leung et al., 2007).

Non-routine transactions. The internal controls are made generally for

routine

transactions

order

to lower

the

costs

(Leung

al.,

2007).

Therefore, there will be higher potential of risk to occur within the entity’s

non-routine transactions.

Collusion. Personnel work together

to perpetrate and cover up an

irregularity

(Leung

al.,

2007). For

instance,

“kickback”

schemes

arranged between a supplier and an employee in the purchasing

department

(Wiersema, 2010), or among customers and employee in the

sale department, etc. (Leung et al., 2007).

Mistakes

judgment. Poor

judgment

in business decisions making or

routine transactions made by management or other personnel may occur

due to insufficient information, time constraints or other pressures (Leung

et al., 2007).

Breakdowns.

Occasionally,

failed

controls

may

happen

due

personnel misinterpret commands, errors happened because of negligence,

disruption

fatigue,

the

modification

workers,

systems

procedures (Leung et al., 2007).

Changes in conditions. Changes will occur overtime as it influenced by

internal

and external

factors,

which

may

caused

the

existing

controls

become ineffective (Leung et al., 2007).

2.1.2 Roles and Responsibilities

“Everyone in an organization has responsibility for internal control” (COSO,

1994), which briefly explain as the following:

•

Management

Chambers

and

Rand

(1997)

state

that

“internal

control

synonymous

with management control” as management including Chief Executive

Officers (CEO) and Chief financial Officers (CFO) are the one who

responsible to the board of directors in ensuring the effectiveness of

entity’s internal control.

•

Board of directors

Chambers and Rand (1997) mention that the board’s stewardship, on

behalf of the shareholders who appointed them, is to manage all business

matters

that happen

within

the

company

including

internal

control.

However, the board only gives direction to management, who has

the

overall responsibility in ensuring the entity’s internal controls are effective

(Chambers and Rand, 1997).

•

Internal Auditors

Hirth (2008) believes that better internal audit will lead to better controls.

He mentions that The Institute of Internal Auditors (IIA) defined internal

audit

“independent,

objective assurance

and

consulting

activity

designed to add value and improve organization’s operation. It helps an

organization accomplish

its objectives by bringing a systematic,

disciplined approach

to evaluate

and

improve

the

effectiveness

risk

management, control, and governance process”

Leung et al. (2007) explains that internal auditors are the employees of the

entities

that

they

audit, who

involved

internal

auditing

within

that

organization. Chamber and Rand (1997) also state that internal auditors

responsible

provide

service

by being

involved

independent

appraisal

activities

for

the

adequacy and

effectiveness

company’s

internal control. Chambers and

Rand (1997) stated the

following implicit

and explicit objectives of internal auditing:

1. “To reassure management that internal control is sound

2. To identify non-compliance and urge future compliance.

3. To identify system weaknesses and make recommendations for

improvement.

4. To persuading management to accept and implement successfully the

audit recommendations for improvement.”

Moreover, COSO (1994) states that internal auditors not only play a

important role in assessing

the entity’s

internal

control effectiveness but

also play an essential monitoring role in ensuring the ongoing

effectiveness of the entity’s internal control.

•

Other Personnel

COSO (1994) briefly

explains the

roles

personnel, both

inside and

outside the organization, in relation with internal control, as follows:

1. Employees – All employees responsible to communicate to the upper

level

regarding

the

problems

arise

“operations,

non-compliance

with the code of conduct, or other policy violations or illegal actions”

(COSO, 1994).

2. External

auditors

–

They

often

involve

the

achievement

entity's objectives by carry out “an independent and objective view,

contribute directly through the financial statement audit, and

indirectly

providing

useful

information to

management

and the

board” (COSO, 1994).

3. External parties – A number of external parties such as

“legislators

and regulators, customers and others transacting business

with the

enterprise,

financial

analysts,

bond raters

and

the

news

media” are

providing the entity with useful information

regarding

its

internal

control (COSO, 1994). “However, external parties are not responsible

for, nor a part of, the entity's internal control system” (COSO, 1994).

2.1.3 Risk and Control

Hunton et al. (2004) defines risks as “the chances of negative outcomes” that

may emerge

from

internal and external environments, which can

hinder the

achievement

business

objectives.

The

examples

risks

from external

factors such as new competitors enter the market, poor economic conditions,

changing customer’s demand, etc. (Hall, 2007). On the other hand, risks from

internal

factors

may

include

unauthorized

access

firm’s

assets, fraud

perpetrated by employees and management, labor disputes, error due to

employee incompetence, equipment failures, etc. (Hall, 2007).

Fraud is defined by Hall (2007) as “a false representation of

material

fact

made by one party to another party with the intent to deceive and induce the

other party to justifiably rely on the fact to his or her detriment”. Moreover,

Hall (2007) describes the following characteristics of a fraudulent act:

1. “False representation. There must be a false statement or disclosure.

2. Material fact. A fact must be a substantial factor in inducing someone to

act.

3. Intent. There must be the intent to deceive or knowledge that one’s

statement is false.

4. Justifiable reliance. The

misrepresentation

must have been a substantial

factor on which the injured party relied.

5. Injury or loss. The deception must have been caused injury or loss to the

victim of the fraud”.

Fraud in business environment has a more specialized meaning as Hall (2007)

defined it as “an intentional deception, misappropriation of a company’s

assets, or manipulation of financial data for the advantage of perpetrator”.

Leung et al. (2007) classified 3 factors that contribute fraud: (1) incentives or

pressures, (2) opportunity, (3) attitudes/rationalization.

These

factors

are

usually known as the ‘fraud triangle’. However, proper internal control could

mitigate these risks as Hall (2007) illustrates internal control as a shield that

safeguard the firm’s assets from numerous risks. Hence, management in every

organization should develop and maintain an adequate internal control.

2.1.4 Types of Control

Chamber and Rand (2007) reveal that in 1958, AICPA divided internal

control

into

two

types; accounting control

and

administrative

control.

This

distinction has been made to allow external auditors to be aware that their

primary

concern

internal control

limited

merely

to accounting

controls

and not the administrative controls over operation (Chamber and Rand, 2007).

AICPA made the distinction of controls as below: (Chamber and Rand, 2007)

“Accounting control comprises the plan of the organization and the

procedures and records that are concerned with the safeguards of assets

and the reliability of financial records.”

“Administrative control includes, but is limited to, the plan of organization

and

the

procedures

and

records

that are

concerned

with

the

decision

processes leading to management’s authorization of transactions. Such

authorization is a management function directly associated with the

responsibility for achieving the objectives of the organization and is the

starting point for establishing accounting controls of transactions”

In addition, Hall (2007) states there are three levels of internal control;

Preventive, Detective, and Corrective (PDC), which briefly explain below:

•

Preventive controls are “passive techniques designed to reduce the

frequency of occurrence of undesirable events” (Hall, 2007). This is the

first

level

defense

in the

control

structure that

forces

to comply with

given rules or desired actions (Hall, 2007). “Preventing errors and fraud is

obviously

far

more cost-effective than detecting and correcting problems

after they

occur” (Hall,

2007).

The

example

preventive

control

designing a proper internal control (Hall, 2007).

•

Detective controls are the second level of defense in the control structure

(Hall, 2007). “These are devices, techniques, and procedures designed to

indentify and expose undesirable events that elude preventive controls.

Detective controls reveal specific types of errors by comparing the actual

occurrences to the pre-established standards” (Hall, 2007). This type of

controls identifies irregularity then draws attention when error occurs.

•

Corrective

controls

are

“actions

taken

reverse

the

effects

errors

detected in the previous step” (Hall,

2007).

Corrective

control

actually

fixes the problem identified by detective controls.

Unfortunately, PDC control model offers inadequate guidance for designing

specific controls (Hall, 2007). Thus, Statement on Auditing Standards

No.78, which

is based on COSO framework, is

made as

guidance in

specifying internal control procedures and objectives (Hall, 2007).

2.1.5 Sarbanes-Oxley Act and COSO Framework

Sarbanes-Oxley Act (SOX) was created by the U.S Senator Paul Sarbanes and

U.S Representative Michael G. Oxley and was signed into law by President

George W. Bush on 30

July 2002 (Grumet, 2007). This Act was created as

the

respond to

the

foremost

corporate accounting

scandals

that happened

year 2001-2002; such as Enron, WorldCom, Tyco, etc. (Grumet, 2007).

Hall (2007) explains that Sarbanes Oxley Act 2002 obliges all public

companies’

management

execute

proper internal

controls; in order to

enhance the firm’s financial reports accuracy and reliability.

Merchant et al. (2007) mentions that a good internal control is not only ensure

the fairness and accuracy of financial reporting but also help ensure managers

would

have

good

information

making

business decision as well as to

minimize the numbers of fraud and asset loss.

The following are the sections of Sarbanes Oxley Act (SOX) 2002 that deal

with internal control:

SOX section 302

requires company’s management including Chief

Executive Officers (CEO) and Chief financial

Officers

(CFO)

make

certain quarterly or annual representations or financial reporting that

disclose

any

significant

deficiencies in

organization‘s

internal

controls

(Elder et al., 2009).

SOX section 404 obliges public companies with the

following

requirements:

Their

management

required

to annually assess and report

on the

effectiveness of organization’s internal control (Elder et al., 2009).

Their external auditors are required to issue attestation report for

giving opinion regarding

management’s assessment

in the company’s

internal control (Elder et al., 2009).

In assessing the effectiveness of internal control as required by SOX section

404, company should use a framework entitled of Internal Controls–

Integrated Framework

(Elder

et al., 2009),

which

was

developed and

published

Committee

Sponsoring Organizations (COSO) of the

Treadway Commission in 1992 (Tanki and Steinberg, 1993).

This COSO framework formed a general definition of internal control and

proposed standard for companies to assess and improve their internal control

effectiveness

over

financial

reporting and

business

operations

(Tanki

and

Steinberg, 1993). This implies that the framework can be use by companies’

management or public accountant to assess and report on the effectiveness of

companies’ internal control, for fulfilling the required attestation report on

management’s assessment of internal control, as well as to give advice for

improving companies’ operations (Tanki and Steinberg, 1993).

However, Michelman and Waldrup (2008) state that most smaller public and

nonpublic companies have found difficulty in understanding and applying the

1992 COSO Internal Control-Integrated Framework (ICFR) as it concerned

more on large companies operation. Hence, Internal Control over Financial

Reporting-Guidance for Smaller Public Companies (ICFR-SPC)

has

been

issued by COSO in 2006 as a guidance for smaller companies; whether they

are public, private, or not-for profit (Gramling and Hermanson, 2007).

Gramling and Hermanson (2007) state that the new COSO guidance does not

change or replace the 1992 COSO internal control framework, on the other

hand,

takes

the

concepts

1992 COSO

framework

and

clarifies

the

applicability of ICFR in smaller companies.

2.1.6 Internal Control for Smaller Entities

COSO (2006) believes that effective internal control should be maintained by

any organization regardless of their size and type (public, private, state-

owned, or family-owned). It is because size and type of the organization does

not impact the need for having effective internal control. However, the

implementation

of internal

control

smaller entities

is commonly

less

complex and less formally documented in certain part (COSO, 2006).

Hardesty (2008) defined two characteristics

smaller

companies;

management

significant involvement in the day to day activities and fewer

levels of management. He believes that these two characteristics are important

to be considered as they may lead directly to a serious internal control risks;

such as management override of controls, risks of fraud, etc.

Leung

al.

(2007)

states

the

following

critical

points

in relation

the

application of internal control in smaller entities:

1. The application of control environments and control procedures in smaller

entities will

only

vary

in the

terms

the

“degree

formality and the

manner in which components are implemented”.

2. “Smaller entities are less likely to have written codes of conduct, external

auditors,

formal policy

manuals, sufficient personnel to provide

segregation of duties, or internal auditors.” However, smaller entities may

overcome these problems by

“developing a culture that emphasizes

integrity, ethical values and competence”.

3. Managers

smaller

entities

should

concern

about

certain

crucial

tasks

such as “approving credit, signing checks, reviewing bank reconciliations,

monitoring customer balances and approving write-offs of bad debts”.

Gramling and Hermanson (2007) stated that COSO guidance for smaller

public companies describe internal control as an ongoing, interactive process

with

five

interrelated

components

that begins

with

risk assessment,

control

environment, control activities, information and communication, and finally

monitoring.

Tanki and Steinberg (1993) state that every organization

will

have different

nature of internal control components in terms

of degree, formality,

and

structure but they believe

that

company’s internal control can be deemed as

effective when all of these five components of internal control are exist.

The

following are

the

comparison

elements

internal

control

within

large and smaller companies, which is summarized in table 2.1 p. 29:

1. Control environment – This

the

key basis

for

the

other four

components of internal control. The control environment influences

management and employees to aware with the importance of control,

which affected by the following major factors: (COSO, 1994)

•

The integrity and ethical values

•

Commitment to competence

•

Board of directors or audit committee

•

Management's philosophy and operating style.

•

Organizational structure.

•

Assignment of authority and responsibility.

•

Human Resource Policies and Practices.

Michelman and Waldrup (2008) mention only 5 out of 7 principles listed

above that are applicable for small companies as they often have no board

of directors and have inadequate knowledge of human resources policies

and practices.

Risk

assessment

–

Every organization faces a

variety of risks that

may

emerge

from

external and

internal

environment.

Thus, they should

perform risk

assessment,

which

“the

identification

and

analysis

relevant

risks

the

achievement

objectives,

forming

basis for

determining how the risks should be managed” (COSO, 1994).

Tanki and Steinberg (1993) reveal that the risk assessment in the case of

smaller companies is

likely to be less formal and

less structured, but not

less important. Smaller companies should have clear objective although in

more implicit rather than explicit way. Moreover, they rely more on direct

interaction rather than formal written reports from its workers.

Michelman

and

Waldrup

(2008)

mention

that out of three steps of risk

assessment that comprise of establishment of financial reporting

objectives, identification of financial reporting risks, and

identification of

fraud

risks;

they believe

small

entities

should

concern more

the

identification

fraud risk rather

than

financial

reporting

objectives

and risks, as many of them are using a cash basis accounting. In this

context, small companies should be aware with how “fraud triangle” (as

explained the above section 2.1.3) may influence their business and its

employees (Michelman and Waldrup, 2008).

3. Control activities – Control activities consist of policies and procedures

that help company in ensuring the needed actions are taken to deal with

risks,

which may

hinder the achievement of entity's objectives”

(COSO,

1994). Control activities are applicable for all levels and functions in an

organization; which classified as the following categories:

“transaction

authorization, segregation of duties, supervision, accounting records,

access control, and independent verification.” (Hall, 2007)

Michelman and Waldrup (2008) explain that small businesses should

select and develop control activities that can mitigate the

risks of fraud

that

have

been

identified

risk

assessment

well

integrate and

document

their control

activities as part of its policies and procedures.

However,

Michelman

and

Waldrup

(2008) believe

that

not

significant issue as most small businesses do not rely much on it.

4. Information and communication –

Every enterprise

must

identify,

capture, and communicate any relevant information throughout the

organization at the right time and at the right people to help them perform

their responsibilities (COSO, 1994). All personnel must understand their

own

role

internal

control as

well

having

effective communication

with

external

parties

such

customers,

suppliers, regulators

and

shareholders (COSO, 1994).

Small businesses should encourage their employees to communicate

internally

with

management

owner regarding internal control

deficiencies or

frauds

that

occur,

vital

the

success

the

organization. (Michelman and Waldrup, 2008).

5. Monitoring – a process that assesses the quality of internal control design

and performance over time (Hall, 2007). Management should periodically

monitor the entity’s internal controls to ensure they are functioning well

(COSO, 1994). This could be done by either through ongoing monitoring

activities, separate evaluations, or the combination of both.

Michelman

and

Waldrup

(2008)

believe that the ongoing and separate

evaluations are crucial even for small businesses that usually do not have

the requirement to report internal control deficiencies since it will bring a

value added.

Rittenberg et al. (2007) stated that

the

COSO

guidance

for

smaller

companies

requires

any

organization

realize that

internal control

is a

continuous and integrated process as the risks are changing over time and

therefore controls will change as well.

Thus, any organizations need to

update its identification and assessment of risks as well as to monitor the

effectiveness of its internal control.

Rittenberg et al. (2007)

mentioned that written documentation over

internal controls are

important

as it

can offer companies

guidance

implement internal controls, serve as a basis for training new personnel in

implementing internal controls as well as to provide evidence whether the

internal

controls

have effectively

implemented.

Unfortunately,

many

organizations are still having inadequate written documentation over its

internal controls

and

as a

result,

its internal

controls

are

not effectively

designed or implemented (Rittenberg et al., 2007).

The following table summarizes the comparison between 5 elements of

internal control in large and small companies based on ICFR and ICFR-SPC.

Table 2.1 Comparison of Internal Control Components

Components

Large Businesses

Small Businesses

1. Control

Environment

•

Integrity and ethical values

•

Commitment to competence

•

Board of directors

•

Management's philosophy and

operating style.

•

Organizational structure.

•

Assignment of authority and

responsibility.

•

Human resources

•

Integrity and ethical values

•

Commitment to

competence

•

Management's philosophy

and operating style.

•

Organizational structure.

•

Assignment of authority

and responsibility.

2. Risk Assessment

•

Financial reporting objectives

•

Financial reporting risks

•

Fraud risks

•

Fraud risks

3. Control Activities

•

Integration with risk assessment

•

Selection and development of

control activities

•

Policies and procedures

•

Information technology

•

Integration with risk

assessment

•

Selection and development

of control activities

•

Policies and procedures

4. Information and

Communication

•

Financial reporting information

•

Internal control information

•

Internal communication

•

External communication

•

Internal control information

•

Internal communication

5. Monitoring

•

Ongoing and separate

evaluations

•

Reporting deficiencies

•

Ongoing and separate

evaluations

2.2

Purchasing Function

2.2.1 Purchasing Process

Purchasing, known as procurement,

is the

buying

process

that

supports

the

organization activities with following specifications (Monczka et al., 2009):

1. “At the right price

2. From the right source

3. At the right quality

4. In the right quantity

5. At the right delivery time.”

Wilkinson et al. (2000) describe the following broad objectives of purchasing:

1. To ensure that all goods and services are ordered as needed.

2. To receive all ordered goods and verify that they are in good condition.

3. To safeguard goods until needed.

4. To determine invoices related to goods or services are valid and correct.

Monczka et al. (2009) state that purchasing process involve following steps:

1. Forecast and plan requirement.

2. Clarify the need (purchase requisition).

3. Identify or select proper supplier.

4. Approve and prepare purchase order.

5. Receive and inspect raw materials and documents.

6. Invoice received, verified, and then issues the payment.

7. Measure supplier performance.

Wilkinson et al.

(2000) points out

that purchasing function

not solely the

responsibility

purchasing

department

but

also

staffs

from several

departments;

inventory

control,

receiving,

inventory

store, and

finance

and

accounting.

Monczka et al. (2009) mentions the following types of purchasing:

1. Raw materials

2. Semi-finished product and components

3. Finished products

4. Maintenance, Repair, and operating items

5. Production support items

2.2.2 Purchasing Department

The purchasing staff has the following responsibilities within the purchasing

process: (Monczka et al. (2009)

Evaluate and select several sources of supply that may fulfill the

company’s requirements.

2. Make a direct contact with those chosen suppliers; ensure all contacts

with suppliers only made through purchasing department.

3. When it is a new supplier or a new product, proceed with “Request for

Quote” to find out regarding; the price to be paid, quantity availability

and offered delivery time. Additionally, examine the suppliers’ sample

products and

investigate

any

up service

such

installation,

maintenance, and warranty.

4. Negotiate all the term in purchasing; such as purchase price, terms and

conditions of the contract, the packing and shipping agreement, the

availability, delivery schedule.

Afterward,

preparing

and

issue

purchase order

complete the

agreement to acquire the product.

6. Review the performance of the product to determine whether to select

other supplier or using the same supplier.

The following documents trigger and support the purchasing processes:

Purchase

requisition is

the

formal

document

that authorizes

purchase

order made by the purchasing staff. This document specifies the request

person, code of products, type of the products to be purchased, quantities,

and the date when the product is needed.

2. Purchase order shows the date of ordering, name of the supplier, type of

products

being

purchased,

name

of the products, quantities of the

products, and price of products. This written document is made based on

the purchase requisition as a formal way

in requesting specific products

ordered from specified supplier.

3. Blind

is a copy of purchase order but contains no quantity or price

information

about

the

products

being

received

from

suppliers.

This

provided to force receiving clerk to count and inspect goods delivered by

supplier before making the receiving report.

4. Receiving report is made by the company as the evidence document that

they

have received products

from specified

suppliers.

consists of the

date of receiving product, name of supplier, code of product, name of

product, quantity of the product, and condition of the products.

2.2.3 Internal Control over Purchasing

The objectives of control over purchasing are consciously broad in nature as

listed in the following, which cited from Chambers and Rand (1997):

•

“To

ensure that all

purchasing activities

are supported by

authorized

and

documented policies and procedures.

•

ensure

that

purchasing

appropriately

supports

the

business

objectives

of the organization.

•

To ensure that the appropriate goods/services are obtained at the optimum

price and at the relevant time.

•

To ensure that the all purchasing activity is valid, justified, authorized and

within the prescribed budgets.

•

ensure

that

all

goods and services

are

an appropriate

quality

satisfy the organization’s objectives.

•

To ensure that supplier’s trading terms and conditions are appropriate.

•

To ensure

that purchasing activities comply with all the prevailing

legislation and regulations.

•

To ensure

that

all

purchasing

activity

correctly

reflected

the

organization’s stock control records and accounts.

•

To ensure that overdue and late deliveries are progressed.

•

To ensure that supplier performance is adequately monitored and reacted.

•

To provide management

with adequate, accurate, and timely

information

on purchasing activities.”

Hall (2007) summarized the fundamental internal controls within purchasing

cycle in the following table:

Table 2.2 Internal Controls Over Purchasing

Control Activity

Purchases Processing

Transaction Authorization

Inventory control

Segregation of Duties

Inventory control separate from purchasing

and inventory custody.

Supervision

Receiving area

Accounting records

AP subsidiary ledger, general ledger,

purchases requisition file, purchase order

file, receiving report file.

Access

Security of physical assets. Limit access to

the accounting records above.

Independent verification

•

Accounts payable reconciles source

documents before liability is recorded.

•

General

ledger

reconciles

overall

accuracy of process.

The explanation of each control activity as shown in previous page is

presented as the following:

1. Transaction Authorization – The purpose of transaction authorization is

to ensure that “all material

transactions are

valid and

in accordance with

the management’s objectives” (Hall, 2007).

The formal authorization process, prior to the purchase of inventories is to

ensure that the purchasing agents order only the needed inventories and

from a

valid

vendor. It

crucial

internal

control

under the

following

reasons: (Hall, 2007)

•

Inventory

control

commonly

used

monitor

inventory

levels

and

authorizes

the

replenishment

of inventory

with

purchase

requisition

only when the inventory levels fall to its predetermined reorder points

(Hall, 2007).

This

authorization

procedure

encourages an efficient inventory

management

as it may avoid any unauthorized purchasing by the

purchasing agents, which can result

excessive

inventory

levels or

run

out

stock

(Hall,

2007). Note that,

excessive

inventories

will

decrease the entity’s cash reserves while run out of stock

will

cause

lost of sales and delay in manufacturing.

•

Firms often establish a list of

valid vendors with whom they regularly

deal with. Purchasing agents only allow acquire inventories from those

valid vendors. This method is to prevent any potential fraud such as

purchasing agent decides to buy from

vendors

from whom

he or she

has a relationship or to buy from vendors with excessive price

however in exchange with a reward (Hall, 2007).

2. Segregation of duties – This control activity is to reduce any chances of

incompatible functions. It can take many forms but there are three

common

guidelines

that are

applicable

for

most

organization,

such

as:

(Hall, 2007)

•

Segregate

the

task of

transaction authorization

from transaction

processing.

• Segregate responsibility for record keeping from assets custody.

•

Divide

transaction-processing

tasks

among

individuals

that

fraud

will require collusion between two or more individuals.

Within

the

purchasing

cycle,

the

company should

segregate

the

person

who

responsible

for

purchasing

from inventory

control

who

keeps

the

detailed inventory records, the receiving, inventory custody, and payment

functions

(Hall,

2007).

Moreover,

the

task

authorize the purchasing

transaction should also be segregate from the task to make the purchasing

transaction (Hall, 2007).

However, Hardesty (2008) mentioned that smaller companies are often

encountered

problem

for

segregating

incompatible

duties

they

have

lack of personnel.

In this case, Hardesty (2008) suggested smaller

companies with two good alternatives; either to outsource certain function

or to have management supervision.

Supervision –

Small

entity often

found difficulty

in achieving

adequate

segregation

duties

since

requires

large

number

employees.

result, the purchasing

function

in small organizations usually assigned to

one person however, with the authorization by competent and trustworthy

manager (Hall, 2007).

In the purchasing process, the critical part for supervision is in the

inventory receiving area as large quantities of valuable assets flow

through this to the warehouse (Hall, 2007). Close supervision may

minimize the possibility of exposures, e.g.

failure in properly

inspect the

assets and the theft of assets.

Accounting records –

The accounting records of an organization that

include source of documents, journals, and ledgers; capture the essence of

economic transactions as well as maintain an audit trail of economic

events. The audit trail enables the auditor to trace any transaction from the

beginning of the event (its source document) to the financial statements.

The audit trails are crucial to be maintained for two reasons; it is needed

for conducting day to day operations as it helps employees in responding

the customer inquiries and it plays an essential role in the financial audit

of the firm (Hall, 2007).

The purchasing cycle should provide the following accounting records:

accounts payable subsidiary ledger, general ledger, purchases requisition

file, purchase order file, and receiving report file. By having these records,

auditors may gain evidence of inventory purchases that have not been

recorded as liabilities (Hall, 2007).

5. Access control – The existence of access controls is to limit the access to

the

firm’s

assets

only to

authorized

person

order

prevent

any

misappropriation, damage, and theft. There are two types of access

control; direct access control and indirect access control.

In the purchasing cycle the access controls are as follows: (Hall, 2007)

•

Direct access control – A firm

must limit the access to physical assets

such as cash and inventory. The examples of direct access control may

include locks, alarms, safes, fences in the areas that contain

inventories and cash.

•

Indirect

access

–

firm

should

control

the

access

records

and

documents that may control the use, ownership, and disposition of its

physical asset or else it could possibly result in a fraudulent purchase

transaction. The

documents

include

purchase

requisitions,

purchase

orders and receiving reports.

6. Independent verification –

Verification processes are independent confirmation that takes place after

the fact by person who does not directly involved within the transaction or

task being

verified. The purpose of this type of control

is to identity any

possible errors and misrepresentations.

The independent verifications in the purchasing cycle are as follows:

(Hall, 2007)

a. Independent verification by accounts payable. The account payable

function

plays a

vital

role

the

verification

the

work

done

others in this system. Copies of key source documents flow into this

department for review and comparison. Each document contains

unique fact about the purchase transaction, which the account payable

clerk

must

reconcile before

the

firm

recognizes

obligation.

These

include:

•

The purchase order shows only the needed inventories ordered by

the purchasing agent

from a

valid

vendor. This document

should

be reconciled with the purchase requisition.

•

The

receiving

report

the

evidence

document

for

the

physical

receipt

the

goods,

their

condition, and

the

quantities received.

This

document

should

reconciled with the purchase order in

order to ensure the organization has legitimate obligation.

•

The supplier’s

invoice

provides the

financial

information

needed

to record the obligation of the organization as an account payable.

The accounts payable clerk should match the prices on the invoice

with the expected prices on the purchase order.

Independent verification by the general ledger department The

general ledger function provides an important independent verification

in the system. It receives journal vouchers and summary reports from

inventory control, accounts payable, and cash disbursements. From

these

sources,

the

general

ledger function

verifies

that

the

total

obligations recorded equal the total inventories received and that the

total

reductions

accounts

payable

equal

the

total

disbursements

cash.

2.3

Production Function

2.3.1 Types of Production

There are three types of production methods explained by Hall (2007) as

shown below:

1. Continuous processing. This method created a homogeneous product

through a continuous series of standard procedures. Firm should maintain

its finished goods inventory at the levels needed to meet expected sales

demand. Cement and petrochemicals are produced under this

manufacturing approach.

2. Batch

processing.

This

the

most

common

technique

production,

which

the

firm produces

part

the

group

(batches)

product.

The

beginning

this

manufacturing

process

the requirement

maintain

finished-goods inventory levels in line with expected sales requirements.

This method is commonly used to produce products such as automobiles,

household appliances and computers.

Make to order processing. This approach involves the production of

different products based on the customer specifications.

2.3.2 Production Processes

Hall

(2007)

explains

that

the

production processes

involve the activities

“planning,

scheduling,

and

control

of the

physical

product

through

the

manufacturing process” that convert raw materials to become finished goods.

Romney et al. (2003) states the basic steps in production process as follows:

Product

Design. This

step

design

product

that

meets customer

requirements in terms of quality, durability, and functionality with

minimum costs of production.

Planning

and

Scheduling.

The

objective

develop an

efficient

production plan to meet existing

and short term demand

without creating

excess of finished goods.

Production

Operations.

This is the

actual

step

manufacturing the

products.

The documents that trigger and support the production processes, which

classified according to the step of production process:

•

Production design:

Bill

materials,

which

specifies

the

types

and

quantities

Raw

Materials required in producing a single unit of finished product (Hall,

2007).

Operating list (also called as routing sheet) that shows the sequence of

operations

and

the

standard

time

allocated at

each

task

during

manufacturing (Romney et al., 2003).

•

Planning and Scheduling: (Romney et al., 2003)

Production

schedule

the

formal

plan that describes the specific

products to be made, the quantities, and the timetable for starting and

completing the production.

Production order

authorizes

the

production

staff

manufacture

specified quantity of a particular product by listing the operations that

need to be performed, the quantity to be produced, and the location to

deliver the finished product.

Materials requisition is the authorization document for the storekeeper

to release

the raw

materials into factory for production process. This

document specifies the production order number, date of issue,

quantities of necessary raw materials based on the bill of materials.

Move tickets are recorded subsequent to the transfers of raw materials

to the factory. It lists the raw materials being transferred, the location

of raw materials being transferred, and the time of transfer.

•

Production operations. Firm

needs

have data regarding the quantity of

raw materials used labor hours expanded, machine operations performed,

and other manufacturing overhead costs incurred (Romney et al., 2003).

2.3.3 Inventory Control over Production

The objectives of the control over Production are listed below: Chambers and

Rand (1997)

•

To ensure

that production and

manufacturing requirements are accurately

determined, authorized, effectively communicated and suitably planned.

•

To ensure that adequate

facilities and resources are

made available at the

appropriate

time

order

meet the

agreed

production and

manufacturing obligations.

•

To ensure

that

the required quantity of products

manufactured to the

required quality standards.

•

To ensure

that the actions of

all affected

departments

and

functions

are

adequately coordinated to achieve the defined objectives.

•

ensure

that

production

resources and facilities are

efficiently

utilized

and that waste is avoided or minimized.

•

To ensure that the necessary production equipment is fully operational and

operated efficiently.

•

ensure

that

production

staff

are

suitably

trained

and

experienced

order to maximize their contribution.

•

To ensure that production downtime is minimized, suitably monitored and

reacted to.

•

ensure

that

all

materials,

resources

and

finished

goods

are

accurately

accounted for.

•

ensure

production

activities

are

effectively

monitored,

any

shortfalls

are reported to management, and problems are promptly detected and

resolved.

•

To ensure

that all relevant legislation, health and safety and other

regulations are compiled with.

•

ensure

that

actual

production

plant

efficiency

and

performance

are

adequately monitored for management information and action.

Hall (2007) summarized the

fundamental internal controls within production

process in the following table:

Table 2.3 Internal Controls over Purchasing

Control Activity

Production Process

Transaction authorization

Work orders,

move tickets,

and

material

requisitions.

Segregation of duties

• Inventory control

separate

from

Raw

material and finished goods inventory

custody.

• Cost

accounting

separate

from

work

centers.

• General

ledger

separate

from

other

accounting functions.

Supervision

Supervisors

oversee

usage

raw

material

and timekeeping.

Access

Limit physical access to finished goods, raw

material stocks, and production processes.

Use

formal

procedures and

documents

release materials into production.

Accounting records

Work orders, cost sheets,

move tickets, job

tickets,

materials

requisitions,

work-in-

process records, finished goods file.

Independent verification

• General ledger reconciles overall system.

The explanation of each control activity, as shown in the above table is

presented below: (Hall, 2007)

Transaction Authorization –

The production activity is authorized by

production planning and control via a formal work order. This document

contains the production requirements that initiate the manufacturing

process in the production department. Moreover, material requisitions and

excess material requisitions authorize the storekeeper to release materials

to the work centers.

2. Segregation of duties – The production planning and control department

should

segregated

from the

work

centers.

Additionally,

the

record

keeping should also be segregated from the asset custody such as:

•

Inventory

control

that

maintains

accounting

records of raw

materials

and

finished

goods

inventories

should

segregated

from

the

materials storeroom and from finished goods warehouse functions.

3. Supervision

–

the

production

process,

the

supervisors

the

work

centers oversee the usage of raw materials in the production process to

ensure

that all

materials released from stores are

used

in the production

and waste is being minimized. Supervisors also observe and review the

accuracy of employee time cards and job tickets.

4. Access control – The production process allows both direct and indirect

access to assets thus both access control should be maintained as follow:

•

Direct

Access

–

Firm should

limit access

vulnerable areas such

storerooms, production work centers, and finished goods warehouses

by using identification badges, security

guards,

observation devices,

electronic sensors and alarms.

•

Indirect Access – The

firm should control the access to certain critical

documents such as materials requisitions, excess material requisitions,

and employee time cards; to prevent any manipulation. Pre-numbered

documents are also another possible control to prevent manipulation.

5. Accounting

records – In the production process, this control is done by

using work orders, cost sheets, move

tickets,

job

tickets,

materials

requisitions, work-in-process file, and finished goods inventory file.

6. Independent

Verification –

The

verification

the

production process

are describe below:

•

Cost

accounting reconciles

the

materials and

labor

usage

from

materials requisitions and job tickets with prescribed standards.

•

The general ledger department confirms the total movement from

work-in-process to finished goods by reconciles journal vouchers from

cost accounting

and summaries of

inventories subsidiary ledger from

inventory control.