Financial Accounting for Local and State School Systems: 2014 Edition
NCES 2015347
April 2015

Chapter 4: Governmental Accounting — Internal Control Structure

An integral part of proper accounting procedures rests in issues of controls and begins with internal accountability structures. AICPA's Statement on Auditing Standards No. 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55 (AICPA 1995)—which incorporates the Committee of Sponsoring Organizations' report, Internal Control Framework—indicates that the elaborateness of the system of internal controls established within an organization is a matter of judgment on the part of management, with careful consideration for circumstances, such as the size of the organization and the number of personnel and the relationship between the costs and benefits of designing and implementing controls. In addition, the nature of internal control is such that even appropriate methods and systems do not guarantee that an organization's objectives will be achieved.

Internal control is a process designed to provide reasonable assurance regarding the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. It consists of five interrelated components:

  • control environment;
  • risk assessment;
  • control activities;
  • information and communication; and
  • monitoring.

Each of these components is discussed below.

Control Environment

The control environment is established on the basis of the attitude of management toward internal control. AICPA Statement on Auditing Standards No. 78 states that the control environment "sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure" (AICPA 1995). As such, a management philosophy that is dedicated to establishing a sound business process and operating controls would tend to create a stronger internal control environment than a philosophy that is unaware of or unconcerned with internal controls.

Collectively, various factors affect the control environment, including the following:

  • integrity and ethical values;
  • commitment to competence;
  • governing board or audit committee participation;
  • management's philosophy and operating style;
  • organizational structure;
  • assignment of authority and responsibility; and
  • human resource policies and practices.

The substance of internal controls is more important than the form because of the risk that controls may not be effectively implemented or maintained.

Risk Assessment

Risk assessment is the entity's identification and analysis of risks relevant to the achievement of its objectives. Risk assessment forms a basis for determining how risk should be managed. Risks can arise or change as a result of the following factors:

  • changes in the operating environment;
  • new personnel;
  • new or revamped information systems;
  • rapid growth;
  • new technology;
  • new grant programs, building projects, or other activities;
  • organizational restructuring;
  • accounting pronouncements;
  • changes in federal regulations; and
  • changes in finance-related statutes.

Given the dynamic nature of governmental operating environments, the ability to anticipate and mitigate risks from these changes is a key factor in measuring the strength of internal controls.

Control Activities

Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities can be divided into the following four categories:

  • performance reviews;
  • information processing;
  • physical controls; and
  • segregation of duties.

The application of controls, such as the segregation of duties, is affected to some degree by the size of the entity. In small entities, procedures are less formal than in large entities. Additionally, certain types of control activities may not be relevant in small entities.

Information and Communication

Information and communication represent the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. Information systems encompass procedures and documents that perform the following functions:

  • identify and record all valid transactions;
  • describe, on a timely basis, transactions in sufficient detail to permit proper classification for financial reporting;
  • measure the value of transactions in a manner that permits their proper recording in the financial statements;
  • permit the recording of transactions in the proper accounting period; and
  • present properly the transactions and related disclosures in the financial statements.

Senior management should deliver a clear message to employees about their responsibilities and roles in the internal control system. Employees should also have a means for communicating the effectiveness and efficiency of these systems to upper levels of management.

Monitoring

Monitoring is a process that assesses the quality of internal control performance over time. Ongoing monitoring activities include regular management and supervisory activities, and other actions taken during the normal performance of management's duties. Further, periodic reviews of internal controls and related activities, performed with internal personnel or external resources, may be undertaken. The nature and timing of these evaluations depend on the effectiveness of ongoing activities and the risk that internal controls are not performing as intended by management. Deficiencies in the system of internal controls should be reported to the appropriate level of management.

Management should clearly assign responsibility and delegate authority with sufficient care to ensure that

  • persons who perform control procedures are held accountable for their performance by those who monitor these activities; and
  • persons who monitor the performance of control procedures are held accountable by senior management, the governing board, or the audit committee.

If accounting information is routinely used in making operating decisions, management is likely to establish effective controls and hold lower level managers and employees accountable for performance. In addition, if management routinely uses accounting information to measure operating results, significant variances between planned and actual results are likely to be investigated. This review may detect the causes of the variances and effect the steps necessary to correct the procedures that failed to prevent them.

Common Types of Control Procedures

Numerous control procedures and monitoring activities are performed by individuals in governmental entities to accomplish particular objectives. All of these controls, however, can be classified within one of the following basic categories:

  • access controls;
  • reconciliation and comparison of assets with records;
  • analytical reviews;
  • authorization and approval;
  • reviews of output;
  • transactional reviews; and
  • general computer controls.

Detailed control procedures or monitoring activities may be included in each of these categories, depending on the size of the entity and the sophistication of the particular control environment. Each of these categories is described below.

Access Controls
Certain controls prevent access to assets by unauthorized persons. Often these controls are physical in nature. For example, an organization might store inventories of supplies and commodities in locked storage areas, store currency in a vault or a locked drawer, and use alarm systems to restrict access by unauthorized individuals. If controls to prevent unauthorized access to assets are not effective, assets may be lost or stolen. However, if detective control procedures (such as physical inventory counts) are appropriately performed, shortages should be discovered in a timely manner.

In some cases, unauthorized access to assets may be gained through vulnerable accounting records—especially records maintained on computer systems. For example, if warehouse requisitions can be issued through a computer terminal, access to inventory may be gained through the system. Controls over unauthorized access to assets through computer records may be physical (e.g., terminals may be kept in a locked room) or logical (e.g., access to the computer program or data files may be obtained only with the proper password or other user-identification method). Monitoring the control procedures that address unauthorized access includes observing physical control procedures, reviewing established access privileges with the manager of information systems, and reviewing reports of attempted computer access violations. Internal auditors often perform such activities.

Access controls, however, do not prevent individuals who have authorized access to assets from misappropriating them. Individuals who have authorized access to both assets and related accounting records may be in a position to conceal shortages of assets in the records. However, if duties are properly segregated, persons with access to assets will not have access to the related accounting records, which they might alter to conceal shortages.
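The segregation-of-duties condition described above can be tested against the access assignments of a computerized system. The following Python check is an added example, not part of the original handbook; the role names, user names, and the "custody" and "records" duty labels are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: role -> set of (asset class, duty).
# "custody" = access to the asset itself;
# "records" = ability to alter the related accounting records.
ROLE_PERMISSIONS = {
    "warehouse_clerk":      {("inventory", "custody")},
    "inventory_accountant": {("inventory", "records")},
    "cashier":              {("cash", "custody")},
    "bookkeeper":           {("cash", "records"), ("inventory", "records")},
}

# Constructed sample assignments: user -> roles held.
USER_ROLES = {
    "avery": ["warehouse_clerk"],
    "blake": ["cashier", "bookkeeper"],                  # cash custody + cash records
    "casey": ["bookkeeper"],
    "devon": ["warehouse_clerk", "inventory_accountant"],
    "emery": ["cashier", "inventory_accountant"],        # different asset classes
}

def effective_duties(user_roles, role_permissions):
    """Resolve each user's roles into {asset class: set of duties held}."""
    duties = {}
    for user, roles in user_roles.items():
        per_asset = defaultdict(set)
        for role in roles:
            if role not in role_permissions:
                # An undefined role means the access review itself is incomplete.
                raise KeyError(f"user {user!r} holds undefined role {role!r}")
            for asset, duty in role_permissions[role]:
                per_asset[asset].add(duty)
        duties[user] = dict(per_asset)
    return duties

def segregation_conflicts(user_roles, role_permissions):
    """Return sorted (user, asset class) pairs where one person holds both
    custody of an asset and access to that asset's accounting records."""
    conflicts = []
    for user, per_asset in effective_duties(user_roles, role_permissions).items():
        for asset, held in per_asset.items():
            if {"custody", "records"} <= held:
                conflicts.append((user, asset))
    return sorted(conflicts)

if __name__ == "__main__":
    for user, asset in segregation_conflicts(USER_ROLES, ROLE_PERMISSIONS):
        print(f"conflict: {user} has custody of and record access to {asset}")
```

The check works on effective access after roles are combined, so it catches conflicts that arise only when two individually acceptable roles are assigned to the same person.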

Controls over authorized access to assets are important to an organization, not only to prevent thefts, but also to ensure that assets are committed only after proper consideration by knowledgeable and experienced individuals. Authorization and approval are types of controls designed to prevent invalid or inappropriate transactions from occurring. An example is a procedure designed to ensure that disbursements are made only when authorized orders for goods and services have been received. In many systems, access to computerized records (e.g., shipping requests) can result in improper access to assets; therefore, procedures must be designed to limit access to these records.

Reconciliation and Comparison of Assets With Records
Reconciling and comparing assets with accounting records establishes a system of independent verification, either through preparing an independent control document used to reconcile accounting records and assets or by directly comparing accounting records with related assets. Examples of these procedures include the reconciliation of physical inventory with accounting records and the preparation of a bank reconciliation.

Analytical Reviews
The purpose of analytical reviews is to evaluate summarized information by comparing it with expected results. Management personnel often perform analytical reviews to determine whether the entity is performing as planned. For example, a common analytical review procedure is the comparison of budgeted to actual performance, with investigation of any significant or material variances as determined by the analyst. Often, analytical reviews are used to monitor other underlying control procedures.

Authorization and Approval
Authorization and approval procedures prevent invalid transactions from occurring. Thus, this type of control typically involves authorization or approval of transactions at specific dollar thresholds and manual (e.g., requiring signatures of authorized individuals) or automated (e.g., password protected) authorizations for computerized transactions. The effectiveness of these procedures often depends on general computer controls over information security.

Reviews of Output
Reviews of output should be performed by school district personnel who have the knowledge and experience to identify errors. Such reviews, which can be performed in both computer and manual systems, are used to check the validity and accuracy of output by comparing it in detail with expected results. For example, a purchasing manager may compare recorded amounts or quantities purchased with separate records of purchase orders.

Transactional Reviews
Transactional reviews check the validity and accuracy of transaction processing by comparing it in detail with expected results. Reviews often use exception reports (usually computer generated), which list items that could not be processed because they did not meet specified criteria. For example, a computer-generated check may be rejected if it exceeds some dollar amount and requires a manual signature. Monitoring these types of control procedures involves management reviews of results.

General Computer Controls
Computer systems frequently have common areas of control and related control procedures referred to as general computer controls. These controls directly or indirectly affect all systems that operate within a computer-processing environment. General computer controls include the usual elements of effective internal control (that is, an individual or group responsible for control procedures and monitoring activities). Managers of the information systems function usually monitor the performance of general computer controls. Monitoring activities include observation, exception reporting, reviews of work performed, reviews of program changes, oversight by information system steering committees, and the monitoring of user complaints. For example, the effectiveness of programmed control procedures, such as edit checks and approvals, depends on general computer controls that ensure that program changes are not made improperly.

General computer controls include controls over computer operations; systems acquisition, development, and maintenance; information security; and information systems support, as detailed below:

  • Computer Operations. The computer operations staff is responsible for the day-to-day processing activities of the entity's system. It ensures that jobs are scheduled and processed as planned, data are properly stored on the system or tapes, and reports are distributed in a timely and accurate fashion.
  • Systems Acquisition, Development, and Maintenance. The systems acquisition, development, and maintenance staff is responsible for planning, acquiring (or developing), testing, and implementing new application systems and changes to existing application systems. Such controls are usually important in larger processing environments where there is more development and maintenance activity, where the systems are more complex, and where there is less reliance on purchased software.
  • Information Security. The information security function is responsible for administering and maintaining an entity's information security program, including both physical and logical security. The primary goal of such a program is to ensure that access to program data, online transactions, and other computing resources is restricted to authorized users.
  • Information Systems Support. Information systems support includes system software maintenance, database administration, communications and network management, and end-user computing, as well as other functional groups with technical and administrative support responsibilities.

Certain governmental entities may use external service organizations for executing and recording certain transactions, such as payroll processing. In such situations, the entity needs to ensure that the service organization has adequate controls over processing the transactions.

In the final analysis, maintaining the internal control environment and related control procedures is an integral part of management's responsibilities. In the context of governmental accounting and reporting, the control environment has a direct impact on an entity's ability to collect and present accurate financial information. Thus, the internal control environment and related procedures are key areas of concern to an entity's external auditor.
