Page 317 - COSO Guidance Book
company produces a substandard product that is not detected by quality control’s final inspection. This
defective product might be shipped to a customer. There is a risk of litigation if the manufacturing defect
ultimately results in harm to a customer. A key objective, producing quality products, might not be
obtained.
An example of quantitative risks in the manufacturing example would be having a poor cost-accounting
system that does not capture all costs. The company might inadvertently price a product at less than the
cost of production if the system does not allocate overhead properly to work in process and finished
goods.
Risk is often considered in designing and implementing internal control, whereas risks to objectives are
identified to determine how risks are to be managed. Of particular importance is that many of the
standard “checklist” internal control questionnaires (ICQs) might not be relevant to a particular
company’s risks. Many practitioners note that they spend an inordinate amount of time checking the Not
Applicable column of popular marketed ICQs.
Risk analysis should be tailored to each company. As an analogy, an ill person can access
www.webmd.com to obtain a standard diagnosis and treatment for ailments (analogous to the standard
internal control approach). This approach assumes that all ill persons will exhibit the same symptoms.
The better method is to visit a doctor and have the physician conduct tests to reach a diagnosis about a
particular patient (analogous to the risk-based approach for a particular company). Thus, it is suggested
that it is best to design internal controls that meet each company’s unique risks instead of taking a
one-size-fits-all approach. First-year costs of this methodology are known to be high because of the time
invested to tailor internal controls to a particular environment. The payoff is that efficiencies are gained in
subsequent years resulting from the elimination of unnecessary and redundant procedures.
Another inefficient approach is to document accounting systems without considering whether the
process is related to the ability to achieve reliable financial reporting.
Internal control as an integrated process
Management should think of internal control as an integrated and somewhat sequential process. The five
components of internal control are control environment, risk assessment, control activities, information
and communication, and monitoring activities. The integrated process proceeds as follows: First,
management sets financial reporting objectives (and sub-objectives). Second, management identifies
and assesses the risks to achievement of these objectives. Third, management considers how these
risks might be controlled by the system of internal control.
The five components should be viewed as integrated and working together. All components need to be
present and functioning in order for the system of internal control to be deemed effective. Management
should consider the impact of each internal control component in reducing the risk of material
misstatement in the financial statements.
© 2020 Association of International Certified Professional Accountants. All rights reserved.