Difference between revisions of "Internal Control"

Line 23: Line 23:
 
[[File:Internal Control Framework.png|300px|Internal Control Framework]]<br />
 
[[File:Internal Control Framework.png|300px|Internal Control Framework]]<br />
 
source: [https://rfirst.org/KnowledgeCenter/Risk%20Analysis/InternalControls/Pages/InternalControls.aspx Reliability First]
 
source: [https://rfirst.org/KnowledgeCenter/Risk%20Analysis/InternalControls/Pages/InternalControls.aspx Reliability First]
 +
 +
 +
'''History of Internal Control<ref>History of Internal Control [https://bizfluent.com/info-8064250-advantages-disadvantages-internal-control.html Bizfluent]</ref>'''<br />
 +
The "internal control" was first defined in 1948 by the American Institute of Accountants, but internal control practices have existed since ancient times. According to the website joeinvestoronline, Hellenistic Egypt had a dual system of internal controls in place for tax collecting, with one set of bureaucrats collecting taxes while another oversaw them. Since 1977, all American publicly owned corporations are legally required to abide by a strictly defined and enforced set of internal-control standards.
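Review bot: The added History paragraph opens with 'The "internal control" was first defined', which needs a noun, for example 'The term "internal control"'. The Hellenistic Egypt claim is attributed in running text to "the website joeinvestoronline" while the only reference attached to the section is Bizfluent, so cite the source actually used. The last sentence says corporations are "legally required" since 1977 without naming the law, so name it or add a reference for it.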
  
  

Revision as of 16:06, 10 April 2021

Internal Control is a process effected by an organization's governing board, management, administration, and personnel and is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • effectiveness and efficiency of operations;
  • reliability of financial reporting; and
  • compliance with applicable laws and regulations.

This definition reflects certain fundamental concepts:

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It involves not only policy manuals and forms, but also people functioning at every level of the organization.
  • Internal control is geared to the achievement of objectives in several overlapping categories.
  • Internal control can be expected to provide only reasonable assurance to an organization's leaders regarding achievement of operational, financial reporting, and compliance objectives.[1]

Internal controls are one of the most essential elements within any organization. Internal controls are put in place to enable organizations to achieve their goals and missions. Management is responsible for the design, implementation, and maintenance of all internal controls, with the Board responsible for the overall oversight of the control environment. Strong internal controls allow organizations to achieve three main objectives: accurate and reliable financial reporting, compliance with laws and regulations, and effectiveness and efficiency of the organization's operations. In order to achieve these objectives, an internal control framework needs to be applied and followed throughout the organization. The five components of the internal control framework are control environment, risk assessment, control activities, information and communication, and monitoring.[2]


Components of Internal Control[3]
The framework of a good internal control system includes:

  • Control environment: A sound control environment is created by management through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities.
  • Risk Assessment: This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exist. To be most efficient, the greatest risks should receive the greatest amount of effort and level of control. For example, dollar amount or the nature of the transaction (for instance, those that involve cash) might be an indication of the related risk.
  • Monitoring and Reviewing: The system of internal control should be periodically reviewed by management. By performing a periodic assessment, management assures that internal control activities have not become obsolete or lost due to turnover or other factors. They should also be enhanced to remain sufficient for the current state of risks.
  • Information and communication: The availability of information and a clear and evident plan for communicating responsibilities and expectations is paramount to a good internal control system.
  • Control activities: These are the activities that occur within an internal control system.


Internal Control Framework
source: Reliability First


History of Internal Control[4]
The term "internal control" was first defined in 1948 by the American Institute of Accountants, but internal control practices have existed since ancient times. According to the website joeinvestoronline, Hellenistic Egypt had a dual system of internal controls in place for tax collecting, with one set of bureaucrats collecting taxes while another oversaw them. Since 1977, all American publicly owned corporations are legally required to abide by a strictly defined and enforced set of internal-control standards.


Types of Internal Controls[5]

  • Preventive: Preventive Controls are designed to discourage errors or irregularities from occurring. Internal controls best work on the principle, ‘Prevention is better than cure’. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:
    • Segregation of Duties: Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
    • Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
    • Security of Assets: Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.
  • Detective: Detective Controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:
    • Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.
    • Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action, when necessary.
    • Physical Inventories
    • Audits
  • Corrective: Coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized.
    • Document policies and procedures
    • Enforce them by means of warnings and employee termination when appropriate
    • Wisely back up data to enable restoring a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.
  • Compensative: Compensation can take place only to an extent. However, compensative internal control procedures should be adopted as early as possible.
    • Read through the detailed transaction report: Track exactly where the error originated and drive a backlink.
    • Perform analytical reviews: Do a thorough analysis and plug all loopholes.
    • Reassign reconciliation: Shuffle the assignee for performing the reconciliation task.


Examples of Internal Controls[6]

  • Segregation of Duties: When work duties are divided or segregated among different people to reduce the risk of error or inappropriate actions.
  • Physical Controls: When equipment, inventories, securities, cash and other assets are secured physically. This can occur through the use of locks, safes, or other environmental controls. Access is restricted to those with authority to handle them.
  • Reconciliations: Comparisons are made between similar records maintained by different people to verify transaction details are accurate and that all transactions are properly recorded. Specific examples would include: Performing a reconciliation from bank statements to check register/records. Balancing/reconciling cash on hand to sales or transaction activity on the cash register totals.
  • Policies and Procedures: Established policies, procedures, and documentation that provide guidance and training to ensure consistent performance at a required level of quality. These should be available at all levels of the organization, both departmental and University/Organization-wide.
  • Transaction and Activity Reviews: Management reviews of transaction, operating, and summary reports help to monitor performance against goals and objectives, spot problems, identify trends, etc. Specific examples include: Monthly review of budget statements to actual expenses. Review of telecommunication call activity reports for personal or non-business related phone calls. Review of timecards and overtime hours by employees.
  • Information Processing Controls: When data is processed, a variety of internal controls are performed to check the accuracy, completeness and authorization of transactions. Data entered is subject to edit checks or matching to approved control files or totals. Numerical sequences of transactions are accounted for, and file totals are controlled and reconciled with prior balances and control accounts. Development of new systems and changes to existing ones are controlled, as is access to data, files and programs.


Roles and Responsibilities in Internal Control[7]
According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, non-compliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:

  • Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.
  • Board of directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfil their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.

Audit roles and responsibilities

  • Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. They may also review Information technology controls, which relate to the IT systems of the organization. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting.
  • Audit committee: The role and the responsibilities of the audit committee, in general terms, are to: (a) Discuss with management, internal and external auditors and major stakeholders the quality and adequacy of the organization’s internal controls system and risk management process, and their effectiveness and outcomes, and meet regularly and privately with the Director of Internal Audit; (b) Review and discuss with management and the external auditors and approve the audited financial statements of the organization and make a recommendation regarding inclusion of those financial statements in any public filing. Also review with management and the independent auditor the effect of regulatory and accounting initiatives as well as off-balance sheet issues in the organization’s financial statements; (c) Review and discuss with management the types of information to be disclosed and the types of presentations to be made with respect to the Company's earnings press release and financial information and earnings guidance provided to analysts and rating agencies; (d) Confirm the scope of audits to be performed by the external and internal auditors, monitor progress and review results and review fees and expenses. Review significant findings or unsatisfactory internal audit reports, or audit problems or difficulties encountered by the external independent auditor. Monitor management's response to all audit findings; (e) Manage complaints concerning accounting, internal accounting controls or auditing matters; (f) Receive regular reports from the Chief Executive Officer, Chief Financial Officer and the Company's other Control Committees regarding deficiencies in the design or operation of internal controls and any fraud that involves management or other employees with a significant role in internal controls; and (g) Support management in resolving conflicts of interest. Monitor the adequacy of the organization’s internal controls and ensure that all fraud cases are acted upon.
  • Personnel benefits committee: The role and the responsibilities of the personnel benefits committee, in general terms, are to: (a) Approve and oversee administration of the Company's Executive Compensation Program; (b) Review and approve specific compensation matters for the Chief Executive Officer, Chief Operating Officer (if applicable), Chief Financial Officer, General Counsel, Senior Human Resources Officer, Treasurer, Director, Corporate Relations and Management, and Company Directors; (c) Review, as appropriate, any changes to compensation matters for the officers listed above with the Board; and (d) Review and monitor all human-resource related performance and compliance activities and reports, including the performance management system. They also ensure that benefit-related performance measures are properly used by the management of the organization.
  • Operating staff: All staff members should be responsible for reporting problems of operations, monitoring and improving their performance, and monitoring non-compliance with the corporate policies and various professional codes, or violations of policies, standards, practices and procedures. Their particular responsibilities should be documented in their individual personnel files. In performance management activities they take part in all compliance and performance data collection and processing activities as they are part of various organizational units and may also be responsible for various compliance and operational-related activities of the organization. Staff and junior managers may be involved in evaluating the controls within their own organizational unit using a control self-assessment.


Disadvantages of Internal Controls[8]
Regardless of the policies and procedures established by an organization, only reasonable assurance may be provided that internal controls are effective and financial information is correct. The effectiveness of internal controls is limited by human judgment. A business will often give high-level personnel the ability to override internal controls for operational efficiency reasons, and internal controls can be circumvented through collusion.


See Also

Governance Governance, Risk And Compliance (GRC) Government Enterprise Architecture (GEA) Government Interoperability Maturity Matrix (GIMM) IT Governance IT Governance Framework Corporate Governance Board of Directors Management Risk Risk Assessment Risk Mitigation COSO Internal Control Integrated Framework Compliance Compliance Audit Compliance Officer Audit Trail


References

  1. What Does Internal Control Mean? Michigan Tech
  2. What is the Objective of Internal Controls? Cerini & Associates
  3. The Framework for Internal Control University of Washington
  4. History of Internal Control Bizfluent
  5. Types of Internal Controls V Comply
  6. Examples of Internal Controls Western Illinois University
  7. Roles and Responsibilities in Internal Control Wikipedia
  8. Disadvantages of Internal Controls Investopedia