Internal Control is a process effected by an organization's governing board, management, administration, and personnel and is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations;
- reliability of financial reporting; and
- compliance with applicable laws and regulations.
This definition reflects certain fundamental concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It involves not only policy manuals and forms, but also people functioning at every level of the organization.
- Internal control is geared to the achievement of objectives in several overlapping categories.
- Internal control can be expected to provide only reasonable assurance to an organization's leaders regarding achievement of operational, financial reporting, and compliance objectives.
Internal controls are one of the most essential elements within any organization. Internal controls are put in place to enable organizations to achieve their goals and missions. Management is responsible for the design, implementation, and maintenance of all internal controls, with the Board responsible for the overall oversight of the control environment. Strong internal controls allow organizations to achieve three main objectives. These three objectives are: accurate and reliable financial reporting, compliance with laws and regulations, and effectiveness and efficiency of the organization's operations. In order to achieve these objectives, an internal control framework needs to be applied and followed throughout the organization. The five components of the internal control framework are control environment, risk assessment, control activities, information and communication, and monitoring.
Components of Internal Control
The framework of a good internal control system includes:
- Control environment: A sound control environment is created by management through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities.
- Risk Assessment: This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exists. To be most efficient, the greatest risks should receive the greatest amount of effort and level of control. For example, dollar amount or the nature of the transaction (for instance, those that involve cash) might be an indication of the related risk.
- Monitoring and Reviewing: The system of internal control should be periodically reviewed by management. By performing a periodic assessment, management assures that internal control activities have not become obsolete or lost due to turnover or other factors. Controls should also be enhanced to remain sufficient for the current state of risks.
- Information and communication: The availability of information and a clear and evident plan for communicating responsibilities and expectations are paramount to a good internal control system.
- Control activities: These are the activities that occur within an internal control system.
source: Reliability First
History of Internal Control
The term "internal control" was first defined in 1948 by the American Institute of Accountants, but internal control practices have existed since ancient times. According to the website joeinvestoronline, Hellenistic Egypt had a dual system of internal controls in place for tax collecting, with one set of bureaucrats collecting taxes while another oversaw them. Since 1977, all American publicly owned corporations have been legally required to abide by a strictly defined and enforced set of internal-control standards.
Types of Internal Controls
- Preventive: Preventive Controls are designed to discourage errors or irregularities from occurring. Internal controls work best on the principle, ‘Prevention is better than cure’. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:
  - Segregation of Duties: Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
  - Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
  - Security of Assets: Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.
- Detective: Detective Controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:
  - Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.
  - Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action, when necessary.
  - Physical Inventories
- Corrective: Coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized.
  - Document policies and procedures
  - Enforce them by means of warnings and employee termination when appropriate
  - Wisely back up data to enable restoring a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.
- Compensative: Compensation can take place only to an extent. However, compensative internal control procedures should be adopted at the earliest opportunity.
  - Read through the detailed transaction report: Track exactly where the error originated and drive a backlink.
  - Perform analytical reviews: Do a thorough analysis and plug all loopholes.
  - Reassign reconciliation: Shuffle the assignee for performing the reconciliation task.
Examples of Internal Controls
- Segregation of Duties: When work duties are divided or segregated among different people to reduce the risk of error or inappropriate actions.
- Physical Controls: When equipment, inventories, securities, cash and other assets are secured physically. This can occur through the use of locks, safes, or other environmental controls. Access is restricted to those with authority to handle them.
- Reconciliations: Comparisons are made between similar records maintained by different people to verify transaction details are accurate and that all transactions are properly recorded. Specific examples would include: Performing a reconciliation from bank statements to check register/records. Balancing/reconciling cash on hand to sales or transaction activity on the cash register totals.
- Policies and Procedures: Established policies, procedures, and documentation that provide guidance and training to ensure consistent performance at a required level of quality. These should be available at all levels of the organization, both departmental and University/Organization-wide.
- Transaction and Activity Reviews: Management reviews of transaction, operating, and summary reports help to monitor performance against goals and objectives, spot problems, identify trends, etc. Specific examples include: Monthly review of budget statements to actual expenses. Review of telecommunication call activity reports for personal or non-business related phone calls. Review of timecards and overtime hours by employees.
- Information Processing Controls: When data is processed, a variety of internal controls are performed to check the accuracy, completeness and authorization of transactions. Data entered is subject to edit checks or matching to approved control files or totals. Numerical sequences of transactions are accounted for, and file totals are controlled and reconciled with prior balances and control accounts. Development of new systems and changes to existing ones are controlled, as is access to data, files and programs.
Roles and Responsibilities in Internal Control
According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, non-compliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:
- Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.
- Board of directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfil their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.
Audit roles and responsibilities
- Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. They may also review Information technology controls, which relate to the IT systems of the organization. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting.
- Audit committee: The role and the responsibilities of the audit committee, in general terms, are to: (a) Discuss with management, internal and external auditors and major stakeholders the quality and adequacy of the organization’s internal controls system and risk management process, and their effectiveness and outcomes, and meet regularly and privately with the Director of Internal Audit; (b) Review and discuss with management and the external auditors and approve the audited financial statements of the organization and make a recommendation regarding inclusion of those financial statements in any public filing. Also review with management and the independent auditor the effect of regulatory and accounting initiatives as well as off-balance sheet issues in the organization’s financial statements; (c) Review and discuss with management the types of information to be disclosed and the types of presentations to be made with respect to the Company's earning press release and financial information and earnings guidance provided to analysts and rating agencies; (d) Confirm the scope of audits to be performed by the external and internal auditors, monitor progress and review results and review fees and expenses. Review significant findings or unsatisfactory internal audit reports, or audit problems or difficulties encountered by the external independent auditor. Monitor management's response to all audit findings; (e) Manage complaints concerning accounting, internal accounting controls or auditing matters; (f) Receive regular reports from the Chief Executive Officer, Chief Financial Officer and the Company's other Control Committees regarding deficiencies in the design or operation of internal controls and any fraud that involves management or other employees with a significant role in internal controls; and (g) Support management in resolving conflicts of interest. Monitor the adequacy of the organization’s internal controls and ensure that all fraud cases are acted upon.
- Personnel benefits committee: The role and the responsibilities of the personnel benefits committee, in general terms, are to: (a) Approve and oversee administration of the Company's Executive Compensation Program; (b) Review and approve specific compensation matters for the Chief Executive Officer, Chief Operating Officer (if applicable), Chief Financial Officer, General Counsel, Senior Human Resources Officer, Treasurer, Director, Corporate Relations and Management, and Company Directors; (c) Review, as appropriate, any changes to compensation matters for the officers listed above with the Board; and (d) Review and monitor all human-resource related performance and compliance activities and reports, including the performance management system. They also ensure that benefit-related performance measures are properly used by the management of the organization.
- Operating staff: All staff members should be responsible for reporting problems of operations, monitoring and improving their performance, and monitoring non-compliance with the corporate policies and various professional codes, or violations of policies, standards, practices and procedures. Their particular responsibilities should be documented in their individual personnel files. In performance management activities they take part in all compliance and performance data collection and processing activities as they are part of various organizational units and may also be responsible for various compliance and operational-related activities of the organization. Staff and junior managers may be involved in evaluating the controls within their own organizational unit using a control self-assessment.
Advantages of Internal Controls
- Detection of Errors and Frauds: Internal control systems are structured in such a way that work done by one employee in a process is checked by another without knowledge of the former. In such an environment, any fraud committed is brought to light unless there is collusion among fraudsters.
- Time Saving: The auditor can test-check or sample-check the transactions to ensure the reliability and accuracy of entries in the books. Hence, he can complete his audit work and prepare financial statements within the prescribed time.
- Minimum Scope for Errors and Frauds: Each employee does only the limited work assigned to him; moreover, awareness that his work is independently checked by another keeps him alert at work. In such a context, the chances of error or fraud being committed are lower.
- Operational Efficiency: It facilitates fixation of accountability, error-free work performance, and the accuracy, reliability and authenticity of entries, and eradicates inefficiency, fraud, theft, etc. Moreover, this system enables the management to assess the performance of employees. All these collectively contribute to enhancing the operational efficiency of the organization as a whole.
Disadvantages of Internal Controls
Regardless of the policies and procedures established by an organization, only reasonable assurance may be provided that internal controls are effective and financial information is correct. The effectiveness of internal controls is limited by human judgment. A business will often give high-level personnel the ability to override internal controls for operational efficiency reasons, and internal controls can be circumvented through collusion.
Risk of Internal Controls Failures
How often does your organization complete a detailed review of its internal controls? How many changes have occurred within your organization since the internal controls were designed? Have there been employee changes, process changes, new information systems, growth, or other changes that could have impacted those internal controls?
These controls should be re-evaluated on a routine basis to ensure that they are operating properly and still meet their objectives. When designing internal control policies, there are some common risks that every organization should consider, including:
- Management Override of Controls – Management is primarily responsible for the design, implementation, and maintenance of internal control and therefore, there is the inherent potential for management to override these controls. If an executive has the ability and an incentive – such as earnings targets or personal financial issues – to override controls and commit fraud, it is a risk not easily overcome. It requires those charged with governance, such as the shareholders, Board of Directors, or Audit Committee, to take an active approach in evaluating the possibility of fraud occurring at the organization and developing additional steps to control the risk of management override if these fraud risks are identified. In addition, setting the proper tone at the top can help the organization and its employees maintain their integrity.
- Limited Segregation of Duties – No single person should be responsible for the authorization of transactions, recording of transactions, and custody of the impacted assets of transactions. Smaller organizations may have difficulties implementing proper segregation of duties due to limited staffing, although larger companies can also have issues if the segregation is not properly designed. Smaller organizations need to implement compensating controls to help ensure the objectives are met, such as oversight, supervision, and monitoring by management or those charged with governance.
- Overreliance on Detective Controls vs. Preventative Controls – Although detective controls will identify whether something is wrong, it may be too late and the damage may have already been done. A good internal control system not only has detective controls, but also has preventative controls. Preventive controls can include things such as ongoing training on policies and procedures, implementing user names and passwords to limit access to the system or modules within the system, requiring dual signatures on disbursements, or conducting a review and approval of purchase requests prior to purchase.
- Informal vs. Formal Controls – Smaller organizations may have key controls that are performed at the entity level vs. at the activity level. These entity level controls are typically less formal and performed by one or two key individuals, such as the owner or manager. Regardless of whether controls are informal or formal, they need to be actively monitored to ensure they are being performed.
- Overly Trusting – When we hear stories of fraud, quite often the perpetrator is described as being honest, trustworthy, and a great employee whom you never suspected. An organization should trust its employees to be good employees and do their job to the best of their ability, but this trust should not reduce its internal controls. In the words of Ronald Reagan, “Trust, but verify.”
Internal controls serve as the first line of defense in preventing fraud and ensuring the viability of your organization. Even organizations with existing controls in place need to reevaluate them from time to time to ensure the objectives are still being met and identify any areas of weakness or new risks. Consider the internal controls risks outlined above when evaluating your organization’s existing internal controls. It’s important to be proactive in assessing what risks need to be addressed, designing the controls necessary to mitigate those risks, and implementing those controls successfully.