Internal Control

Internal Control is a process affected by an organization's governing board, management, administration, and personnel and is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • effectiveness and efficiency of operations;
  • reliability of financial reporting; and
  • compliance with applicable laws and regulations.

This definition reflects certain fundamental concepts:

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is affected by people. It involves not only policy manuals and forms but also people functioning at every level of the organization.
  • Internal control is geared toward the achievement of objectives in several overlapping categories.
  • Internal control can be expected to provide only reasonable assurance to an organization's leaders regarding the achievement of operational, financial reporting, and compliance objectives.[1]

Internal controls are one of the most essential elements within any organization. Internal controls are put in place to enable organizations to achieve their goals and missions. Management is responsible for the design, implementation, and maintenance of all internal controls, with the Board responsible for the overall oversight of the control environment. Strong internal controls allow organizations to achieve three main objectives. These three objectives are accurate and reliable financial reporting, compliance with laws and regulations, and effectiveness and efficiency of the organization's operations. In order to achieve these objectives an internal control framework needs to be applied and followed throughout the organization. The five components of the internal control framework are control environment, risk assessment, control activities, information and communication, and monitoring.[2]

Components of Internal Control[3]
The framework of a good internal control system includes:

  • Control environment: A sound control environment is created by management through communication, attitude, and example. This includes a focus on integrity, a commitment to investigating discrepancies, and diligence in designing systems and assigning responsibilities.
  • Risk Assessment: This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exists. To be most efficient, the greatest risks should receive the greatest amount of effort and level of control. For example, the dollar amount or the nature of the transaction (for instance, those that involve cash) might be an indication of the related risk.
  • Monitoring and Reviewing: The system of internal control should be periodically reviewed by management. By performing a periodic assessment, management assures that internal control activities have not become obsolete or lost due to turnover or other factors. They should also be enhanced to remain sufficient for the current state of risks.
  • Information and communication: The availability of information and a clear and evident plan for communicating responsibilities and expectations is paramount to a good internal control system.
  • Control activities: These are the activities that occur within an internal control system.

Figure: Internal Control Framework (source: Reliability First)

History of Internal Control[4]
"Internal control" was first defined in 1948 by the American Institute of Accountants, but internal control practices have existed since ancient times. According to the website joeinvestoronline, Hellenistic Egypt had a dual system of internal controls in place for tax collecting, with one set of bureaucrats collecting taxes while another oversaw them. Since 1977, all American publicly owned corporations are legally required to abide by a strictly defined and enforced set of internal-control standards.

Types of Internal Controls[5]

  • Preventive: Preventive controls are designed to discourage errors or irregularities from occurring. Internal controls work best on the principle that prevention is better than cure. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:
    • Segregation of Duties: Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting), and handling the related asset (custody) are divided.
    • Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
    • Security of Assets: Access to equipment, inventories, securities, cash, and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.
  • Detective: Detective Controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:
    • Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.
    • Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action, when necessary.
    • Physical Inventories
    • Audits
  • Corrective: Coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized.
    • Document policies and procedures
    • Enforce them by means of warnings and employee termination when appropriate
    • Wisely back up data to enable restoring a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.
  • Compensating: Compensating controls can only partially make up for a control that is missing or has failed, so they should be adopted as early as possible. Examples are:
    • Read through the detailed transaction report: trace exactly where the error originated and follow it back to its source.
    • Perform analytical reviews: analyze the affected process thoroughly and close any loopholes found.
    • Reassign reconciliation: rotate the person responsible for performing the reconciliation task.

Figure: Types of Internal Control

Examples of Internal Controls[6]

  • Segregation of Duties: When work duties are divided or segregated among different people to reduce the risk of error or inappropriate actions.
  • Physical Controls: When equipment, inventories, securities, cash, and other assets are secured physically. This can occur through the use of locks, safes, or other environmental controls. Access is restricted to those with authority to handle them.
  • Reconciliations: Comparisons are made between similar records maintained by different people to verify that transaction details are accurate and that all transactions are properly recorded. Specific examples include performing a reconciliation from bank statements to the check register/records, and balancing/reconciling cash on hand to sales or transaction activity on the cash register totals.
  • Policies and Procedures: Established policies, procedures, and documentation that provide guidance and training to ensure consistent performance at a required level of quality. These should be available at all levels of the organization, both departmental and University/Organization-wide.
  • Transaction and Activity Reviews: Management reviews of transaction, operating, and summary reports help to monitor performance against goals and objectives, spot problems, identify trends, etc. Specific examples include monthly review of budget statements against actual expenses, review of telecommunication call activity reports for personal or non-business related phone calls, and review of timecards and overtime hours by employees.
  • Information Processing Controls: When data is processed, a variety of internal controls are performed to check the accuracy, completeness, and authorization of transactions. Data entered is subject to edit checks or matching to approved control files or totals. Numerical sequences of transactions are accounted for, and file totals are controlled and reconciled with prior balances and control accounts. The development of new systems and changes to existing ones are controlled, as is access to data, files, and programs.
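The segregation-of-duties and information-processing controls above can be run as detective checks over a transaction batch. The following is an added example, not code from the page or its cited sources; the Txn record, the three duty names (approve, record, custody) and the sample transactions with their people and amounts are all constructed for illustration.

```python
"""Detective-control checks over a constructed transaction batch.

Three checks drawn from the page: (1) no one person holds two of the
approve / record / custody duties for a transaction, (2) the numerical
sequence of transactions is fully accounted for, and (3) the batch total
rolls the prior balance forward to the control-account figure.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    # Assumed record layout (constructed for this example).
    seq: int            # transaction sequence number
    amount: float       # signed amount posted to the account
    approved_by: str    # authorization duty
    recorded_by: str    # recording (accounting) duty
    custodian: str      # custody of the related asset


def sod_conflicts(txns):
    """Return {seq: {person: [duties]}} where one person held 2+ duties."""
    conflicts = {}
    for t in txns:
        roles = {"approve": t.approved_by, "record": t.recorded_by,
                 "custody": t.custodian}
        by_person = {}
        for duty, person in roles.items():
            by_person.setdefault(person, []).append(duty)
        bad = {p: d for p, d in by_person.items() if len(d) > 1}
        if bad:
            conflicts[t.seq] = bad
    return conflicts


def sequence_gaps(txns):
    """Account for the sequence: return (missing numbers, duplicated numbers)."""
    seqs = sorted(t.seq for t in txns)
    present = Counter(seqs)
    missing = [n for n in range(seqs[0], seqs[-1] + 1) if n not in present]
    duplicates = sorted(n for n, c in present.items() if c > 1)
    return missing, duplicates


def reconcile(prior_balance, txns, control_total):
    """Roll the prior balance forward; return (computed total, control - computed)."""
    computed = round(prior_balance + sum(t.amount for t in txns), 2)
    return computed, round(control_total - computed, 2)


# Constructed sample batch: seq 1003 is missing, 1005 was posted twice,
# and 1004 was both approved and recorded by the same person.
SAMPLE = [
    Txn(1001, 250.00, "alice", "bob", "carol"),
    Txn(1002, 75.50, "alice", "bob", "carol"),
    Txn(1004, 999.99, "dave", "dave", "carol"),
    Txn(1005, 40.00, "alice", "bob", "dave"),
    Txn(1005, 40.00, "alice", "bob", "dave"),
]


def run_checks(prior_balance=10000.00, control_total=11365.49):
    """Run all three checks over SAMPLE and return the findings as a dict.

    The control account carries 1005 only once, so the 40.00 difference
    reported by reconcile() points at the duplicated posting found by
    sequence_gaps().
    """
    findings = {"sod": sod_conflicts(SAMPLE)}
    findings["missing"], findings["duplicates"] = sequence_gaps(SAMPLE)
    findings["computed"], findings["difference"] = reconcile(
        prior_balance, SAMPLE, control_total)
    return findings


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```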

Roles and Responsibilities in Internal Control[7]
According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to affect control. Also, all personnel should be responsible for communicating upward problems in operations, non-compliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:

  • Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics, and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for the establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.
  • Board of directors: Management is accountable to the board of directors, which provides governance, guidance, and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal, and internal audit functions, is often best able to identify and correct such a problem.

Audit roles and responsibilities

  • Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented, and working effectively, and make recommendations on how to improve internal control. They may also review Information technology controls, which relate to the IT systems of the organization. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting.
  • Audit committee: The role and the responsibilities of the audit committee, in general terms, are to (a) Discuss with management, internal and external auditors, and major stakeholders the quality and adequacy of the organization’s internal controls system and risk management process, and their effectiveness and outcomes, and meet regularly and privately with the Director of Internal Audit; (b) Review and discuss with management and the external auditors and approve the audited financial statements of the organization and make a recommendation regarding the inclusion of those financial statements in any public filing. Also, review with management and the independent auditor the effect of regulatory and accounting initiatives as well as off-balance sheet issues in the organization’s financial statements; (c) Review and discuss with management the types of information to be disclosed and the types of presentations to be made with respect to the Company's earnings press release and financial information and earnings guidance provided to analysts and rating agencies; (d) Confirm the scope of audits to be performed by the external and internal auditors, monitor progress and review results and review fees and expenses. Review significant findings or unsatisfactory internal audit reports, or audit problems or difficulties encountered by the external independent auditor. Monitor management's response to all audit findings; (e) Manage complaints concerning accounting, internal accounting controls or auditing matters; (f) Receive regular reports from the Chief Executive Officer, Chief Financial Officer, and the Company's other Control Committees regarding deficiencies in the design or operation of internal controls and any fraud that involves management or other employees with a significant role in internal controls; and (g) Support management in resolving conflicts of interest. Monitor the adequacy of the organization’s internal controls and ensure that all fraud cases are acted upon.

  • Personnel benefits committee: The role and the responsibilities of the personnel benefits committee, in general terms, are to (a) Approve and oversee the administration of the Company's Executive Compensation Program; (b) Review and approve specific compensation matters for the Chief Executive Officer, Chief Operating Officer (if applicable), Chief Financial Officer, General Counsel, Senior Human Resources Officer, Treasurer, Director, Corporate Relations and Management, and Company Directors; (c) Review, as appropriate, any changes to compensation matters for the officers listed above with the Board; and (d) Review and monitor all human-resource-related performance and compliance activities and reports, including the performance management system. They also ensure that benefit-related performance measures are properly used by the management of the organization.
  • Operating staff: All staff members should be responsible for reporting problems of operations, monitoring and improving their performance, and monitoring non-compliance with the corporate policies and various professional codes, or violations of policies, standards, practices, and procedures. Their particular responsibilities should be documented in their individual personnel files. In performance management activities they take part in all compliance and performance data collection and processing activities as they are part of various organizational units and may also be responsible for various compliance and operational-related activities of the organization. Staff and junior managers may be involved in evaluating the controls within their own organizational unit using a control self-assessment.

Advantages of Internal Controls[8]

  • Detection of Errors and Frauds: Internal control systems are structured in such a way that work done by one employee in a process is checked by another without the knowledge of the former. In such an environment, any fraud committed is brought to light unless there is collusion among the fraudsters.
  • Time-Saving: The auditor can test-check or sample-check the transactions to ensure the reliability and accuracy of entries in the books. Hence, the auditor can complete the audit work and prepare financial statements within the prescribed time.
  • Minimum Scope for Errors and Frauds: Each employee performs only the limited work assigned to them; moreover, knowing that their work is independently checked by another keeps them alert at work. In such a context, the chances of error or fraud being committed are lower.
  • Operational Efficiency: It facilitates the fixing of accountability, error-free work performance, accuracy, reliability, and authenticity of entries, and eradicates inefficiency, fraud, theft, etc. Moreover, this system enables management to assess the performance of employees. All of these collectively contribute to enhancing the operational efficiency of the organization as a whole.

Figure: Advantages of Internal Control (source: Brainkart)

Disadvantages of Internal Controls[9]
Regardless of the policies and procedures established by an organization, only reasonable assurance may be provided that internal controls are effective and financial information is correct. The effectiveness of internal controls is limited by human judgment. A business will often give high-level personnel the ability to override internal controls for operational efficiency reasons, and internal controls can be circumvented through collusion.

Risk of Internal Controls Failures[10]
How often does your organization complete a detailed review of its internal controls? How many changes have occurred within your organization since the internal controls were designed? Have there been employee changes, process changes, new information systems, growth, or other changes that could have impacted those internal controls?

These controls should be re-evaluated on a routine basis to ensure that they are operating properly and still meet their objectives. When designing internal control policies, there are some common risks that every organization should consider, including:

  • Management Override of Controls – Management is primarily responsible for the design, implementation, and maintenance of internal control and therefore, there is the inherent potential for management to override these controls. If an executive has the ability and an incentive – such as earnings targets or personal financial issues – to override controls and commit fraud, it is a risk not easily overcome. It requires those charged with governance, such as the shareholders, Board of Directors, or Audit Committee, to take an active approach in evaluating the possibility of fraud occurring at the organization and developing additional steps to control the risk of management override if these fraud risks are identified. In addition, setting the proper tone at the top can help the organization and its employees maintain their integrity.
  • Limited Segregation of Duties – No single person should be responsible for the authorization of transactions, recording of transactions, and custody of the impacted assets of transactions. Smaller organizations may have difficulties implementing proper segregation of duties due to limited staffing, although larger companies can also have issues if the segregation is not properly designed. Smaller organizations need to implement compensating controls to help ensure the objectives are met, such as oversight, supervision, and monitoring by management or those charged with governance.
  • Overreliance on Detective Controls vs. Preventative Controls – Although detective controls will identify whether something is wrong, it may be too late and the damage may have already been done. A good internal control system not only has detective controls but also preventative controls. Preventive controls can include things such as ongoing training of policies and procedures, implementing user names and passwords to limit access to the system or modules within the system, requiring dual signatures on disbursements, or conducting a review and approval of purchase requests prior to purchase.
  • Informal vs. Formal Controls – Smaller organizations may have key controls that are performed at the entity level vs. at the activity level. These entity-level controls are typically less formal and performed by one or two key individuals, such as the owner or manager. Regardless of whether controls are informal or formal, they need to be actively monitored to ensure they are being performed.
  • Overly Trusting – When we hear stories of fraud, quite often the perpetrator is described as being honest, trustworthy, and a great employee whom you never suspected. An organization should trust its employees to be good employees and do their job to the best of their ability, but this trust should not reduce its internal controls. In the words of Ronald Reagan, “Trust, but verify.”

Internal controls serve as the first line of defense in preventing fraud and ensuring the viability of your organization. Even organizations with existing controls in place need to reevaluate them from time to time to ensure the objectives are still being met and identify any areas of weakness or new risks. Consider the internal controls risks outlined above when evaluating your organization’s existing internal controls. It’s important to be proactive in assessing what risks need to be addressed, designing the controls necessary to mitigate those risks, and implementing those controls successfully.

See Also

Internal control represents the policies, procedures, and activities implemented by an organization to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. These mechanisms are designed to ensure the efficiency and effectiveness of operations, the reliability of financial reporting, and compliance with laws and regulations. Internal controls are a critical component of corporate governance and risk management.

  • Corporate Governance: Discussing the system by which companies are directed and controlled, including the roles of boards of directors, shareholders, and other stakeholders in ensuring that an organization's management acts in the best interest of all parties.
  • Risk Management: Explaining how organizations identify, assess, and prioritize risks to their operations and objectives, including the role of internal controls in mitigating financial, operational, compliance, and strategic risks.
  • Financial Reporting: Covering the process of producing statements that disclose an organization's financial status to management, investors, and regulators, emphasizing the role of internal controls in ensuring accuracy and reliability.
  • Compliance: Discussing the measures taken by organizations to ensure they meet legal and regulatory obligations, including internal controls designed to prevent and detect violations.
  • Audit and Assurance: Focusing on the examination of an organization's financial statements and related processes by an independent body to assess the effectiveness of internal controls, accuracy of financial reporting, and compliance with accounting standards and regulations.
  • Fraud Prevention and Fraud Detection: Explaining strategies and systems implemented to prevent fraudulent activities and detect any occurrences, highlighting the critical role of internal controls in safeguarding assets.
  • Operational Efficiency: Discussing the practices aimed at maximizing the effectiveness and efficiency of business operations, including how internal controls contribute to streamlining processes and reducing waste.
  • Sarbanes Oxley Act (SOX): Covering the U.S. federal law enacted in response to a number of major corporate and accounting scandals, detailing the requirements for internal controls over financial reporting for public companies.
  • COSO Internal Control Integrated Framework: Explaining the Committee of Sponsoring Organizations of the Treadway Commission's framework for evaluating and improving internal control systems, including its five components: control environment, risk assessment, control activities, information and communication, and monitoring activities.
  • Information Technology Controls: Discussing controls specific to IT and systems that support the processing and security of information, including access controls, network security measures, and information processing policies.
  • Internal Control Over Financial Reporting (ICFR): Focusing on the processes used by companies to ensure the accuracy and reliability of their financial reporting and compliance with applicable laws and accounting standards.
  • Segregation of Duties (SoD): Explaining the practice of dividing tasks and responsibilities among different people and departments as a control measure to prevent fraud and errors.
  • IT Governance