Every day, during the normal course of our lives, we encounter numerous controls or safeguards.
Whether your place of work requires an identification badge or a key fob, a password to log onto your computer or an access code to use a copier, controls are a way of life.
Internal control is a process. It’s a series of actions that govern an organization’s activities, put into effect by the board of directors, management and other personnel, designed to provide reasonable assurance in:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Primary internal controls
Internal controls are defined in five broad categories:
- Control environment involves an organization’s attitude about control. It flows from the core beliefs or values of a company.
- Risk assessment includes identifying and analyzing an organization’s risks or vulnerabilities.
- Control activities represent the actual policies and procedures that help ensure that management’s directives are being carried out.
- Information and communication involve identifying, capturing and exchanging information –including accounting information – that allows people to perform their duties.
- Monitoring or self-assessment evaluates the effectiveness of controls over time.
Testing controls
A financial statement audit determines whether an organization’s financial statements are free of material misstatement.
Auditors may assess risk at the maximum and not rely on the internal control system while performing their audit. Therefore, internal controls may not be tested as thoroughly because the auditors rely more on substantive testing.
In contrast, an internal control review determines whether internal controls exist and are sufficient. And it may test whether the controls are working as designed.
Evaluating internal control involves:
- Identifying the internal control objectives relevant to the organization
- Reviewing pertinent policies and procedures and the documentation standards for each
- Discussing controls with the appropriate levels of personnel
- Observing the control environment
- Testing transactions as appropriate
- Sharing findings, concerns and recommendations with senior management and/or the board of directors
- Determining that the organization has taken timely corrective action on weaknesses that were identified
Taking responsibility for internal control
The board of directors is ultimately responsible for a company’s system of internal control. It should set appropriate policies on internal control and seek regular assurance that the system is functioning effectively.
It is the role of management to implement the board’s policies on risk and control. Management should identify and evaluate the risks faced by the company for consideration by the board. And management should design, operate and monitor a suitable system of internal control to meet the board’s intent.
Additionally, all employees have some responsibility and accountability within the internal control environment. They should have the necessary skill, knowledge and authority to operate and monitor the system of internal control that is put in place.
Reviewing internal controls
Internal controls go beyond safeguarding an organization from financial loss. They can also assist in maintaining reliable financial reporting and maximizing effective operations.
The best way to protect and ensure that your organization is operating efficiently is to have an internal control review performed on your operation. Whether you’re a for-profit, not-for-profit or governmental entity, your current practices should be compared against peers in your sector.
The goal is twofold:
- To protect and safeguard your company from being victimized
- To improve your processes to obtain greater efficiencies and become more effective at each level of the organization
An internal control review can highlight weaknesses in the internal control structure or expose processes that could be strengthened to maximize efficiency. Detailed recommendations to mitigate risk or strengthen areas of weakness should be included in a formal report issued to the board of the organization.