The good news about internal controls is that everyone in a company is responsible for them. The bad news about a company’s internal controls is the same — everyone is responsible for them. Each member of an organization plays a critical role in ensuring a strong internal control environment to protect company assets, ensure completeness and accuracy of records, comply with laws and regulations, drive operational efficiency, and ultimately help the business meet its objectives and goals by managing risks effectively.
Promoting a strong internal control environment should be part of every organization’s culture! Infusing that attitude throughout the organization is the responsibility of senior management and the internal audit function, who are uniquely positioned to provide independent and objective assurance on the design and effectiveness of a company’s internal controls.
This article will walk you through the essentials of internal controls, including defining what internal controls are and their limitations, explaining the various types of internal controls, advising on how internal audit and internal controls vary, and offering some best practices for testing internal controls. Read on for details and related guidance that will help you set up your organization for success.
What Are Internal Controls?
An organization’s internal controls are the policies, procedures, and processes designed to safeguard company assets and minimize risk. In fact, internal control compliance plays a vital role in providing reasonable assurance that company objectives are met in an efficient and effective manner, contributing to the overall success and sustainability of an organization. Internal controls are part of a process designed to accomplish a goal, while compliance is the successful execution of the control.
A good example is the password protection system used when accessing technology. The controls put in place might include requiring a password and setting complexity requirements around it (character limitations, session length, timeout for failed login attempts, etc). Compliance is configuring applications to meet those password rules and ensuring they can’t be adjusted without proper approval and justification.
In short, internal controls provide a framework for promoting accountability, integrity, and transparency in an organization. The most widely recognized framework for internal controls is published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is a private-sector organization dedicated to providing organizational governance and internal controls guidance.
Understanding the Components of Internal Controls and Their Limitations
The five main components of an internal control system under the COSO Internal Control — Integrated Framework are:
- Control Environment: The control environment sets the tone at the top and includes the policies, procedures, standards, processes, and ethical values set forth by an organization’s senior management team and the board of directors.
- Risk Assessment: Within every organization, there is an underlying set of business objectives, related risks that can prevent the company from meeting its objectives, and internal controls in place to mitigate against those risks. A risk assessment helps to determine the impact and likelihood of those risks occurring and influences what types of controls should be implemented in order to reach an acceptable level of residual risk.
- Control Activities: Control activities are the specific actions management uses to enact the policies and procedures established in the control environment. For example, a company may have a policy in place to provide system access based on the minimum access needed for a user to perform their job function. A control activity could include assignment of system access based on user’s established role and reviewed on a periodic basis by the individual’s manager.
- Information and Communication: Internal controls are only effective if employees are aware of them, know how and when to perform a control, and understand what to do if an issue is identified. Information and communication ensure relevant information is shared throughout the organization and with external stakeholders in an effective and timely manner.
- Monitoring: Monitoring involves the ongoing assessment of the design and effectiveness of internal controls. Monitoring activities are performed by management, compliance functions, and internal auditors to provide assurance that internal controls are operating effectively.
While a sound internal control program based on the COSO framework helps to mitigate risk, there are three major internal control limitations that all auditors should be aware of: collusion, human error, and unexpected issues.
Limitation 1: Collusion
Implementing appropriate segregation of duties is a basic component of any successful internal control program to reduce the risk of fraud as it prevents a single employee from having enough power to complete a process end-to-end. Collusion occurs when a group of individuals work together to circumvent internal controls related to segregation of duties to commit fraud. Additionally, it’s not always possible to segregate duties, which can result in an increased opportunity for collusion.
As such, it’s important for auditors to have a solid understanding of all financially significant processes, including responsibilities for performing internal controls as job responsibilities change due to new hire, transfer, or termination, to ensure appropriate monitoring controls to prevent fraud are in place and operating effectively. A material misstatement resulting from fraud could have a lasting impact on a company’s brand and reputation.
Limitation 2: Human Error
The effectiveness of an internal control program will always be limited by the fact that human beings are not perfect. Some examples of human error that can impact internal controls include innocent mistakes made by employees when performing day-to-day responsibilities due to fatigue or distraction, employees misunderstanding instructions, and bad decision making based on limited information available.
Common solutions for reducing the risk of human error include automating internal controls where possible and implementing integrated technology to provide greater visibility into audit, risk, and compliance activities to stakeholders as needed to drive better decision-making.
Limitation 3: Unexpected Issues
Unexpected issues encompass all of the unforeseen circumstances that can impact a business as there simply isn’t a way for an organization to foresee all of the possible risks that may occur while simultaneously implementing controls to mitigate against these risks. In fact, some may argue that a good internal controls program not only enables an organization to mitigate risks where needed, but also allows them to use risk knowledge as a competitive advantage and take on more risk where possible.
Organizations that implement connected risk technology that enables users to perform dynamic risk assessments and continuously monitor risk levels in real-time are better suited for identifying and dealing with unexpected issues before they rise to a level of concern.
What Are the Types of Internal Controls?
While there are inherent limitations to any internal control program, implementing and ensuring the effectiveness of various types of internal controls can help ensure company objectives are met while minimizing undesirable events. The main types of internal controls are: preventive and detective.
Preventive controls are important because they lessen the need to detect mistakes after the fact, however, detective controls are also needed to ensure any issues that do fall through the cracks are discovered before they become a significant problem.
Preventive Internal Controls
Preventive controls are established to avert errors or other adverse events from happening while lessening the need to detect mistakes after the fact. Preventive controls can either be manual or automated, however, automated controls reduce the risk of human error while also helping to streamline audit activities when using a benchmark testing approach. Examples of preventive controls include system access controls, including segregation of duties, invoice approvals for expenditures that reach a specific threshold, background checks for new employees, and physical security systems like laptop locks and alarm systems.
Detective Internal Controls
Detective controls focus on discovering issues or irregularities after the fact and should be implemented in concert with preventive controls to help ensure issues are identified before they become a significant problem. Examples of detective controls include physical inventory counts, account reconciliations, and tie outs of financial statements to supporting documents.
Having a mixture of preventive and detective controls are important aspect of any internal control program to help a company mitigate risks and prevent issues from occurring.
Differentiating Internal Audit From Internal Control Activities
It’s almost impossible to talk about internal audit without mentioning internal controls as both are needed to drive an effective risk management strategy.
Internal controls are the checks and balances put in place by a company to mitigate risk, and usually consist of an ongoing system of policies and procedures directed by senior management and carried out by other members of the organization. An effective internal control system not only helps companies assess and mitigate risk, but also improve operations and processes and make better business decisions.
While management is responsible for identifying risks that may prevent the company from meeting its objectives and implementing internal controls to mitigate against those risks, internal audit is the function that evaluates whether the controls put in place are designed and operating effectively. Auditing internal control procedures provide many benefits, including reducing errors or fraud, improving the accuracy of financial reporting, increasing efficiency and operational efficacy, and improving a company’s overall reputation and credibility.
Internal audit teams can help organizations to regularly assess their internal controls by evaluating the process for identifying risks, advising management on the design and implementation of the related controls, completing control testing, and performing other types of internal audits like operational audits, compliance audits, and fraud investigations to ensure company objectives are met in the most efficient and effective way possible.
What Are Internal Control Objectives in Auditing?
A control objective is the reason that a control is put into place and is typically written as a statement that addresses how a risk is going to be managed by an organization. Control objectives from the COSO Internal Control — Integrated Framework fall into three categories: operational, reporting, and compliance.
Operational objectives revolve around improving business operations. Examples include: performance reviews; physical safeguards of assets; education, training, and coaching for team members; review and approval processes; and segregation of duties.
Reporting objectives relate to trustworthy and timely reporting on internal and external financial transactions. Examples include: spending authorization; reviews and approvals; verification; budget reconciliations; and password protections.
Compliance objectives relate to following and adhering to state and federal laws and industry-wide regulatory requirements fall under this umbrella. Examples include: verification of data; education and training; and regular synthesis of and adherence to policies and procedures manuals and guidance.
How Do Auditors Test Internal Controls?
Determining which internal controls to test in an organization will depend on a variety of factors, including the size and complexity of an organization, the nature of the business, and a risk assessment conducted by internal audit to determine what business units, processes, and applications are in scope for testing. Next, identify internal controls associated with in-scope processes and applications to risk rank the controls, which will determine the testing strategy, or extent of testing.
Testing internal controls involves performing procedures to evaluate the design as well as the effectiveness of a control in preventing or detecting material misstatements in financial reporting. The audit team will document testing procedures performed and the results of testing, including any control deficiencies or weaknesses identified, and ensure these are remediated in a timely manner. The results of testing and remediation activities are shared with management, executive leadership, and other stakeholders on a periodic basis to ensure the control environment is operating effectively to reduce risk and enable the company to meet its objectives.
Stay on Top of Internal Audit Controls With AuditBoard
Having an effective internal controls program is mission-critical for ensuring long-term business success. Companies that invest time and resources in implementing an internal controls program are better able to manage risk, protect company assets, ensure compliance with laws and regulations, and enhance stakeholder trust and confidence. Having a controls management system helps to further streamline the internal control process by centralizing risk and control information, automating workflows and testing, and providing tools for collaboration and dynamic reporting. Get started today!
Kim Pham, CIA, is a Market Advisor, SOX & Compliance at AuditBoard, with 10 years of experience in external and internal audit. She started her career in at Deloitte & Touche LLP., and continued to grow her experience in internal audit focusing on SOX compliance and operational audits at Quiksilver, the California State University Chancellor’s Office, and CKE Restaurants.