Overview of Internal Controls
What is Internal Control?
Internal control is a process effected by an entity's board of directors, management and other personnel designed to provide reasonable assurance that the following objectives are being achieved:
- Effectiveness and efficiency of operations,
- Reliability of financial reporting, and
- Compliance with applicable laws and procedures.
An effective control system provides reasonable, but not absolute assurance for the safeguarding of assets, the reliability of financial information, and the compliance with laws and regulations. Reasonable assurance is a concept that acknowledges that control systems should be developed and implemented to provide management with an appropriate balance between risk of a certain business practice and the level of control required to ensure business objectives are met. The cost of a control should not exceed the benefit to be derived from it.
The degree of control employed is a matter of good business judgment. When business controls are found to contain weaknesses, management must choose among the following alternatives:
- Increase supervision and monitoring,
- Implement additional or compensating controls and/or
- Accept the risk inherent with the control weakness.
What is required to achieve sufficient internal control?
Internal control consists of five interrelated components:
- Control (or Operating) environment
- Risk Assessment
- Control Activities
- Information and communication
- Monitoring
All five components must be present to conclude that internal control is effective. See Flow Chart of Internal Controls Concepts.
An effective control environment is an environment where competent people understand their responsibilities and the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization's policies and procedures and its ethical and behavioral standards. The control environment encompasses technical competence and ethical commitment; it is an intangible factor that is essential to effective internal control.
Risk assessment is the identification and analysis of risks associated with the achievement of operations, financial reporting, and compliance goals and objectives. Management must determine how much risk they are willing to assume. Failure to manage risks can result in 1) lack of confidence that goals and objectives will be achieved and 2) significant liability.
Steps for assessing risk:
- Determine Goals and Objectives
- Identify Risks
- Analyze Risk
Analyzing the risks identified includes:
- Assessing the likelihood (or frequency) of the risk occurring
- Estimating the potential impact if the risk were to occur considering both quantitative and
- Prioritizing the risks identified
- Determining what actions are necessary to eliminate or reduce the risk
Control activities are actions, supported by policies and procedures, that, when carried out properly and in a timely manner, manage or reduce risks. Controls can be either preventive or detective.
Preventive controls are proactive controls that help to prevent a loss. Examples are separation of duties, proper authorization, adequate documentation, and physical control over assets.
Detective controls attempt to detect undesirable acts that have occurred. Examples are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses.
Information and Communication
Information and communication are essential to effecting control. Information about an organization's plans, control environment, risks, control activities, and performance must be communicated up, down, and across an organization. Reliable and relevant information must be communicated to the people who need it and in a form and timeframe that is useful.
Monitoring assesses the quality of internal controls over time, making adjustments as necessary. Like the other four components, monitoring is a basic management practice that involves activities such as performance evaluations, ongoing supervisory activities, reviews and analyses, and independent evaluations of internal controls performed by management or others outside of the process. Proper monitoring ensures that controls continue to be adequate and to function properly before problems occur.
The monitoring process should also include documentation that audit findings and other reviews are promptly resolved. Examples of documentation include policies and procedures created or revised, communication of those policies and procedures, and documentation that issues have been promptly addressed, such as an email communicating the issue to a manager, with reference to the policy/procedure in violation if applicable, and expectations of steps to correct or strengthen a vulnerability.