What are internal controls? Why do we need them?
Internal controls are one of the most essential elements within any organization. Internal controls are put in place to enable organizations to achieve their goals and missions. Management is responsible for the design, implementation, and maintenance of all internal controls, while the Board is responsible for the oversight of the control environment. Strong internal controls allow for three main objectives: accurate and reliable financial reporting, compliance with laws and regulations, and effectiveness and efficiency of the organizations operations.
So, how do we achieve this? It all starts with your internal control framework. Each organization’s internal control framework should consist of 5 components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
This component is the foundation for all other components of internal control. It sets the tone at and from the top of an organization and provides discipline and structure. There are several factors that make up control environment, those include:
- Ethical Values and Integrity: Management and employees must have integrity. If management lacks integrity, it can trickle down to the employees and result in internal control issues and opportunities for fraud.
- Human Resource Policies & Procedures: Control difficulties can be avoided by sound hiring procedures, training of new employees, and appropriate discipline.
- Organization Structure: Organizations that have a clear understanding of who reports to whom within an organization will limit the chance for internal control issues.
- Participation of Those Charged with Governance: It is important for those charged with governance (audit committee, board of directors, etc.) to be involved with the organization and monitor internal control functions.
- Management Style: If management incorporates the importance of internal control in its operating style, employees will know the seriousness of the matter.
- Responsibility Assignment: Responsibilities and authority need to be assigned to different employees throughout an organization. Decision-making responsibilities should not be assigned to one individual.
This component is used to identify and analyze risks that may prevent an organization from achieving its objectives. Risk factors could consist of internal and external factors. Properly identifying risks will allow management to determine how to mitigate and manage these risks. Management should evaluate risk on a regular basis, as changes in an organization, such as staffing, new policies, new software applications, new regulations, etc., could all impact an organization’s risk assessment.
These are the policies and procedures that help ensure that management directives are carried out. One of the most important control activities is segregation of duties. There should be different individuals responsible for authorizing transactions, recording transactions, having custody of assets, and performing comparisons/reconciliations. For example, the individual responsible for hiring employees should not be the individual paying employees because it increases the chances that a ghost employee will go unnoticed. If this isn’t possible, management needs to assess where other controls can be implemented to compensate for the overlapping responsibilities. This will help organizations to better identify any errors or irregularities in a timely manner.
Information and Communication
This component relates to the identification and transfer of pertinent information in a timely manner to allow personnel to carry out their responsibilities. For instance, timely financial reporting can allow management to identify anomalies in its operations prior to year-end so that they can better prepare the business.
And, last but not least, monitoring. This process is ongoing and is a key element of management’s responsibilities. Management is responsible for ensuring controls are operating as intended and whether they are efficient. If controls are not operating effectively, management is then responsible to modify these controls and inform top administration and governing boards. Monitoring is often done through a company’s quality assurance or internal audit departments.
The proper implementation of these five components can help a business achieve its goals while avoiding complications along the way.
LEARN MORE IN THE SHORT VIDEO BELOW!
Nicholle Mezier, CPA, MBA
Nicholle is a Manager of Cerini & Associates’ audit staff where she brings experience in audit, review, and consulting services to our general business, nonprofit and special education clients. Nicholle has worked with a large number of nonprofit clients, predominantly focusing on social service providers, healthcare providers, foundations, educational institutions, and arts and culture organizations. Nicholle’s technical knowledge allows her to provide specific services, including financial statement audits, internal and claims audits, and nonprofit outsourced accounting services. Nicholle has also contributed to the firm’s various newsletters.