Internal controls are one of the most essential elements within any organization. Internal controls are put in place to enable organizations to achieve their goals and missions. Management is responsible for the design, implementation, and maintenance of all internal controls, with the Board responsible for the overall oversight of the control environment. Strong internal controls allow for organizations to achieve three main objectives. These three objectives are: accurate and reliable financial reporting, compliance with laws and regulations, and effectiveness and efficiency of the organizations operations. In order to achieve these objectives an internal control framework needs to be applied and followed throughout the organization. The five components of the internal control framework are control environment, risk assessment, control activities, information and communication, and monitoring.
The first component, control environment, is crucial since it’s the foundation for the four other components of internal control. The control environment sets the tone at the top of an organization and provides discipline and structure. Within the control environment there are several factors that include the following:
Ethical Values and Integrity
Management and employees must show integrity. If management displays issues of lack of integrity, it can trickle down to the employees causing internal control issues and opportunities for fraud.
Human Resource Policies & Procedures
Control difficulties can be avoided by sound hiring procedures, training of new employees, and appropriate discipline.
Organizations that have a clear understanding of who reports to whom within an organization will limit the chance for internal control issues.
Participation of Those Charged with Governance
It is important for those charged with governance (audit committee, board of directors, etc.) to be involved with the organization and monitor internal control functions.
Philosophy of Management & its Operating Style
If management incorporates the importance of internal control in its operating style, employees will know the seriousness of the matter.
Responsibilities and authority need to be assigned to different employees throughout an organizations. Decision-making responsibilities should not be assigned to one individual.
The second component is risk assessment. Risk assessment is the identification and analysis of risks that could prevent the organization from achieving its objectives. Properly identifying risks will allow management to determine how to mitigate and manage these risks. Risk factors could consist of internal and external factors. Management should evaluate risk on a regular basis, as changes in an organization, such as staffing, new policies, new software applications, new regulations, etc., could all impact an organization’s risk assessment.
The third component is control activities, which are the policies and procedures that help ensure that management directives are carried out. One of the most important control activities is segregation of duties. Different individuals should be responsible for authorizing transactions, recording transactions, having custody of assets, and performing comparisons/reconciliations. Having proper segregation of duties is sometimes difficult for small organizations; however, organizations should try to segregate these functions to the best of their ability. In situations where segregation cannot occur, proper management oversight should be implemented so that any errors or irregularities can be timely caught.
Information and communication is the forth component of internal control. This relates to the identification and transfer of pertinent information in a timely manner that permits personnel to perform its responsibilities. For instance, having timely financial reporting can allow management to identify anomalies in its operations such as drops in margins, high reserves, etc.
The last component is monitoring, which is a key element of managements responsibilities when it comes to internal control. Top management is responsible for monitoring all controls and to determine if the controls are operating as they were intended. If controls are not operating effectively, management is then responsible to modify these controls. Monitoring is often done through a company’s quality assurance or internal control departments.
If these five components are implemented and are operating effectively, they can help ensure that an organization will achieve its goals while avoiding complications along the way.
Kenneth R. Cerini, CPA, CFP, FABFA