What is an Internal Control?
Management’s role is to plan, organize, staff, direct and monitor the performance of particular actions, and to provide reasonable assurance that the established goals and objectives will be achieved. Internal controls are the responsibility of management and are put into place to increase the probability those goals and objectives will be achieved efficiently and effectively. The role of the internal auditor is to evaluate the adequacy of those controls to determine compliance, and to evaluate if additional controls are needed. Controls help to ensure the following:
- Financial and operational information is reliable and has integrity
- Operations are performed efficiently and achieve effective results
- Assets are properly safeguarded
- Actions and decisions of the organization are in compliance with laws, regulations and contracts
Types of Controls
A control can be defined as “adequate” if it effectively manages the organization’s risks and efficiently and economically increases the likelihood that established objectives and goals will be met. Controls can be generalized into three categories:
- Preventive controls deter undesirable events, such as errors and irregularities, from occurring. For example, an unauthorized user entering the computer system would be an undesirable event. A preventive control would be log-on passwords, which discourage unauthorized entries.
- Detective controls identify and correct undesirable events that have occurred. This type of control would uncover any irregularities or errors after they have occurred. An example would be reviewing travel vouchers and receipts for the purchase of alcoholic beverages.
- Directive controls cause or encourage a desirable event to occur, such as employees meeting objectives effectively. Formally written procedure manuals would be a directive control in this case because they would encourage employees to carry out particular functions in an effective manner.
There is more than just the actual control itself. Controls, or control activities, are part of a system. In order for risks to be effectively managed and goals met efficiently and economically, the entire system must be considered when implementing controls. The control framework consists of:
- Monitoring is the methodology used for assessing the quality of internal controls over both internal and external environments. Risks are often change-driven; therefore, controls often become obsolete and require improvement. Adequate monitoring of controls aids in ensuring that the entity’s system of internal controls is functioning properly.
- Control activities could be described as the “hard” controls of an organization. These policies and procedures aid management in its role of achieving the established goals and objectives. Control activities include the following:
  - Segregation of Duties
  - Safeguarding of Assets
  - Transactions Recorded
  - Periodic Reconciliation
- Risk assessment identifies which risks, or threats, the entity is exposed to while trying to meet its established goals and objectives, and the likelihood of their occurrence. Before deciding which controls must be put into place, a risk assessment must first be performed. A risk can be generated from either inside or outside the organization. An external risk would include theft committed by a person outside the organization. An internal risk would include an employee committing fraud within the organization.
- Control environment is the attitude and actions of the board and management regarding the significance of control within the organization. It is also often conveyed as “the tone at the top” or the “corporate culture”. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. A weak control environment is a primary reason for internal control failures. The control environment includes the following:
  - Integrity and ethical values
  - Management’s philosophy and operating style
  - Organizational structure
  - Assignment of authority and responsibility
  - Human resource policies and practices
  - Competence of personnel
- Information and communication: an adequate flow of communication allows management to make informed decisions. It is pertinent that information not only be reported in a timely fashion but also flow in both directions through the organization. Information can be either internal or external. Internal information would include, for example, the entity’s established goals and objectives. External information might include best practices found within the industry.