What are Internal Controls?
Internal controls are the internal processes that organizations, especially publicly traded companies, must implement and maintain to provide accurate, reliable and timely operational and financial information to the public, prevent fraud and promote accountability. For public companies these controls must also comply with the Sarbanes-Oxley Act of 2002 (SOX) and SEC guidance, and with the organization's own contracts, procedures and policies, so that they support the company's operations, compliance and reporting objectives.
Purpose of Internal Controls in Organizations
Internal controls are not just a set of rules; they are an ongoing, dynamic process designed to provide reasonable assurance, meaning that they reduce risks but cannot eliminate them completely. Their primary purpose is to prevent irregularities and errors, whether deliberate fraud or unintentional mistakes, through procedures that keep data entry, record keeping and transactions accurate. Even with preventive controls in place, irregularities can still occur, which is why detective controls must also exist to identify and address problems. Internal controls also protect company assets, both tangible (inventory, equipment) and intangible (intellectual property, data), and promote the economical and efficient use of resources through budgetary controls, performance monitoring and inventory management systems, contributing to operational efficiency and cost savings. Implementing and maintaining effective controls plays a crucial role in achieving operational goals and improving corporate governance.
Historical Context and Evolution
The need for internal controls has been recognized for centuries. Hellenistic Egypt and the ancient Chinese dynasties managed government resources through complex administrative systems such as tax collection and grain storage, with record keeping, checks and balances to prevent corruption and fraud, and early forms of audit to maintain accountability. The development of double-entry bookkeeping was a major advance in financial control, the growth of large enterprises led to formal systems of internal control, and the Sarbanes-Oxley Act of 2002 (SOX) added regulation that recognized their importance.
Fundamental Concepts of Internal Controls
- Internal controls are not a one-time event but continuous activities integrated into an organization's operations; they must be regularly monitored and updated as the environment and its risks evolve, which makes them process-oriented and ongoing.
- Internal controls are not just processes and policies; they are also human-centric, involving people at every organizational level, from top officials (CEO, CFO) and board directors to the employee who enters records manually or in a system: the people who implement and operate them.
- Internal controls can provide only reasonable, not absolute, assurance, because of inherent limitations such as human error, collusion, the cost of implementing controls and management override. Organizations should recognize these limitations and adopt a risk-based approach to internal controls.
Structure of Internal Controls: 5 Components
According to the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework, internal control is a people-driven process that provides a business with reasonable assurance regarding the achievement of its goals and objectives. The COSO framework defines internal control in terms of five components.
Control Environment
The control environment is the foundation for all other components and sets the overall ethical tone at the top. It is management's commitment to integrity and ethical values, expressed through the standards it sets for employees, its approach to risk-taking and decision-making, and the organizational structure. A clear structure with defined roles and responsibilities and appropriate delegation of authority ensures accountability. Whistleblower policies, conflict-of-interest policies and a code of conduct, clear guidelines for staff on financial transactions and activities, compulsory ethics training, internal control audits and an ethics committee are examples of a strong organization-level control environment.
Risk Assessment
Organizations must identify and assess the internal and external risks that could affect the achievement of their objectives. Methods include independent internal control risk assessments, regular departmental risk reviews in monthly or quarterly meetings, periodic review of operational and financial data for trends and potential risks, and documentation of the results.
Control Activities
Control activities are the policies and procedures that carry out management directives to mitigate risks. Examples are requiring authorization for transactions or activities, comparing data from different sources for accuracy, security controls that protect information and assets such as purchasing limits and approvals, and segregation of duties across roles and responsibilities to prevent fraud.
Information and Communication
Organizations should keep communication channels open between all relevant departments: information must be communicated accurately and in time to the right people, internally and externally. Systems that produce financial, operational and compliance-related reports enable employees throughout the organization to perform their responsibilities effectively.
Monitoring
Monitoring systems should be implemented and maintained for ongoing and periodic assessment of internal controls, to verify that they are working as intended. Management should report deficiencies found in internal controls, and the corrective measures taken, through internal audits; those assessments are then attested by external auditors.
Types of Internal Controls
Preventive vs. Detective Controls
Preventive controls are proactive and are designed to stop irregularities and errors before they occur. Examples include segregation of duties between authorization, record keeping and custody, required approvals for transactions, password protection to prevent unauthorized system access, and encryption of data.
Detective controls are reactive and are designed to identify irregularities and errors after they have occurred, such as detection of cybersecurity incidents, comparison of bank statements with internal accounting records, review of financial and operational information, review of system access logs, audits, system alerts and performance reviews.
Hard vs. Soft Controls
Hard controls are tangible, typically documented and enforced, such as policies and procedures. Examples are physical security such as security cameras, access badges and locks, computer passwords, formal approval processes, and written policies and procedures.
Soft controls are intangible or less easily measured and usually relate to an organization's culture and ethics, such as management's tone at the top and employee behavior. Integrity and ethical values, management's operating style, open communication channels, and the competence and morale of employees are prime examples.
Manual vs. Automated Controls
Manual controls are performed mostly by people, for example handwritten approvals, manual invoice reviews or physical inventory counts. Automated controls are performed by computer systems or applications without human interaction, for example automated data validation, automated transactions and approvals based on predefined rules, or system-generated reports. They reduce human error and improve accuracy, efficiency and consistency.
Key vs. Secondary Controls
Key controls are the critical controls that directly address significant risks and are essential to achieving control objectives; if they fail, the result can be compliance violations and material misstatements. Secondary controls are supporting controls that are not as critical: they help resolve issues and provide an extra layer of validation and security, but the control objectives do not depend on them.
IT Controls
IT controls are critical in today's technology-driven environments and fall into the following categories.
Manual Controls
Manual controls are performed by individuals but relate to IT processes, such as manual data backups or review of system access logs.
IT Dependent Manual Controls
These are manual controls that rely on information generated by IT systems, such as reviewing a system-generated report and acting on its contents.
Application Controls
These controls are settings and features within an application, such as automated calculations in a financial application, authorization controls, input validation, and configuration that requires multi-factor authentication for users who need access to the system or application.
IT General Controls
These are the controls over the IT infrastructure and systems themselves, such as system development life cycle controls, disaster recovery plans, change management processes, access controls on servers and databases, and user authorization controls such as role-based access control.
Preventive and Detective Controls
As discussed earlier, IT controls can be preventive or detective. Firewalls, access restrictions, passwords and encryption are preventive controls. Audit logs, antivirus software, intrusion detection systems and log review systems such as SIEM platforms are examples of detective controls.
Remote Work Considerations
Remote work poses additional threats to data and system access. Important remote work IT controls are multi-factor authentication, virtual private networks (VPNs), endpoint security, data encryption and increased monitoring, all of which address the risks of a decentralized work environment.
Examples of Internal Controls
Segregation of duties
Segregation (or separation) of duties divides responsibilities among different individuals, for example keeping the financial records and custody of the assets with different authorized personnel, to prevent errors and fraud. A typical example is separating the role of the person who orders supplies from the person who approves the invoices.
Transaction authorization
Authorization of a transaction based on criteria or limits, such as requiring department-head approval for any purchase order above a specified amount.
Record review and reconciliation
Regular review of financial records, such as comparing bank statements with accounting records or reviewing inventory records for accuracy.
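The three controls just listed (segregation of duties, transaction authorization, and reconciliation) are straightforward to automate. The following Python example is added here and is not code from the original page; the record format, the department-head approval limit of 10,000, the role names and the sample purchase orders, ledger and bank statement are all constructed for illustration.

```python
"""Added example: automated versions of segregation of duties, transaction
authorization and bank reconciliation, run over constructed sample data.
Field names, roles, the approval limit and the data are assumptions."""
from dataclasses import dataclass

# Hypothetical limit above which a department head must approve (assumed).
DEPT_HEAD_LIMIT = 10_000


@dataclass
class Transaction:
    tx_id: str
    amount: int          # whole currency units (constructed data)
    requester: str       # person who raised the order
    approver: str        # person who approved it
    approver_role: str   # "clerk" or "dept_head" (assumed role names)
    payer: str           # person who released the payment


def segregation_of_duties(tx: Transaction) -> list[str]:
    """Preventive control: one person may not request, approve and pay."""
    findings = []
    if tx.requester == tx.approver:
        findings.append(f"{tx.tx_id}: requester {tx.requester} approved own request")
    if tx.approver == tx.payer:
        findings.append(f"{tx.tx_id}: approver {tx.approver} also released payment")
    return findings


def transaction_authorization(tx: Transaction, limit: int = DEPT_HEAD_LIMIT) -> list[str]:
    """Preventive control: amounts above the limit need department-head approval."""
    if tx.amount > limit and tx.approver_role != "dept_head":
        return [f"{tx.tx_id}: {tx.amount} exceeds {limit} but approved by {tx.approver_role}"]
    return []


def reconcile(ledger: dict[str, int], bank: dict[str, int]) -> list[str]:
    """Detective control: compare ledger postings with the bank statement,
    reporting items missing on either side and amount mismatches."""
    findings = []
    for ref in sorted(set(ledger) | set(bank)):
        if ref not in bank:
            findings.append(f"{ref}: in ledger ({ledger[ref]}) but not on bank statement")
        elif ref not in ledger:
            findings.append(f"{ref}: on bank statement ({bank[ref]}) but not in ledger")
        elif ledger[ref] != bank[ref]:
            findings.append(f"{ref}: ledger {ledger[ref]} != bank {bank[ref]}")
    return findings


def run_controls(txs, ledger, bank) -> list[str]:
    """Run all three controls and return every finding, in order."""
    findings = []
    for tx in txs:
        findings += segregation_of_duties(tx)
        findings += transaction_authorization(tx)
    findings += reconcile(ledger, bank)
    return findings


# Constructed sample data: one clean order and three control violations.
SAMPLE_TXS = [
    Transaction("PO-1001", 4_500, "alice", "bob", "clerk", "carol"),        # clean
    Transaction("PO-1002", 12_000, "alice", "bob", "clerk", "carol"),       # over limit, clerk approved
    Transaction("PO-1003", 800, "dave", "dave", "clerk", "carol"),          # self-approval
    Transaction("PO-1004", 25_000, "erin", "frank", "dept_head", "frank"),  # approver also pays
]
SAMPLE_LEDGER = {"PO-1001": 4_500, "PO-1002": 12_000, "PO-1003": 800, "PO-1004": 25_000}
SAMPLE_BANK = {"PO-1001": 4_500, "PO-1002": 12_000, "PO-1004": 25_500, "PO-1005": 300}

if __name__ == "__main__":
    for finding in run_controls(SAMPLE_TXS, SAMPLE_LEDGER, SAMPLE_BANK):
        print(finding)
```

The first two checks are preventive and would normally run before a record is accepted; the reconciliation is detective and runs after the fact, which is why it reports items that exist only on one side as well as amount mismatches.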
Physical security and training protocols
Implementation of physical security to protect sensitive information and assets, such as restricted access to server rooms, security cameras in high-risk areas, and compulsory data security training for all employees on the proper handling of sensitive information.
Importance of formalized policies and documentation
Documented internal control policies and procedures give employees clear guidance. Examples are documented procurement, financial and payroll procedures, documented ethical standards and compliance requirements, and documentation of IT controls and procedures.
Monitoring and Assessment
Regular monitoring and assessment is the final layer of control, evaluating whether the implemented internal controls are effective and working as intended. It includes ongoing monitoring and assessment of daily and periodic controls by the internal audit team, and the results should be fed back to improve controls by addressing any deficiencies found.
Importance of Internal Controls
Internal controls are fundamental to the health, safety and sustainability of a company, and their relevance can be seen from several perspectives.
Organizational Level
Reliable and accurate financial reporting is essential for informed decision-making by stakeholders, investors and management; internal controls ensure that financial information is reliable and complete and reduce the risk of misstatement. Internal controls also provide timely feedback on an organization's progress toward its objectives by monitoring performance and identifying and resolving problems.
Transaction Level
Internal controls ensure that transactions are accurate and complete and are covered by segregation of duties between authorization, record keeping and custody, for example through approval processes such as large payments requiring multiple signatures, and through comparison of bank statements with accounting records.
Legal and Regulatory Role
The Foreign Corrupt Practices Act (FCPA) requires organizations to keep accurate books and records and to maintain internal controls that prevent bribery and other forms of corruption. SOX requires the establishment and maintenance of internal control over financial reporting, a management assessment of the effectiveness of those controls, and attestation of that assessment by external auditors.
Relationship with Corporate Governance
An effective internal control system promotes ethical behavior in the corporation, holds individuals accountable for their actions, provides transparency through reliable and accurate information to stakeholders, and gives assurance that risk management strategies are implemented and followed, all of which are hallmarks of improved corporate governance.
Implementation of Internal Controls
Successful implementation of internal controls requires a structured and systematic approach. The following sequence reflects that approach.
Objectives -> Risks -> Controls Sequence
Objectives
Start by establishing specific, measurable, achievable, relevant and time-bound (SMART) objectives for the organization or department, such as efficient procurement processes, protection of sensitive data, compliance with regulatory requirements, or accurate and timely financial reporting.
Risks
Once the objectives are clearly defined, identify the risks that could prevent their achievement by conducting a comprehensive risk assessment, covering for example data breaches, regulatory non-compliance, inaccurate inventory reporting or fraud.
Controls
Once the risks are identified, design and implement internal controls that mitigate them, tailoring each control to the specific risks affecting specific objectives. Implement both preventive and detective controls, and make sure the cost of a control does not outweigh the benefit it provides.
Roles and Responsibilities for Internal Control Implementation
Strong internal controls require collaboration between different teams within the organization. Below are the roles and responsibilities of each.
Management
Management is responsible for implementing and maintaining a strong internal control system. Management sets the tone for ethical behavior, integrity and commitment to compliance by setting standards for the whole organization, communicates the importance of internal controls, ensures they are implemented and function properly, and allocates the resources needed for the control structure. This is why SOX requires top officers such as the CEO and CFO to personally certify the company's financial reports and management's assessment of internal control over financial reporting, which external auditors then audit, holding those officers accountable for the effectiveness of the internal control system.
Board of Directors
The board of directors provides overall governance, guidance and oversight of the internal control system, ensuring that management fulfills its responsibilities and that internal controls are effective. The board should be independent and provide unbiased strategic risk assessment, with particular oversight of financial reporting through the audit committee.
Auditors (Internal and External)
Auditors play a crucial role in reviewing IT and application controls and in assessing the design, implementation and operating effectiveness of the control system. Internal auditors evaluate the internal control system on behalf of management and the audit committee, external auditors provide an independent opinion on the integrity of the financial statements, and both make recommendations on how controls can be improved.
Audit Committee
The audit committee is a subcommittee of independent members of the board of directors. It oversees the financial reporting, auditing and risk management processes, supervises the work of the internal and external auditors, and monitors compliance with laws and regulations.
Personnel Benefits Committee
The personnel benefits committee oversees an organization's benefits and compensation programs. It makes sure that human resources controls are in place to prevent errors and fraud related to benefits, payroll and personnel matters such as hiring, promoting and terminating employees.
Operational Staff
Implementing and following internal control processes is the responsibility of all operational staff, who must comply with all procedures and policies and report any weakness in internal controls to management. The organization should implement whistleblower policies that protect staff members who report discrepancies or fraud, especially in financial reporting.
Continuous Controls Monitoring
Continuous controls monitoring (CCM) uses technology to monitor internal control systems automatically and in near real time, helping organizations identify and address risks quickly and efficiently. It automates internal control testing and applies data analytics to spot anomalies and trends. Automated alerts, continuous analysis of system access logs and detection of unusual transactions are examples of continuous controls monitoring.
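The two CCM examples named above, continuous analysis of access logs and detection of unusual transactions, can be expressed as a few detection rules. The following Python block is an added example, not code from the original page; the key=value log format, the disabled-account list, the business-hours window, the failure-burst count, the "4x median" anomaly factor and all log lines and payment amounts are constructed assumptions for illustration.

```python
"""Added example: continuous controls monitoring rules over constructed
access-log lines and payment records. Log format, thresholds, account
names and all data are assumptions, not from the original page."""
from datetime import datetime
from statistics import median

# Constructed access-log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-05-02T09:05:00 user=alice action=login src=10.0.0.5 result=success
2024-05-02T09:06:30 user=bob action=login src=10.0.0.7 result=failure
2024-05-02T09:06:41 user=bob action=login src=10.0.0.7 result=failure
2024-05-02T09:06:52 user=bob action=login src=10.0.0.7 result=failure
2024-05-02T09:07:05 user=bob action=login src=10.0.0.7 result=success
2024-05-02T23:40:00 user=carol action=login src=10.0.0.9 result=success
2024-05-03T10:15:00 user=dave action=login src=10.0.0.11 result=success
"""
DISABLED_ACCOUNTS = {"dave"}    # e.g. a terminated employee (assumed)
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumed)
FAILURE_BURST = 3               # failures before a success that we flag (assumed)


def parse_line(line: str) -> dict:
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def monitor_access(log_text: str) -> list[str]:
    """Detective rules over access logs: use of a disabled account,
    off-hours access, and a success right after a burst of failures."""
    alerts, failures = [], {}
    for rec in map(parse_line, log_text.splitlines()):
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "failure":
            failures[user] = failures.get(user, 0) + 1
            continue
        if user in DISABLED_ACCOUNTS:
            alerts.append(f"{ts.isoformat()} disabled account {user} logged in")
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(f"{ts.isoformat()} off-hours login by {user}")
        if failures.get(user, 0) >= FAILURE_BURST:
            alerts.append(f"{ts.isoformat()} {user} succeeded after {failures[user]} failures")
        failures[user] = 0  # a success resets the per-user failure counter
    return alerts


# Constructed payment history as (user, amount); the last entry per user is the new one.
SAMPLE_PAYMENTS = [
    ("alice", 1200), ("alice", 1350), ("alice", 1100), ("alice", 1250), ("alice", 9800),
    ("bob", 400), ("bob", 380), ("bob", 420), ("bob", 390), ("bob", 410),
]
ANOMALY_FACTOR = 4  # flag a payment above 4x the user's median so far (assumed)


def monitor_transactions(payments, factor: int = ANOMALY_FACTOR) -> list[str]:
    """Detective rule: flag a user's latest payment when it exceeds
    `factor` times the median of that user's earlier payments."""
    history = {}
    for user, amount in payments:
        history.setdefault(user, []).append(amount)
    alerts = []
    for user, amounts in history.items():
        *earlier, latest = amounts
        if earlier and latest > factor * median(earlier):
            alerts.append(f"{user}: {latest} is >{factor}x median {median(earlier)}")
    return alerts


if __name__ == "__main__":
    for alert in monitor_access(SAMPLE_LOG) + monitor_transactions(SAMPLE_PAYMENTS):
        print(alert)
```

In a real deployment these rules would run continuously against a log pipeline or SIEM and feed the automated alerts mentioned above; the baseline for the transaction rule should be recomputed as history grows, and a user with no history gets no alert, which is the edge case the `earlier and` guard handles.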
Objectives and Assertions in Describing Internal Controls
The internal control framework is linked to ensuring that the financial statements accurately reflect the financial position of the organization. Management and auditors rely on assertions to achieve this.
PERCV Acronym
The PERCV acronym summarizes the key assertions that management makes about the financial statements and that auditors validate.
Presentation and Disclosure
Presentation and disclosure require that items in the financial statements are properly described, classified and disclosed in a clear and understandable way, in accordance with the applicable accounting standards.
Existence/Occurrence/Validity
This assertion addresses the risk that recorded transactions and balances are fictitious, verifying that assets, liabilities and equity interests actually exist and that recorded transactions actually occurred, for example by physically counting recorded inventory.
Rights and Obligations
Assertions that the company holds or controls the rights to its assets and that the liabilities are the company's obligations, and that both are properly attributed in the company's periodic reports, for example confirming that buildings and other assets are actually owned by the company.
Completeness
Assertions that all assets, liabilities and transactions that should have been recorded have been recorded, addressing the risk of omission. For example, checking that all sales transactions have been recorded and that no asset has been left out, since an omission can lead to a financial restatement.
Valuation
Assertions that the assets, liabilities and equity interests included in the financial statements are valued at the right amounts, neither understated nor overstated relative to market value to create a misleading picture, and that allocations are properly reported in the annual reports.
Control Precision
Entity-Level Controls
These controls operate at the organizational level and affect multiple processes, providing broad assurance over the integrity of financial reporting; an organization's code of ethics is an example.
Assertion-Level Controls
These controls address assertions about specific account balances or individual transactions and provide more granular assurance, for example an internal control that checks that every shipping document matches a sales invoice.
Fraud Prevention and Internal Controls
Preventing fraud is a primary concern for any organization, which is why effective internal controls play a crucial role in identifying the risks that lead to fraud.
Fraud Risk Assessment
Fraud risk assessment should follow a systematic approach, covering asset misappropriation (theft of cash, inventory or equipment), manipulation of financial records or statements, and corruption (bribery or kickbacks). The three elements of the fraud triangle should be considered:
- Opportunity: The situations which allow fraud to occur.
- Rationalization: The mindset that allows a fraudster to justify the act.
- Pressure: The incentive which drives the fraudster to commit the act.
After identifying fraud risks, implement appropriate internal controls to mitigate them. Key controls include:
- Segregation of duties.
- Authorization controls.
- Reconciliation procedures.
- Physical security controls.
- Whistleblower hotlines.
- Employee background checks.
- Data analytics for anomaly detection.
Senior Management Override
Senior management override is a particular concern: individuals with the authority and position to intentionally bypass internal controls can undermine even the strongest control system. Safeguards against it include strong corporate governance, an independent board of directors, enhanced auditing processes, whistleblower policies, an audit committee, and monitoring of key performance indicators that can expose results inconsistent with the controls.
Improving Internal Controls and Processes
In dynamic business environments, organizations should continuously look for ways to improve their internal control processes.
Automating Controls
Automating internal controls can increase their efficiency and effectiveness. By automating repetitive tasks, organizations reduce human error and cost and free resources for other activities. Examples of control automation:
- Automated data validation checks.
- Automated approval of transactions based on predefined rules.
- Automatically generated reports.
- Automated monitoring of system access logs using SIEM solutions.
- Automation of repetitive tasks using robotic process automation (RPA).
Automation offers several benefits, such as real-time monitoring, improved audit trails, reduced processing time, increased consistency and accuracy, and lower labor costs.
Systematic Business Improvement
Internal controls do not only prevent errors and address risks; they also serve systematic business improvement. Analyzing control deficiencies and identifying areas for improvement also highlights process bottlenecks and inefficiencies. Organizations should therefore engage external audit firms or experts to review their internal controls and provide independent insight and recommendations. Service organization control (SOC 1 and SOC 2) reports serve the same purpose for outsourced services, identifying blind spots and areas where controls may be insufficient.
Service Organization Control Report 1
A SOC 1 report covers a service organization's controls relevant to its customers' financial reporting. It helps user organizations assess the effectiveness of those controls and should be used to improve them by following up on the deficiencies found.
Service Organization Control Report 2
A SOC 2 report covers controls related to security, availability, processing integrity, confidentiality and privacy, which are non-financial controls, and should be used to improve outsourced IT and data-related processes.
Limitations of Internal Controls
Although internal controls provide reasonable assurance, their inherent limitations prevent them from providing absolute assurance that an organization will achieve its objectives.
Understanding Reasonable Assurance
Even internal controls built on COSO framework guidance, which helps organizations mitigate risk, have major limitations of which all internal and external auditors should be aware. The main ones are as follows.
Collusion
Segregation of duties is an important part of internal control for maintaining the integrity of the approval process, but collusion can defeat even the strongest segregation of duties. When two or more people conspire to bypass controls, fraudulent activity becomes very difficult to identify or prevent; for example, employees in purchasing and receiving could work together to produce fictitious invoices.
Human error
Many internal controls depend on human judgment, which is not always perfect, and people make mistakes. Even with proper procedures and training, carelessness, misunderstanding or fatigue cause errors; for example, a clerk might enter an incorrect amount in the financial records, which could lead to a restatement.
Unforeseen circumstances
Internal controls are designed for known and assessed risks, but unexpected circumstances or changes in the environment can introduce new risks that existing controls do not address. Examples include technological advances that make existing security controls obsolete, economic downturns that create new pressures, natural disasters that disrupt operations, a cyber-attack exploiting a previously unknown vulnerability, or system failures.
Conclusion: The Importance of Shared Responsibility
The effectiveness of an internal control system depends on the collective commitment of every member of the organization.
Everyone’s Role
Maintaining the internal control system is not solely the responsibility of management and auditors. Regardless of position, every employee has a role in maintaining a strong control environment: understanding and following procedures and policies, reporting weak controls and suspected violations, acting ethically and taking ownership of the risks in their own work. This means building a culture in which controls are an integral part of everyone's job rather than an obstacle, promoting open communication, and managers leading by example in their commitment to compliance and ethical behavior.
Benefits of Strong Internal Control Environment
A strong internal control environment offers many benefits: protection of assets from fraud, theft and unauthorized use, physical security of assets and confidentiality of sensitive data, accurate and reliable operational and financial information, enhanced efficiency, informed decision-making and performance monitoring, alignment with all applicable laws and regulations, and reduced risk of legal penalties and reputational damage, all of which build stakeholder trust.
Organizations should promote a strong internal control culture by educating and training employees, communicating policies and procedures clearly, conducting regular risk assessments, leading by example, monitoring and reporting effectively, and recognizing good control practices. Employees should feel comfortable following the rules and reporting concerns without fear of retaliation. By embracing shared responsibility and a strong ethical culture, organizations can continuously improve their internal control processes.