Understanding the importance of internal controls

A strong internal control framework is the foundation of the audit profession and integral for business success.

Definition

According to The Institute of Internal Auditors, a control is: “any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives will be achieved.”

Objective

These objectives typically include improving:

• The effectiveness and efficiency of operations,

• The reliability of financial reporting, and

• Compliance with laws and regulations.

Controls are typically defined against the financial statement assertion that they relate to, such as:

• Presentation and disclosure,

• Existence and validity,

• Rights and obligations, and

• Completeness and valuation.

Assertions are representations made by management that are imbedded in the financial statements.

Examples of internal controls

Internal controls help mitigate risks, they address financial statement assertions, they can detect and prevent frauds from occurring, and they support a company in achieving its’ objectives.

Examples of common internal controls include:

• Segregation of incompatible duties

• Independent checks of performance

• Supervisory reviews and independent checks of performance

• Adequate policies and procedures

• Physical safeguards to prevent loss, damage, and theft of assets

• Digital safeguards of assets

• Retention of records

• Adequate authorization of transactions and delegation of authority

• Information processing controls, IT general controls, and IT application controls

• Standardization of documents, use of checklists, etc.

Additional actions that can be put in place to improve the control environment includes improving soft and hard controls such as: ethics and integrity, management’s operating style, the organisational structure, and the competence of personnel.

At the level of transactions, internal controls are the measures taken by an organization to achieve a specific a goal, such as control over vendor payment for services rendered. The internal controls in place could include: vendor invoice approval, purchase order approval, three-way matching, data entry controls, segregation of duties, etc.

The control environment is comprised of all of the actions that senior management has put in place and it includes their attitudes, as well. These set the tone from the top, and have a pervasive impact on control environment.

Internal controls need strong support from the top

Internal controls by themselves are not sufficient to safeguard against irregularities as they can be overridden by malicious intent, by collusion, or undermined by a poor tone at the top.

We have seen many organizations that have had extensive controls in place and even been applauded for the strong governance framework, however senior management did not abide their ethical obligations, and fundamentally rendered this control framework ineffective.

This is evident in the case of Enron, where the organization was actually lauded for their compliance efforts, but went bankrupt because of management’s malicious override of controls and wanton disrespect for their code of ethics.

SOX and Bill 198

Internal control is a key element of the Sarbanes Oxley Act (for public US corporations) and Bill 198 is similar act legislated in Canada to protect investors and improve the reliability of corporate financial disclosures.

Internal controls are everyone’s responsibility

According to the COSO framework, everyone within an organization has responsibilities for internal controls. This includes management, the board, the staff, and assurance functions like internal audit, compliance and risk.

Q4 Consult can help you improve your internal control framework. Contact us to see how we can tailor our services to best help you meet your objectives and mitigate your risks.