If you’ve been involved with an internal audit in any way, you are familiar with the term internal controls. You may have wondered, though, what exactly internal controls are and why are they important. Here’s a summary to help you answer those questions.
Internal control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Internal control can be judged as effective in each of these categories if the board of directors and management have reasonable assurance that:
- They understand the extent to which the entity’s operations objectives are being achieved.
- Published financial statements are being prepared reliably.
- Applicable laws and regulations are being complied with.
Internal control consists of five interrelated components:
- Control environment: Sometimes referred to as the “tone at the top” of the organization, meaning the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the University. The control environment provides discipline and structure to the other components of internal control.
- Risk assessment: Before conducting a risk assessment, objectives must be set. It’s the identification and analysis of relevant risks to achieve the objectives that form the basis to determine how risks should be managed. This component should address internal and external risks.
- Control activities: Policies and procedures that help ensure that management directives are carried out. Control activities occur throughout the organization at all levels in all functions. These include activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
- Information and Communication: Pertinent information must be identified, captured and communicated to the right people in a format and timeframe to enable them to carry out their responsibilities. Information systems within the organization are key to this element of internal control. Internal information, as well as external events, activities, and conditions must be communicated to enable management to make informed business decisions and for external reporting purposes.
- Monitoring: The activity undertaken by management and others in the organization with regard to the internal control system. This is the framework element that is associated with the internal audit function, as well as other means of monitoring such as general management activities and supervisory activities. It is important that internal control deficiencies be reported upstream with serious deficiencies reported to top management and the board of directors.
These five components are linked together, forming an integrated system that can react dynamically to changing conditions. The internal control system is intertwined with the organization’s operating activities and is most effective when controls are built into the organization’s infrastructure, becoming part of the very essence of the organization.
An effective internal control structure can actually become part of the competitive advantage of an organization.
- Implement segregation of duties. No one person should have control over all aspects of any financial transaction. Divide duties among staff members to reduce risk of error or inappropriate actions.
- Make sure transactions are authorized and approved.
- Records must be reviewed and reconciled, by someone other than the preparer.
- Equipment, inventory, cash and other property should be secured, counted periodically and verified against control records (bank statements, inventory records, equipment lists).
- Employees should have appropriate training to carry out their job duties and have an appropriate level of supervision. Employees should be aware of the channels for reporting suspected improprieties.
- Have formal policies and procedures, documented, current, and communicated to employees.
Remember, everyone is responsible. Please take a few minutes to answer the questions on our Self-assessment Questionnaire.
If you would like additional information on internal controls or assessing your departmental risks, please contact the Office of Internal Audit at 229-245-2491 or firstname.lastname@example.org. Also, please be sure to check out and attend one our classes.
A risk and internal control assessment is a voluntary activity where Internal Audit serves as a trusted advisor for your department. Your department managers and key employees work together with Internal Audit to identify the department’s risks and determine if existing internal controls adequately reduce these risks. The results of this assessment will not typically be shared with others. The exception of course would be if we were to find a weakness that impacts other areas or evidence of malfeasance. This type of engagement is:
- Customized for your department.
- Not an audit.
At the conclusion of the Assessment, we request that you provide feedback through our Customer Satisfaction Survey