A system of internal control has five components. An accountant must be aware of these components when designing an accounting system, as does anyone who audits the system. The components of an internal control system are noted below.
Control Environment
This is the attitude of management and their employees regarding the need for internal controls. If the controls are taken seriously, this greatly enhances the robustness of the system of internal control. Conversely, if management tends to work around the system of controls, then it is highly likely that employees will ignore the controls, too.
Risk Assessment
This is the process of reviewing the business to see where the most critical risks lie, and then designing controls to address those risks. This assessment must be conducted on a regular basis, to take into account any new risks introduced by changes in the business. This is a more important issue when a business is constantly changing its products and acquiring other businesses, since these activities imply the existence of significant changes to the underlying processes, which introduce new risks.
Control Activities
This is the use of accounting systems, information technology, and other resources to ensure that appropriate controls are put in place and operating properly. For example, there may be accounting systems in place to periodically conduct inventory audits and fixed asset audits. In addition, there may be off-site backups to minimize the risk of lost data.
Information and Communication
Information about controls should be communicated to management in a timely manner, so that shortfalls can be addressed promptly. The amount of information communicated should be appropriate to the needs of the recipient. Thus, major control breaches should be communicated to senior management at once, while minor issues can be dealt with at a lower level of the organization.
Monitoring
This is the set of processes used by management to examine and assess whether its internal controls are functioning properly. Ideally, management should be able to spot control failures and make adjustments to improve the control environment. Otherwise, an improper or ineffective control may allow misstatements to pass through into the financial statements.
Internal controls are one of the most essential elements within any organization. Internal controls are put in place to enable organizations to achieve their goals and missions. Management is responsible for the design, implementation, and maintenance of all internal controls, with the Board responsible for the overall oversight of the control environment. Strong internal controls allow for organizations to achieve three main objectives. These three objectives are: accurate and reliable financial reporting, compliance with laws and regulations, and effectiveness and efficiency of the organizations operations. In order to achieve these objectives an internal control framework needs to be applied and followed throughout the organization. The five components of the internal control framework are control environment, risk assessment, control activities, information and communication, and monitoring.
The first component, control environment, is crucial since it’s the foundation for the four other components of internal control. The control environment sets the tone at the top of an organization and provides discipline and structure. Within the control environment there are several factors that include the following:
Ethical Values and Integrity
Management and employees must show integrity. If management displays issues of lack of integrity, it can trickle down to the employees causing internal control issues and opportunities for fraud.
Human Resource Policies & Procedures
Control difficulties can be avoided by sound hiring procedures, training of new employees, and appropriate discipline.
Organization Structure
Organizations that have a clear understanding of who reports to whom within an organization will limit the chance for internal control issues.
Participation of Those Charged with Governance
It is important for those charged with governance (audit committee, board of directors, etc.) to be involved with the organization and monitor internal control functions.
Philosophy of Management & its Operating Style
If management incorporates the importance of internal control in its operating style, employees will know the seriousness of the matter.
Responsibility assignment
Responsibilities and authority need to be assigned to different employees throughout an organizations. Decision-making responsibilities should not be assigned to one individual.
The second component is risk assessment. Risk assessment is the identification and analysis of risks that could prevent the organization from achieving its objectives. Properly identifying risks will allow management to determine how to mitigate and manage these risks. Risk factors could consist of internal and external factors. Management should evaluate risk on a regular basis, as changes in an organization, such as staffing, new policies, new software applications, new regulations, etc., could all impact an organization’s risk assessment.
The third component is control activities, which are the policies and procedures that help ensure that management directives are carried out. One of the most important control activities is segregation of duties. Different individuals should be responsible for authorizing transactions, recording transactions, having custody of assets, and performing comparisons/reconciliations. Having proper segregation of duties is sometimes difficult for small organizations; however, organizations should try to segregate these functions to the best of their ability. In situations where segregation cannot occur, proper management oversight should be implemented so that any errors or irregularities can be timely caught.
Information and communication is the forth component of internal control. This relates to the identification and transfer of pertinent information in a timely manner that permits personnel to perform its responsibilities. For instance, having timely financial reporting can allow management to identify anomalies in its operations such as drops in margins, high reserves, etc.
The last component is monitoring, which is a key element of managements responsibilities when it comes to internal control. Top management is responsible for monitoring all controls and to determine if the controls are operating as they were intended. If controls are not operating effectively, management is then responsible to modify these controls. Monitoring is often done through a company’s quality assurance or internal control departments.
If these five components are implemented and are operating effectively, they can help ensure that an organization will achieve its goals while avoiding complications along the way.
If you would like to learn more about this topic, please contact:
***This article was featured in Bottom Line Vol 13***