Are Your Internal Controls Running Like Clockwork?

Today, more than ever, emphasis is being placed on the effectiveness, or in some cases the existence of, internal controls. Regardless of how large or small a company, internal controls are being scrutinized. Large companies are still scrambling to understand and comply with Sarbanes-Oxley while mid-sized companies are trying to remain competitive and in business. Every business has some form of internal controls even if they are not formally documented and labeled as such. In order to explain their value, we must first understand what they are. Internal controls are policies, processes and procedures that are designed to detect and prevent errors and/or fraudulent activities, safeguard assets, ensure financial information is accurate and reliable, and assist in the overall mission of the business.

There are several key points that should be made about this definition:

  1. Internal control is a process. It’s a means to an end, not an end in itself. Unfortunately, all too often, time and effort are put into defining, creating and revising internal controls, but adequate monitoring is not put in place to ensure the controls are operating effectively and adequately mitigating the risks of the company.
  2. Internal controls are affected by both people and technology. Internal control is truly everyone’s responsibility. Once again, regardless of how big or small, everyone involved in running a company is responsible for ensuring internal controls are being followed.
  3. Effective internal control is a built-in part of the management process, not an added function that will occur after the fact. Internal control keeps an organization on the road towards achieving its objectives and helps minimize surprises along the way. Internal control should also promote effectiveness and efficiency. To some this may sound like a foreign concept, if not a complete oxymoron, but you can actually achieve both effectiveness and efficiency by implementing internal controls

Based upon the framework developed by the Committee of Sponsoring Organizations (COSO), there are five interrelated components within the internal control process:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

All five internal control components must be present to conclude that a company’s internal control structure is effective.

Control Environment

The internal control environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity’s personnel, including risk management philosophy and risk tolerance, integrity and ethical values, and the environment in which they operate.

Risk Assessment

The risk assessment process includes the identification and evaluation of the entity’s risks, considering likelihood and impact as a basis for determining how they should be managed. In response to the identified risk, management should develop a risk response—avoiding, accepting, reducing, or sharing risk—in order to develop a set of actions to align the level of risk with the entity’s risk tolerance.

Control Activities

Control activities are the policies and procedures that are established and implemented to help mitigate the identified risks. Control activities are generally separated into two categories: detective and preventative. Detective controls are designed to detect errors after they have occurred and preventative controls seek to prevent the errors from happening in the first place. Both types of controls are essential to an effective internal controls system.

Information and Communication

Reliable and relevant information from both internal and external sources must be identified, captured, processed and communicated to the people who need it. Information and communication systems can be either formal or informal. Formal information and communication systems can range from highly specialized computer technology to simple staff meetings. As far as informal systems, for some it’s a foreign concept, but oldfashion informal conversations with customers, suppliers and employees can sometimes provide some of the most critical information needed to identify both risk and opportunities.

Monitoring

Monitoring is the assessment of internal controls’ performance over time. Just as control activities help to ensure that actions to manage risk are carried out, monitoring helps to ensure that control activities and other planned actions are carried out properly and timely and that the end result is effective internal control.

Conclusion

An adequate internal control structure is critical to all organizations. Unfortunately, many companies fail to focus on internal control until there has been an error or irregularity identified or the perpetration of fraud has occurred due to the lack of adequate controls. Events such as these can be paralyzing to a company, and many companies have been unable to recover from significant internal control disasters.

By David G. Guenther, CPA, Director of Comprehensive Risk Services Group

 

Comments or Questions


First Name:
Last Name:
Reference Article
Company
Phone:
E-mail:
Website
Your Comments or Questions:



All Fields Required
 
 
 
© 2010 Alpern Rosenthal   |   Legal  |  Privacy  |  Sitemap  |  RSS  |  What is RSS?