Every organization needs strong internal controls to ensure the integrity of financial statements, promote ethical values, and drive transparency across the enterprise. Internal controls are the mechanism to do those things; controls help identify risks and reduce them to an acceptable level.
Vital processes supported by robust internal control systems allow an organization to comply consistently with all applicable laws and regulations and to earn confidence, trust, and loyalty among its stakeholders. Internal controls also play an essential role in preventing employees and others from committing fraud.
Conversely, a lack of internal controls can weaken the integrity of accounting and financial reporting. Costs can rise because of reduced operational efficiency and increased potential for fraud and other kinds of crime. Ultimately, these issues affect the company’s reputation and financial standing in the market.
Types of Internal Control Activities
There are two primary types of internal controls: preventive and detective.
Preventive Internal Control Activities
As the name suggests, the aim of preventive controls is to prevent errors or fraud from happening in the first place. These controls are essential because they are proactive and help neutralize problems that could cause a lot of damage if they occur.
Key preventive control activities include:
Segregation of Duties
Also known as separation of duties, this internal control activity divides responsibilities among multiple employees to minimize the risk of errors or inappropriate actions.
By segregating duties, organizations assure that no single person can perform, authorize, and record financial transactions, which reduces the potential to commit fraud. For example, enterprises should separate the duties and responsibilities for:
- Receiving cash or checks, preparing deposits, and reconciling deposits
- Entering new vendors and paying invoices
- Entering and approving expenses
Authorization and Approvals
All financial transactions should be authorized and approved by a suitable person (or persons) to assure that transactions are appropriate and aligned with organizational goals. Here, “suitable” means that the approver has the authority to do so and the skills and knowledge to make informed decisions on behalf of the organization.
For example, a department may implement an internal control activity to assure that a manager should approve all purchase requisitions and perhaps an additional approval from a director-level manager for purchase requisitions over a specific dollar amount.
Verification, Reconciliation, Reviews, and Documentation
Many organizations implement control activities focused on compliance, financial, or operational issues. For example, it’s imperative to have specific people review and verify critical transactions and financial figures to confirm accuracy.
Physical security is another preventive control activity. It’s critical to limit physical access and implement internal controls for cash, equipment, inventory, checks, and all other assets considered business-critical for the organization.
In addition to physical control, financial assets should be counted and compared with amounts shown on control records and documents.
Detective Internal Control Activities
Unlike preventive control activities, detective controls aim to find errors and problems (and their root causes) after the mistakes have already occurred. Although these controls don’t prevent problems from occurring, detective controls are essential because they provide an after-the-fact opportunity to identify, understand, and correct irregularities.
Detective controls are implemented to support organizational objectives such as fraud prevention, legal and regulatory compliance, and quality control. These controls also confirm that the organization’s preventive controls are operating as intended.
Key detective control activities include:
Some organizations perform monthly reconciliations of departmental transactions. Reconciliation involves cross-checking transactions to confirm that the information reported is accurate and up-to-date.
For example, expense activities recorded in accounting reports should be reconciled with relevant supporting documents to verify that the records reflect the correct transaction amount and are recorded in the accurate account. If material differences exist, the relevant department can take appropriate corrective actions.
An enterprise may undertake organizational performance reviews to assess its performance based on specific parameters. For example, a study may compare the annual budget with actual expenses to find unexpected differences and then analyze the source or cause of those differences.
The enterprise may conduct an internal audit by:
- Performing a monthly reconciliation of bank accounts
- Reconciling petty cash accounts
- Reviewing and verifying refunds
- Auditing payroll disbursement
- Conducting a physical inventory
Internal auditors evaluate accounting and corporate governance processes to:
- Identify problems and correct errors early
- Improve the reliability of financial reporting
- Improve or maintain operational efficiency
- Assure compliance with laws and regulations
An organization may hire an external auditing or accounting firm for some or all of the above audit control activities. In this case, the auditing firm will test the organization’s accounting processes, review the control structure, and provide an opinion about the effectiveness of internal controls. The auditors may also offer suggestions to strengthen these controls.
While auditors may provide recommendations, there is a distinction between an audit and an internal control review. An audit verifies that your business is following documented business processes and generating accurate results. An internal control review checks if controls can be improved or automated and detects if they are inadvertently causing operational inefficiencies.
Why Are Internal Controls Critical?
Establishing and using the appropriate internal controls is essential for firms of any size. Internal controls may typically aid in discovering fraudulent activities, even though they cannot always prevent fraud, especially when higher management is involved.
In addition, internal controls can guarantee the timely and accurate preparation of financial statements and identify material misstatements before the final financial accounts are published.
Human error can still happen even when internal controls are established. However, it’s more likely that mistakes will be discovered immediately and addressed right away if the proper control processes are in place.
And last, creating solid internal controls may influence how a corporation operates. By establishing and effectively administering internal controls, businesses of any size may achieve three crucial business goals-accurate financial reporting, compliance with all applicable rules, and efficient operations.
How Do Internal Controls Impact a Business?
Correctly applying internal controls generates significant benefits for your organization. Here are the pros of the correct implementation of these controls.
Standardized business processes and procedures communicate the intended operations for employees in every department. A corporation benefits from cohesion and transparency among functions when processes are established and documented, since everyone knows what is expected of them.
Separation of Functions
A system of checks and balances results from adequately constructed internal controls, ensuring an organization has an acceptable separation of roles. For instance, the person who reconciles bank statements and deposits checks shouldn’t be the same. These verifications help catch errors and reduce the risk of fraud.
Preventing Theft and Fraud
Fraud and theft may be lessened and even prevented with internal controls. Robust internal controls “keep honest people honest” by reducing the opportunities and temptations to do anything inappropriate.
Making Accurate and Timely Financial Statements
Internal controls drive processes for correct and timely transactions in accounting records. Both internal and external stakeholders depend on accurate and timely financial statements, which management uses for decision-making and preparing for the future.
Well-designed internal controls will help your business prevent and detect errors. A robust internal controls review process helps identify where issues are still slipping through the cracks. Quality improvements and error reductions will protect your reputation and brand image with customers and stakeholders.
What Can Happen if Internal Controls Are Weak?
Unfortunately, weak internal controls may give a false sense of security that is worse than having no controls at all.
Weak internal controls will increase the likelihood of errors, fraud, and theft. Besides any money lost, consider the time that management will spend investigating the situation and, potentially, the expense of recruiting a replacement employee.
Weak internal controls are also an indication that business processes are not well-defined, which results in operational inefficiencies. It’s critical to clarify the roles and responsibilities of each department to avoid unnecessary redundancies and ensure nothing falls through the cracks.
Finally, if internal controls are ineffective, an organization could risk losing certifications, exposure to regulatory penalties, or experience a data breach. These costly consequences can cause damage to a company’s finances and its reputation.
What Are Internal Control Objectives?
A system of internal controls should be comprehensive and meet various objectives for the business. Mercer’s system of internal controls defines seven control objectives to assess the effectiveness.
Before a transaction is recorded, all trades must be authorized by responsible personnel.
The goal is to ensure that the accounting records contain all legitimate transactions.
All legitimate transactions must be truthful, consistent with the original transaction data, and recorded in a timely fashion.
The goal is to ensure that all recorded transactions accurately reflect the economic events that took place, are legal, and have been carried out following management’s general approval.
Physical Safeguards and Security
The goal is to ensure that access to physical resources and information systems are adequately managed and limited to authorized persons.
The goal is to guarantee that mistakes found at any processing step are promptly fixed and reported to the proper management level.
Segregation of Duties
Tasks shall be delegated to people in a way that prevents one person from having complete control over the transaction’s recording function and processing operations.
Most, if not all, of these control objectives should be satisfied by a well-designed process with proper internal controls.
How to Determine Which Control Activities Are Most Important for Your Business
Robust internal controls are the key to minimizing uncertainties and boosting an organization’s ability to achieve its stated goals. However, there are many different types of controls, and it can be challenging to determine which control activities are relevant.
Selecting the best control activities and implementing an effective system of internal controls begins with a business first identifying its goals and objectives related to:
- Financial reporting
Next, management should establish a common “language” for risks and controls to:
- Improve risk identification, classification, and response
- Standardize rules using a standard methodology
- Improve reporting, business performance, and decision-making
- Reduce dependence on external oversight and audits
Once the control language and methodology are established, adopt a consistent and disciplined reporting structure to assure that reliable, up-to-date information about risks and controls is available across the company.
Finally, leverage technology to manage internal controls, implement controls for self-assessment and ongoing monitoring, and follow through on corrective actions.
Not all organizations will implement the same internal control activities. But in general, management should select controls that:
- Increase accountability
- Encourage sound management practices
- Assure that functions achieve their intended results
- Provide accurate and timely information and reporting
- Assure compliance with laws and regulations
- Support the requirements of external auditors
How Automation Helps Implement Internal Controls
Eliminating situations when the firm is left exposed by leaving the metaphorical garage door open may be accomplished by moving to the future of controls (FoC). Organizations will use controls on the path to a successful FoC journey to boost investor confidence, business intelligence, and operational performance.
The key to realizing that vision is to maximize automation – not just for its own sake, but also when and where it makes sense. As a result, organizations can reduce the time and effort needed to ensure compliance by intelligently integrating automation and next-generation technology into internal controls frameworks.
- Rapid, real-time risk and exposure detection (not just during quarterly reviews or audits)
- Use data to enable quick, objective decision-making
- Investigate the root cause of problems rather than merely their symptoms
- Change your risk-management strategy from defensive and reactive to aggressive and proactive
Control environments may contain three more crucial lines of sight, such as offering insight, supervision, and foresight, rather than only carrying out actions geared toward looking backward. This allows businesses to operate more effectively in the present and the future.
Internal Control Activities in COSO Internal Control-Integrated Framework
Since 1992, many publicly traded organizations in the United States have used the Internal Control-Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to develop and implement specific internal controls that are right-sized to them.
In May 2013, COSO published an updated version of the framework that incorporates changes that have taken place in the business and operating environment over the past few decades. The new framework also makes it easier for companies to see gaps in compliance with Section 404 of the Sarbanes Oxley (SOX) Act.
The COSO 2013 framework comprises five integrated components of internal control:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
According to COSO compliance, the framework enables organizations to strengthen internal control, which is “a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
The internal control activities can be adapted to an organization’s structure and considered at every level, including entity, divisional, operating unit, and function group.
Include ZenComply in Your Control Plans
Improve your internal controls and manage compliance to frameworks (such as the COSO internal control framework) with ZenComply. Leverage this integrated platform to meet your risk management, cybersecurity, audit, governance, and compliance needs.
ZenComply enables reliable risk, audit, and compliance management with easy access to information and continuous monitoring with dashboards and advanced reporting features. Automated workflows ensure nothing falls through the cracks.
The document repository is a single source of truth to store policies, procedures, business continuity, and disaster recovery plans. You will always be audit-ready with ZenComply.
Schedule a demo to see how ZenComply can help you manage all of your compliance requirements.