Every organization needs strong internal controls to ensure the integrity of financial statements and to promote ethical values and transparency across the enterprise. Internal controls are the mechanism to do those things; controls help to identify risks and then reduce them to an acceptable level.
Strong processes supported by robust internal controls systems allow an organization to comply consistently with all applicable laws and regulations, and to earn confidence, trust, and loyalty among its stakeholders. Internal controls also play an essential role in preventing employees and others from committing fraud.
Conversely, a lack of internal controls can weaken the integrity of accounting and financial information, and thus financial reporting too. Costs can rise due to reduced operational efficiency and increased potential for fraud and other kinds of crime. Ultimately, these issues affect the company’s reputation and financial standing in the market.
Types of Internal Control Activities
Internal control activities can be preventive or detective.
Preventive Internal Control Activities
As the name suggests, the objective of preventive controls is to prevent errors or fraud from happening in the first place. These controls are essential because they are proactive and help to neutralize problems that could cause a lot of damage if they actually occur.
Key preventive control activities include:
Segregation of Duties
Also known as separation of duties, this internal control activity divides responsibilities among multiple employees to minimize the risk of errors or inappropriate actions.
By segregating duties, organizations assure that no single person can perform, authorize, and record a financial transaction, which reduces the opportunity to commit fraud. For example, enterprises should assign to different people the duties and responsibilities for:
- Receiving cash or checks, preparing deposits, and reconciling deposits
- Entering new vendors and paying invoices
- Entering and approving expenses
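The separation rules above can be checked mechanically during an access review. The following is an added illustration, not code from the original article; the duty names, the conflict groups and the employee assignments are constructed samples that mirror the three pairings just listed.

```python
"""Segregation-of-duties (SoD) conflict check over a duty assignment.

Added illustration, not code from the original article. The duty names,
the conflict groups and the employee assignments are constructed samples
that mirror the three pairings the article lists.
"""
from itertools import combinations

# Each set lists duties that no single person should hold together.
SOD_CONFLICT_GROUPS = [
    {"receive_cash", "prepare_deposit", "reconcile_deposit"},
    {"enter_vendor", "pay_invoice"},
    {"enter_expense", "approve_expense"},
]

# Constructed sample: which duties each employee currently holds.
ASSIGNMENTS = {
    "alice": {"receive_cash", "prepare_deposit"},
    "bob": {"reconcile_deposit", "approve_expense"},
    "carol": {"enter_vendor", "pay_invoice"},
    "dave": {"enter_expense"},
}


def find_sod_conflicts(assignments, conflict_groups=SOD_CONFLICT_GROUPS):
    """Return sorted (employee, duty_a, duty_b) triples, one per pair of
    conflicting duties held by the same person."""
    conflicts = []
    for person, duties in assignments.items():
        for group in conflict_groups:
            for a, b in combinations(sorted(duties & group), 2):
                conflicts.append((person, a, b))
    return sorted(conflicts)


def can_take_duty(person, duty, assignments, conflict_groups=SOD_CONFLICT_GROUPS):
    """True if giving `duty` to `person` creates no SoD conflict; useful when
    deciding who takes over a duty that has to be reassigned."""
    held = assignments.get(person, set())
    return not any(duty in group and held & group for group in conflict_groups)


if __name__ == "__main__":
    for person, a, b in find_sod_conflicts(ASSIGNMENTS):
        print(f"SoD conflict: {person} holds both '{a}' and '{b}'")
```

Running the same check against the organization's real role assignments (exported from the ERP or identity system) turns the policy into a repeatable detective control as well as a preventive one.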
Authorization and Approvals
All financial transactions should be authorized and approved by a suitable person (or persons) to assure that transactions are appropriate and aligned with organizational goals. Here, “suitable” means that the approver has the authority to do so, as well as the skills and knowledge to make informed decisions on behalf of the organization.
For example, a department may implement an internal control activity requiring that a manager approve all purchase requisitions, with an additional approval from a director-level manager for purchase requisitions over a specific dollar amount.
Verification, Reconciliation, Reviews, and Documentation
Many organizations implement control activities focused on compliance, financial, or operational issues. It’s imperative to have specific people review and verify critical transactions and financial figures to confirm accuracy.
Physical Security
Physical security is another preventive control activity that organizations implement. It’s important to limit physical access to equipment, inventory, cash, checks, and all other assets considered business-critical for the organization.
In addition to physical control, financial assets should also periodically be counted and compared with amounts shown on control records and documents.
Detective Internal Control Activities
Unlike preventive control activities, detective controls aim to find errors and problems (and their root causes) after the errors have already occurred. Although these controls don’t prevent problems from occurring, detective controls are essential because they provide an after-the-fact opportunity to identify, understand, and correct irregularities.
Detective controls may be implemented to support organizational objectives such as fraud prevention, legal and regulatory compliance, and quality control. These controls also help to confirm that the organization’s preventive controls are operating as intended.
Key detective control activities include:
Reconciliation
Some organizations perform monthly reconciliations of departmental transactions. Reconciliation involves cross-checking transactions to confirm that the information reported is accurate and up-to-date.
For example, expense activities recorded in accounting reports should be reconciled with relevant supporting documents to verify that the records reflect the accurate transaction amount and are recorded in the correct account. If there are material differences, the relevant department can take appropriate corrective actions.
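The reconciliation just described, as an added example that is not part of the original article: recorded expenses are matched against their supporting documents, and only differences at or above an assumed materiality threshold are reported, along with wrong-account postings, missing documents, and documents that were never recorded. The record layout, threshold, and sample data are constructed assumptions.

```python
"""Reconcile recorded expenses against their supporting documents.

Added illustration, not code from the original article. The record layout,
the materiality threshold and the sample data are constructed assumptions.
"""
from decimal import Decimal

# Constructed sample: what the accounting system recorded, keyed by document id.
LEDGER = {
    "INV-1001": {"account": "6100-travel", "amount": Decimal("420.00")},
    "INV-1002": {"account": "6200-supplies", "amount": Decimal("89.50")},
    "INV-1003": {"account": "6200-supplies", "amount": Decimal("1250.00")},
    "INV-1005": {"account": "6300-software", "amount": Decimal("300.00")},
}

# Constructed sample: what the supporting invoices and receipts actually say.
DOCUMENTS = {
    "INV-1001": {"account": "6100-travel", "amount": Decimal("420.00")},
    "INV-1002": {"account": "6200-supplies", "amount": Decimal("89.50")},
    "INV-1003": {"account": "6300-software", "amount": Decimal("1250.00")},
    "INV-1004": {"account": "6100-travel", "amount": Decimal("75.00")},
    "INV-1005": {"account": "6300-software", "amount": Decimal("300.75")},
}

# Assumed threshold: differences below this are immaterial and not reported.
MATERIALITY = Decimal("1.00")


def reconcile(ledger, documents, materiality=MATERIALITY):
    """Return sorted (doc_id, finding) pairs; an empty list means the ledger
    agrees with its supporting documents within the materiality threshold."""
    findings = []
    for doc_id in sorted(set(ledger) | set(documents)):
        rec, doc = ledger.get(doc_id), documents.get(doc_id)
        if rec is None:
            findings.append((doc_id, "document without ledger entry"))
            continue
        if doc is None:
            findings.append((doc_id, "ledger entry without supporting document"))
            continue
        if rec["account"] != doc["account"]:
            findings.append((doc_id, f"wrong account: {rec['account']} vs {doc['account']}"))
        diff = abs(rec["amount"] - doc["amount"])
        if diff >= materiality:
            findings.append((doc_id, f"material amount difference of {diff}"))
    return findings


if __name__ == "__main__":
    for doc_id, finding in reconcile(LEDGER, DOCUMENTS):
        print(f"{doc_id}: {finding}")
```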
Performance Reviews
An enterprise may undertake organizational performance reviews to assess its performance based on specific parameters. For example, a review may compare the annual budget with actual expenses to find unexpected differences, and then analyze the source or cause of those differences.
Internal Audits
The enterprise may conduct an internal audit by:
- Performing a monthly reconciliation of bank accounts
- Reconciling petty cash accounts
- Reviewing and verifying refunds
- Auditing payroll disbursement
- Conducting a physical inventory
An internal audit evaluates accounting and corporate governance processes to:
- Identify problems and correct errors early
- Improve the reliability of financial reporting
- Improve or maintain operational efficiency
- Assure compliance with laws and regulations
An organization may hire an external auditing or accounting firm for some or all of the above audit control activities. In this case, the auditing firm will test the organization’s accounting processes, verify its internal controls, and provide an opinion about their effectiveness. The auditors may also offer suggestions to strengthen these controls.
How to Determine Which Control Activities Are Most Important for Your Business
Robust internal controls are the key to minimizing uncertainties and boosting an organization’s ability to achieve its stated goals. There are many different types of controls, and it can be challenging to determine which control activities are relevant.
Selecting the best control activities and implementing an effective system of internal controls begins with a business first identifying its goals and objectives related to:
- Operations
- Financial reporting
- Compliance
Next, management should establish a common “language” for risks and controls to:
- Improve risk identification, classification, and response
- Standardize controls under a common methodology
- Improve reporting, business performance, and decision-making
- Reduce dependence on external oversight and audits
Once the control language and methodology are established, adopt a consistent and disciplined reporting structure to assure that reliable, up-to-date information about risks and controls is available across the company.
Finally, leverage technology to manage internal controls, implement controls for self-assessment, and monitor corrective actions.
Not all organizations will implement the same internal control activities. But in general, management should select the controls that:
- Increase accountability
- Encourage sound management practices
- Assure that functions achieve their intended results
- Provide accurate and timely information and reporting
- Assure compliance with laws and regulations
- Support the requirements of external auditors
Internal Control Activities in COSO Internal Control – Integrated Framework
Since 1992, many publicly traded organizations in the United States have used the Internal Control – Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to develop and implement specific internal controls that are right-sized to them.
In May 2013, COSO published an updated version of the framework that incorporates changes that have taken place in the business and operating environment over the past few decades. The updated framework also makes it easier for companies to see gaps in their compliance with Section 404 of the Sarbanes-Oxley (SOX) Act.
The COSO 2013 framework consists of five integrated components of internal control:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
According to COSO, the framework enables organizations to strengthen internal control, which is “a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
The internal control activities can be adapted to an organization’s structure and considered at every level, including entity, division, operating unit, and function.
Include ZenGRC in Your Control Plans
Improve your internal controls and manage compliance to frameworks (such as the COSO internal control framework) with ZenGRC. Leverage this integrated platform to meet all of your risk management, cybersecurity, audit, governance, and compliance needs.
ZenGRC enables reliable risk, audit, and compliance management with easy access to information and continuous monitoring with dashboards and advanced reporting features.
Store policies and procedures, implement business continuity and disaster recovery plans, and safeguard your business from risk exposure with ZenGRC.