What Is an Internal Control Review Process?

Internal control review is a company’s process to evaluate the business practices it has designed and implemented to assure that the company achieves its objectives in a legal and appropriate manner.

For example, senior management and the board might review internal controls to assure that the company’s business practices happen according to regulatory requirements or corporate policies. The goal of an internal control review is to provide reasonable assurance that the company is abiding by applicable laws and regulations, operating with maximum efficiency, and following consistent financial reporting procedures. Internal control reviews help to assure transparency and consistency.

The modern system of internal control was first developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) after a series of corporate fraud scandals in the 1980s. COSO first published a framework for effective internal control in 1992, and then another, modern version of the framework in 2013.

The Five Components of Internal Control 

The COSO framework for internal control has five components:

  • Control environment
  • Risk assessment 
  • Control activities
  • Information and communication
  • Monitoring

When management and the board (or external auditors, for that matter) review internal control, they should consider each component of internal control and how well that component does or doesn’t support efficient business operations, regulatory compliance, and reliable financial reporting.

Evaluate the Control Environment

The control environment is the broad, overall culture that senior management and the board try to establish — the tone they set in communications to employees, the values they stress in a mission statement, the standards of ethics and competence they expect from employees, and so forth. When performing an internal control review, evaluate the control environment to see how well it supports the other, more specific internal control components. 

Review of Risk Assessment

Part of management’s role is to assess potential risks to the company’s achievement of objectives: both the likelihood that a negative event will occur, and the potential harm that event could cause the organization. Risk assessment has four basic steps: asset identification, risk analysis, risk likelihood and impact, and cost of solutions. An internal control review seeks to understand how well the company can perform those steps, and how effective its ability to assess risk truly is.

Oversee Control Activities

Control activities are specific actions the company takes to reduce risks to the achievement of objectives. They can be policies, such as anti-harassment policies to reduce the risk of employee lawsuits or low morale, and they can be procedures, such as security audits of technology providers to reduce the risk of privacy breaches. Many times, management will establish procedures to implement policies.

An internal control review might analyze policies and procedures to confirm that they’re appropriate for the risk in question, designed properly, and work well. 

Perfecting Information and Communication

Information and communication are necessary to help management make decisions and support internal control. For example, to assess the risks of data breaches through technology providers, management needs to know how many vendors it actually has, and the results of any security audits or due diligence reviews the IT security team performed on those vendors. Or if a breach does happen, that fact needs to be communicated to management so it can respond appropriately (say, by alerting customers that their private data may have been compromised).

Effectiveness of Monitoring

Monitoring is the review of internal controls to be sure all five components of the internal control framework (yes, including the monitoring component itself) are present and functioning as necessary.

This can take the form of ongoing monitoring activities, embedded directly into a business process: any time a new vendor receives payment without first completing a due diligence check, management gets an alert. Monitoring can also be periodic: an annual audit to see how many vendors still meet the company’s security risk standards. Internal control reviews should see whether monitoring exists for the company’s compliance, security, business, and financial reporting risks and whether those monitoring activities generate appropriate information for management. (See the information and communication component, above.)

Improving internal control keeps an organization in compliance with regulatory obligations, even as those rules, regulations, and laws change all the time. Using automation software to perform internal control reviews can significantly benefit an organization in what is indeed an onerous task, although one that’s well worth the effort regardless.