The perfect recipe for business stability and growth includes a combination of internal and external “ingredients” neatly folded together. As with any recipe, the outcome depends a lot on the quality and right measure of ingredients.
To avoid disasters in the kitchen, a chef employs correct techniques and uses appropriate equipment. To avoid disasters in business, organizations must implement an effective internal control system.
What is the Purpose of an Internal Control System?
The goal of an internal control system is to mitigate an organization’s risk from fraud and loss while furthering business objectives. Although control objectives vary by industry, an organization’s system of control affects activities, attitudes, and accuracy.
Internal controls impact these areas:
- The efficiency of operations
- The reliability of financial reporting
- The safety of assets (both physical and digital)
An internal control system also offers an organization reasonable assurance that it’s in compliance with industry policies, regulations, and applicable laws (state and federal).
What are the Components of an Internal Control System?
There’s no denying that implementing an effective internal control system is a daunting task. Fortunately, there are specific ingredients recommended in a recipe for success. These ingredients, or standards, are laid out in the Internal Control-Integrated Framework.
The framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), defines five necessary components for designing a sound internal control structure:
- Internal control environment
- Risk assessment
- Internal control activities
- Information and communication
Let’s review the menu of control objectives.
Internal control environment
Success in the kitchen starts with setting the oven to the right temperature. In an organization, management is responsible for setting the tone for acceptance and reinforcement of internal controls. This is the internal control environment.
To set the right temperature, management can:
- Emulate and enforce ethical values among all staff
- Inspire confidence in controls through appropriate training, easy access to necessary tools and equipment, and well-defined expectations for each employee
- Provide up-to-date human resources policy and procedure manuals
- Maintain employee and company-wide morale
Risk assessment involves determining potential risks from fraud or loss and assigning specific acceptable risk levels. Furthermore, management identifies and evaluates risks that may hinder the achievement of objectives or prevent an organization from accomplishing its mission. Risk assessment also involves creating guidelines on how to manage risks.
Effective internal control systems may help an organization reduce their vulnerability, but internal controls don’t guarantee a zero probability of risk.
An optimal risk management strategy incorporates three types of internal controls:
- Detective controls
- Preventive controls
- Corrective controls
For an in-depth discussion read: “What are the 3 Types of Internal Controls?”
Internal control activities
Control activities are the meat and potatoes of an effective internal control system.
Control activities represent both the physical and automated policies and procedures an organization uses for risk mitigation and goal accomplishment. These include anything from locking up equipment after hours and requiring dual signatures for checks over $5,000 (physical) to password-protecting accounting records and instituting firewalls and cybersecurity to protect databases and information systems (automated).
The 17 principles of the COSO framework were drafted to better align an organization’s internal control system. Regardless of company size, the implementation of five of the principles—considered key control activities—is a good indicator of adequate internal controls. These five “points of focus” include:
- Segregation of duties
- Authorization and approval of transactions
- Reconciliation and review of financial statements
- Standardized accurate, reliable, and complete documentation
- Securing, protecting, and accounting for an organization’s resources and assets (employees, equipment, inventory, cash, and customer information, to name a few)
Information and communication
Distribution of reliable information in an efficient and timely manner is key internal control. This includes both external and internal communications.
External communications: Any information important to vendors, customers, external auditors, or stakeholders.
Internal communications: Any information affecting internal operations. This can include but is not limited to:
- Employee duties and responsibilities
- Changes in policy
- Financial information
- New marketing strategies
- Modifications of industry regulations
- Yearly reviews and employee evaluations
An essential ingredient for these internal controls includes the promise of confidentiality. Employees should feel comfortable expressing concerns, discussing potential problems, and notifying management of suspected indiscretions.
Why does a chef taste the food throughout preparation?
To make sure the ingredients produce a palate-pleasing dish.
It’s the same with designing and maintaining an effective internal control system. An organization must check the execution of its internal controls, evaluate what is and what isn’t working, and adjust, as necessary.
An effective monitoring system is twofold.
First, an organization has monitoring activities built into the internal control system. For example, monthly reconciliations included as part of the overall accounting system is an ongoing, therefore built-in, monitoring activity.
Secondly, periodic reviews of specific internal control activities are performed, typically in the form of an internal audit.
Not only does monitoring help fine-tune an internal control system, but it also helps your organization identify internal control weaknesses. Internal control weaknesses are often the precursor to data breaches, internal fraud, loss of revenues, or damage to an organization’s reputation.
Who is Responsible for Internal Controls?
Depending on the type of business, internal auditors (often certified public accountants) or an audit committee may be responsible for evaluating the internal control system and making recommendations for revisions and additions.
In fact, as far as responsibility for internal controls goes, there can never be too many cooks in the kitchen. From a business entity’s board of directors and senior leadership to the part-time employee, every person within an organization is ultimately responsible for following, enforcing, and encouraging internal controls.