Internal Controls Definition
Broadly defined, internal controls are those functions within accounting and auditing that involve all of the rules, procedures and systems implemented by a company to assure operational effectiveness, reliability of financial information, compliance with laws, regulations and policies, and the protection of resources, including both physical assets and intellectual property.
There are a number of definitions of internal controls but they fall into these categories:
Application of Internal Controls
Authorization & Approvals
Do people making decisions have the proper authorization to do so? For instance, purchases exceeding a set amount, say $5,000, may require review and authorization by a Controller, CFO or Treasurer. The company may instruct its purchasers or banks not to honor any such purchase if the check does not bear their signature.
A control for a business may be that checks exceeding a set amount must be co-signed by authorized officials.
Bank reconciliations compare bank statements to general ledger entries. The purpose is to reconcile and correct any errors, unforeseen fees or fraudulent entries.
Employee expenditure, travel, entertainment and credit card policies are a form of control. For example, all travel may need to be pre-approved by a supervisor.
Why are internal controls important?
Internal controls have become a key component of good corporate governance.
Protect Investors from Fraud
The emphasis on internal controls grew out of the need to protect investors from fraudulent accounting activities. The Sarbanes-Oxley Act of 2002 was created in part to make managers responsible for financial reporting by requiring a step-by-step record of how accounting data can be traced. This is commonly referred to as an “audit trail.” The audit trail is useful to affirm, or possibly call into question, the veracity of an accounting entry, the validity of revenue and expenses booked, and the sources of funds or cash.
The threat that Boards and executives who don’t comply will face criminal penalties is a motivating factor for strong internal controls.
Passing the Auditors’ Tests
All companies, both private and public, conduct audits. An audit is an unbiased examination of the organization’s financial statements and the underlying accounting. The audit is typically overseen by an Audit Committee. A “clean” or unqualified audit is one that is free from material misstatements or non-compliance. Auditors test internal controls covering risk, control activities, information and monitoring, checking processes and procedures for integrity and supporting documentation.
Access to real-time processes and performance measurements means errors, gaps, mistakes and problems can be remediated quickly. Entities will also be able to make smarter decisions promptly and safeguard against legal exposure.
Types of Internal Controls
Financial Reporting & Disclosure
This involves the scope, design, adequacy and effectiveness of internal control over financial reporting and the company’s disclosure controls and procedures.
Items evaluated include the accuracy, timeliness and thoroughness of the company’s financial information, including accounting records and transactions.
Some applications would include monthly close procedures, co-signing checks and bank reconciliations.
Other examples might include how the company ensures its payments to third parties for services rendered are valid.
Reports may be created to test the design of controls and the operating effectiveness of controls.
Items reviewed under the risk umbrella can include information security, competition, and regulation.
Tests may be conducted related to a Company’s investments, cash management and foreign exchange management, and the adequacy of the Company’s information security policies. For example, what are the steps taken by management to monitor and mitigate these exposures and to identify future risks?
Trust Services Principles
For certain services that deal with confidential information or services agreements in health care or software, for example, there are the so-called “trust services principles.”
These include security, confidentiality, availability, process integrity and privacy. Here’s a quick summation of each.
SECURITY – Addresses whether the platform or system is protected, both physically and logically, against unauthorized access.
CONFIDENTIALITY – This has much to do with information: in particular, how you use customer information, who has access to it, and how you protect it. Also, is the company following its contractual obligations to protect client information?
AVAILABILITY – Are systems up and running as agreed? Also, are you providing colocation, data center, or hosting services to clients?
PROCESS INTEGRITY – Particularly for financial services or e-commerce, are your services provided in a complete, accurate and timely manner? Are you ensuring, for example, that transactions are fulfilled? How?
PRIVACY – Different from confidentiality, this deals more with how you collect customer information, especially personal information, and whether that is in line with what you committed and agreed to.