internal control

Internal Control

Internal control consists of the actions taken by people at every level of an organization to achieve its objectives relating to

  • Operations: Operational objectives focus on completing work efficiently and effectively and protecting assets by reducing the risk of fraud

  • Reporting: Reporting objectives include producing reliable and timely accounting information for use by people internal and external to the organization.

  • Compliance: Compliance objectives focus on adhering to laws and regulations

Components

Most organizations use control components as framework when analyzing their internal control systems

  • Control environment: refers to the attitude people in the organization hold regarding internal control. It is influenced by the policies a company’s board of directors and senior managers set, their demonstrated commitment to integrity and ethical values, the character of the people they hire, and how they evaluate others. A strong control environment helps employees understand the value of internal controls to their organization’s success.

  • Risk assessment: Managers should continuously assess the potential for fraud and other risks that could prevent the company from achieving its objectives

  • Control activities: Control activities include various work responsibilities and duties completed by employees to reduce risks to an acceptable level. 

  • Information and communication: An effective internal control system generates and communicates information about activities affecting the organization to support sound decision making.

  • Monitoring activities: the internal control system is evaluated often to determine whether it is working as intended. Deficiencies should be communicated to those responsible for taking corrective action, including senior management and/or board of directors. 

Control objectives and components apply to all levels of an organization. 

Principles of Control Activities

  • Establish responsibility: Assign each task to only one employee. Doing so will allow you to determine who caused any errors or thefts that occur. 

  • Segregate duties: Segregation of duties involves assigning responsibilities so that one employee can’t make a mistake or commit a dishonest act without someone else discovering it. It is most effective when a company assigns responsibilities for related activities to two or more people and assigns responsibilities for record keeping to people who do not have access to the assets for which they are accounting. 

  • Restrict Access: Companies restrict access to check-signing equipment, require a passcode to open cash registers, and protect computer systems with firewalls. If employees do not need assets or information to fulfill their assigned responsibilities, they are denied access.

  • Document procedures: By documenting each business activity, a company creates a record of whether goods were shipped, customers were billed, cash was received, and so on. WIthout these documents, a company wouldn’t know what transactions have been or need to be entered into the accounting system. Most companies assign sequential numbers to their documents and check they are used in numerical sequence. This check occurs frequently, sometimes daily, to ensure every transaction is recorded and each document number corresponds to one and only one accounting entry. 

  • Independently verify: A business can perform independent verification in various ways. An auditor can ensure the work done by others within the company is appropriate and supported by documentation, independent verification can be made part of a person’s job, and the company’s accounting information can be compared to information kept by an independent third party. 

Control Limitations

Internal controls can never completely prevent and detect errors and fraud for: 

  • An organization will implement internal controls only to the extent their benefits exceed their costs 

  • Internal controls can fail as a result of human error or fraud.

Criminally minded employees also have been known to override (disarm) or collude (work together) to get around them. 


Other examples of internal controls:

  • Mandatory vacation: for employees who handle cash because it is difficult for them to cover prior thefts while they are away from business

  • Anonymous hotline: allows anyone to tip off independent auditors about suspected fraud

  • Bonding employees: obtaining insurance policy that partially reimburses the organization for losses caused by employee fraud