Internal Control

Internal Control Basics

Objectives of Internal Control

An internal control system comprises policies and procedures to protect assets, promote efficient operations, and ensure reliable accounting and record keeping. It is based on controls for operations, reporting, and compliance.

An internal control system is designed to achieve the following objectives: (1) safeguarding assets and promoting operational efficiency, (2) checking the accuracy and reliability of accounting data, and (3) complying with regulations and legislation. A well-designed internal control system is based on certain key principles. A good manager places a high priority on internal control and internal control systems. Internal control systems, when they are working, can prevent theft and losses, help plan operations, and facilitate the financial reporting of operations and monitoring. This aligns with the three categories of umbrella objectives provided in the Committee of Sponsoring Organizations (COSO) framework; namely, operations, reporting, and compliance objectives.

Operations—The operations objective of internal control refers to the effectiveness and efficiency of the organization's operations, including operations and financial performance goals as well as safeguarding assets against loss. Effective operations enable employees and management to perform their assigned responsibilities to increase efficiencies.

Reporting—The reporting objective of internal control relates to internal and external financial and nonfinancial reporting and record keeping. It may incorporate reliability, timeliness, transparency, and additional terms as set forth by regulators, recognized standard setters, or the entity's policies. This facilitates the production of accurate financial statements and reliable financial and nonfinancial information.

Compliance—The compliance objective of internal control relates to the business activity of adherence to laws set by governing bodies and regulations set by regulatory bodies to which the entity is subject. Businesses implement policies to comply with rules and regulations.

Internal Control Objectives

Categories of internal control objectives (operations, reporting, and compliance) allow organizations to focus on differing aspects of internal control and to design internal control.

Integrated Control Elements

An integrated framework for internal controls and risk assessment consists of five control elements: (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring.

Internal control consists of five integrated processes per the Committee of Sponsoring Organizations (COSO) framework, including the control environment, risk assessment, control activities, information and communication, and monitoring activities.

A control element is an integrated control for risk assessment, including (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring.

The control environment is composed of standards, processes, and structures that provide the basis for carrying out internal control across the organization. A company's control environment is very much driven by its management philosophy and operating style. If the tone or atmosphere set by management is one that condones and encourages ethical behavior, employees will be more likely to follow suit. Conversely, if managers receive kickbacks or management uses a shell company to launder money, pay bribes, or evade taxes, this behavior displays a lack of integrity and care for ethical values. This behavior will likely encourage unethical behavior in employees and provide the temptation to commit fraud. Setting a good example is a key ingredient in creating a strong control environment. Other good indicators of a strong control environment include a well-designed organizational structure, as well as the maintenance and adherence to policies and procedures.

A risk assessment is a process involving identification and assessment of internal and external risks regarding the objectives of a business so that risk control measures can be specified to manage the assessed risks. Specifically, when assessing financial statement risk, both the importance of the item (such as cash) and the risks associated with the process to generate the financial statement number (personnel, processes) are evaluated.

Risks that would adversely impact achieving corporate objectives are appropriately managed through the risk assessment process and implementation of appropriate controls to manage these risks. PepsiCo is a good example of a company that believes in a strong control environment. For instance, the PepsiCo board of directors is made up of one executive director and 12 independent directors. Their four board committees—audit, compensation, nominating and corporate governance, and public policy and sustainability—are made up of independent directors.

Once a risk assessment is completed, control activities are put into place to help reduce the risks identified in the risk assessment. As it pertains to accounting recording risk, control activities are called internal controls. For example, an accounting manager has access in the financial system to create new vendors, approve purchase orders, and authorize payments. A risk assessment should detect that the accounting manager has the potential to create a new vendor in the system, naming their spouse as the vendor, approving a purchase order for "consulting work" for that vendor (their spouse), and then approving and paying the spouse, all without anyone else in the company knowing it is happening. This is a significant risk. It can be mitigated with a control activity (internal control) called segregation of duties. This means that the accounting manager would no longer have the authority to complete all the tasks described. Someone else would have to approve new vendors or approve payments, thus stopping the accounting manager from being able to set up and pay friends and family with company funds.
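The segregation-of-duties control described above can be checked mechanically against a financial system's role assignments. The following is an added example, not part of the original text; the permission names, roles, users, and vendor IDs are hypothetical, constructed sample data. It goes one step beyond the paragraph by also scanning an activity log for a single user who performed the whole vendor-to-payment chain.

```python
# Hypothetical permission names for the three duties in the text's scenario.
CREATE_VENDOR, APPROVE_PO, AUTHORIZE_PAYMENT = "vendor.create", "po.approve", "payment.authorize"
# A rule is a set of duties that no single person may hold in full.
SOD_RULES = {"vendor-to-payment": {CREATE_VENDOR, APPROVE_PO, AUTHORIZE_PAYMENT}}

# Constructed sample data: what each role grants and which roles each user has.
ROLE_PERMS = {
    "accounting_manager": {CREATE_VENDOR, APPROVE_PO, AUTHORIZE_PAYMENT},
    "vendor_admin": {CREATE_VENDOR},
    "purchasing_lead": {APPROVE_PO},
    "treasury": {AUTHORIZE_PAYMENT},
}
USER_ROLES = {
    "amy": ["accounting_manager"],                           # the scenario in the text
    "bob": ["vendor_admin", "purchasing_lead"],              # two of three duties: allowed
    "cho": ["vendor_admin", "purchasing_lead", "treasury"],  # full chain via stacked roles
}
# Constructed activity log: (vendor, user, action).
EVENTS = [
    ("V-100", "amy", CREATE_VENDOR), ("V-100", "amy", APPROVE_PO),
    ("V-100", "amy", AUTHORIZE_PAYMENT),
    ("V-200", "bob", CREATE_VENDOR), ("V-200", "bob", APPROVE_PO),
    ("V-200", "cho", AUTHORIZE_PAYMENT),
]

def sod_violations(user_roles, role_perms, rules=SOD_RULES):
    """Preventive check: users whose combined roles cover every duty in a rule."""
    found = {}
    for user, roles in user_roles.items():
        perms = set().union(*(role_perms.get(r, set()) for r in roles))
        hits = sorted(name for name, duties in rules.items() if duties <= perms)
        if hits:
            found[user] = hits
    return found

def same_actor_chains(events, rule=SOD_RULES["vendor-to-payment"]):
    """Detective check: (vendor, user) pairs where one user performed the whole chain."""
    done = {}
    for vendor, user, action in events:
        done.setdefault((vendor, user), set()).add(action)
    return sorted(key for key, actions in done.items() if rule <= actions)

if __name__ == "__main__":
    print(sod_violations(USER_ROLES, ROLE_PERMS))
    print(same_actor_chains(EVENTS))
```

Note that "cho" is flagged even though no single role grants all three duties; the conflict only appears when the permissions of the stacked roles are combined.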

Information and communication are also important elements of an organization's internal control environment. Adequate information is necessary in order to make informed business decisions regarding operational performance and in designing and implementing internal controls. Communication is also crucial. A system should be in place to ensure good flow of information up, down, and across levels within the organization.

Finally, monitoring activities are necessary to ensure that once internal controls are put into place, they are functioning properly. An organization could design a highly effective set of internal controls. However, if the controls are not implemented and maintained properly, they will not be effective. Thus, monitoring is required in order to ensure internal controls continue to be maintained and are functioning properly.