What Are Internal Controls & Their Purpose?

Internal controls form an integral part of any business. A type of feedback, internal controls look at the quality and functionality of different aspects of a business. Several models of internal controls exist as part of standard business practices. The monitoring of internal controls is also required by law.

  1. What Are Internal Controls?

    • Simply put, "internal controls" can be defined as actions and procedures by which a company monitors itself. By self-monitoring, a company can increase the likelihood that certain goals will be met, as well as ensure efficiency in operations and legal compliance.

      There are several models of internal control that have rapidly become standard business practice.

    The COSO Model

    • The most popular internal control model today, the COSO model is based upon a model published by the Committee of Sponsoring Organizations of the Treadway Commission in 1992. According to a business article on eNotes.com, that report defined internal controls as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the ... effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations."

      The COSO model outlines five components of an internal control system: the control environment, risk assessment, control activities, information and communication, and monitoring.

      The COSO model is often depicted as a pyramid, with "the control environment" forming the base. "The control environment" is related to the environment formed by all levels of employees of the company, particularly regarding competence, integrity, operating style, etc. The remaining four components are rather interrelated.

      "Risk assessment" refers to the methods by which risks are identified and monitored and whether risks have been accurately identified. Related to "risk assessment," "control activities" are the actual policies and procedures in place to mitigate risk.

      "Information and communication" can be defined as how the information regarding data integrity is actually captured, the timeliness of that capture, etc. "Monitoring" is similar but distinct: it refers more to the quality of the internal controls and the methods that contribute to that quality.

    The CoCo Model

    • While the COSO model is quite popular, there are many who believe that it is too difficult. The Criteria of Control (CoCo) model was published in 1995 by the Canadian Institute of Chartered Accountants with this in mind. The CoCo model defines internal control as "actions that foster the best result for an organization ...[and] those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization's objectives" (eNotes.com).

      The CoCo model identifies three objectives: effectiveness and efficiency of operations, reliability of internal and external reporting, and compliance with applicable laws and regulations and internal policies.

      The CoCo Model goes on to define four elements of internal control: purpose, capability, commitment and monitoring.

    Other Models of Internal Control

    • Although there are certainly several models of internal control in use today, including models that are not defined, there are two primary models of internal control that rank in popularity just behind the COSO and CoCo models.

      One is called the SAC, which stands for Systems Auditability and Control. It was created by the Institute of Internal Auditors Research Foundation in 1991; a revision of the SAC was issued in 1994. The primary intent of the SAC is "to provide guidance to internal auditors on internal controls related to information systems and information technology (IT)" (eNotes.com).

      The other model of note is the Control Objectives for Information and Related Technology, or COBIT.

      COBIT was created in 1996 by the Information Systems Audit and Control Foundation. It "focuses primarily on efficiently and effectively monitoring information systems ... [and] emphasizes the role and impact of IT control as it relates to business processes" (eNotes.com).

    Why Use Internal Controls?

    • Regardless of the model chosen, all models of internal control possess similar concepts and intents. Each of the models reviewed here focuses on the actual policies and procedures, the quality of the data collected, the timeliness of response and the role played by the people involved in the company's internal controls.

      An internal control system can by no means guarantee that a company will succeed in meeting the goals it has outlined, nor can it guarantee the sanctity of the information collected. By monitoring itself internally, however, the company can forestall and even mitigate potential problems, be they legal or otherwise.

      According to Tommie Singleton in "The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of Internal Controls," internal controls are believed to be of such importance that the Sarbanes-Oxley Act of 2002 includes a special section (404) in that regard, which "requires management to evaluate internal controls every year and requires financial auditors to opine on the evaluation."
