Internal control is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), an organization made up of The American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Internal Auditors and the Association for Accountants and Financial Professionals in Business. COSO defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the following objectives: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.” This is the official definition used by the United States government and is applied broadly to all companies when evaluating business practices.
An effective system of internal controls ensures safe and sound operations; the integrity of financial records and managerial reports; compliance with laws, regulations and supervisory requirements; a decreased risk of unexpected losses and damage to the company’s reputation; adherence to internal policies and procedures; and efficient operations and long-term profitability. Evidence that a company’s management organization is lacking in these attributes can be found in various management policies and procedures.
A sign that there is a lack of internal control is the absence of specific reporting procedures that track actual performance against budgets, forecasts and prior period performance. These should include independent verification of performance evaluations and reconciliation of balances.
Physical control over assets is an important aspect of internal control. A lack of physical control is evidenced by financial and other sensitive records residing in unsecured areas, by computer applications and databases left open to unrestricted or unauthorized access, and by property that is not secured in locked facilities.
Segregation of Duties
An effective system of internal control must include a separation of duties among employees. An employee who is responsible for approving transactions must not also be the one responsible for recording the transaction and maintaining custody of the assets. Also, when employees do not adhere to vacation schedules and periodic rotation of duties, especially employees in sensitive positions, it could be a sign that there is an increased opportunity to perpetuate and conceal errors, irregularities or wrongdoing.
Internal control systems must be monitored on an ongoing basis to ensure that the systems are relevant and effective in addressing new risks. When internal controls are not evaluated periodically through an independent audit or by a separate risk management group, this is a sign that internal controls are inadequate. Not only must the evaluations be performed independently from the operating groups, but the findings of these periodic evaluations must be reported to the appropriate people, with all serious matters brought to the attention of top management.
Internal control systems are most effective when they are integrated into the infrastructure of business management procedures. Controls that are implemented as an adjunct process are not sufficient to avoid potential noncompliance with regulations, provide adequate risk protection and ensure the soundness of business practices.