Internal control is defined as a process, implemented by an organization’s management, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. Internal controls play a pivotal role in the operations of private companies, serving as the basis of financial integrity, operational efficiency, and regulatory compliance.
First and foremost, private companies must conduct a comprehensive risk assessment to identify potential threats to financial reporting, operational efficiency, and compliance. This is commonly referred to as an accounting department diagnostic and can be performed internally, but more often is conducted by a third party such as a CPA firm.
The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, has identified the five pillars and components of internal control which provide guidance on how organizations can implement controls to prevent, detect, and manage fraud risk related to external financial reporting. These five pillars are:
- Control Environment. The control environment represents the set of standards, processes, and procedures that provide a basis for carrying out internal control across the organization. Company owners and management establish the tone at the top regarding the importance of internal control and the expectations of employee conduct.
- Risk Assessment. Every company faces a variety of risks from both external and internal sources. This component is used to identify and analyze risks that may prevent an organization from achieving its objectives.
- Control Activities. Control activities are the actions established through processes, activities, actions, and communications performed to mitigate risks and maintain strong internal controls.
- Information and Communication. Information is necessary for the organization to carry out its internal control objectives. Communication enables the organization’s personnel to understand internal control responsibilities and their importance to achieve management’s objectives.
- Monitoring Activities. Ongoing evaluations are used as a basis to determine whether each of the five components of internal control are present and functioning. Risks can evolve as updates and improvements are made to the organization’s systems, processes, and procedures. Monitoring ensures that these updates don’t expose the organization to new risks.
There are two basic categories of internal controls: preventive and detective. Effective internal controls at a company will have both types of controls, as each serve a different purpose.
Preventive Controls
Preventive controls are designed to decrease the chance of errors and fraud before they occur. These controls are important because they are proactive and focused on quality.
Some examples of preventive controls include:
- Segregation of duties, which ensures that the various steps in a process are dispersed over multiple individuals or departments. The intent is to eliminate theft or other fraudulent activities that occur when an individual has an excessive amount of control over a process (i.e., a person who receives goods from suppliers in the warehouse cannot sign checks to pay the suppliers for those goods).
- Pre-approval of actions and transactions by management.
- Access controls (i.e., passwords to systems).
- Physical controls over assets (i.e., a safe for checks, locks on doors, etc.).
Detective Controls
Detective controls are designed to find errors or problems after the transaction has occurred. These controls are important because they provide evidence that preventive controls are operating as intended and offer an after-the-fact chance to detect issues.
Some examples of detective controls include:
- Monthly reconciliations
- Budget-to-actual comparisons
Remember, the effectiveness of internal controls depends on consistent monitoring, adaptation to changes, and a commitment to ethical behavior throughout the organization. Private companies need to assess and refine their internal control framework to address emerging risks and challenges as they arise.