Jump to content

Internal control

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 124.29.203.33 (talk) at 07:46, 1 July 2007 (→‎References). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In accounting and organizational theory, Internal control is defined as a process, effected by an organization's people and information technology (IT) systems, designed to help the organization accomplish specific goals or objectives.[1] It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks). At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes-Oxley Act of 2002, which required improvements in internal control in United States public corporations.

Definitions

There are a variety of definitions of internal control, as it affects the various constituencies (stakeholders) of an organization in various ways and at different levels of aggregation.

Under the COSO Internal Control-Integrated Framework, a widely-used framework in the United States, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations; b) Reliability of financial reporting; and c) Compliance with laws and regulations.

COSO defines internal control as having five components:

  1. Control Environment-sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
  2. Risk Assessment-the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed
  3. Information and Communication-systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities
  4. Control Activities-the policies and procedures that help ensure management directives are carried out.
  5. Monitoring-processes used to assess the quality of internal control performance over time.

The COSO definition relates to the aggregate control system of the organization, which is comprised of many individual control procedures.

Discrete control procedures, or controls are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A control’s impact...may be entity-wide or specific to an account balance, class of transactions or application. Controls have unique characteristics – for example, they can be: automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives)."[2]

Context

Under the COSO Framework, objective setting is considered a precondition to internal control. By setting objectives, management can then identify risks to the achievement of those objectives. To address these risks, management of organizations may implement specific internal controls. The effectiveness of internal control can then be measured by how well the objectives are achieved and how effectively the risks are addressed.

More generally, setting objectives, budgets, plans and other expectations establish criteria for control. Control itself exists to keep performance or a state of affairs within what is expected, allowed or accepted. Control built within a process is internal in nature. It takes place with a combination of interrelated components - such as social environment effecting behavior of employees, information necessary in control, and policies and procedures. Internal control structure is a plan determining how internal control consists of these elements [3].


The concepts of corporate governance also heavily rely on the necessity of internal controls. Internal controls help ensure that processes operate as designed and that risk responses (risk treatments) in risk management are carried out.

Roles and responsibilities in internal control

According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:

Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.

Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.

Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. There are laws and regulations on internal control related to financial reporting in a number of jurisdictions. In the U.S. these regulations are specifically established by Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance on auditing these controls is specified in PCAOB Auditing Standard No. 5 and SEC guidance, further discussed in SOX 404 top-down risk assessment. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine both on the internal controls of the company and the reliability of its financial reporting.

Internal control activities

Common internal control activities include, but are not limited to, the following:

  • Segregation of duties
  • Prompt and proper recording of transactions and events
  • Authorization of transactions and events
  • Documentation and record retention
  • Monitoring operations (supervision)
  • Access to and accountability for resources and records

In addition there needs to be in place circumstances ensuring that the aforementioned procedures will be performed as intended: right attitudes, integrity and competence, and monitoring by managers.

Limitations

Internal control can provide reasonable, not absolute, assurance that the objectives of an organisation will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures.

Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.

Internal control involves human action, which introduces the possibility of errors in processing or judgment. Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by top management.

Fraud and internal control

Internal control plays an important role in the prevention and detection of fraud.[4] Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level.[5] The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in fraud risk assessment.[6]

References

  1. ^ COSO Definition of Internal Control
  2. ^ SEC Interpretive Guidance
  3. ^ Matti Mattila: The ECAR Model
  4. ^ Rezaee, Zabihollah. Financial Statement Fraud: Prevention and Detection. New York: Wiley; 2002.
  5. ^ AICPA Management Antifraud Programs and Controls
  6. ^ AICPA Management Override
  • International Organization of Supreme Audit Institutions (INTOSAI): Guidelines for internal control standards (1992)
  • Committee of Sponsoring Organizations of the Treadway Commission: Internal control - integrated framework (1994)
  • A A Baig & Co., Chartered Accountants (Pakistan)
Retrieved from "https://en.wikipedia.org/w/index.php?title=Internal_control&oldid=141760710"