Introduction to Internal Controls

Internal controls, internal control frameworks, COSO, segregation of duties, controls over financial reporting, control environment, control activities, information and communication, monitoring, information technology controls, application controls, financial fraud.

1. Internal control systems defined

Effective internal control systems are designed to provide the owners and managers of a company with some assurance that business goals are met. These goals can be split up into three categories, which can be defined by the group of individuals and entities who will be most interested in the particular goals.

  • Controls over the financial reporting process – These internal controls are targeted towards the manual and technological processes that bring transactions from initiation all the way to the financial reports. They are designed to prevent or detect errors that could lead to the release of false financial information to concerned parties. Corporate investors are most interested in these controls; in addition, external auditors tend to focus on this category when performing their audits.
  • Controls over business operations – These controls are designed to assure the corporate management team that the business is operating efficiently. They tend to involve day-to-day business functions, which means that upper management is most interested in this category of controls.
  • Controls over regulatory requirements – A business has to comply with laws and regulations that often carry tough penalties if broken, so management establishes controls to make sure the company doesn’t run afoul of government agencies and industry watchdogs. Managers, investors, and regulatory agencies are all interested in this category of controls.

2. Importance of internal controls

In 2002, the U.S. Congress responded to high-profile accounting scandals at Enron and WorldCom by enacting the Sarbanes-Oxley Act (SOX). SOX dealt with many aspects of the financial reporting process, but tucked neatly into the law was Section 404, which requires a public corporation’s upper management to tell financial statement users whether they believe the system of internal control currently in place is designed properly and is operating effectively. By including this section in the law, a group of politicians recognized the great importance of good internal control.

A business is made up of many different processes. For example, a clothing retailer has to buy inventory, sell inventory, and manage its personnel and real estate. A bank has to process loan applications, deposits, investments, etc., and handle a lot of cash. Without internal controls, upper managers (who can’t be involved with every tiny aspect of the business at all times) would have no way of knowing whether employees are following company policies or whether the business is struggling to maintain a decent bank balance. If a properly designed system of internal control is in place, managers can rest a little easier knowing that the business is operating the way it’s supposed to.

You should be aware that a system of internal control can never guarantee that mistakes or fraud will be avoided. Many controls can break down simply because someone makes an honest mistake. For example, if a loan officer is supposed to verify an applicant’s address, he may simply forget to do so before approving the loan. Certain controls, especially those that segregate incompatible duties, can be circumvented when two or more employees work together to defraud the company. Finally, most managers have the ability to override controls as a necessary part of their duties. Carrying on the example from above, the loan officer’s manager might push through a loan without proper proof of income because of mitigating circumstances. Although the manager has good intentions, the business will lose money if the loan ends up being written off.

