Internal control, as defined by accounting and auditing, is a process for assuring of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
It is a means by which an organization’s resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization’s resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).
At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal controls refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization’s payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls. The main controls in place are sometimes referred to as “key financial controls” (KFCs).
Under the COSO Internal Control-Integrated Framework, a widely used framework in not only the United States but around the world, internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
COSO defines internal control as having five components:
- Control Environment-sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
- Risk Assessment-the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed
- Information and Communication-systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities
- Control Activities-the policies and procedures that help ensure management directives are carried out.
- Monitoring-processes used to assess the quality of internal control performance over time.
Types and examples of these controls could be:
- Automated preventive control: Having firewalls, system backup features, etc.
- Manual preventative control: Hiring security guards, identification verification procedures, etc.
- Manual detective control: Carrying out audits, inspections, etc.
- Manual corrective control: Disciplinary actions, refined policies, etc.
- Automated detective control: Reconciling information from one system to another, etc.
- Automated corrective control: Installing software patches, maintaining password secrecy, etc.
Components of Internal Control
Multiple components comprise the framework. The first thing to ensure that the companies’ controls work perfectly is an appropriate control environment. This is what sets the conscious levels, making everyone from top management to staff members follow and keep a check on the policies, procedures, principles, and technology deployed. In addition, it sets the values, commitment, policies, responsibilities, operating style, participation, structure, and overall tone of the company.
- Control over Sale and Purchase: With proper and efficient control system for transactions regarding purchase and sale of material, handling of material and accounting for the same is must.
- Cash: Here, internal control is applied over payments and receipts of an organization. This is to safeguard from misappropriation of cash.
- Financial Control: It deals with the efficient system of accounting, recording and supervision.
- Capital Expenditure: Internal control system ensures the proper sanction of capital expenditure and also the use of it for the purpose intended.
- Employee’s Remuneration: Internal control system is applied to preparation and maintenance of records of employees and the payment methods also. It is also necessary to safeguard against misappropriation of cash.
- Inventory Control: It covers the proper handling of inventory, minimization of slow-moving items or dead stock, proper valuation of stock, recording of it, etc.
- Control over Investments: Internal control system is applied to the proper recording of transactions be it purchases, additions, sale or redemption, income on investments, profit or loss on investment.
- There are chances of misuse by a person of authority who is operating on internal control system.
- Management decision to choose to cost effective control system may reduce the effectiveness of internal control system.
- Objectives of internal control systems may be defeated by manipulation of management.
- Since internal control system is involved in routine transactions, irregular transactions may be overlooked.
- Changes in conditions may affect the effectiveness of internal control system.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
The scope of internal auditing within an organization may be broad and may involve topics such as an organization’s governance, risk management and management controls over: efficiency/effectiveness of operations (including safeguarding of assets), the reliability of financial and management reporting, and compliance with laws and regulations. Internal auditing may also involve conducting proactive fraud audits to identify potentially fraudulent acts; participating in fraud investigations under the direction of fraud investigation professionals and conducting post investigation fraud audits to identify control breakdowns and establish financial loss.
Internal auditors are not responsible for the execution of company activities; they advise management and the board of directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.
The Institute of Internal Auditors (IIA) is the recognized international standard setting body for the internal audit profession and awards the Certified Internal Auditor designation internationally through rigorous written examination. Other designations are available in certain countries. In the United States the professional standards of the Institute of Internal Auditors have been codified in several states’ statutes pertaining to the practice of internal auditing in government (New York State, Texas, and Florida being three examples). There are also a number of other international standard setting bodies.
Role in internal control
Internal auditing activity is primarily directed at evaluating internal control. Under the COSO Internal Control Framework, internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following core objectives for which all businesses strive:
- Effectiveness and efficiency of operations.
- Reliability of financial and management reporting.
- Compliance with laws and regulations.
- Safeguarding of Assets
- To give suggestions about improvement of internal control system in organization.
- To comment about effectiveness of internal control system in force.
- To check and ensure whether policies and procedure as laid down by the top management are being followed or not.
- Whether assets of organization are properly accounted for and safeguarded.
- To ensure whether standard accounting practices are followed by the organization.
- Earlier detection and prevention of errors and frauds.
- To ensure correctness, accuracy and authenticity of financial accounting.
- To do investigation at the special request of the management.
- To check whether liabilities of organization are valid and legitimate.
As per Section 138 of the Companies Act, 2013:
- The Central Government may, by rules, prescribe the manner and intervals in which the internal audit shall be conducted and reported to the Board.
- Such class or classes of company as may be prescribed shall be required to appoint an internal Auditor, who shall either be a Chartered Accountant or Cost Accountant or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company.
Similarities between internal control and internal audit
People: Both internal control and internal audit need people to deliver on their objectives.
Reporting format: Both internal audit and internal control do not have a generally agreed reporting format.
Achievement of objectives: Both internal audit and internal control help organizations achieve objectives.
|Internal control||Internal audit|
|Nature||Internal control is a system.||Internal audit is a function.|
|Performance||It is the responsibility of operational management.||It is performed by internal auditors.|
|Necessity||Internal controls are essential for every organization.||Internal audits are applicable as the company law rules.|
|Objective||To ensure that management policies and procedures are properly followed||To detect errors and inconsistencies, in addition to evaluating internal controls|
|Frequency of conduct||These are on-going tests to ensure that quality and effectiveness in operations are maintained.||Internal audit is conducted at specific intervals.|