In the early 2000s, several well-known accounting scandals rocked the business world. Enron, Tyco, and Worldcom were a few of the biggest names.
Lawmakers enacted the Sarbanes-Oxley Act of 2002 in response. SOX increased management’s responsibility for financial reporting and documentation. It also put in place stricter punishments for fraud.
Internal controls have been around for a long time, but SOX brought internal controls to the forefront of accounting issues.
What Are Internal Controls?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) stated that internal controls are “designed to provide reasonable assurance of the achievement of objectives” in the following three areas:
- Operational effectiveness and efficiency: Good internal controls can streamline operations.
- Financial Reporting reliability: Internal controls increase the reliability of financial information you record, making your financial statements more accurate.
- Compliance with relevant laws and regulations: Proper internal controls help ensure compliance with SOX and numerous other regulations.
A robust internal control framework sets the structure for effective internal controls. COSO developed a framework consisting of the following five elements:
- Control environment: The control environment consists of company policies and procedures including company culture. A business’s mission, goals, leadership, ethics policy, etc. are all vital to running an efficient business with strong internal controls. Leadership must also provide proper “tone from the top,” leading by example and setting proper expectations.
- Risk assessment: Companies must identify which areas are at greatest risk of fraud, inaccuracy, etc. Companies must dedicate effort to ensuring sufficient internal control in these areas. This can vary depending on industry and business model. For example, healthcare companies have unique compliance risks (HIPAA).
- Monitoring and reviewing: Management should regularly review internal controls to assure controls are properly carried out or the right type of controls are in place.
- Information and communication: Each company must share information necessary to maintain internal controls, as well as information about the controls themselves — both inside and outside the organization.
- Control activities: Control activities are the current internal controls set in place.
Management is responsible for addressing each of these. Staff members are required to carry out the internal controls set forth by management.
The Three Types of Internal Controls
Business should institute three types of controls.
Detective internal controls help determine the cause of some error that has already taken place.
For example, a company may find a discrepancy in the amount of actual inventory. A physical inventory check can be used to identify why the difference exists.
Other examples of detective controls include
- Financial statement preparation
- Reviews (limited, inquiry based)
Preventative controls minimize the chances of errors or fraud from occurring. Detective controls are important, but preventative controls are more pragmatic.
A common preventative control is segregation of duties. Tasking an individual the responsibility of both recording and handling cash increases the chance of fraud. For example, this individual may record a $100 cash receipt as $80 in your books and pocket the other $20.
Splitting these activities among two separate individuals lowers the chances of this fraud occurring — thus, segregation of duties is a preventative control.
Other examples of preventative controls include
- Checks and balances in information systems (such as requiring thee senior accountant to verify transactions entered by junior accountants/bookkeepers before posting)
- Requiring login credentials or special permissions to access certain areas of information systems
- Physical safeguards, like security guards requiring identification to enter certain areas
- Employee screening/training
Corrective controls are used to follow up on the discoveries of internal controls to rectify the error. Perhaps you hired an employee without thorough screening, for example, and they slack off on the job. Disciplinary action would be a corrective internal control, in this case.
Internal Audit: The Auditors of Internal Controls
Internal auditors evaluate all your internal controls, including those associated with accounting systems and corporate governance. They assess if your policies and procedures are being followed, ensure compliance with all regulations, evaluate how well your internal controls safeguard your business’s assets, and make recommendations for further internal controls.
Internal controls are vital to keeping your business as safe as possible from losses, but much of the information out there is confusing. CFO Hub is here to help. Our experts can evaluate your internal controls and recommend areas in which you can improve them. Contact us today for your free, no-obligation consultation.