What are Internal Controls?

Internal controls are the set of procedures, processes, and mechanisms through which a company’s operational efficiency is captured, leading to a stronger and more accurate financial reporting and accounting system.Internal controls lay down a set of control objectives encompassing control procedures, governed by applicable laws and the regulatory climate under which organizations operate in order to conduct operations with integrity and accountability. Internal Controls have been culled out in detail under the Sarbanes-Oxley Act (2002) which dictates that management is responsible for creating and maintaining a robust and effective internal controls system, which must be assessed and attested by internal auditors, who then report on the internal control mechanism. This report is included as part of the financial statements for shareholders and stakeholders to understand the effectiveness of the organization’s financial and qualitative effectiveness.

How do Organizations use Internal Controls?

Organizations, irrespective of their size require certain policies, processes, and procedures in order to safeguard their assets, manage liabilities, and ensure that correct and relevant financial records are maintained with integrity and reliability. Internal controls add value to an organization by aiding in planning, monitoring, and reporting business operations.

Internal controls also enable the organization to ensure compliance with statutory and governing laws, thus promoting more accountability towards the various stakeholders of the organization. Internal controls are the responsibility of the management and must ensure that they diligently focus on maintaining records for the same. Internal audits are performed by an external auditor who comments on said processes, enquires if they are in place, and offers suggestions and scope for improvement to tighten such protocols.

Responsibilities

Management is responsible to ensure appropriate planning and execution of an effective internal control system. ‘Management’ refers to those charged with governance and include the board of directors, who are accountable to the shareholders. Management also constantly revamps the framework and constantly upgrade the internal control structure so as to keep with the expanding capabilities of the business. Thus, it is the responsibility of the management to ensure appropriate formulation of the internal control system and also its effective adherence.

Framework and Principles

While the system of internal controls varies from one organization to another, they are based on certain basic principles, which are governed by a solid framework. This is designed to ensure that the management does not provide misleading or false information as part of their accounting system, which thereby flow into the financial statements.

Before we discuss the best practices, let us understand the broad framework under which internal controls effectively operate.

Control environment

It is the duty of the management of the organization to lay a responsible system and related protocols to focus on identifying and bridging inaccuracies and discrepancies in the system as and when they arise. The control environment reflects on the operational efficiency and financial effectiveness, thereby improving corporate responsibility towards its stakeholders. The control environment is however, dynamic and volatile. This is especially true in today’s parlance, given the COVID-19 pandemic. Considering the heavy reliance on technology, internal controls are the bedrock of reliability and accountability, while implementing fraud-prevention measures.

Risk assessment

One of the most important tenets of internal control is to identify and assess areas of risk in order to effectively mitigate the threats and inaccuracies. These risks come in different forms—in security issues, timely and appropriate maintenance of cash and bank balances, monitoring of production lines and fraud assessments.

Review

Management needs to periodically invest time and effort in reviewing and monitoring the strength of the internal control activities and efficiency. A key step is reviewing the accounting records, which pave the way for self-assessment and provide reasonable assurance to the shareholders and auditors that there are no material misstatements in the functioning of the organization. They must also be upgraded to mitigate the latest risk factors that have arisen as part of the evolving risk assessment activities.

Communication

It is important to communicate regularly within the organization regarding the updated protocols and processes in order to effectively assign duties and responsibilities and constantly upgrade the effectiveness of the internal control procedures.

Control activities

The activities that are part of the internal control ecosystem are discussed below and can be segregated into two broad types. Regular audit is an important facet of diligently monitoring and testing the effectiveness of the system.

Types of Internal Control

Internal controls essentially aim to streamline the process of documentation, embed controls where there are layers of authority and ensure segregation of responsibilities to prevent fraud and improve operational efficiency. There are two common types of internal control—Preventative and Detective.

Preventative controls

Mechanisms included under preventative controls aim to ensure that by understanding the system, they provide checks preventing the occurrence of errors and frauds. These may include segregation of duties and responsibilities to ensure that no single person is entirely responsible for the entire flow of transactions and has the authority to approve, authorize, and retain custody of the financial records. This may be especially applicable in a company handling large volumes of cash/ bank transactions where there is a serious risk of fraud. Preventative controls also include authorization and verification of transactions and records, while also restricting access and authority to fixed assets, inventory, cash and bank operations, receivables, and other assets.

Detective controls

As the name suggests, detective controls are put in place to spot and catch errors and frauds that may not have been caught by exercising preventative controls. By exercising these controls such as providing and updating reconciliation statements, the organization can take corrective action and upgrade the internal control process to make it more robust and reliable. Detective controls can be exercised through internal audits as well as regular inventory and other asset monitoring.

Internal Control Audit

Regular audit provides a fair assessment of the effectiveness of the internal controls, ensuring compliance and diligent follow-up of the procedures in terms of financial reporting and documentation. Audit also ensures that there is a paper trail and identifies discrepancies which can be reviewed and corrected in time.

An internal control audit encompasses the following activities:

• Monitoring of the existing internal control environment and provide an assessment of the accuracy, reliability, and transparency of accounting data and financial reporting.
• Detection and assessment of fraudulent activities and unearthing lapses in internal controls such as missed approvals and unsegregated responsibilities.
• Evaluate control environment in terms of non-accounting responsibilities and procedures as well such as asset safeguarding, access controls, production or assembly line wastages and securing of raw materials. 

Common Mistakes and Pitfalls

Some of the common possible errors while performing internal control assessments are as follows:

• Inaccurately understanding the control environment and its workings.
• Inaccurate performance of reconciliation and miscalculation of data entry.
• Not maintaining and checking the correct reports and Management Information System (MIS) statements or inaccurately verifying authorization and approval systems.
• Miscommunication with the management and/or with sub-departments in terms of legal or statutory compliance and other control activities.
• Undocumented processes and trail of business operations and transactions.

Context and Applications

This topic is significant in the professional exams for both undergraduate and graduate courses that have accounting and commerce at its core. This may be especially applicable for

• B. Com
• M.Com
• MBA (Finance)

This topic may also be significant for professional certifications including:

• Chartered Accountancy;
• Certified Public Accountant (CPA);
• Association of Chartered Certified Accountants (ACCA);
• Certified Internal Auditor (CIA)