Why Internal Controls – And Reviews – Are Needed 

by Jim Marasco , CPA, CFE, CIA
Director, Corporate Services
StoneBridge Business Partners

Reprinted with permission from Audit America of CPA America .

Every day, during the normal course of our lives, we encounter numerous controls or safeguards. Whether your place of work requires an identification badge or a key fob, a password to log onto your computer or an access code to use a copier, controls are a way of life.

Defining ‘internal control’

Broadly defined – internal control is a process. It’s a series of actions that govern an organization’s activities.

COSO (Committee of Sponsoring Organizations of the Treadway Commission) defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

The objectives are in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Identifying the main internal controls

Internal controls are defined in five broad categories:

  • Control environment involves an organization’s attitude about control. It flows from the core beliefs or values of a company.
  • Risk assessment includes identifying and analyzing an organization’s risks or vulnerabilities.
  • Control activities represent the actual policies and procedures that help ensure that management’s directives are being carried out.
  • Information and communication involve identifying, capturing and exchanging information – including accounting information – that allows people to perform their duties.
  • Monitoring or self-assessment evaluates the effectiveness of controls over time.

Testing controls

A financial statement audit determines whether an organization’s financial statements are free of material misstatement.

Auditors may assess risk at the maximum and not rely on the internal control system while performing their audit. Therefore, internal controls may not be tested as thoroughly because the auditors rely more on substantive testing.

In contrast, an internal control review determines whether internal controls exist and are sufficient. And it may test whether the controls are working as designed.
Evaluating internal control involves:

  • Identifying the internal control objectives relevant to the organization
  • Reviewing pertinent policies and procedures and the documentation standards for each
  • Discussing controls with the appropriate levels of personnel
  • Observing the control environment
  • Testing transactions as appropriate
  • Sharing findings, concerns and recommendations with senior management and/or the board of directors
  • Determining that the organization has taken timely corrective action on weaknesses that were identified

Taking responsibility for internal control

The board of directors is ultimately responsible for a company’s system of internal control. It should set appropriate policies on internal control and seek regular assurance that the system is functioning effectively.

It is the role of management to implement the board’s policies on risk and control.

Management should identify and evaluate the risks faced by the company for consideration by the board. And management should design, operate and monitor a suitable system of internal control to meet the board’s intent.

Additionally, all employees have some responsibility and accountability within the internal control environment. They should have the necessary skill, knowledge and authority to operate and monitor the system of internal control that is put in place.

Reviewing internal controls

Internal controls go beyond safeguarding an organization from financial loss. They can also assist in maintaining reliable financial reporting and maximizing effective operations.

The best way to protect and ensure that your organization is operating efficiently is to have an internal control review performed on your operation. Whether you’re a for-profit, not-for-profit or governmental entity, your current practices should be compared against peers in your sector.

The goal is twofold:

  1. To protect and safeguard your company from being victimized
  2. To improve your processes to obtain greater efficiencies and become more effective at each level of the organization

An internal control review can highlight weaknesses in the internal control structure or expose processes that could be strengthened to maximize efficiency. Detailed recommendations to mitigate risk or strengthen areas of weakness should be included in a formal report issued to the board of the organization.

If you suspect payroll fraud within your organization or need help safeguarding against it, please call one of our professionals.

James I. Marasco, CPA/CFF, CFE, CIA
Jim is a partner at EFP Rotenberg. He brings more than 18 years of public accounting and auditing experience. He is a full-time management consultant and travels extensively throughout the country while leading StoneBridge Business Partners (an EFP Rotenberg affiliate company). Read more about Jim . Article republished with the permission of CPAmerica.