Internal control is an accounting and auditing term, used primarily to denote the systems designed to help the organization achieve its goals and objectives, by making sure the various structural components of the organization such as hierarchy, management information systems, human resources and the flow of information remains functioning according to established protocol. Another important function of internal control is to minimize the incidence of fraud and mismanagement and to protect the property of the organization, both physical (goods, machinery) and intangible (goodwill, brand name).
Accounting is a system of record keeping and data reporting, however, this data must be checked and re-checked before it can become part of the books of accounts, as they reflect the financial position of the organization to both, the management and the investors. Internal controls ensure that any deviation or error in the information flow is immediately identified and suitable steps taken for its rectification.
Internal control has been defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. The definition further explains internal control as:
➤ Internal control is a process. It is a means to an end, not an end in itself.
➤ Internal control is not merely documented by policy manuals and forms. Rather, it is put in by people at every level of an organization.
➤ Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
➤ Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
There are many statutory requirements that have to be fulfilled by companies worldwide. Accounting standards and controls are some of the essential compliances that not only help the companies manage their finances well, but also help them to keep track of liabilities, duties and taxes. The laws regarding internal controls in public corporations are especially stringent due to the fact that public money and the common man’s interest is to be safeguarded with the help of such controls.
Need for Internal Controls
Internal controls of an organization are subject to annual audit, conducted by authorized and certified chartered accountants. The following is a small list of factors that explains the need and audit of such controls.
It is extremely essential for any company to keep track of all accounting records and financial statements that are transacted and authenticated by the company in one financial year. This kind of control ensures that the public finances are not misused.
Internal controls are also required to ensure timely payment of liabilities and taxes. These controls are required to uphold the reputation and credit rating of the company. Tax calculations change with every transaction the company makes, in such a case these internal accounting controls are the surest way to maintain order in the books of the company.
As will be discussed later in this article, fraud prevention is an important function of internal controls in any organization. This is in light of the many corporate fraud cases that have come to light in recent times and have caused billions of dollars in losses and the collapse of several Wall Street heavyweights.
Internal Controls and the Sarbanes-Oxley Act, 2002
Enacted by the 107th United States Congress in 2002 the Sarbanes-Oxley Act (SOX), named after US Senator Paul Sarbanes and US Representative Michael G. Oxley, is a landmark Act which attempts to ensure safety of investors by making it mandatory for all US public companies and accounting firms to abide by certain standards specified in the Act, whereby the accuracy of financial information will be certified for the benefits or investors and auditors. The Act was passed as a result of the massive fraud and embezzlement cases that came to light after the collapse of industry giants such as Enron and WorldCom. These cases resulted in staggering losses to the shareholders and there was a call for stricter control on the reporting of financial data. There are two key aspects of this law which are important to the functioning of internal controls in any organization.
Sarbanes-Oxley Act Section 302
This section of the Act deals with the disclosure controls operating in an organization. Disclosure controls are procedures to be followed when the company declares its financial results, and also to certify the accuracy of the disclosed data. Section 302 puts forth a set of procedures to be followed for financial disclosure and requires a certification by the management that it has followed all necessary internal controls during accounting and the subsequent financial reporting, also that the data so disclosed is correct in all aspects. It ensures responsibility on part of the management of an organization this way. The section has two components, civil and criminal and has various provisions for the reporting of financial data.
Sarbanes-Oxley Act Section 404
Possibly the most important section of the Act, the Section 404 specifies guidelines for the management regarding Internal Control on Financial Reporting (ICFR). The aim of this section is to ensure the standards for ICFR are met by the management and the audit team in charge of preparing the financial statements. An Internal Control Report is the cornerstone of this section as this is the document that the management must prepare for the organization’s annual Exchange Act report. The report is an assessment of the effectiveness of the internal controls of the company and whether they have been functioning in accordance with SOX guidelines. The internal control report is an exhaustive coverage of the various control procedures such as the evaluation of fraud risk and assessing controls involved in the transactions of the organization.
Elements of Internal Controls
There are several elements or policies that are implemented by companies in order to ensure effective internal control:
➤ Segregation of Duties
There are several functions that are always going on in the accounts department of a company, which have to be monitored with the help of internal controls. Segregation of duties is an excellent policy where two different people handle the accounts and physical operation of assets. This policy also involves a series of cross checks and tallies. The double entry system is a very crucial instrument for such a process.
➤ Transactional Authorization
All the transactions are authorized such as the purchase of raw materials, pricing of goods, salary payment to employees and so on. It means that, during sale and purchase, employees need to follow a particular upper and lower limit policy, regarding prices. Moreover, the transactions must be authorized by an officer who has the right to do so, only then will the internal controls matter, otherwise the transaction will be treated as an invalid one.
➤ Documentation and Records
There are several different documentation and records that are stored in the company’s computer systems with the help of accounting software. These systems basically ensure a simple functionality, easier cross checks, and reliable audits. With the implementation of modern accounting methods, which are essentially electronic in nature, internal controls too have to be structured to include this new method of financial reporting. There are several productivity software used by organizations today which log data and maintain detailed records of all transactions that go through the system.
➤ Independent Checks
Internal or external auditors of the company can conduct audits and surprise checks within the organization, in order to ensure that the internal controls are effectively working.
Many directors, owners and managers of companies make public statements regarding the follow-up of internal controls. Public statements also carry the control checklist, that is used by the employees and auditors. It must be noted that internal controls have become a statutory compliance, and directives are issued by the government from time to time for their implementation.
➤ Real-time Controls
Under this the physical controls used for the prevention of theft and mismanagement are covered. These may be the usage of locks, warehouses, gates and other barriers which prevent physical damage or intrusion onto property.
➤ IT Controls
Such controls have gained prominence since the heavy dependency on information systems for business transactions and covers the whole gamut of data protection, from passwords and authorized access, to the management of personnel handling sensitive data and protection of important codes used in production processes.
➤ Fraud Prevention
One of the most important aspects of internal controls in any organization, fraud prevention and its detection is covered extensively under the previously mentioned Sarbanes-Oxley Act. It sets guidelines for organizations to carry out independent assessments of their fraud prevention controls. They can do this by simulating break-ins, thefts and financial manipulation and checking if the existing controls have the ability to detect them in time.
➤ Improvement in Controls
like any other process internal controls in an organization can also be improved by regular monitoring and evaluation. This happens in various ways, one of the most common is the cost-reduction strategies employed by a company to price its products cheaper.