Internal controls are the set of procedures and policies designed to prevent errors and fraud and manipulation of the organization's processes for personal gratification. The Enron and other related corporate debacles occurred partially because of the lack of appropriate internal controls. These incidents also made the government take notice and implement the Sarbanes Oxley Act, 2002. The act while laying regulations for corporate governance also stresses on the need for effective internal controls.
To understand the concept of internal controls, consider the human body. When we are cold, we shiver—a process, which warms our body. Shivering is the nature's internal control to prevent exposure to cold. Basically, we are vulnerable to cold and the nature has built a safeguard (shivering) against this vulnerability. Similarly, companies also require a strong Internal Control System (ICS) that addresses all possible vulnerabilities of the company.
ICS is a process, effected by a company's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following objectives:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
ICS mainly consists of a control environment and a set of control activities. The control environment establishes the tone of a company, influencing the control awareness of the company's employees. It is the foundation for all the other internal control components, providing discipline and structure. An important component of the control environment is to have regular reviews of a company's actual operations to determine if they comply with management's operating policies. This activity is known as an audit. There are public accounting firms, which conduct audits of companies. However, large enterprises (and certain medium-sized ones) often have separate internal audit subsystems, or departments, with internal auditors performing these reviews. The internal auditors spend considerable time evaluating whether previously designed and implemented internal controls are functioning properly. In small enterprises, where they typically cannot afford the cost of internal audit departments, the owners and managers commonly perform the reviews of compliance with operating policies.
Control activities encompass the policies and procedures that help ensure that management directives are carried out. Within the company's control activities, it is important to design and implement specific control procedures to help ensure that necessary actions are taken to address risks to the achievement of a company's objectives.
The first step while implementing internal control activities is to identify the vulnerabilities that the company faces. To achieve this, a risk assessment of all the procedures and processes of the company might be conducted. This assessment process recognizes that every organization faces risks to its success. These risks come from both external and internal sources of the organization. For control purposes, risks that appear to affect the accomplishment of a company's goals are identified, analyzed, and acted upon. Risk is measured as the probability that a control problem will occur. Exposure is the amount of potential loss associated with a control problem. It can also be defined as the expected loss for a control area where risk is 100 percent.
Risk assessment also helps the company determine the control areas that should be safeguarded on a priority basis. This is useful, because implementation of internal controls requires considerable time and effort. After identifying the risks and the corresponding control areas, the company needs to evaluate various control activities and control procedures that can be used to mitigate the risks.
Information is for educational and informational purposes only and is not be interpreted as financial or legal advice. This does not represent a recommendation to buy, sell, or hold any security. Please consult your financial advisor.