Why Good Internal Controls and Related Procedures are Important for a Company?

Ruchi Gandhi

06 Sep, 2022

An overview

The concept of internal controls became increasingly important with the corruption of Enron and WorldCom. Internal controls play a key role in both public and private businesses, as well as in all major business functions and collateral activities. The reasons being that internal controls provide safeguards for the assets of an organization, minimize opportunities for fraud, and disallow errors to go undetected in the day-to-day operations of an organization.

Internal control procedures play a significant role in any organization to augment the degree of transparency in the entity’s systems, thereby leading to enhanced operational efficiency and effectiveness. They enable a company to identify risk areas, implement adequate measures to keep a check on those high-risk areas, and aid in developing an environment conducive to risk mitigation.

In this article, we will address the importance of internal controls in accounting to help you create an efficient internal control framework within an organization.

Meaning and purpose of internal controls

Internal controls are a company’s processes, rules, and procedures for maintaining the accuracy of financial and accounting records, encouraging transparency, and preventing fraud.

In addition to compliance with rules and regulations, and preventing workers from stealing assets or committing fraud, internal controls may help enhance operating performance by improving the quality and timeliness of financial reporting.

As per SA-315 issued by the Institute of Chartered Accountants of India, “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment”, the internal control may be defined as “the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.”

Although the way we design, implement and maintain internal control varies with the size and complexity of an entity, it is imperative for every company to have proper internal controls in place.

Internal controls are planned, implemented, and managed to resolve the business risks that may threaten the achievement of any of the entity’s objectives. The company’s objectives that can be threatened due to the non-existence of a proper internal control system include the following:

• Reliability of the financial statements of the companies
• Its operational efficiency and effectiveness
• Adherence to relevant laws and regulations
• Asset protection and asset safeguarding

What are the objectives of Internal Controls?

The following are the objectives served by an internal control system operating in a business entity:

• To assure that transactions are carried out in accordance with the general or special authorization of the management
• To ensure that all transactions are correctly and promptly documented in the required records and in the accounting period during which they are carried out in order to facilitate the preparation of financial statements within the context of established accounting policies and practices
• To assure proper transparency and accountability for the assets
• To ensure that assets are protected from unauthorized access, exploitation or disposal
• To oversee that the recorded assets are compared at reasonable intervals with existing assets and appropriate action is taken in respect of any discrepancies

What does an internal control system consist of?

No two internal control structures are similar, but several key philosophies on financial transparency and accounting procedures have become common practices in management. While internal controls can be expensive, properly implemented internal controls can help streamline business processes and improve operational performance, as well as deter fraud.

An effective framework of an internal control system in an organization is comprised of the following elements:

The control environment:

The control environment includes the roles/functions of governance and management and the attitudes, knowledge and behaviour of those responsible for governance and management. The control environment sets the organization’s tone and influences its people’s control consciousness on a holistic basis.

It seeks to assure that the management has developed and established an honest and ethical culture behaviour. An entity’s control environment consists of the following parts:

• Communication and enforcement of integrity and ethical values
• Commitment to competence levels for particular jobs
• Participation by those charged with governance
• Management’s philosophy and operating style to taking and managing business risks, actions toward financial reporting, and attitude towards information processing
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices

Collectively, the strengths of the control environment elements provide an acceptable basis for the other components of internal control.

The entity’s risk assessment process:

This is the process that the entity has invoked for the sake of identifying business risks relevant to financial reporting objectives, estimating the relevance of the risks, assessing the probability of their incidence, and deciding on the measures to address those risks.

The risk assessment process for the organization forms the basis for managing the risks. If that process is appropriate, the auditor would be assisted in identifying risks of material mistakes.

The information system, including the related business processes, relevant to financial reporting, and communication:

An understanding of the information system of an organization covers the below-mentioned processes:

• Classes of transactions in the operations of the entity which are relevant to the financial statements
• The processes by which those transactions are initiated, registered, processed, corrected when required, transferred to the general ledger and reported in the accounts
• The related accounting records, supporting details and particular accounts used to initiate, register, process and disclose transactions in the financial statements
• Checks for journal entries
• The financial reporting mechanism used to compile the financial statements for the company

Control Activities:

Control activities are referred to as the policies and procedures which help to ensure that directives on management are enforced. Such control operations, be they in IT or manual processes, have specific objectives, and they are implemented at various functional levels of an organization. Some examples include the following:

• Authorization and approval limits ensuring that transactions must be approved by designated employees acting within their range of knowledge and proper span of control
• Segregation of duties in the sense that no one person has sole control over the lifespan of a transaction
• Physical controls such as restrictions on access to buildings, specified office or factory areas or equipment
• Information processing and data backups
• Periodic reconciliations in Accounting Systems
• Performance reviews at regular intervals

Monitoring of controls:

This component is comprised of the major activities that the entity uses to monitor internal control over financial reporting. Monitoring of controls is a method for assessing the effectiveness of the internal control output over time. It involves a timely assessment of the effectiveness of the controls and taking necessary remedial action.

Monitoring activities of management may include the use of communications from outside parties such as customer complaints and comments from regulators that may indicate problems or highlight areas that need to be improved.

In addition, the management may also rely on separate evaluations such as ‘internal audit procedure‘ to supervise control activities and identify significant variances from expectations and inaccuracies in financial data. The judgment opined by the internal auditor may relate to the monitoring of internal controls, risk management, and review of compliance with rules and regulations.

Preventative and Detective Controls

Typically, internal controls are broadly divided into two categories, namely, preventive activities and detective activities.

Preventive controls are intended to reduce the probability of mistakes and fraud before they occur, and often revolve around the principle of division of duties. Preventive controls are essential from a quality standpoint because they are proactive and quality-focused. Such management programs aim to prevent mistakes or fraud from happening in the first place and provide rigorous procedures for verification and authorization.

Some examples of preventive controls can be:

• Separating responsibilities
• Pre-approval of purchases and acts (such as a Travel Authorization)
• Access controls (like passwords and authentication)
• Physical asset control and safety (i.e. door locks or cash / check safe)
• Screening and training for employees

On the other hand, detective tests are designed to detect errors or problems following the occurrence of a transaction. Detective controls are important as they provide proof that preventive controls are working as expected, as well as render a chance to detect anomalies after the fact. Such management programs act as backup protocols intended to capture defaulting activities or incidents which have been skipped by the first line of protection.

Some examples of detective controls can be:

• Reconciliations of departmental transactions on a monthly basis
• Review the performance of organizations (such as a budget-to-actual comparison to look for any unexpected differences)
• Physical inventories (like measuring cash or raw materials inventory)
• Internal audit system

There is yet another category called ‘Corrective control’ activities. Once detective control activities find a mistake or irregularity, corrective control activities will then kick in and see what could or ought to be done to repair it, and ideally put in place a new program to avoid it next time. These safeguards may include administrative or disciplinary action, complaints filed, updates or changes in software, and new policies that restrict activities such as employee tailgating.

Responsibilities of Internal control

Among its many roles, the Board of Directors of an organization is responsible for establishing corporate accountability and ensuring the maintenance of reasonable internal controls within the organization through the company’s internal or independent third-party reviews.

The management of an organization is responsible for setting up the control environment and maintaining it. Auditors also play a role in an internal control system through conducting assessments and making recommendations for improved controls. In addition, each employee plays a role either in strengthening or weakening the system of internal control of the institution. All employees, therefore, need to be aware of the meaning and function of internal controls.

Responsibilities of auditor towards the assessment of internal controls

As far as the auditor is concerned, the analysis and assessment of the internal control framework is an integral aspect of the overall audit programme. The auditor requires a fair assurance that the company’s accounting procedure is appropriate and that, in fact, all the accounting information to be reported is documented. Normally, internal controls contribute to that assurance.

The auditor needs to obtain a thorough understanding of the entity’s internal control relevant to the audit. A comprehension of internal controls prevailing in an organization helps the auditor to identify possible types of misstatements, locate factors affecting the risks of material mistakes, and define the nature, timing, and scope of additional audit procedures.

Only after getting a clear and fair understanding of the internal control mechanisms and their actual functions, the auditor will be able to devise his entire audit program. Following the exercise of assimilation of the internal control system, the auditor must examine whether and to what extent the same is actually in operation. For this purpose, selective testing is carried out by applying procedural tests and in-depth auditing.

The auditor applies the concept of materiality both in the planning and performance of the audit, as well as in the evaluation of the effect of identified misrepresentations on the audit and of uncorrected misrepresentations, if any, on the financial statements. This plays an important role in the formulation of the opinion in the auditor’s report.

Clause(i) of Sub-section 3 of Section 143 of the Companies Act, 2013^[1] mandates the auditors’ report to state that the company has an appropriate system of internal financial controls in place and if these controls are operationally effective. Thus, external auditors will test the accounting processes and internal controls of a company as part of an audit, and provide an opinion on their effectiveness.

Takeaway

Also, read: Audit Exposure Draft of Standards on Internal Audit (SIA) 120, Internal Control