The concept of internal controls became increasingly important with the corruption of Enron and WorldCom. Internal controls play a key role in both public and private businesses, as well as in all major business functions and collateral activities. The reasons being that internal controls provide safeguards for the assets of an organization, minimize opportunities for fraud, and disallow errors to go undetected in the day-to-day operations of an organization.
Internal control procedures play a significant role in any organization to augment the degree of transparency in the entity’s systems, thereby leading to enhanced operational efficiency and effectiveness. They enable a company to identify risk areas, implement adequate measures to keep a check on those high-risk areas, and aid in developing an environment conducive to risk mitigation.
In this article, we will address the importance of internal controls in accounting to help you create an efficient internal control framework within an organization.
Internal controls are a company’s processes, rules, and procedures for maintaining the accuracy of financial and accounting records, encouraging transparency, and preventing fraud.
In addition to compliance with rules and regulations, and preventing workers from stealing assets or committing fraud, internal controls may help enhance operating performance by improving the quality and timeliness of financial reporting.
As per SA-315 issued by the Institute of Chartered Accountants of India, “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment”, the internal control may be defined as “the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.”
Although the way we design, implement and maintain internal control varies with the size and complexity of an entity, it is imperative for every company to have proper internal controls in place.
Internal controls are planned, implemented, and managed to resolve the business risks that may threaten the achievement of any of the entity’s objectives. The company’s objectives that can be threatened due to the non-existence of a proper internal control system include the following:
The following are the objectives served by an internal control system operating in a business entity:
No two internal control structures are similar, but several key philosophies on financial transparency and accounting procedures have become common practices in management. While internal controls can be expensive, properly implemented internal controls can help streamline business processes and improve operational performance, as well as deter fraud.
An effective framework of an internal control system in an organization is comprised of the following elements:
The control environment includes the roles/functions of governance and management and the attitudes, knowledge and behaviour of those responsible for governance and management. The control environment sets the organization’s tone and influences its people’s control consciousness on a holistic basis.
It seeks to assure that the management has developed and established an honest and ethical culture behaviour. An entity’s control environment consists of the following parts:
Collectively, the strengths of the control environment elements provide an acceptable basis for the other components of internal control.
This is the process that the entity has invoked for the sake of identifying business risks relevant to financial reporting objectives, estimating the relevance of the risks, assessing the probability of their incidence, and deciding on the measures to address those risks.
The risk assessment process for the organization forms the basis for managing the risks. If that process is appropriate, the auditor would be assisted in identifying risks of material mistakes.
An understanding of the information system of an organization covers the below-mentioned processes:
Control activities are referred to as the policies and procedures which help to ensure that directives on management are enforced. Such control operations, be they in IT or manual processes, have specific objectives, and they are implemented at various functional levels of an organization. Some examples include the following:
This component is comprised of the major activities that the entity uses to monitor internal control over financial reporting. Monitoring of controls is a method for assessing the effectiveness of the internal control output over time. It involves a timely assessment of the effectiveness of the controls and taking necessary remedial action.
Monitoring activities of management may include the use of communications from outside parties such as customer complaints and comments from regulators that may indicate problems or highlight areas that need to be improved.
In addition, the management may also rely on separate evaluations such as ‘internal audit procedure‘ to supervise control activities and identify significant variances from expectations and inaccuracies in financial data. The judgment opined by the internal auditor may relate to the monitoring of internal controls, risk management, and review of compliance with rules and regulations.
Typically, internal controls are broadly divided into two categories, namely, preventive activities and detective activities.
Preventive controls are intended to reduce the probability of mistakes and fraud before they occur, and often revolve around the principle of division of duties. Preventive controls are essential from a quality standpoint because they are proactive and quality-focused. Such management programs aim to prevent mistakes or fraud from happening in the first place and provide rigorous procedures for verification and authorization.
Some examples of preventive controls can be:
On the other hand, detective tests are designed to detect errors or problems following the occurrence of a transaction. Detective controls are important as they provide proof that preventive controls are working as expected, as well as render a chance to detect anomalies after the fact. Such management programs act as backup protocols intended to capture defaulting activities or incidents which have been skipped by the first line of protection.
Some examples of detective controls can be:
There is yet another category called ‘Corrective control’ activities. Once detective control activities find a mistake or irregularity, corrective control activities will then kick in and see what could or ought to be done to repair it, and ideally put in place a new program to avoid it next time. These safeguards may include administrative or disciplinary action, complaints filed, updates or changes in software, and new policies that restrict activities such as employee tailgating.
Among its many roles, the Board of Directors of an organization is responsible for establishing corporate accountability and ensuring the maintenance of reasonable internal controls within the organization through the company’s internal or independent third-party reviews.
The management of an organization is responsible for setting up the control environment and maintaining it. Auditors also play a role in an internal control system through conducting assessments and making recommendations for improved controls. In addition, each employee plays a role either in strengthening or weakening the system of internal control of the institution. All employees, therefore, need to be aware of the meaning and function of internal controls.
As far as the auditor is concerned, the analysis and assessment of the internal control framework is an integral aspect of the overall audit programme. The auditor requires a fair assurance that the company’s accounting procedure is appropriate and that, in fact, all the accounting information to be reported is documented. Normally, internal controls contribute to that assurance.
The auditor needs to obtain a thorough understanding of the entity’s internal control relevant to the audit. A comprehension of internal controls prevailing in an organization helps the auditor to identify possible types of misstatements, locate factors affecting the risks of material mistakes, and define the nature, timing, and scope of additional audit procedures.
Only after getting a clear and fair understanding of the internal control mechanisms and their actual functions, the auditor will be able to devise his entire audit program. Following the exercise of assimilation of the internal control system, the auditor must examine whether and to what extent the same is actually in operation. For this purpose, selective testing is carried out by applying procedural tests and in-depth auditing.
The auditor applies the concept of materiality both in the planning and performance of the audit, as well as in the evaluation of the effect of identified misrepresentations on the audit and of uncorrected misrepresentations, if any, on the financial statements. This plays an important role in the formulation of the opinion in the auditor’s report.
Clause(i) of Sub-section 3 of Section 143 of the Companies Act, 2013 mandates the auditors’ report to state that the company has an appropriate system of internal financial controls in place and if these controls are operationally effective. Thus, external auditors will test the accounting processes and internal controls of a company as part of an audit, and provide an opinion on their effectiveness.