You may have heard the term "internal control(s)," but what exactly is it? Evaluating internal controls is one of internal auditing's primary responsibilities. The Institute of Internal Auditors (IIA) defines control and control processes as follows:
A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Control processes are the policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
A broadly accepted definition of internal control comes from the Committee of Sponsoring Organizations (COSO)1 of the Treadway Commission's report entitled The Control-Integrated Framework (COSO Report) as follows:
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objective in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
Key points about internal control include:
- It is a process.
- It is achieved by people.
- It can only provide reasonable assurance.
- It is geared to the achievement of objectives.
In the California State University (CSU) environment, internal controls serve the following purposes:
- Protect the University's Assets
- Ensure Records Are Accurate
- Promote Operational Effectiveness and Efficiency
- Encourage Adherence to Policies
- Ensure Compliance with Laws, Regulations, and Contracts
Generally, controls are of two types:
- Preventative Controls: Designed to discourage errors or prevent irregularities from occurring. They are proactive controls that help prevent a loss. Examples: Separation of duties, proper authorization, adequate documentation, and physical control over assets.
- Detective Controls: Designed to find errors or irregularities after they have occurred. Examples: Reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
The COSO Report further defines five interrelated components of internal control:
- Control Environment: This sets the tone of the organization and is the foundation for all other components.
- Risk Assessment: Management establishes activity-level objectives and mechanisms for identifying and analyzing risks related to their achievement.
- Control Activities: Polices and procedures that ensure management's directives are carried out and help ensure that necessary actions are taken to address risks to achievement of the entity's objectives.
- Information and Communication: Information identified, captured, and communicated in a form and timeframe to enable people to carryout their responsibilities.
- Monitoring: The process that assesses the quality of the system's performance over time, which includes ongoing monitoring activities, separate evaluations or a combination of the two.
Who is responsible for internal controls?
The auditors, right? Wrong! Everyone plays a part in the CSU's internal control system. Ultimately, it is CSU management's responsibility to ensure that controls are in place. That responsibility is delegated to each area of operation, which must ensure that internal controls are established, properly documented, and maintained. Every employee has some responsibility for making this internal control system function. Therefore, all CSU employees need to be aware of the concept and purpose of internal controls. Internal audit's role is to assist management in their oversight and operating responsibilities through independent audits and consultations designed to evaluate and promote the systems of internal control.
What is internal auditing?
The IIA defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The internal audit activity evaluates the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. Internal audit reviews include the reliability and integrity of financial and operational information, effectiveness and efficiency of operations, safeguarding of assets, and compliance with laws, regulations, and contracts. These reviews also ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization, as well as the extent to which results are consistent with established goals and objectives and whether operations and programs are being implemented or performed as intended.
1. COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.