What Are Internal Controls and Why Are They Important

Internal controls form the bedrock of a company’s governance structure, encompassing a multifaceted set of mechanisms and procedures designed to safeguard assets, ensure financial accuracy, and fortify operational efficiency. In this article, we will delve into the definition of internal controls and explore their significance in the corporate landscape.

Defining internal controls: 

Internal controls encompass the policies, procedures, and practices established by an organisation to achieve specific objectives. These objectives primarily revolve around the reliability of financial reporting, compliance with laws and regulations, and the effectiveness and efficiency of operations. Internal controls are designed to mitigate risks and provide reasonable assurance that the company’s goals are achieved.


The structure of internal controls: 

1. Control environment

At the core of internal controls lies the control environment, shaping the organisation’s ethical framework. This component encapsulates the culture of integrity, management’s commitment to ethical values, and the overall atmosphere in which internal controls operate. A robust control environment fosters a culture of accountability and sets the stage for effective internal controls.

2. Risk assessment

The dynamic business landscape is fraught with risks. Internal controls begin with a thorough risk assessment, identifying potential threats to the company’s objectives. This step involves evaluating both internal and external factors that could impede the achievement of goals, providing a foundation for subsequent control measures.

3. Control activities

Control activities are the tangible safeguards implemented to address identified risks. These include segregation of duties, approval processes, access controls, and reconciliation procedures. For instance, segregating duties ensures that no single individual has unchecked control over a critical aspect of a process, reducing the risk of errors or intentional misconduct.

4. Information and communication

Internal controls rely heavily on effective communication and information flows. This component ensures that relevant information is identified, captured, and disseminated across the organisation. It involves clear communication of control responsibilities, expectations, and updates on changes in policies or procedures that may impact internal controls.

5. Monitoring activities

Internal controls are not static; they require ongoing monitoring and periodic evaluation. Regular assessments ensure that controls operate as intended and are effective in mitigating risks. Monitoring activities include internal and external audits, management reviews, and assessments of control deficiencies, enabling timely adjustments to enhance control effectiveness.


Types of internal controls:

Internal controls can be categorised into several types, each serving specific purposes. These types of internal controls work in concert to mitigate risks, ensure compliance, and safeguard assets, ultimately contributing to the overall effectiveness and integrity of an organisation’s operations.

1. Preventive controls:

  • Segregation of duties (SoD): Dividing responsibilities among different individuals to prevent any single person from having too much control over a process. For example, separating the roles of approving transactions, recording transactions, and reconciling accounts ensures that no one person can both perpetrate and conceal fraudulent activities.
  • Authorisation processes: Requiring appropriate approvals before transactions or activities can proceed. This can include authorisation for expenditures, access to sensitive information, or changes to critical systems. Authorisation limits and hierarchies ensure that decisions are made by authorised personnel according to established guidelines.
  • Physical controls: Implementing security measures such as locks, access cards, and surveillance systems to protect assets. Physical controls also include safeguards such as restricted access areas, security guards, and alarms to prevent unauthorised access or theft of physical assets.

2. Directive controls:

  • Standard operating procedures (SOPs): Documenting step-by-step guidelines for performing specific tasks consistently. SOPs provide detailed instructions on how to execute routine operations, ensuring uniformity and adherence to established standards across the organisation.
  • Manuals and policies: Providing written directives outlining organisational policies, guidelines, and expectations. Manuals and policies communicate expectations regarding employee conduct, ethical standards, and compliance requirements, serving as a reference for employees to understand their responsibilities and obligations.
  • Documented workflows: Mapping out the sequence of activities and decision points in a process to ensure clarity and consistency. Documented workflows illustrate the flow of tasks, approvals, and information within a process, facilitating understanding and adherence to established procedures.

3. Detective controls:

  • Reconciliations: Comparing different sets of records to identify discrepancies and errors. This could involve reconciling bank statements with accounting records, inventory counts with records, or sales data with customer orders. Reconciliations help detect errors, omissions, or fraudulent activities that may have occurred.
  • Variance analysis: Analysing differences between expected and actual outcomes to detect anomalies. Variance analysis is commonly used in budgeting, where discrepancies between budgeted and actual expenses or revenues can highlight areas of concern or potential fraud.
  • Exception reporting: Generating reports for unusual or suspicious activities that may require further investigation. Exception reports flag transactions, events, or behaviours that deviate significantly from established norms or expectations, enabling management to identify and address potential issues promptly.

4. Compensating controls:

  • Additional reviews: Implementing secondary checks or reviews to compensate for weaknesses in primary controls. Additional reviews may involve independent verification of transactions, documentation, or processes by personnel not directly involved in the original activity.
  • Alternative approval processes: Establishing alternative pathways for obtaining approvals in cases where primary processes are unavailable. Alternative approval processes may be invoked during emergencies, system outages, or instances where the designated approver is unavailable, ensuring that critical activities can proceed without delay.
  • Secondary authentication requirements: Requiring multiple levels of authentication or authorisation for sensitive transactions or access. Secondary authentication may involve additional passwords, PINs, biometric verification, or token-based authentication to verify the identity of users and prevent unauthorised access or fraudulent activities.

Robust internal controls for success

In essence, internal controls are not mere bureaucratic protocols but the lifeblood of a resilient and prosperous company. Companies that prioritise the development and maintenance of robust internal controls are not only better equipped to weather challenges but also positioned for sustainable growth and success in a competitive business landscape.
