Internal control is an essential part of every company, and ensures that the operations of the company run as smoothly as possible. Without proper internal controls, companies become vulnerable to risks that may reflect poorly on them in the eyes of potential investors. Since a major part of an audit is testing these internal controls, a company that does not have an effective system in place will receive an undesirable audit opinion.
The COSO framework defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations”. In essence, these are many of the same areas an auditor focuses on when conducting an audit, and the term “reasonable assurance” also describes the level of confidence auditors have that the financial statements are free of material misstatement.
In total, there are 5 components of internal control. They include: control environment, risk assessment, control activities, information and communication, and monitoring activities. As the COSO framework states, it is important not only for these components to be working effectively on their own, but also for them to be applied well by management and other responsible personnel. Poor application and execution of these components can result in a weakened system of internal control even if the components are working effectively on their own.
Aside from their application, the components should be treated as an “integrated system” that works together efficiently. The framework clarifies, however, that this does not mean they should all work identically. In addition to the components, there are 17 principles that each correspond to one of these components. The first of the internal control components that will be discussed is Control Environment. The phrase typically heard in association with this component is “tone at the top”. This is one of the most important components, since it lays the foundation for all of the other controls to function.
As part of “tone at the top”, top management and high-level executives are the ones responsible for setting the ethical standards and attitude which the rest of the employees should follow. Many times people will hear references to a company’s “culture”. This culture is created by this component, and it sets the tone through a trickle-down effect that lower-level employees follow. It is formally defined by the COSO framework as “the set of standards, processes, and structures that provides the basis for carrying out internal control across the organization.” Of the 17 principles in internal control, 5 apply to this component.
The first principle deals with ethics, and top management’s enforcement of them. This is the principle that most closely explains the concept of “tone at the top”. Top management is expected to “lead by example in developing values, a philosophy, and an operating style in the pursuit of the entity’s objectives”. Companies will achieve this in many different ways, prioritizing what they think is important in their own unique way. This is what makes this component the most subjective of them all.
As part of the ethical aspect of a company, consistency is a key element. In order for the company’s culture to remain untarnished, everyone in the company should behave in a way that helps the company achieve its objectives in an ethical manner. In order for a company to solidify what it wants its ethical values to be, it has to establish a clear set of standards of conduct so employees know what is right and wrong. In order to monitor this, companies can put into place many different programs that offer incentives for employees to act ethically.
One really great program that many companies already have in place is a whistle-blowing program that allows employees to disclose unethical or fraudulent behavior while also maintaining job security. Another program, which KPMG strongly promotes from my experience interning there, is an ethics hotline where employees can also disclose that type of behavior. Programs like these strengthen internal controls by demonstrating to employees that there is a strong commitment to ethical behavior. The second principle deals with the board of directors and the importance of its independence.
In the case of the Board of Directors, independence is important because it allows them to question the actions of management and hold them to a higher standard. In the Simply Steam case we studied in class, there was a significant deficiency in this component since the board of directors consisted of the two brothers and their wives, and only held one major meeting a year. The third principle deals more with the entity’s organizational structure. It emphasizes accountability, and making sure that the structure promotes clear communication within the entity.
In order for this information flow to be as efficient as possible, companies should put policies into place to hire and retain competent employees. This is what the 4th principle mainly deals with. Finally, the last principle of Control Environment deals with accountability. In order to meet its objectives, all employees need to be held accountable for any actions that may hinder the objectives of the company. The second component of internal control is Risk Assessment. As the name suggests, this component deals with how the company identifies and manages risks, both internal and external.
The framework defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.” For this component, there are four principles. The first of these four acknowledges that management needs to first set clear objectives before it can identify what potential risks it faces. This is an important action because in order to know what internal or external factors can hinder their success, they first need to know what objectives they will set to achieve that success.
The framework describes different objectives that companies set, including Operating Objectives, Reporting Objectives (external financial and external non-financial), Internal Objectives, and Compliance Objectives. It is important for a company to have a clear understanding of what it wants to achieve in all of these areas of the company. Operating objectives, being the core of the business, need to be clearly stated to meet the needs of customers and maximize efficiency in areas such as production.
The framework states that “a clear set of operation objectives provides a clear focus on which the entity will commit substantial resources needed to attain desired performance goals”. In terms of risk, management will have to identify a level of “risk tolerance”, or what level of deviation from meeting their objectives they will accept. Once objectives are recognized, the company can then identify and analyze its risks. This is what the next principle under Risk Assessment explains. As with an audit, a company will conduct its risk assessment in its planning stages.
Identifying risks considers all the factors that can hinder the company from achieving its objectives, both internal and external, including those relating to its suppliers, customers, and competitors. After these risks are identified, the next part of this principle states that the company must then analyze the risks. In regard to this, the framework states “the process-which may be more or less formal-usually includes assessing the likelihood of the risk occurring and estimating its impact. In addition, the process could consider other criteria to the extent management deems necessary”.
The company must also consider the risk of fraud within the company, which is the focus of the third principle of risk assessment. This is different in the case of an audit, where detecting risk is not part of the auditor’s responsibility. Instead, auditors are only required to obtain reasonable assurance that the financial statements are free of material misstatement. Despite this, management still needs to take actions to prevent fraud and identify different ways that fraud can potentially occur within the organization.
The last principle of risk assessment deals with changes in the entity that can affect internal control. A critical aspect of this principle is how well a company can adapt to changes, including environmental and economic ones. Technology is also something companies should consider due to the rate at which it changes in today’s society. Companies like Microsoft and Apple have to constantly adjust and upgrade their products to adapt to all of these changes. Their success will depend on how well they can adjust to this. The third component of internal control is control activities.
The framework defines control activities as “the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.” Under this component are 3 principles that further describe it. As the framework acknowledges, the first principle explains how this component of internal control aligns with the component of risk assessment. This is due to the nature of control activities, which are meant to mitigate risk. The first principle of control activities describes this function.
A part of this that is commonly discussed when mitigating risks is the concept of segregation of duties. The main purpose of this is to avoid giving someone a combination of responsibilities that puts them in a position to commit fraud. For example, someone who prepares a listing of checks that are received should not be the person who also deposits these checks into the bank. As discussed earlier, technology is an important factor to consider in control activities. Therefore, the next principle is that the company “selects and develops general control activities over technology to support the achievement of objectives”.
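Segregation of duties is easiest to enforce when the conflicting duty pairs are written down and checked mechanically against the duties each person actually holds. The following is an added example, not code from the essay or from COSO; the employees, duties, and conflict pairs are constructed, with the check-listing / bank-deposit pair taken from the paragraph above. It covers both the detective check (who already holds a conflicting pair) and the preventive check (would granting a new duty create a conflict).

```python
"""Segregation-of-duties (SoD) conflict check.

Added example (not from the essay or the COSO framework). All names,
duties and conflict pairs below are constructed for illustration.
"""

# Duty pairs that must never be held by one person. The first pair is the
# example from the essay: preparing the check listing vs. depositing checks.
SOD_CONFLICTS = [
    ("prepare_check_listing", "deposit_checks"),
    ("create_vendor", "approve_vendor_payment"),
    ("post_journal_entry", "approve_journal_entry"),
]

# Constructed duty assignments, as an ERP role report might export them.
ASSIGNMENTS = {
    "alice": {"prepare_check_listing", "reconcile_bank"},
    "bob": {"deposit_checks", "prepare_check_listing"},
    "carol": {"create_vendor", "approve_vendor_payment", "post_journal_entry"},
    "dave": {"post_journal_entry"},
}


def find_sod_conflicts(assignments, conflicts=SOD_CONFLICTS):
    """Detective control: return {employee: [conflicting duty pairs held]}.

    Employees with no conflict are omitted from the result.
    """
    findings = {}
    for person, duties in assignments.items():
        hits = [pair for pair in conflicts if set(pair) <= duties]
        if hits:
            findings[person] = sorted(hits)
    return findings


def would_conflict(assignments, person, new_duty, conflicts=SOD_CONFLICTS):
    """Preventive control: duties already held by `person` that conflict
    with `new_duty`. An empty list means the grant is safe to approve."""
    held = assignments.get(person, set())
    blocking = []
    for a, b in conflicts:
        if new_duty == a and b in held:
            blocking.append(b)
        elif new_duty == b and a in held:
            blocking.append(a)
    return sorted(blocking)


if __name__ == "__main__":
    for person, pairs in find_sod_conflicts(ASSIGNMENTS).items():
        print(f"{person}: holds conflicting duties {pairs}")
    # Access request: may dave also approve journal entries?
    print("dave -> approve_journal_entry blocked by:",
          would_conflict(ASSIGNMENTS, "dave", "approve_journal_entry"))
```

Running the script reports bob (check listing plus deposits) and carol (vendor creation plus payment approval) as existing conflicts, and shows that granting dave journal-entry approval would be blocked by his existing posting duty. The same two functions can be run on a nightly export and on each access request respectively.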
The company needs to make sure that all of its internal technology is functioning well in order to meet its goals. This is especially important for automated controls. The technology infrastructure is what allows the company’s technology to function effectively. This includes things such as communication networks for linking technologies and maintaining technology with backup procedures. When it comes to mitigating risks, who has access to technology is something that should be considered. This is why part of this principle deals with the security management of technology.
This includes access to data. Only certain employees should have the rights to access certain systems of technology for a number of reasons. The most important is to avoid the chance of someone breaking into the system to commit fraud. Another reason the framework describes is an untrained employee using a system and committing an unintended error. The last principle of control activities deals with the policies and procedures that are put into place to meet objectives. As with the other principles, these policies and procedures should be constructed in a way to mitigate risks.
Some policies, as the framework explains, can be communicated orally. This applies to policies that are more established and well understood. Whether they are written or not, they should promote responsibility and accountability for all employees. The fourth component of internal control is Information and Communication. Communication and information work hand in hand. In order to support the internal control of all aspects of the company, obtaining quality information, both internal and external, is imperative. To obtain, provide, and share this information within the organization, proper communication is necessary.
External communication is also important, especially when it comes to financial reporting. For this component, there are three underlying principles. The first deals with the company generating or using relevant information. It should be of a quality that supports the functioning of internal control. In order to know what information is relevant, specific information requirements need to be identified by management. Each component of internal control will have a different requirement for the information that is necessary. Aside from the content of the information, the sources of information also need to be relevant.
Changes in the entity will also affect the requirements for the information that is needed. As with the component of control activities, changes have a great impact on an organization and its objectives. To meet its needs, management needs to re-evaluate its information requirements and the relevance of the information needed. For information to be as beneficial as possible, it should be of high quality. The framework describes different factors that affect quality, such as whether the information is: sufficient, timely, current, correct, accessible, predictable, verifiable, and retained.
The next two principles deal with communicating this information internally and externally. Finally, the last component of internal control is Monitoring Activities. This component is more evaluative in nature, and uses ongoing or separate evaluations to determine whether the different components of internal control are functioning properly. This last component has two final principles associated with it. The first principle deals with the development and implementation of these evaluations to make sure that the internal control components are functioning properly.
Ongoing evaluations are built into the business and occur on a routine basis, while separate evaluations happen more sporadically and depend on the judgment of management. Technology has allowed ongoing evaluations to operate more efficiently. If separate evaluations are happening too frequently, the company may need to reconsider how it performs its ongoing evaluations, since those happen on a regular basis and should be the primary way of monitoring the entity. The final principle of internal control deals with communicating any deficiencies in internal control to management and the board of directors.
This is crucial since any deficiencies will require corrective action, and the sooner they are communicated the faster these deficiencies can be resolved. The results of the ongoing and separate evaluations will disclose whether there is anything important that should be communicated. Things that will generally require this type of communication include deficiencies that will prevent the entity from achieving its objectives. While internal control weaknesses are undesirable, there have been many instances of them in companies over the years. The Sarbanes-Oxley Act holds companies to a higher standard than in the years preceding it. A case involving the Department of Homeland Security revealed control deficiencies in regard to its information systems. These weaknesses were uncovered by the Committee on Oversight and Government Reform. Its responsibility is to hold the government accountable for how it handles and spends money, and to inform the American public about its finances. The hearing transcript referenced below is available at http://oversight.house.gov/wp-content/uploads/2012/06/10-27-11-Subcommittee-on-Govt-Org-Hearing-Transcript.df
These deficiencies were described in a transcript of a hearing with the Committee. The transcript states, “In fiscal year 2010, KPMG identified 161 IT deficiencies, of which approximately 65 percent are repeated from fiscal year 2009. KPMG also noted that DHS’s financial systems had many functional limitations that affect the Department’s ability to implement and maintain internal controls”. This definitely presents a problem as to how DHS is handling the different components of its internal controls. A deficiency relating to security management was found by KPMG.
They “found scenarios where roles and responsibilities were not clearly defined and a lack of policies and procedures and compliance with existing policies”. The example that they used was that “procedures for IT-based specialized security training were not in place.” In regard to the component of control activities, this is definitely an issue. As stated earlier, the third principle of control activities states that there need to be policies and procedures in place in order to meet objectives. If these procedures aren’t being followed, that will consequently hinder the company from reaching its objectives.
The principle also states that the procedures should be designed in a way that mitigates risks. By not having a proper procedure for specialized security training, there is a potential risk that errors will be made by undertrained employees. These errors can, in turn, lead to misstatements. To avoid these misstatements, management needs to set a clear set of procedures that all employees must follow. As the monitoring component describes, there can be an ongoing evaluation of employee training and whether it is working. This will allow management to closely observe its training programs and their effectiveness.
This will also lead to an increased level of accountability, making sure that employees are completing all required trainings and that the required trainings are specifically laid out. In my experience at KPMG as an intern, we spent a whole week in training completing self-studies and training simulations. Every employee also had a compliance profile, which tracked our progress with trainings and ensured that we were all up to date on what we needed to do. Practices like this will lead to a lower level of potential errors by employees with a lack of expertise.
KPMG also found deficiencies in regard to DHS’s security management. Another principle of control activities deals with control activities over technology that help the company achieve its goals and mitigate risks. KPMG found “excessive potential for unauthorized access to key financial applications.” This included a lack of enforcement of strong passwords and some applications not being properly restricted. Unauthorized access to an application can lead an untrained worker to make an error if they are not properly trained to use it.
A control that can be put into place to prevent this would be, as the framework suggests, an authentication system where everyone gets a unique identification and is authenticated against an approved list. This way, only those users who are authorized will be able to access the application. An ongoing evaluation of access rights can also be put into place to make sure that any change in an employee’s status is reflected in their access rights. For example, if an employee leaves the company, there should be a control in place to ensure that they no longer have access to restricted applications.
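The two controls in the paragraph above, authorization against an approved list at login time and an ongoing review of access rights against HR status, can both be expressed as comparisons between three records: who HR says is employed, who is approved for the application, and who actually holds an account in it. The following is an added example, not code from the essay, from COSO, or from the DHS hearing; the HR roster, approved list and application accounts are constructed, and the status values and role names are assumptions.

```python
"""Approved-list authorization and periodic access review for a
restricted financial application.

Added example (not from the essay, COSO, or the DHS hearing). All
identifiers, statuses and roles below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed HR roster: unique employee id -> employment status.
HR_ROSTER = {
    "u1001": "active",
    "u1002": "active",
    "u1003": "terminated",   # left the company, access should be gone
    "u1004": "leave",        # on leave, should not be using the system
}

# Constructed approved list for the application: id -> approved role.
APPROVED = {
    "u1001": "ap_clerk",
    "u1002": "ap_approver",
    "u1003": "ap_clerk",     # stale: never removed after termination
}

# Constructed accounts actually present in the application: id -> role held.
ACTUAL = {
    "u1001": "ap_clerk",
    "u1002": "ap_admin",     # holds more than was approved
    "u1003": "ap_clerk",     # terminated employee still has access
    "u9999": "ap_clerk",     # unknown to HR and never approved
}


def is_authorized(user_id, role_required, roster=HR_ROSTER, approved=APPROVED):
    """Preventive control at login: the user must be an active employee
    AND appear on the approved list with the role the action requires.
    (Password/credential verification is assumed to happen separately.)"""
    return roster.get(user_id) == "active" and approved.get(user_id) == role_required


@dataclass
class AccessFindings:
    not_active_with_access: list = field(default_factory=list)  # HR says not active
    not_on_approved_list: list = field(default_factory=list)    # account never approved
    role_mismatch: list = field(default_factory=list)           # (user, approved, actual)
    stale_approvals: list = field(default_factory=list)         # approved but not active


def review_access(roster=HR_ROSTER, approved=APPROVED, actual=ACTUAL):
    """Detective control: reconcile application accounts against HR status
    and the approved list; every non-empty list is an exception to act on."""
    f = AccessFindings()
    for user_id, role in sorted(actual.items()):
        if roster.get(user_id) != "active":
            f.not_active_with_access.append(user_id)
        if user_id not in approved:
            f.not_on_approved_list.append(user_id)
        elif approved[user_id] != role:
            f.role_mismatch.append((user_id, approved[user_id], role))
    for user_id in sorted(approved):
        if roster.get(user_id) != "active":
            f.stale_approvals.append(user_id)
    return f


if __name__ == "__main__":
    print("u1001 may act as ap_clerk:", is_authorized("u1001", "ap_clerk"))
    print("u1003 may act as ap_clerk:", is_authorized("u1003", "ap_clerk"))
    findings = review_access()
    for name, items in vars(findings).items():
        if items:
            print(f"{name}: {items}")
```

The login check refuses the terminated employee u1003 even though the approved list was never cleaned up, because HR status is consulted as well. The review then surfaces exactly the conditions the paragraph describes: a terminated employee and an unknown id still holding accounts, an account whose role exceeds what was approved, and a stale entry on the approved list that should be removed. Reconciling all three records, rather than trusting any one of them, is what makes the ongoing evaluation useful.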