BoardAndFraud

Internal Controls – A Process to Help Ensure Internal Controls are Designed Consistently and Appropriately

Developed by: Jonathan T. Marks with Robert Mainardi

Background

The concept of Internal Control appeared as a practice in the USA at the beginning of the 20th century, whereas in the economic literature began to be extensively approached after the ‘50s.

The internal control concept originated in 1949 from the American Institute of Certified Public Accountants (AICPA), with a plan to coordinate organizations’ activities to increase effectiveness in organizational operations (Lakis & Giriunas 2012). Internal controls denote the rules or standards by which the objectives of an organization are attained. Through compliance, to the set procedures, the organization ensures that employees implement these standards in an optimistic manner to accomplish the business maximize the competency of the organization (Flair 2017).

Hightower 2009 refers to internal controls as operational procedures and processes to establish efficiency and effectiveness of operations within an organization’s procedures and compliance with applicable laws. Providing an auditors view, Mihaela and lulian 2012 explain that internal controls and procedures form part of an organization’s control system and mention that internal control is not only for accounting purposes but also a system through which people interact with one another. Mihaela and Iulian 2012 stress the importance of an effective leadership plan for the long-term achievement of effective internal controls.

I have realized that many don’t understand what internal controls are or what they are supposed to do. For example, Recently, a twenty-year professional told me that internal control starts with a strong set of policies and procedures. That’s incorrect.  Internal control starts with a strong control environment based on a clear understanding of the business process objectives.  Here are some other inaccuracies –

It’s no secret the regulators continue to scrutinize compliance.  There are many deferred prosecution, non-prosecution, and enforcement releases that hammer companies for poor internal controls. The regulators don’t seem to realize that companies need a methodology to have properly designed internal controls; everyone consistently follows without exception. Many are treating the symptom and not the ROOT CAUSE!

Definition of Internal Control

An “internal control” is an action or a process of interlocking activities designed to support the policies and procedures detailing the specific preventive, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or the objective(s).

This, along with CHECKS AND BALANCES that could include continuous monitoring, continuous auditing, and training, reasonably assures:

Enemies of Internal Controls

Control Design Steps

BACKGROUND

Fraud, including financial reporting, misappropriation of assets, bribery
Poor or inappropriate accounting
Business interruption
Loss or destruction of assets
Incorrect management decisions
Statutory sanctions
Excessive or high costs
Competition
Recordkeeping

A variety of actions make up a process.  All may have a role in achieving the final result, but only a few are truly critical to the outcome; that is, their absence would make it difficult, if not impossible, to achieve the desired result.  These critical actions are referred to as key or critical controls.  This step focuses on identifying and documenting the key controls in a process.

PROCESS

VALIDATION

REPORTING

CONTROL CONSIDERATIONS

CONTROL CONTROL TYPE
APPROVAL PREVENTATIVE
CHECK or (RE)CALCULATE DETECTIVE/DIRECTIVE
DOCUMENT DETECTIVE/DIRECTIVE
MATCH OR COMPARE CORROBORATIVE/CORRECTIVE/DETECTIVE
MONITOR DETECTIVE/DIRECTIVE
OBSERVE PREVENTATIVE/DETECTIVE
REPORTING DETECTIVE
RESTRICT DIRECTIVE/PREVENTATIVE
SEGREGATE DIRECTIVE/PREVENTATIVE
SUPERVISE PREVENTATIVE
VERIFY DIRECTIVE/DETECTIVE

There are undoubtedly many other categories and examples of controls, all of which are necessary to achieve the desired result.  Control models (e.g., COSO, COCO, COBIT) have been developed to focus on the roles controls play in a business environment.  For further information, readers should consult these control frameworks as well as introductory auditing books.

Also, controls can be –

PROACTIVE

Proactive management actions and controls include prevention but go beyond it. Proactive management actions and controls should encourage desirable conditions, events, or outcomes and prevent undesirable errors or irregularities.

DETECTIVE

Detective management actions and controls determine progress toward objectives and identify the actual or potential occurrence of desirable and undesirable conduct, conditions, and events. These controls are the most common type of mitigating or compensating controls.

RESPONSIVE

Responsive management actions and controls do more than correct errors. They help the organization recover from undesirable conduct, events, and conditions; fix identified weaknesses; execute necessary discipline; recognize and reinforce desirable conduct and deter future undesired conduct or conditions.

Lastly, when designing a control, always consider the EcoSystem and your objective(s)!

Copyright 2021 Jonathan T. Marks

Closing

We hope you find this information useful. I don’t believe guidance like this exists anywhere, and that is why I embarked on developing something useful.

Thoughts and comments are always welcome and appreciated!

Best,

Jonathan T. Marks, CPA, CFF. CFE

Robert Mainardi 

Please follow and like us:
Skip to toolbar