Internal controls are methods and procedures adopted by management to achieve its corporate objectives. Thus, the responsibility for ensuring adequate internal controls is part of management’s overall responsibility for the day-to-day operations of the organization. Internal controls techniques can be identified through review of processes, documentation such as policies and procedures, application system’s design, and so forth. Obviously, there will be several control techniques identified that will satisfy a given control objective. It is, therefore, important to concentrate only on that technique critical to the satisfaction of the control objective. Key controls can be defined as “those critical techniques that are acts to compensate, in the eventuality of a failure of every other control technique, for the absence or ineffectiveness of the other control techniques”.
Internal control systems are set up to help mitigate against risks, threats, and (include vulnerabilities of financial information system used) to the company. The purpose of internal control systems is to reasonably ensure that the following goals are achieved:
- Obligations and costs comply with applicable laws.
- All assets are safeguarded against waste, loss, unauthorized use, and misappropriation.
- Revenues and expenditures that apply to organization operations are recorded and properly accounted for, so that accounts and reliable financial and statistical reports may be prepared and an accounting of these assets may be maintained.
Control Objectives and Key Controls
In order to understand control objectives and key controls, it is important to know what a system of internal controls is. The AICPA Guidelines of Internal Control define it as:
The plan of organization and all the methods and procedures adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practical, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. The system of internal controls extends beyond those matters which relate directly to the functions of accounting system.
Control objectives are high-level statements of intent by the management to ensure that departmental programs designed to fulfill the organization’s strategic plans are carried out effectively and efficiently. These statements of intent embody the plan of organization and all the related systems established by management to safeguard assets, check the accuracy and reliability of financial data, promote operational efficiency and encourage adherence of prescribed management policies.
Control objectives can be defined as The Purpose For Having Internal Controls.
The organization’s internal control structure must meet several control objectives to prevent, detect and correct errors, omissions and irregularities in business transactions and processes, and to assure continuity of business operations. They are a link between the risks and internal controls.
Control objectives may differ, depending upon the type, scope, and purpose of the audit. There could be several internal control objectives for a given business risk, so that the risk is adequately addressed.
Some of the common internal control objectives that one should look for are:
- Transactions are properly authorized (Authorized).
- Transactions are recorded on a timely basis (Timeliness).
- Transactions are accurately processed (Accuracy).
- All existing transactions are recorded (Completeness).
- All recorded transactions are valid (Validity).
- Transactions are properly valued (Valuation).
- Transactions are properly classified and posted to proper accounts and subsidiary records (Classification).
- Transactions are properly summarized and reported (Reporting).
- Assets, including software programs, data, human resources, computer facilities, etc. are safeguarded against damage, theft, and so forth (Security).
- System and data integrity is maintained (Integrity).
- System availability is assured (Availability).
- System controllability and auditability is maintained (Controllability and Auditability).
- System maintainability is assured (Maintainability).
- System usability is assured (Usability).
- System economy and efficiency are maintained (Efficiency).
Each control objective is met by one or more control techniques. These techniques are the ways and means that management controls the operations, are varied in nature. If the key internal controls are not observed, there is the distinct possibility that the dependent control objective will not be satisfied. Control objectives are what we want to ensure and control techniques are how we are going to ensure it.
The minimum level of internal control is divided into the following two levels:
Level 1—General Standards
Reasonable assurance. Internal control systems are to provide reasonable assurance that the objectives of the systems will be accomplished.
Supportive attitude. Managers and employees maintain and demonstrate a positive and supportive attitude toward internal controls at all times.
Competent personnel. Managers and employees have personal and professional integrity and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.
Control objectives. Internal control objectives are identified or developed for each agency activity and are logical, applicable, and reasonably complete.
Control techniques. Internal control techniques are effective and efficient in accomplishing their internal control objectives.
Level 2—Specific Standards
Documentation. Internal control systems, all transactions and other significant events are clearly documented, and the documentation is readily available for examinations.
Recording of transactions and events. Transactions and other significant events are promptly recorded and properly classified.
Execution of transactions and events. Transactions and other significant events are authorized and executed only by persons acting within the scope of their authority.
Separation of duties. Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions are separated among individuals.
Supervision. Qualified and continuous supervision is provided to ensure that internal control objectives are achieved.
Access to and accountability for resources. Access to resources and records is limited to authorized individuals, and accountability for the custody and use of resources is assigned and maintained. Periodic comparison is made between the resources and the recorded accountability to determine whether the two agree. The frequency of the comparison is a function of the vulnerability of the asset.