Table of Contents |
Internal controls are systems to provide reasonable assurance of efficient operations, reliable financial statements, and compliance with laws.
Regarding internal controls, we need to comply with Sarbanes-Oxley. This law was enacted in 2002 and requires additional work and investigations surrounding the accuracy of financial reporting. It creates individual responsibility, forcing management to be individually responsible for the accuracy of their financial information.
This law was created to help prevent fraud and misconduct within the accounting industry.
Now that we've covered a brief background of internal controls, let's discuss the five key elements of internal controls.
The control environment is the policy and procedures of an organization. It's the mindset of management, or the structure management has put in place for that organization. Some might refer to it as the "tone at the top."
The control environment can be defined in the employee handbook as well as in the annual statement of an organization.
The next element is risk assessment. Risk assessment is a process for identifying, reviewing, and responding to business risks.
Business risks can be internal as well as external.
There are several ways to perform risk assessments, such as through internal audit, fraud analysis, as well as employee training. We can identify items through internal audits and fraud analyses. We can review the results of the audit of that analysis, and we can respond by performing additional employee training.
The third element is control activities. Control activities are the protection of assets and records, as well as client information.
Control activities also include proper documentation so that we have formal policies, and authorization procedures to regulate different authorizations for certain transactions.
The most important control activity is separation of duties.
EXAMPLE
One example is a bank reconciliation. The person preparing that bank reconciliation should not be the same person that makes the deposits or the same person that signs off on the review of that reconciliation. You would need to separate those duties among different people to help strengthen your controls.Another key element is information and communication systems, which is similar to control activities. Information and communication systems comprise procedures for the protection and security of our computerized systems.
Note, information and communication systems refers specifically to computerized systems. It is essentially all about the protection of our data--our sales data and customer data.
We as an organization could have very sensitive information about our customers, so we need to have certain controls and checkpoints for our information and communication systems to make sure that data is not compromised.
The final element is our monitoring processes. This includes auditing of our systems, including our security systems--in other words, we need to monitor our systems by auditing them.
However, we can't stop there. Once we perform that audit, then we have to analyze the results of that audit. Were there any weaknesses? What are the strong points of our systems?
Monitoring process also includes a review of transactions, such as monetary transactions, returns of merchandise, and non-monetary customer emails.
Essentially, this element involves checking if we're following our procedures, referring to those things that we put in our control environment and making sure we're operating within those policies and procedures.
We perform bank reconciliations to ensure that our financial systems match the bank balance. Essentially, it's to have control over our cash--because cash is very important to any business.
The elements of our internal control that a bank reconciliation involves are:
Source: Adapted from Sophia instructor Evan McLaughlin.
