DEFINITION | MEANING OF INTERNAL CONTROLS
Internal controls in its broadest sense is the collection of policies, procedures, practices, conventions, norms and organizational structures which managers implement in order to reduce risks to a business model of an organization.
Internal controls are developed with the aim of providing management reasonable assurance that an organizations business objectives will be achieved while at the same time preventing risks, detecting risks, and taking corrective actions. Internal controls could either be a manual process, automated or a combination of manual and automated processes all aimed at reducing risks that may pose potential threat to the achievement of an organizational goal(s)/ objectives.
Internal controls cuts across all cadre of management and staff in an organization. This is to say that internal control function is not the exclusive right of any class of people in a business environment as all hands must be on deck to mitigate a company’s exposure to a situation whereby vulnerabilities are exploited thereby causing an entity not to achieve its objectives.
FORMS OF CONTROLS
There are three kinds of internal controls that a company can have in place. These are detective controls, corrective controls, and preventive controls.
The detective controls are those measures that are put in place by management as part of the management functions as regards safeguarding the assets of the company. Detective controls though useful are not the best controls that are typically desired by management. This type of control is there to alert management when things are going wrong. Without management taking any meaningful action, detective controls are useless, but what isn’t when not backed up by action?
Corrective controls are the sets of controls that are put in place by management to make right whatever might have gone wrong. Monitoring activities are classed under this kind of controls. Through the analysis of variances, management will have an idea of where things have not gone according plans. Budgetary control also helps in identifying deviations in plans. Having a reliable backup of data as part of business continuity plan is a very good example of corrective controls.
Preventive controls are the most robust and highly recommended type of controls that every management board are encouraged to promote as part of the overall corporate governance. Preventive controls are deeply incorporated into the strategic risk management of an enterprise. The adoption and implementation a control framework like ISACA’s COBIT5 is a best practice that has been recommended by all internal control and compliance experts.
OBJECTIVES OF INTERNAL CONTROLS
The broad objective of control is to ensure that assets of a company are safeguarded while at the same time working towards achieving the strategic goal of an organization. Internal control objectives are those sets of documents that contain the desired results of management that can be achieved by implementing control activities.
Internal controls objectives can apply to any area of business and to any kind of business. Decision makers relies three types of controls in order to ensure that preventive control which is the best form of controls is fully established and implemented.
TYPES OF CONTROLS
Operational controls: these are sets of laid down rules, principles, procedures, guidelines and ways of running the day-to-day activities of an organization. Controls that are put in place to ensure that employees do their work according to their job description are a good example of operational control in action.
Administrative controls: this type of controls revolves around the effective and efficient running of administrative works.
Accounting controls: the accounting controls are there to make sure that the accounting information system is working according to plan. The accounting controls are there to ensure the security of accounting systems, completeness of accounting data, and the validity of any input that goes into the AIS. Part of the job of an accountant is to participate in the design of effective accounting control system that will contribute toward achieving the objectives of an organization.
EXAMPLES OF CONTROL OBJECTIVES
The following are lists some examples of control objectives that managements strive for:
- Achievement of good change management process
- Accuracy and completeness of data
- Upholding positive and effective cash management
- Confidentiality of customers data
- Authorization and authentication of processes
- Safeguarding of both IT and non IT resources
- Achieving efficiency and effectiveness in implementing operations
- Promotion of reliability of processes
- Complying with corporate policies and legal requirements
- Achievement of high level of employees motivation
INTERNAL CONTROLS TOOLS
There are tools that aid management implement internal controls. One of such tool is internal control questionnaires. When used properly, questionnaires and other management accounting tools like the balanced scorecard can make a whole lot of difference in term of promoting sound business ethics. There are softwares that easily linked to cloud accounting platform and accounting software to enhance the internal control of a company.
COMMON INTERNAL CONTROL WEAKNESSES AND LOOPHOLES
The weakest link in any internal control is the human link. Irrespective of the strength and robustness of an internal control system, it will still amount to nothing if not well implemented. This presupposes the fact that the common internal control weakness is the employees.
Another common weakness of internal control is the lack of proper segregation of duty. Controls can easily be circumvented when there is no properly implemented segregation of duties. Internal control is nothing without good separation of duties.
Another weakness of internal control is the lack of positive organizational structure. There has to be an enabling control environment for results to be achieved. This makes it possible for top management to for example view the business case for certain improvement with unbiased and objective mind.
FIVE (5) ELEMENTS OF INTERNAL CONTROLS
The five elements of effective internal control as contained in COSO framework and other frameworks are discussed below:
Control environment: you cannot expect magic to happen as far as process implementation is concerned when those at the top do little or nothing to ensure that things are done rightly so as to achieve the strategic plan of the organization. The attitude of management on internal control maters is a major juice that ensures the success of a business. Management must be fully aware of the need to have functional, flexible and operation internal control. Board members that does not understand the importance asset register for instance will not bother having controls in place to ensure the implementation of asset register procedures
Scalable and flexible risk assessment: internal control will be vague and incomplete without properly integrating risk assessment into other business processes of a business. For example, management are inclined to accept only projects with low risk in comparison with other business opportunities ensuring that greater control is placed in areas with higher business risks.
Control activities: this is where management ensure that details of every process are made available to the staff members. Classification of controls into vital and non vital is important here.
Effective Information and communication channels: effective information communication channel is both the live blood and the medium of any meaningful internal control system you can ever have. Remove effective communication of information and watch all the efforts that have been put into building a sustainable investment crumble to the ground.
Robust monitoring: without effective monitoring, controls would become counterproductive. What is the point putting measures in place when they are not actually monitored to see if stipulated procedures are been followed. Managers would for example engage in suboptimal activities if their actions are not monitored against a carefully set standard.