What are Internal Controls
Internal controls are the mechanisms, rules and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability and prevent fraud. Besides complying with laws and regulations, and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting.
BREAKING DOWN Internal Controls
Internal controls have become a key business function for every U.S. company since the accounting scandals in the early 2000s. In their wake, the Sarbanes-Oxley Act of 2002 was enacted to protect investors from fraudulent accounting activities and improve the accuracy and reliability of corporate disclosures. This has had a profound effect on corporate governance, by making managers responsible for financial reporting and creating an audit trail. Managers found guilty of not properly establishing and managing internal controls face serious criminal penalties.
Importance to Auditors
The auditor’s opinion that accompanies financial statements is based on an audit of the procedures and records used to produce them. As part of an audit, auditors test a company’s accounting processes and internal controls and provide an opinion as to their effectiveness.
No two systems of internal controls are identical, but many core philosophies regarding financial integrity and accounting practices have become standard management practice. While internal controls can be expensive, properly implemented internal controls can help streamline operations and increase operational efficiency, in addition to preventing fraud.
Preventative vs. Detective Controls
Internal controls are typically comprised of control activities such as authorization, documentation, reconciliation, security and the separation of duties. And they are broadly divided into preventative and detective activities.
Preventive control activities aim to deter the errors or fraud from happening in the first place, and include thorough documentation and authorization practices. And the separation of duties ensures that no single individual is in a position to authorize, record and be in custody of a financial transaction and the resulting asset. Authorization of invoices and verification of expenses are internal controls. In addition, preventative internal controls include limiting physical access to equipment, inventory, cash and other assets.
Detective controls are backup procedures that are designed to catch items or events that have been missed by the first line of defense. Here the most important activity is reconciliation, used to compare data sets, and corrective action is taken upon material differences. Other detective controls include external audits from accounting firms and internal audits of assets such as inventory.
Limitations of Internal Controls
Regardless of the policies and procedures established by an organization, only reasonable assurance may be provided that internal controls are effective and financial information is correct. The effectiveness of internal controls is limited by human judgment. A business will often give high-level personnel the ability to override internal controls for operational efficiency reasons, and internal controls can be circumvented through collusion.