Financial information, especially for medium-sized and large enterprises, contains valuable information which needs to be protected to avoid manipulation. Internal controls management assists in meeting this requirement. By managing key accounting, operational, financial and compliance risks through internal controls implementation, firms can reduce their exposure to risk and hence enable their management to efficiently run the business operations.
Internal controls are created based on organizational policies, procedures, practices and structure and they provide reasonable assurance that organizational objectives are achieved.
THE IMPORTANCE OF GOOD INTERNAL CONTROLS:
The main objective of Internal controls is to prevent, detect and correct undesired events within an organization. Internal controls define what should be achieved and what should be avoided within an organization.
We give you a detailed analysis of the need for and importance of Internal controls implementation in any organization
CLASSIFICATIONS and COMPONENTS of INTERNAL CONTROLS:
- Preventive Control: Preventive control prevent an error, omission, or malicious act from occurring. They predict potential problems before they occur and make the adjustments. Examples of preventive controls are Segregation of Duties, Approvals, Authorization and Verification.
- Detective Control: Detective control detects and reports an error, omission, or malicious act. Examples of detective controls are Review of Performance, Reconciliation, Physical Inventory and Audits.
- Corrective Control: Corrective control correct errors arising from a problem. Examples of corrective controls are Data Backups, Data Validity test, Management Variance reports, Training and Operations Manual.
In addition to the 3 categories of internal controls, there can be some other categories that need to be implemented during audits as mentioned below:
- Compensating Control: Compensating control compensate another control to minimize risk. Examples of compensating controls are maintaining and reviewing logs and audit trails where Segregation of Duties is not maintained.
- Deterrent Control: Deterrent controls attempts to discourage someone from taking an action. Examples of deterrent controls are lock, barricades, security guard and encryption.
- Overlapping Control: Overlapping controls are two strong controls where either control might be enough to check access, but the two complement each other. Example of overlapping controls is a Datacentre employs a card key system to control physical access and the security guard inside the door requires employees to show their identity card or key.
- Directive Control: Directive controls ensure that a desirable outcome is achieved. Example of directive controls are organizational policies, procedures, and guidelines.
Control objectives provide requirements to be considered by management to address risks that controls are designed to mitigate.
A control measure is defined as an activity contributing to the fulfilment of a control objective.
General controls apply to several areas within an organization as mentioned below:
- Internal accounting controls
- Operational controls
- Administrative controls
- Organizational security policies and procedures to confirm correct usage of assets
- Controls that facilitate to confirm correct recording of transactions— transactional audit path
- Procedures and practices to confirm adequate safeguards over access to and use of assets and facilities
- Physical and logical security policies for all, Datacentres, and IT resources
INFORMATION SYSTEM SPECIFIC CONTROLS
Information System specific control includes the following:
- Strategy and direction of the IT domain
- General organization and management of the IT domain
- Access management of all IT resources
- Application programming, development methodologies and technical support functions
- Change Management domain
- Operations procedures
- Physical access controls
- Business Continuity Management in event of a disaster
- Network management
- Database administration
- Protection and detective mechanisms against threats and vulnerabilities within an organization
EFFECTIVE INTERNAL CONTROLS AND RISK MANAGEMENT IMPLEMENTATION
Step 1: Establish an Appropriate Control Environment
The nucleus of any organization are its people and their individual attributes like integrity, ethics, and skill. They lay the foundation for an appropriate control environment within an organization.
Step 2: Internal Controls and Risk Assessment
Management should identify, analyse, and evaluate risks within an organization and ensure that measures, processes, and controls are considered reduce the impact of these risks to business function.
Step 3: Implement Control Activities
Control activities should be deployed in accordance with organizational policies and procedures that can mitigate risks within an organization. Then controls should be developed that can help in mitigating those organizational risks.
Step 4: Communicate Information
Control activities are encircled by information and communication systems, and they help to obtain and share the information needed to conduct, monitor, and control an organization. Information should be provided to the right people timely and in detail so that they carry out their responsibilities competently.
Step 5: Monitor
All controls should be monitored on regular basis and modified if necessary. An organization can take help of Auditors and reviewers in monitoring controls. Periodic review of internal control should be performed to ensure controls are operating in accordance defined risk control matrix, and compliance of internal processes. All documentation obtained for selected samples should be reviewed and followed up to ensure that any identified problems are corrected.
BENEFITS OF INTERNAL CONTROLS IMPLEMENTATION
Some of the benefits of an effective internal controls implementation are:
- Help protect assets within an organization by reducing the possibility of fraud
- Enhance operational efficiency within an organization
- Enhance financial reliability and integrity within an organization
- Ensure legal and statutory compliance with laws and regulations within an organization
A successful approach to implementing internal controls management should encompass defining the right outcomes for the organization, ensuring appropriate governance; and incorporating internal controls considerations into any new activities. Understanding this approach is vital to the success of IT transformation efforts, including those that are globally distributed.
Jade Global’s Managed Services experts help implement internal controls, not just as tools to limit downside risks, but open new opportunities through this internal controls management implementation and Internal Control Advisory Services. You can manage up-side opportunities for your organization, enabling the business to take advantage of emerging growth opportunities through innovation or re-engineering of internal functions, and helping businesses embark on their transformation journey.