People often think that internal controls are only for large multi national or multi million corporations….that is really not the case. Arguably the complexity will increase the bigger your organisation but it is never too small an entity to have in place adequate controls. But what is mean by Internal controls, taking the definition as set out in Investopedia it states that Internal Controls are “are the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. Besides complying with laws and regulations and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting“.
So whose responsibility is it to ensure the internal controls are working and in place, quite simply its managements responsibility. Taking it one step further it is important to be cognisant of the fact that internal controls are inextricably linked with financial reporting and if you are a US business and fall into the category where the 2002 Sarbanes Oxley Act applies to you, it is impetrative you understand how the provisions relate to your internal control environment. If you are unsure this great guide will prove invaluable assistance.
Internal controls are usually classified into three main categories:
- Preventative – meaning those which aim to prevent the loss of companies assets, be it monetary or otherwise. They are often perceived to be the most cost effective to implement. In its simplest form an example of a preventative control is a password on a employees computer or cctv camera in a warehouse.
- Detective – those time of controls seek out he breach, so detecting when a control breach has occurred. They can be very useful to show where a preventative control has broken day and may need to be tightened of done away with altogether. Some practical examples of detective controls would be for example week bank reconciliation or a weekly warehouse stock count.
- Corrective – this is the next logical step. When a detective control picks up a breach, the corrective control decides what happens next, ie how do we fix this going forward to prevent it happening again. An example of a corrective control would be a variance report or even simpler having adequate insurance in place in the event that stock did go missing from a warehouse.
It is of paramount importance not just to have the controls in place but to track and monitor them regularly and take corrective action as necessary. It can be a very daunting prospect but there are a huge volume of resources and organisations operating in this space who you could call on for assistance. As expensive as it might be it is still likely to less costly that a significant control breach occurring in your organisation. Many larger entities would have a full time staff member dedicated to this area conducting regular internal control audits. It is certainly something to keep in your mind.
Note: This is a collaborative post