What Are Internal Controls

Internal controls are essential accounting and auditing processes that ensure the integrity of financial reporting and regulatory compliance, helping to prevent fraud and improve operational efficiency. The Sarbanes-Oxley Act of 2002 established legal responsibilities for managers regarding the accuracy of financial statements and highlighted the importance of internal audits. Internal controls can be categorized into preventative and detective activities, with a focus on creating accountability and minimizing risks within an organization.

Uploaded by

Janette Evale
What Are Internal Controls?

Internal controls are accounting and auditing processes used in a company's
finance department that ensure the integrity of financial reporting and
regulatory compliance.

Internal controls help companies to comply with laws and regulations, and
prevent fraud. They also can help improve operational efficiency by ensuring
that budgets are adhered to, policies are followed, capital shortages are
identified, and accurate reports are generated for leadership.

KEY TAKEAWAYS

• Internal controls are the mechanisms, rules, and procedures
  implemented by a company to ensure the integrity of financial and
  accounting information, promote accountability and prevent fraud.
• Internal controls aid companies in complying with laws and regulations,
  and preventing employees from stealing assets or committing fraud.
• They also can help improve operational efficiency by improving the
  accuracy and timeliness of financial reporting.
• Internal audits play a critical role in a company’s internal controls
  and corporate governance.
• The Sarbanes-Oxley Act of 2002 made managers legally responsible
  for the accuracy of their companies' financial statements.[1]
Understanding Internal Controls


Internal controls have become a key business function for every U.S.
company since the accounting scandals of the early 2000s. In the wake of
such corporate misconduct, the Sarbanes-Oxley Act of 2002 was enacted to
protect investors from fraudulent accounting activities and to improve the
accuracy and reliability of corporate disclosures.

This had a profound effect on corporate governance. The legislation made
managers responsible for financial reporting and creating an audit
trail. Managers found guilty of not properly establishing and managing
internal controls face serious criminal penalties.[1]

The auditor’s opinion that accompanies financial statements is based on an
audit of the procedures and records used to produce them. As part of an
audit, external auditors will test a company’s accounting processes and
internal controls and provide an opinion as to their effectiveness.

Importance of Internal Controls


Internal audits evaluate a company’s internal controls, including its corporate
governance and accounting processes. These internal controls can ensure
compliance with laws and regulations as well as accurate and timely financial
reporting and data collection. They help to maintain operational efficiency by
identifying problems and correcting lapses before they are discovered in an
external audit.

Internal audits play a critical role in a company’s operations and corporate
governance, now that the Sarbanes-Oxley Act of 2002 has made managers
legally responsible for the accuracy of its financial statements.[1]

No two systems of internal controls are identical, but many core philosophies
regarding financial integrity and accounting practices have become standard
management practices. While they can be expensive, properly implemented
internal controls can help streamline operations and increase operational
efficiency, in addition to preventing fraud.

The U.S. Congress passed the Sarbanes-Oxley Act of 2002 to protect
investors from the possibility of fraudulent accounting activities by
corporations. The Act mandated strict reforms to improve financial
disclosures from corporations and prevent accounting fraud.[2]

Components of Internal Controls


A company's internal controls system should include the following
components:

• Control environment: A control environment establishes for all
  employees the importance of integrity and a commitment to revealing
  and rooting out improprieties, including fraud. A board of directors and
  management create this environment and lead by example.
  Management must put into place the internal systems and personnel to
  facilitate the goals of internal controls.
• Risk Assessment: A company must regularly assess and identify the
  potential for, or existence of, risk or loss. Based on the findings of such
  assessments, added focus and levels of control might be implemented
  to ensure the containment of risk or to watch for risk in related areas.
• Monitor: A company must monitor its system of internal controls for
  ongoing viability. By doing so, it can ensure, whether through system
  updates, adding employees, or necessary employee training, the
  continued ability of internal controls to function as needed.
• Information/Communication: Solid information and consistent
  communication are important on two fronts. First, clarity of purpose and
  roles can set the stage for successful internal controls. Second,
  facilitating the understanding of and commitment to steps to take can
  help employees do their job most effectively.
• Control Activities: These pertain to the processes, policies, and other
  courses of action that maintain the integrity of internal controls and
  regulatory compliance. They involve preventative and detective
  activities.

Preventative vs. Detective Controls


Internal controls are typically comprised of control activities such as
authorization, documentation, reconciliation, security, and the separation of
duties. They are broadly divided into preventative and detective activities.

Preventative control activities aim to deter errors or fraud from happening in
the first place and include thorough documentation and authorization
practices. Separation of duties, a key part of this process, ensures that no
single individual is in a position to authorize, record, and be in the custody of
a financial transaction and the resulting asset. Authorization of invoices and
verification of expenses are internal controls.

In addition, preventative internal controls include limiting physical access to
equipment, inventory, cash, and other assets.

Detective controls are backup procedures that are designed to catch items or
events that have been missed by the first line of defense. Here, the most
important activity is reconciliation, which is used to compare data sets.
Corrective action is taken upon finding material differences. Other detective
controls include external audits from accounting firms and internal audits of
assets such as inventory.

Limitations of Internal Controls

Regardless of the policies and procedures established by an organization,
internal controls can only provide reasonable assurance that a company's
financial information is correct.

The effectiveness of internal controls can be limited by human judgment. For
example, a business may give high-level personnel the ability to override
internal controls for operational efficiency reasons.

What's more, internal controls can be circumvented through collusion, where
employees whose work activities are normally separated by internal controls
work together in secret to conceal fraud or other misconduct.

Auditing techniques and control methods from England migrated to the
United States during the Industrial Revolution. In the 20th century, auditors'
reporting practices and testing methods were standardized.

Why Are Internal Controls Important?


Internal controls are the mechanisms, rules, and procedures implemented by
a company to ensure the integrity of financial and accounting information,
promote accountability, and prevent fraud. Besides complying with laws and
regulations and preventing employees from stealing assets or committing
fraud, internal controls can help improve operational efficiency by improving
the accuracy and timeliness of financial reporting.

The Sarbanes-Oxley Act of 2002, enacted in the wake of the accounting
scandals in the early 2000s, seeks to protect investors from fraudulent
accounting activities and improve the accuracy and reliability of corporate
disclosures.[3]

What Are the 2 Types of Internal Controls?


Internal controls are broadly divided into preventative and detective activities.
Preventative control activities aim to deter errors or fraud from happening in the first place and
include thorough documentation and authorization practices. Detective controls are backup
procedures that are designed to catch items or events that have been missed by the first line of
defense.

What Are Some Preventative Internal Controls?


Separation of duties, a key part of the preventative internal control process, ensures that no single
individual is in a position to authorize, record, and be in the custody of a financial transaction
and the resulting asset. Authorization of invoices, verification of expenses, limiting physical
access to equipment, inventory, cash, and other assets are examples of preventative internal
controls.

What Are Detective Internal Controls?


Detective internal controls attempt to find problems within a company's processes once they
have occurred. They may be employed in accordance with many different goals, such as quality
control, fraud prevention, and legal compliance. Here, the most important activity is
reconciliation, which compares data sets. Other detective controls include internal and external
audits.

The Bottom Line


Internal controls are vital to ensuring the integrity of companies' operations and the
trustworthiness of the financial information they report. The Sarbanes-Oxley Act of 2002 spurred
internal controls in the aftermath of such scandals as those involving Enron and WorldCom to
protect investors from corporate accounting fraud.

The success of internal controls can be limited by personnel who cut control activity corners for
the sake of operational efficiency and by those employees who work together to conceal fraud.

What Are the 4 Different Types of Controls?


When performing an audit, auditors will look to see that they can gain
assurance over a process by focusing on four main types of internal controls.
These types of controls consist of the following:

• Manual Controls
• IT Dependent Manual Controls
• Application Controls
• IT General Controls

The four types of internal controls mentioned above are key as they are
pervasive (or at least should be) in the processes that support the systems
and services provided by service organizations to their user organizations (i.e.
clients and customers).

What Are Internal Control Definitions & Examples?

What Are Manual Controls?

Manual controls are performed by individuals outside of a system.

What Are Some Examples of Manual Controls?


Examples of manual controls could be a supervisor review and sign-off of a
document, bank reconciliation, or having an employee sign a privacy policy
acknowledgment. Another example of a manual control could be the manual
application (or matching) of cash received in an organization’s lockbox bank
account against a client’s open accounts receivable (A/R) balance. In many
organizations, these controls are done manually, hence the term manual
controls.

Since the operation of these controls depends on a human, it is key that these
process points have owners. When manual controls are not owned by key
personnel within the organization, they often will not operate consistently. This
generally poses an issue because to properly test manual controls, a sample
of transactions is chosen to confirm that the control has operated for a defined
period of time. If the control did not operate consistently, a deviation or
exception will be noted within the audit report.

What Are IT-Dependent Manual Controls?

IT Dependent Manual Controls are similar to manual controls as they rely on a
manual process from personnel but differ as a portion of the control requires
some level of system involvement.

What Are Some Examples of IT-Dependent Manual Controls?


A system-generated report lists users that have not accessed (e.g., logged
into a system) a particular system within the past 90 days. The internal control
may require an administrator to review such reports and disable certain users
whose accounts have not been accessed within the defined 90 days, as a
result.

The IT-dependent portion of this control is the system-generated report. The
manual portion of this control is the administrator review of the report and
disabling certain users as a result.

Much like manual controls, IT-dependent manual controls should have a
process owner. This will facilitate the consistent operation of these controls
and avoid any exceptions being noted within an audit report.
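
The IT-dependent half of the control described above, as an added example that is not part of the original document: a script that builds the 90-day inactive-user report an administrator would then review. The export columns, account names and dates are constructed for illustration and do not come from any real system.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (hypothetical columns), not data from any real system.
SAMPLE_EXPORT = """username,created,last_login,enabled
alice,2023-01-10T09:00:00+00:00,2024-05-28T08:12:00+00:00,true
bob,2022-11-02T09:00:00+00:00,2024-01-15T17:40:00+00:00,true
carol,2024-05-20T09:00:00+00:00,,true
dave,2023-06-01T09:00:00+00:00,,true
erin,2021-03-03T09:00:00+00:00,2023-09-09T10:00:00+00:00,false
frank,2023-02-01T09:00:00+00:00,2024-03-03T00:00:00+00:00,true
"""

INACTIVITY_DAYS = 90  # threshold stated in the control


def stale_accounts(export_text, as_of, days=INACTIVITY_DAYS):
    """Return report rows for enabled accounts with no login in the last `days` days."""
    cutoff = as_of - timedelta(days=days)
    report = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing left for the reviewer to action
        never_used = not row["last_login"]
        # A never-used account is aged from its creation date, so a new hire who
        # has not logged in yet is not flagged but an old unused account is.
        stamp = row["created"] if never_used else row["last_login"]
        reference = datetime.fromisoformat(stamp)
        if reference < cutoff:  # activity exactly on the cutoff counts as recent
            report.append({
                "username": row["username"],
                "reason": "never logged in" if never_used else "inactive",
                "days_idle": (as_of - reference).days,
            })
    # Longest-idle first so the reviewer sees the oldest dormant accounts at the top.
    return sorted(report, key=lambda r: r["days_idle"], reverse=True)


def render_report(rows, as_of, days=INACTIVITY_DAYS):
    """Format the report with its run date and threshold, which serve as audit evidence."""
    lines = [f"Inactive account report as of {as_of.date()} (threshold {days} days)"]
    lines += [f"{r['username']:<10}{r['reason']:<18}{r['days_idle']} days" for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    run_date = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(render_report(stale_accounts(SAMPLE_EXPORT, run_date), run_date))
```

The script covers only the system-generated report; the review and the decision to disable each listed account remain the manual portion of the control.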

What Are Application Controls?

There are many different forms of application controls. Virtually any
configuration setting in a system that can be used to prevent or detect
problems might be classified as a type of application control.

What Are Some Examples of Application Controls?


Google G-Suite and Microsoft’s Office 365 can be configured to require
two-factor authentication (e.g., 2FA, MFA) in order for users to log in and access
system resources and data. Enabling 2FA helps prevent unauthorized users
from logging in to the system.

Another example is if the system is configured to lock out a user that enters
an incorrect password after three attempts, it has an application control that
detects problems possibly associated with unauthorized access attempts.

A third example could be that the system is configured to automatically
download and apply security patches or updates to software (this would have
likely helped prevent the Equifax hack).

Application controls, which are also known as automated controls, have a few
benefits. One benefit is that because the control is the result of a
configuration, it generally does not rely on an individual to operate consistently.
That being said, it is always a good idea to periodically check to confirm that
the configuration has not been disabled for any reason or the configuration
has not been modified.

In the event that a configuration has been modified or is no longer enabled,
this can result in an exception within the report. Another benefit of having
application or automated controls is that there is generally only a sample of
one versus many since it is based upon a system configuration. This creates
efficiency in the process and saves time during an audit.

What Are IT General Controls?

This type of control is usually the focal point of most Systems and
Organization Controls (SOC) audits. IT general controls are comprised of
policy management, logical access, change management, and physical
security.

What Are Some Examples of IT General Controls?


User access administration controls are used so that the right people have the
right access to system resources (i.e., right people & right access). These
processes and the controls supporting these processes are IT general
controls.

Another example could be the organization’s change management
process, which tracks and documents that changes are authorized, tested,
approved, and implemented into production. Moreover, it helps an organization gain
assurance that changes happen in an environment where there is proper
segregation of duties.

IT General Controls can be a combination of manual and application controls.
As such, the type of sampling to test these controls varies by control type.

Preventative & Detective Controls


In addition to the types of controls named, internal controls are either
preventative or detective in nature (note: sometimes corrective is added;
however, it really should be considered part of detective, as in detective and
corrective).

All other things being equal, preventative controls are generally superior
to detective controls. The reason is this: it is usually easier and more
cost-effective to correct a situation before a problem occurs than to correct a
problem after detection. Those implementing internal controls into their
environment will be well served by implementing a combination of
preventative and detective controls with a greater focus on the former.

What Is the Purpose of Internal Controls?


The purpose of internal controls is to create touchpoints within a process that
can be evidenced and reviewed and ultimately create accountability while also
lowering the risk of fraud, waste, abuse, and simple mistakes.

Internal controls are generally set up by management or the Board of
Directors. They set up internal controls to gain assurance that the objectives
of an organization can be achieved. This can be to meet internal milestones or
even external requirements such as an audit or industry standards.

Finally, internal controls allow for a company to form metrics around the
efficiency and effectiveness of a process. During the review of internal
controls, it can become obvious that a process is working as expected or at
times the operating effectiveness of controls can prove to have failures. This
allows management to determine if a different process is required to better
meet company objectives.

What are Control Weaknesses?


A control weakness can fall into one of two categories. There is either a
weakness in the design of a control or in its operating effectiveness. When
there is a control weakness in the design of a control, that means that it was
not in place, and as a result, a control failure occurred. For example, if there is
a requirement for monthly patching but there is no control in place to validate
that it occurs, the risk that patching does not occur and that a vulnerability can
be exploited is increased. This is considered a control weakness specific to
the design of a control.

The other type of control weakness is a deficiency in the operating
effectiveness of a control. In this scenario, a process exists but due to a
system error or personnel failure, the control does not operate as expected.
Let’s go back to the server example. Let’s say that the organization has a
process in which the system administrator is supposed to manually apply
patches each month. However, due to turnover, patching does not occur for a
number of months. The months that the server was not patched are considered
a control weakness, specific to the operating effectiveness.

How Do You Strengthen Internal Controls?


The best way to strengthen internal controls is by completing a review of the
current controls in place and performing a limited amount of testing to
determine whether required controls operated as expected. If during the
review it is determined that controls are not always operating consistently,
then remediation steps should be documented and implemented.

Additional testing for controls that are deficient should be re-evaluated within a
few months to determine whether required implementation steps occurred.

A more formalized approach to strengthening internal controls can also be
done by having a third party come in to perform a review of controls and
provide input on whether a process could be updated to strengthen controls.
