Internal Control: A Tool For The Audit Committee
PURPOSE OF THIS TOOL: Internal control over financial reporting has always been a major
area in the governance of an organization, and this importance has been magnified in recent
years. This tool is intended to give audit committees basic information about internal control to
understand what it is, what it is not, how it can be used most effectively in the organization, and
the requirements of management with respect to the system of internal control over financial
reporting. Note that the primary responsibility of the audit committee with respect to internal
control is the system of internal control over financial reporting.
Internal control can be judged as effective in each of these categories if the board of directors and
management have reasonable assurance that:
1. They understand the extent to which the entity’s operations objectives are being achieved.
2. Published financial statements are being prepared reliably.
3. Applicable laws and regulations are being complied with.
1. Control environment. Sometimes referred to as the “tone at the top” of the organization,
meaning the integrity, ethical values, and competence of the entity’s people; management’s
philosophy and operating style; the way management assigns authority and responsibility and
organizes and develops its people; and the attention and direction provided by the board of
directors. It is the foundation for all other components of internal control, providing discipline
and structure.
2. Risk assessment. The identification and analysis of relevant risks to achieve the objectives that
form the basis to determine how risks should be managed. This component should address the
risks, both internal and external, that must be assessed. Before conducting a risk assessment,
objectives must be set and linked at different levels.
3. Control activities. Policies and procedures that help ensure that management directives are
carried out. Control activities occur throughout the organization at all levels in all functions. These
include activities such as approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets, and segregation of duties.
4. Information and communication. Addresses the need in the organization to identify, capture, and
communicate information to the right people to enable them to carry out their responsibilities.
Information systems within the organization are key to this element of internal control. Internal
information, as well as external events, activities, and conditions must be communicated to enable
management to make informed business decisions and for external reporting purposes.
5. Monitoring. The internal control system must be monitored by management and others in the
organization. This is the framework element that is associated with the internal audit function in
the organization, as well as other means of monitoring such as general management activities
and supervisory activities. It is important that internal control deficiencies be reported upstream,
and that serious deficiencies be reported to top management and the board of directors.
These five components are linked together, thus forming an integrated system that can react
dynamically to changing conditions. The internal control system is intertwined with the organization’s
operating activities, and is most effective when controls are built into the organization’s infrastructure,
becoming part of the very essence of the organization.
Key Terms in Internal Control
A few common internal control terms are described as follows:
Reportable condition. Has the same meaning as the term significant deficiency. These two terms are
used to define a significant deficiency in the design or operation of internal control that could
adversely affect a company’s ability to record, process, summarize, and report financial data
consistent with the assertions of management in the company’s financial statements. An aggregation
of significant deficiencies could constitute a material weakness.
Material weakness. Defined in the auditing literature as a reportable condition in which the design or
operation of one or more of the internal control components does not reduce to a relatively low level
the risk that misstatements caused by errors or fraud in amounts that would be material in relation to
the financial statements being audited may occur and not be detected within a timely period by
employees in the normal course of performing their assigned duties.
Compensating controls. Some organizations, by virtue of their size, are not able to implement basic
controls such as segregation of duties. In these cases, it is important that management institute
compensating controls to cover for the lack of a basic control, or if a basic control is not able to
function for some period of time.
Internal control is not an absolute assurance to management and the board about the organization’s
achievement of its objectives. It can only provide reasonable assurance, due to limitations inherent in
all internal control systems. For example, breakdowns in the internal control structure can occur due
to simple error or mistake, as well as faulty judgments that could be made at any level of
management. In addition, controls can be circumvented by collusion or by management override.
Finally, the design of the internal control system is a function of the resources available, meaning that
there must be a cost-benefit analysis in the design of the system.
Roles and Responsibilities
Everyone in the organization has some role to play in the organization’s internal control system.
Chief financial officer (CFO). Much of the internal control structure flows through the accounting
and finance area of the organization under the leadership of the CFO. In particular, controls over
financial reporting fall within the domain of the chief financial officer. The audit committee should
use interactions with the CFO, and others, as a basis for their comfort level on the internal control
over financial reporting.
This is not intended to suggest that the CFO must provide the audit committee with a level of
assurance regarding the system of internal control over financial reporting. Rather, through
interactions with the CFO and others, the audit committee should get a “gut feeling” about the
completeness, accuracy, validity, and maintenance of the system of internal control over financial
reporting.
Internal audit. A main role for the internal audit team is to evaluate the effectiveness of the internal
control system and contribute to its ongoing effectiveness. With the internal audit team reporting
directly to the audit committee of the board of directors and/or the most senior levels of
management, it is often this function that plays a significant role in monitoring the internal control
system. It is important to note that many not-for-profits are not large enough to employ an internal
audit team. Each organization should assess the need for this team, and employ one as
necessary.
Compensating Controls
It is important to realize that both the design of and compliance with the internal control system are
important. The audit committee should be “tuned-in” to the tone-at-the-top of the organization as a
first indicator of the functioning of the internal control system.
In addition, audit committees should realize that the system of internal control should be scaled to
the organization. Some organizations will be so small, for example, that they will not be able to
have appropriate segregation of duties. The message here is that the lack of segregation of duties
is not automatically a material weakness, or even a reportable condition, depending on the
compensating controls that are in place.
For example, suppose an organization’s accounting department is so small that it is not possible
to segregate duties between the person who does the accounts payable and the person who
reconciles the bank statements. In this case, it is one and the same person, so the implication is
that there are no checks and balances on the accounts payable person, who could be writing
checks to a personal account, then passing on them during the bank reconciliation process (that
is, there is no one to raise the red flag that personal checks are being written on the company
account).
Compensating controls could make up for this apparent breach in the internal control system.
Here are some examples of compensating controls in this situation:
1. All checks are hand signed by an officer of the company, rather than using a signature plate
that is in the control of the person that prepared the checks.
2. The bank reconciliation may be reviewed by the person’s manager.
3. A periodic report of all checks that are cleared at the bank could be prepared by the bank and
forwarded to an officer of the company for review.
Audit committees should be aware of situations like this and be prepared to ask questions and
evaluate the answers when an obvious breach in internal control is surfaced.
Management Override of Controls
Another area that an audit committee needs to focus on is the ability of management to override
internal controls over financial reporting to perpetrate a fraud. Examples of techniques used by
management in overriding internal controls over the financial reporting function include:
Some of these override techniques were used in some of the recent scandals and have gained
substantial notoriety.
An audit committee has the responsibility to help prevent or deter a management override of
controls. It is important for the audit committee to understand that there is a system to uncover an
override, as well as follow-up to determine its appropriateness. Questions about management
override, and the controls over management override, as well as audit steps to detect if a
management override has occurred, should be addressed to the CEO, CFO, and independent
auditor during the respective executive sessions with the audit committee as noted elsewhere in
this toolkit.
Conclusion
This tool was intended to provide a summary of what is meant by internal control. The concepts
are not complex, but sometimes the application of internal control can be a challenge in an
organization, depending on its size and culture. However, it is vitally important to design the
system of internal control to achieve the objectives of (1) effectiveness and efficiency of
operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and
regulations.
Simply stated, a strong system of internal control (both in its design and compliance) is good
business.