Now more than ever, every business needs internal controls for operational efficiency. Internal controls are checks and balances to ensure that financial reports reflect accurate transaction records, and policies and procedures that ensure proper oversight and segregation of duties.
There are five components of internal controls as defined in the Committee of Sponsoring Organizations of the Treadway’s (COSO) Internal Control – Integrated Framework: control environment, risk assessment, information and communication, monitoring and control activities. This framework guides entities in the design, implementation and evaluation of their system of internal controls. It demonstrates that the system of internal controls is not just the individual activities that are performed on a regular basis, but the overall environment in which those control activities take place, including management’s attitude, the risks applicable to the business, and the flow of information throughout the organization. All of these factors inform the appropriate design of internal control activities, mitigate the greatest risks, and ensure the proper reporting of financial information.
The most important controls are key controls because they are steps within the process that address the risks of what could go wrong during transaction processing and financial statement preparation. Improperly designing or implementing a key control could materially affect any relevant assertions, as errors could go undetected. Small businesses might only have one key control to address the control objective – for instance, management’s oversight of the financial reporting system. For larger companies, key controls are combined with an indirect or complementary control that works with the key control, to meet its objective.
Depending on its objective and design, supervisory personnel could periodically perform a key control such as requiring two signatures for checks over a certain amount, bank reconciliations or a monthly reporting review. Some key controls are performed by an IT program such as programmed restriction access for users, programmed detection of edit routines, or unusual inputs and/or generation of unusual activity or error reports.
A top-down approach can determine how well the entity-level controls are designed and if they are properly implemented. If they are not, then the activity-level key controls will not be able to meet their objectives.
Testing controls provides more assurance than performing substantive testing alone. There are many ways to test key controls: a client inquiry, fieldwork observation, or inspecting reports or documents.
Key and complementary controls are different from processes. Processes are necessary steps to execute the transaction. Examples include preparing batch deposit slips and depositing checks, coding an invoice, mailing out checks and preparing reports. These processes ensure that the transaction is executed; however, the review and monitoring activities surrounding these processes are the key controls.
Distinguishing between entity- and activity-level controls, and key, complementary and process controls, helps to ensure the system properly captures financial information and guides the efficient assessment and testing of audit assertions.
About the Authors
Laura M. Crowley, CPA, is a director, and Regina C. Balagtas, CPA, is a supervisor, with Citrin Cooperman. They can be reached, respectively, at firstname.lastname@example.org and email@example.com.Related Articles: