INTERNAL CONTROL QUESTIONS TO DETERMINE APPROPRIATE CONTROL: What could go wrong?
What steps have been taken to ensure that something
does not go wrong?
How can you verify that nothing went wrong?
PREVENTIVE CONTROLS Preventive controls aim to decrease the chance of errors and fraud before they occur, and often revolve around the concept of separation of duties. From a quality standpoint, preventive controls are essential because they are proactive and focused on quality. Examples of preventive controls include: Separation of duties Pre-approval of actions and transactions (such as a Travel Authorization) Access controls (such as passwords and Gatorlink authentication) Physical control over assets (i.e. locks on doors or a safe for cash/checks) Employee screening and training (such as the PRO3 Series to increase employee knowledge) DETECTIVE CONTROLS Detective controls are designed to find errors or problems after the transaction has occurred. Detective controls are essential because they provide evidence that preventive controls are operating as intended, as well as offer an after-the-fact chance to detect irregularities. Examples of detective controls include: Monthly reconciliations of departmental transactions Review organizational performance (such as a budget-to-actual comparison to look for any unexpected differences) Physical inventories (such as a cash or inventory count) DETECTIVE CONTROLS Questions usually asked; What caused the event to occur? What process failed that allowed the event to occur? Is there a policy that can be implemented to keep the event from happening again in the future? Some examples of detective controls are internal audits, reviews, reconciliations, financial reporting, financial statements, and physical inventories. CORRECTIVE INTERNAL CONTROLS Corrective internal controls are typically those controls put in place after the detective internal controls discover a problem. These controls could include disciplinary action, reports filed, software patches or modifications, and new policies prohibiting practices such as employee tailgating. They are usually put into place after discovering the reasons why they occurred in the first place. Examples: Penalty system Contingency planning Disciplinary action New policies INTERNAL CONTROL EXAMPLES IN AUDITING AND ACCOUNTANCY SEPARATION OF DUTIES ACCOUNTING SYSTEM ACCESS CONTROL PHYSICAL AUDITS OF ASSETS STANDARDISED FINANCIAL DUCUMENTATION DAILY OR WEEKLY TRIAL BALANCES PERIODIC RECONCILIATIONS IN ACCOUNTING SYSTEMS APPROVAL AUTHORITY REQUIREMENTS BASIC INTERNAL CONTROL: Asset security Authorizations and Approvals Cash and Check Collections Documentation Monthly Reconciliation Payroll Separation of Duties Telecommunications BENEFITS OF INTERNAL CONTROL Prevents Fraud -One benefit of internal controls is a reduction in fraud opportunities. Error Prevention -Some internal controls are intended to spot potential errors before they happen. Error Spotting -No matter how hard you try, you won’t spot every potential error at your company, and mistakes will happen. Internal controls can help you detect errors early and address them before they get out of hand. Reduced Lawsuits and Insurance Claims -Having a company policies and procedures manual that lays out staff behavior restrictions can help you reduce the risk of lawsuits or costly insurance claims. RISKS OF WEAK INTERNAL CONTROL Erroneous Management Decisions - based on erroneous, inadequate or misleading information Fraud, Embezzlement and Theft - by management, employees, customers, vendors or the public-at-large Sanctions - penalties arising from failure to comply with regulatory requirements, as well as overt violations of the law Excessive Costs/Deficient Revenues - expenses which could have been avoided, as well as loss of revenues to which the organization is entitled Loss, Misuse or Destruction of Assets - unintentional loss of physical assets such as cash, inventory and equipment WHO DOES INTERNAL CONTROL? Internal control is the general responsibility of all members in an organization. However, the following three groups have specific responsibilities regarding the internal control structure.
Management holds ultimate responsibility for establishing and maintaining an effective
internal control structure. Through leadership and example, management demonstrates ethical behavior and integrity within the company. The board of directors provides guidance to management. Because board members have a working knowledge of the functions of the company, they help shield the company from managers who try to override some control procedures for dishonest purposes. Often, an efficient board that has access to the company’s internal auditors can discover such fraud. Auditors within the organization evaluate the effectiveness of the internal control structure and determine whether company policies and procedures are being followed. All employees are part of a communications network that enables an internal control structure to work effectively.