|
Internal Controls and Audit
Services
A system of internal control consists of policies and
procedures designed to provide management with
reasonable assurance that the organization achieves its
objectives and goals. These policies and procedures are
often called controls, and collectively they comprise an
organization’s internal control. Traditionally referred
to as 'hard controls', these include segregation of
duties, limiting access to cash, management review and
approval, and reconciliations. Other types of internal
controls include 'soft controls' such as management 'tone at the top', performance evaluations, training
programs, and maintaining established policies,
procedures, and standards of conduct.
The auditing profession has widely accepted the
Committee of Sponsoring Organizations of the Treadway
Commission’s report titled The
Internal Control – Integrated Framework (COSO
Report) as a general definition of internal control.
The COSO Report defines internal control as a process,
affected by an entity’s board of directors, management,
and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the
following three categories:
-
Effectiveness and efficiency
of operations
-
Reliability of
financial reporting
-
Compliance
with applicable laws and regulations
Internal control consists of five interrelated
components:
-
Control Environment.
The organization’s tone; the foundation for all
other components of internal control.
-
Risk Assessment.
Management establishes activity-level objectives and
mechanisms for identifying and analyzing risk
related to their achievement.
-
Control Activities.
Policies and procedures that ensure management’s
directives are carried out and help ensure that
necessary actions are taken to minimize risks to
achievement of the entity’s objectives.
-
Information and Communication.
Information must be identified, captured, and
communicated in a form and time frame that enable
people to carry out their responsibilities.
-
Monitoring.
Assessing the quality of the system’s performance
over time. This is accomplished through ongoing
monitoring activities, separate evaluations or a
combination of the two.
Effective internal control helps an organization achieve
its operations, financial reporting, and compliance
objectives.
Effective internal control is a built-in part of the
management process (i.e., plan, organize, direct, and
control). Internal control keeps an organization on
course toward its objectives and the achievement of its
mission, and minimizes surprises along the way.
Internal control promotes effectiveness and efficiency
of operations, reduces the risk of asset loss, and helps
to ensure the reliability of financial reporting and
compliance with laws and regulations.
Roles and Responsibilities of Internal Control
State entity heads are accountable for activities
carried our in their agencies. This means that
management is responsible for identifying the risks that
could prevent them from achieving their objectives, and
making sure that appropriate internal controls (policies
and procedures) are in place to mitigate those risks.
Management is also responsible for ongoing monitoring
of internal controls to make sure that controls are
still working and whether risks have changed requiring
new controls
.
Management need to understand that:
-
Internal control is a process.
It’s a means to an end, not an end in itself.
-
Internal control is affected by people at every
level of the Department.
While state agency heads are accountable for
activities carried out in their organizations,
internal control is, to some degree, everyone's
responsibility.
-
Internal control can provide only reasonable
assurance -- not absolute assurance -- regarding the
achievement of the organisation’s objectives.
Effective internal control helps an organization
achieve its objectives; it does not ensure success.
There are several reasons why internal control
cannot provide absolute assurance that objectives
will be achieved: cost/benefit realities, collusion
among employees, and external events beyond a
department’s control.
|