Internal Controls

What are Internal Controls?

A system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the business entity achieves its objectives and goals. These policies and procedures are often called controls, and collectively they comprise the entity's internal control. Traditionally referred to as "hard controls," these include segregation of duties, limiting access to cash, management review and approval, and reconciliations. Other types of internal controls include "soft" controls such as management "tone at the top," performance evaluations, training programs, and maintaining established policies, procedures, and standards of conduct.

Internal control is a process, effected by an entity's board, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Several key points should be made about this definition:

  1. Internal control is a process.
    It's a means to an end, not an end in itself.
  2. Internal control is effected by people at every level of a department / agency.
    Internal control is, to some degree, everyone's responsibility. Within the County, management is primarily responsible for, and will be held accountable for, internal control in their departments/agencies.
  3. Internal control can provide only reasonable assurance -- not absolute assurance -- regarding the achievement of a department's/agency's objectives.
    Effective internal control helps a department/agency achieve its objectives; it does not ensure success. There are several reasons why internal control cannot provide absolute assurance that objectives will be achieved: cost/benefit realities, collusion among employees, and external events beyond a department's/agency's control.
  4. Effective internal control helps an organization achieve its operations, financial reporting, and compliance objectives.
    Effective internal control is a built-in part of the management process (i.e., plan, organize, direct, and control). Internal control keeps an organization on course toward its objectives and the achievement of its mission, and minimizes surprises along the way. Internal control promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure the reliability of financial reporting and compliance with laws and regulations.

Core Audit Activities - Internal Controls

The County of Orange Internal Audit Department (IAD) devotes 20% of its annual Audit Plan to performing reviews of "hard" internal controls, referred to as Internal Control Reviews (ICRs). Financial processes covered in the ICRs include cash receipting and disbursements, accounts receivable/accounts payable, trust and revolving funds, revenue and fee recovery, procurement, payroll and budgeting. The ICRs (performed Countywide based on an annual Risk Assessment) assist management in enhancing internal control processes and financial accountability.

Other core audit activities include:

  • Internal Control Review Follow-Ups. The Follow-Up review process is necessary to ensure that the audit recommendations resulting from the ICRs are implemented satisfactorily.
  • Cash Loss Reviews. At the request of the Auditor-Controller, IAD performs reviews of cash losses to provide an opinion on the adequacy of corrective actions taken by departments/agencies where the cash losses occurred.

Understanding Internal Controls

The Internal Audit Department uses a document called Understanding Internal Controls as a tool to provide an overview and guidelines to assist departments/agencies in achieving the County's objectives. It also gives all managers an additional reference tool to identify and assess basic weaknesses in operating controls, financial reporting, and legal/regulatory compliance, and to take action to strengthen controls where needed. Understanding Internal Controls is based upon the internal control guidelines as recommended by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

Auditing County Internal Controls Using a Standard Framework

Our audit role and services have been developed with the objective of providing balanced, uniform, and consistent coverage under the nationally recognized Committee of Sponsoring Organizations (COSO) control framework. This standardized framework provides definitions and responsibilities for internal controls.

Roles and Responsibilities of Internal Control

Management is responsible for establishing internal controls in their departments / agencies. This means that management is responsible for identifying the risks that could prevent them from achieving their business objectives, and making sure that appropriate internal controls (policies and procedures) are in place to mitigate those risks. Management is also responsible for ongoing monitoring of internal controls to make sure that controls are still working and whether risks have changed requiring new controls.

The internal control elements of the framework are depicted in the above diagram, and are described below:

  • Control Environment. The control environment sets the tone of the organization. The control environment includes the integrity, ethical values and competence of personnel; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the Board of Supervisors and executive management. The control environment is the foundation for the control elements higher in the pyramid.
  • Risk Assessment. Every County department faces a variety of risks from external and internal sources that must be assessed. Risk assessment is the identification and analysis of relevant risks to the achievement of business objectives, forming a basis for determining how the risks should be managed.
  • Control Activities. Control Activities are the policies and procedures that help ensure that necessary actions are taken to address the identified risks. They include a range of activities such as requiring supervisory approvals, reconciling bank accounts, safeguarding assets, and establishing audit trails.
  • Information and Communication. Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities.
  • Monitoring. Internal control systems need to be monitored to assess whether controls are still working and whether risks have changed requiring new controls. This is accomplished through ongoing management monitoring activities and can include external evaluations.
