There are many definitions of internal control; I give below one of them, retrieved from the Business Dictionary website.
“Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources, (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial and management information, and (6) ensure adherence to its policies and plans.”
Very often people think that internal controls (or failure thereof) are relevant only for financial statement reporting. While the main focus is on accounting and auditing certifications about the achievement of an organization’s objective through reliable financial reporting and compliance with laws, regulations and policies, the other areas of business operations are equally important and need to be addressed.
Whether you are a small business or a large organization or even a family-owned proprietorship concern, you cannot survive without basic internal controls over your operations. You need to have appropriate checks and balances in all your processes and clearly laid out procedures that can be monitored or are auditable.
Internal control is a key element in many statutes like the Sarbanes-Oxley Act, Foreign Corrupt Practices Act, Indian Companies Act, etc., and in some stock exchange listing agreements as well.
In the Indian Companies Act, the meaning of the term ‘internal financial controls’ is given only in an explanation to section 134(5)(e), which deals with directors’ reporting responsibilities. Even so, the said explanation lays down very wide responsibilities regarding internal financial control, which include both financial reporting controls and business controls. However, as per the Amendment to the principal Act, auditors’ responsibility for reporting on internal financial controls will be limited to financial statements. They will not be required to report on the business controls.
In today’s digital economy there is hardly any business that does not have financial processes that are automated through software solutions such as ERP, accounting software, etc. that have embedded internal controls.
However, this does not mean that one can rest assured that all internal controls are addressed and working effectively. Changes in internal control settings or design that go unnoticed may have far-reaching effects: on the accuracy of financial reporting, or in the form of information loss, damage to physical assets or other resources, or fraudulent activities.
Key points to note about Internal controls
Internal controls are not a one-time set-up activity. Of course, while setting up you need to have a robust design that addresses your business processes and compliance requirements.
The initial internal controls put in place need to be monitored periodically for their adequacy, because the dynamics of business may bring in new processes or even some changes in the way processes are handled.
Business transactions and operations should not suffer because of over-control, nor should they be impacted by a deficiency of control that exposes you to risks. You should strive to achieve a balance by checking the risk-control coverage.
Just because you have the best ERP or other software solution with pre-built controls does not mean that it is sacrosanct in design. Most software solutions offer many control configurations that are left to your discretion. You need to evaluate the control design to see whether it suits your unique business processes.
As businesses continue to evolve, the internal controls need to be continuously assessed and monitored for their adequacy, effectiveness and efficient operation. Employees or persons who have authorizations to perform business transactions or to set up the software may unknowingly change some controls without understanding the impact on your business.
You may have manual procedures or processes which are sometimes not supported by your system software – such as compliance with laws that require physical inspection, reporting and certification of documents, statutory filings, safety procedures in plants, storage locations, etc. These business controls are equally important and should form part of the overall list of controls.
Insiders / fraudsters or manipulators may take advantage of some weak internal controls to benefit themselves or their counterparts either through access to sensitive information or causing financial leakage that could go unnoticed for a long time.