Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations.
Under the COSO Internal Control-Integrated Framework, a widely used framework in not only the United States but around the world, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Controls have unique characteristics – for example, they can be: automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud.
It takes place with a combination of interrelated components – such as social environment effecting behavior of employees, information necessary in control, and policies and procedures.
In addition, there needs to be in place circumstances ensuring that the aforementioned procedures will be performed as intended: right attitudes, integrity and competence, and monitoring by managers.
Also, all personnel should be responsible for communicating upward problems in operations, non-compliance with the code of conduct, or other policy violations or illegal actions.
Each major entity in corporate governance has a particular role to play: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control.
More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment.
In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business.
A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.
The role and the responsibilities of the audit committee, in general terms, are to: (a) Discuss with management, internal and external auditors and major stakeholders the quality and adequacy of the organization's internal controls system and risk management process, and their effectiveness and outcomes, and meet regularly and privately with the Director of Internal Audit; (b) Review and discuss with management and the external auditors and approve the audited financial statements of the organization and make a recommendation regarding inclusion of those financial statements in any public filing.
Advances in technology and data analysis have led to the development of numerous tools which can automatically evaluate the effectiveness of internal controls.
Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it.
There are five such assertions forming the acronym, "PERCV," (pronounced, "perceive"): For example, a validity control objective might be: "Payments are made only for authorized products and services received."
A typical control procedure would be: "The payable system compares the purchase order, receiving record, and vendor invoice prior to authorizing payment."
This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level.
[8] The AICPA, IIA, and ACFE also sponsored a guide published during 2008 that includes a framework for helping organizations manage their fraud risk.
If the internal control system is thought of by executives as only a means of preventing fraud and complying with laws and regulations, an important opportunity may be missed.