Internal Control System
The professional risk management, internal audit and GRC community has given rise to the conception and publication of several systems of internal control, sometimes called internal control frameworks. Such publications are written guidelines and best practices. Their implementation is done in a largely manual manner by staff or professional service providers. They do not, however, include or specify any particular software tools.
Internal Control Systems
Among the internal control systems that have been published are: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Integrated Framework, Control Objectives for Information and Related Technology (COBIT), The Turnbull Guidance and Criteria of Control Board Guidance on Control (CoCo). These do not specify a qualitative or quantitative indication of how the organization’s internal performance affects its objectives, and the organizations that choose to adopt them adapt them to fit their own constraints and understanding.
A system of internal control is an important mechanism of correct and responsible management in all kinds of organization. In a small organization, it can lend itself to manual executive control alone but the more complex the organization and the more employees and processes it has, the more the system needs to contain functionality that can help the management ensure internal controls are in place and working as intended.
Importance of an Internal Control System
The result of such functionality will be increased chances that processes and procedures are operating as intended and risk is being kept at tolerable levels. Accountability and compliance with regulations follow this state of affairs, as do increased sustainability potential of the organization and a healthier working environment.
Key benefits of the internal control system include:
- Treatment of risk
- Achieving higher standards
- Compliance with laws and regulations
- Improved communication and procedures
To make internal control work as a system and to achieve the organization's objectives, we need a number of key components that interact in a way that advances those objectives.
Key Elements of an Internal Control System
Any internal control system will command a cost in resources, and to justify this cost there is a need for a higher objective, the achievement of which is advanced by the system. Such control objectives are varied in nature and will invariably be specific to each organization. Example control objectives include compliance with regulations, adherence to standards and improving quality. In some systems, reduction of risk might comprise a control objective in itself, while in others risks may exist as a separate layer.
Examples of control objectives
- Protect against financial loss following disaster
- Prevent fraudulent activity by employees
- Maintain high password security
- Ensure DR capability
Internal controls are distinctly different from internal control. Internal controls are the trees of the internal control system while internal control is the forest. The internal control system achieves internal control in the organization by putting in place internal controls.
Internal controls are mechanisms, rules, safeguards and processes whose purpose is to positively influence activity in the organization in such a way as to advance the control objectives and reduce risks to those objectives.
Internal controls are meant to help control various aspects of the organization's activity and provide reasonable assurance that this activity is in accordance with its control objectives. They add a degree of automatic management which otherwise would have to be done by managers manually. Internal controls can dictate modes of operation, affect behavior, enforce best practices and more.
Examples of internal controls
- Buy sufficient insurance cover
- Check out references for new employees
- Restrict times of working on the financial systems
- Force password changes every 6 months
- Do backups every day
In order that the internal control system may be evaluated, it must be monitored in some way. This monitoring will need to address 2 primary questions:
- Are the internal controls that were put in place actually being implemented?
- Are they effective as mechanisms to achieve control objectives?
Are the internal controls being implemented? This can expose a familiar failing in many risk management and internal control management systems. Resources are invested in identifying risks and control objectives and in formulating controls to mitigate or treat the risks. However, after verifying that the appropriate controls have been put in place, all too frequently, a system of continuous control monitoring is not maintained and well-intended controls are not actively upheld. This state of affairs is dangerous to the organization because risks that are considered as having been mitigated as a result of the controls in place might remain with an intolerably high probability or severity.
What is required therefore is control monitoring activity, whereby spot checks are made of the controls that should be in place. The findings of the observations will indicate the 'state of health' of the organization's internal controls.
It follows that an effective means of executing these spot checks would require some form of scheduling so the monitoring tasks can be planned and reminders issued in good time to those who will carry them out.
Is the control effective? This is perhaps more difficult to answer but can be assisted by implementing a related monitoring task whose purpose is to evaluate either objectively or subjectively any change that has taken place due to the control being in place. This too needs a control plan or schedule.
Both types of monitoring task referred to in the above 2 questions must involve an observation and the recording of the resulting findings. The integrity of the internal control system could be compromised at this point due to the subjectivity of the observation and the conclusions reached in assessing the findings. A structured approach is one way to address this and maintain high integrity and consistency across different control auditors.
One such structured approach might typically contain the following elements:
- A clear and understandable description of the required observation.
- A predefined set of possible findings.
- A predefined assessment of the effect each possible finding will have on the control objective.
A powerful additional benefit becomes possible when an effective and comprehensive system of internal control is put into place: procedure performance monitoring. This is a measure of how well various resources in the organization are following required policies and procedures.
The Internal Control System and Procedure Performance Monitoring
Resources can be human-based like departments and employees or object-based like buildings, forms and equipment.
Examples of monitoring performance
- How well safety procedures are being followed in a department.
- The degree to which data security mechanisms are being implemented in the organization.
- Worker participation in mandatory training activities.
- The conformity of purchase orders to company policy.
An internal control system of any kind is a tool that provides management with an enhanced level of management control and insight into how their organization is working. It gets the organization working according to the values and quality laid down by management. Furthermore, it is a way of implementing best working practices, responsibility and accountability, and of making these values an integral part of the corporate culture.
Internal Control System Summary
However, as a manual process based on written procedure, documents and spreadsheets, it is time-consuming and inefficient. In comparison, an internal control system implemented in software adds structure and automation to an otherwise theory-based concept. It adds the processes that faith and good intentions alone will be hard-pressed to meet, and therefore a computerized internal control system is an important and even essential tool in getting the organization's system of internal control working in an optimal way. Objective Controls is such a system.
Objective Controls is an internal control system implemented in software. It brings together objectives, risks and internal controls into the context of a management tool that will implement internal control, manage and treat risks and help the organization achieve its objectives. For more information, see Internal Controls Software.