Internal controls are a set of policies and procedures that a company establishes and implements to ensure that its accounting procedures and financial reporting are accurate and ethical.
They help to maintain the reliability of accounting information, and they allow the business to comply with regulatory and reporting requirements.
Unlike financial controls, which apply broadly to a business's financial operations, internal controls are more narrowly focused.
Financial controls broadly refer to the policies and procedures that a business puts in place to help it manage its finances. They encompass different activities, and they span multiple functional areas within the business.
In contrast, internal controls apply more specifically to the generation of accounting information. They focus primarily on auditing and reporting functions.
Internal controls can be very different depending on the company, its size, operations, and the nature of its business. However, most internal controls contain some common fundamental features.
The control environment reflects the culture and philosophy of the company as it relates to controls. An emphasis on ethics, accountability, and integrity will shape the nature of a business's internal controls, how they are implemented, and their effectiveness.
Internal controls will include some element of risk assessment. These controls will include mechanisms to identify and analyze the factors that could interfere with the business's ability to achieve its financial objectives. The business will also develop and implement steps to minimize these risks.
Control activities are the specific actions that a business implements to fulfill its objectives as they relate to controls. These can include the approvals, guidelines, responsibilities, limits, and review procedures that help the business carry out its internal controls.
Two important elements of internal controls are information and communication. Goals and objectives must be clearly communicated, and the relevant accounting information must be generated.
A business must have protocols and systems in place to convey data and communicate within the appropriate accounting and finance channels consistently and accurately.
Lastly, internal controls must undergo regular monitoring. The protocols and procedures that are put in place must be reviewed and evaluated on a consistent basis over time to identify shortcomings and make needed adjustments.
Internal audits provide the necessary assurances that controls are maintained and running effectively.
Internal controls can be placed into several different categories.
Preventive & Detective Controls
Preventive controls are designed to identify and avoid issues before they happen. Detective controls help identify and correct irregularities that may have already occurred.
Hard & Soft Controls
Internal controls can also be differentiated between hard and soft. Hard controls are official and identifiable. They include policies, procedures, and protocols that are adopted and implemented by the company.
Soft controls are less identifiable or definable but just as important. They include philosophy, tone, and ethics practiced by the business.
Manual & Automated Controls
In the era of digital technology, internal controls can also be differentiated by how they are performed. Manual controls, like analysis and review, are performed by humans. In contrast, automated controls, like software-generated reports or reconciliations, are performed entirely by a computer.
Key & Secondary Controls
All controls are important, but not all are essential. Key controls are essential to the effectiveness of the business's internal controls. Secondary controls are less essential but still contribute to the overall functionality of internal controls.
Internal controls include a varied list of policies, procedures, and actions that help the business ensure the integrity of its accounting data.
Internal audits, staff training, segregation of duties, hierarchical review of data, communication protocols, management philosophy, and disciplinary actions are all examples of internal controls.
In 2002, the U.S. Congress passed H.R.3763, also known as the Sarbanes-Oxley Act (SOX), to implement reforms in the aftermath of several corporate finance scandals.
Among other things, SOX requires management and auditors to establish internal controls and reporting methods to ensure the adequacy of those controls. Since the passage of this law, internal controls have become a mandatory accounting function of all publicly traded companies and even some private companies.
SOX imposes severe criminal penalties on managers of companies that do not comply.
SOX compliance is not the only motivation for a company to adopt internal controls. Companies can benefit in many other ways.
Having a well-developed and executed set of internal controls ensures accuracy and reliability in accounting reports. It increases accountability and minimizes the incidence of fraud.
Similarly, internal controls help a business manage risk. Internal controls also help a business improve operational efficiency since effective communications and sound accounting data contribute to the overall functionality and performance of a business.