The following internal control activities can be found in the workplace. All employees fit into the organizational picture of internal control, whether or not their job responsibilities are directly related to these example activities. Duties are divided among different employees to reduce the risk of error or inappropriate actions. For example, responsibilities for receiving cash or checks,
preparing the deposit, and reconciling the deposit should be separated. Transactions should be authorized and approved to help ensure the activity is consistent with departmental or institutional goals and objectives. For example, a department may have a policy that all purchase requisitions and invoice vouchers must be approved by the director. It is important that the person who approves transactions have the authority to do so and the necessary
knowledge to make informed decisions. Performance reviews of specific functions or activities may focus on compliance, financial, or operational issues. Reconciliation involves cross-checking transactions or records of activity to ensure that the information reported is accurate. For example, revenue and expense activity recorded on accounting reports should be reconciled or compared to supporting documents to ensure that the transactions are recorded in
the correct account and for the right amount. Segregation of Duties
Authorization and Approval
Reconciliation and Review
Physical Security
Equipment, inventories, cash, checks, and other assets should be physically secured and periodically counted and compared with amounts shown on control records. For example, the periodic confirmation of equipment by individual departments is a physical security control.
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a COSO Framework for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.
WHAT IS THE COSO FRAMEWORK?
The COSOmodel defines internal control as “a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives in the following categories:
- Operational Effectiveness and Efficiency
- Financial Reporting Reliability
- Applicable Laws and Regulations Compliance
In an effective internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives:
- Control Environment
- Exercise integrity and ethical values.
- Make a commitment to competence.
- Use the board of directors and audit committee.
- Facilitate management’s philosophy and operating style.
- Create organizational structure.
- Issue assignment of authority and responsibility.
- Utilize human resources policies and procedures.
- Risk Assessment
- Create companywide objectives.
- Incorporate process-level objectives.
- Perform risk identification and analysis.
- Manage change.
- Control Activities
- Follow policies and procedures.
- Improve security (application and network).
- Conduct application change management.
- Plan business continuity/backups.
- Perform outsourcing.
- Information and Communication
- Measure quality of information.
- Measure effectiveness of communication.
- Monitoring
- Perform ongoing monitoring.
- Conduct separate evaluations.
- Report deficiencies.
These components work to establish the foundation for sound internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels across the company. The entire system of internal control is monitored continuously, and problems are addressed timely.
KnowledgeLeader offers a number of resources on COSO, including the items listed below. Explore the website for additional knowledge on this topic.
Entity-Level Controls Risk Assessment Questionnaire
Entity-Level Controls Fraud Questionnaire
Entity-Level Controls Environment Questionnaire