© 2023 E.N. Picache, CPA and Associates I All Rights Reserved
© 2023 E.N. Picache, CPA and Associates I All Rights Reserved
As a Business Owner, CEO, COO, CFO, Senior Executive or Director and the rest, if you want comfort that there is no wastage being incurred in your business operations. If you want to be assured that when you look at the balances in your books, they are correct. If you want to be able to sleep at night, knowing in confidence that no letter would arrive in the mail alleging that your company violated laws and regulations; then you are yearning for internal control.
WHAT AND WHY INTERNAL CONTROL?
The Philippine Standards on Auditing (PSA) defines internal control as the process designed and effected by those charged with governance and management to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.
This is also the definition provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), an organization involved, among others, in the development of frameworks and guidance on internal control and fraud deterrence. Let it be emphasized that the Philippines complies with global standards on internal control.
So, based on the definition, internal control: (i) is something that takes place on a continuing basis (i.e., a process); (ii) is from top down, with those in charge of governance (i.e., Owners, Board of Directors and elected officials) setting the tone; and (iii) provides comfort that everything is working properly as designed to further an entity’s endeavors.
WHO IS RESPONSIBLE FOR INTERNAL CONTROL?
Everyone in the organization has responsibility for internal controls: management, board of directors, internal auditors, and other personnel.
The Chief Executive Officer (CEO) is ultimately responsible and should assume ownership of the internal control system, providing leadership and direction to senior managers.
The board of directors provides governance, guidance, and oversight. A strong, active board is best able to identify and correct management attempts to override controls or ignore or stifle communications from subordinates.
Also of particular significance in internal control are financial officers and their staff. Internal control should be an explicit and implicit part of everyone’s job description.
Driven by new business regulations, standards, as well investor expectations, internal control at now in the forefront of each and every audit and ought to be the concern of regulators, accountants, and management.
Add to this, internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002 as well as that of the UK Bribery Act of 2010. Indeed, based on the foregoing, internal control is a big concern for government and businesses alike.
At present (year 2013), the world is still being shaped by regulations that can either make or break us. Observing good internal control in our businesses, our nations and even our personal lives is very much a critical matter.
THINGS TO CONSIDER ON INTERNAL CONTROL IN BUSINESS
There are five things to consider about internal control:
Control environment – This is the work atmosphere that an organization establishes for its employees, with the overall tone set from the top. This primarily pertains to a tone of honesty and integrity, with the most important element being the example set by the directors and officers of the corporation. For instance, if management overstates revenues, employees might be encouraged to do shady deals, overstate expenses on their travel reimbursement forms and other types of fraud.
Risk assessment – This component deals with possible threats from without and weaknesses within the business, and the development of controls, policies, and procedures to protect the business and manage risks. Management should be on the lookout for risks (e.g., competitive threats, insurable risks, new product lines, labor strife, etc.) that might develop at various levels so that these can be thwarted or avoided and defenses mounted.
Control activities – These are policies and procedures that help ensure the execution of management directives and promote actions that address risks faced by the organization. Examples of specific control activities include those relating to authorization, physical controls, performance reviews, information processing and segregation of duties.
Authorization control procedures take many forms: passwords authorize individuals to use computers, to access certain databases and to transact. Formal notice of authorized check signatories in the form of certified copies of the minutes of the Board meeting given to banks vest designated officers with check-signing authority and nothing can be withdrawn, no checks can be en-cashed nor safe deposit boxes can be accessed without such authorization.
Customers can only transact up to their authorized credit limits. Spending limits authorize individuals to spend only what is in their budget or approved level. For example when individuals are not authorized to approve purchases, they cannot order items for personal use and have their companies pay for the goods.
Physical controls such as vaults, safes, fences, locks and keys, among others, protect assets from theft. These preclude opportunities to commit fraud by making it difficult for people to access the assets. Money locked in a vault, for example, cannot be stolen unless someone gains access or unless someone who has the access violates the trust.
Performance reviews include surprise checks of procedures, periodic comparison of accounting records and physical assets and a review of functional or activity performance. An example of a surprise check would be a cash count on a cashier’s cash in custody.
Some examples of information processing controls in an entity include programming on an accounting software that rejects unreasonable data (e.g., interest rate of 500 percent on a loan), numerical sequence checks on invoices inputted and system lock in case of wrong log-on data.
Segregation of duties seeks to prevent persons with access to readily realizable assets from being able to adjust the records and thereby control those assets; for example the accounting for and the handling of cash are separated so that one person does not have access to both.
Information and communication – This component encompasses the flow of reports and communications within the entity. Are the reports and communications timely, accurate, and complete? It would be hard to do the financial reporting and monitoring that management does without reliance on the communication and reports generated by the financial accounting system.
Further, there can be nothing more frustrating than not having the data you need on a timely basis. The goal is the presentation of the right content to the right people in a timely manner.
Communicating what is and what is not appropriate or acceptable is crucial. Codes of conduct, orientation meetings, training, supervisor/employee discussions, and other types of communication that distinguish between acceptable and unacceptable behavior should be routine activities.
Monitoring – This is a process to assess the effectiveness of internal control performance over time. This may take the form of management reviewing the reasonableness of reports such as basic financial statements, actual-to-budget comparisons, and profitability by division or matters such as monitoring of customer complaints and even periodic audits by internal auditors. In most entities, this information is produced on a monthly basis.
INTERNAL CONTROL ON A PERSONAL LEVEL
On a personal level, we all practice internal control to a certain extent. We have our moral compass to set the tone of our daily conduct, which, ideally, should be founded on honesty and integrity.
We assess the threats around us and take inventory of our vulnerabilities. We take part in various control activities. Do you have locks for the doors of your house? That is internal control to safeguard the assets you own.
Do you keep spare keys for your room in case someone gets locked out? That is internal control – a fall back feature in the event of such a contingency. Do you have insurance for your car to cover repairs and third party liabilities in case of accidents?
Internal controls, though we may not realize it, are not just what “auditors” look into – they actually pervade our everyday lives. Indeed, good internal control is necessary for all types of endeavors. Even in the business of one’s own life.
Edgar Navarro Picache, CPA is a financial executive with 20+ years of practical experience in a variety of leadership positions in public accounting and private industry.