Audit internal control systems

You may have heard the term "internal control(s), " but what exactly is it? Evaluating internal controls is one of internal auditing's primary responsibilities. The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

The control environment is the attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:

• Integrity and ethical values.
• Management's philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and procedures.
• Competence of personnel.

Control processes are the policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

A broadly accepted definition of internal control comes from a report released in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) entitled The Internal Control-Integrated Framework (COSO Report) as follows:

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

This may sound technical, so what does it mean in plain terms? Let's think of how each of us has developed what we can call our own "personal internal control system." Consider the following:

When you came to work today, did you lock the doors to your house? If you did, that's your own "internal control" to safeguard the assets you own.

Do you keep the PIN number for your ATM card in a safe place? (i.e., away from the card itself.) If you do, that's an internal control the bank recommends to protect your funds from being stolen.

Do you balance your bank statements each month? (You really should, you know.) If you do, then you are ensuring the accuracy of the transactions entered on the account statement.

Do you plan the shortest possible route to complete errands? If you do, then you are promoting operational efficiency.

Do you file annual income tax returns? If you do, then you are in compliance with federal and state tax regulations.

Key points about internal control include:

• It is a process.
• It is achieved by people.
• It can only provide reasonable assurance.
• It is geared to the achievement of objectives.
• It is adaptable to the entity structure (the entire entity or a particular subsidiary, division, operating unit, or business process).

In the California State University (CSU) environment, internal controls serve the following purposes:

• Protect the University's Assets.
• Ensure Records Are Accurate.
• Promote Operational Effectiveness and Efficiency.
• Encourage Adherence to Policies.
• Ensure Compliance with Laws, Regulations, and Contracts.

Generally, controls are of two types:

Preventative Controls - Designed to discourage errors or prevent irregularities from occurring. They are proactive controls that help prevent a loss. Examples: Separation of duties, proper authorization, adequate documentation, and physical control over assets.

Detective Controls - Designed to find errors or irregularities after they have occurred. Examples: Reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

The COSO Report further defines five interrelated components of internal control that must be present and functioning and operating together in order to conclude that internal control relating to an operation’s objective is effective:

• Control Environment - This sets the tone of the organization and is the foundation for carrying out internal controls across the organization.
• Risk Assessment - Management establishes activity-level objectives and mechanisms for identifying and analyzing risks related to their achievement.
• Control Activities - Policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out.
• Information and Communication - Information identified, captured, and communicated in a form and timeframe to enable people to carry out their responsibilities.
• Monitoring - Ongoing monitoring activities, separate evaluations or a combination of the two used to ascertain whether each of the five components of internal control is present and functioning.

In May 2013, COSO released an updated version of its Internal Control-Integrated Framework (Framework). The 1992 COSO Report conceptually introduced 17 relevant principles associated with the five components of internal control, which enable effective operation of the five components and the overall system of internal control. But these principles were implicit in the narrative. The 2013 Framework explicitly articulates the 17 principles as follows:

Control Environment

1. Demonstrates commitment to integrity and ethical values.
2. Exercises oversight responsibility.
3. Establishes structure, authority, and responsibility.
4. Demonstrates...