Objectives of internal control systems

There are five internal control standards issued by the Committee of Sponsoring Organizations (COSO). Your agency will address these standards when documenting internal controls for your agency. The purpose of this document is to guide agency management in carrying out their agency’s goals and objectives. This guidance is not intended to take the place of management’s judgment or to dictate how management chooses to carry out its responsibilities.

What are Internal Controls?

Internal control or an internal control system is the integration of the activities, plans, attitudes, policies, and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission and objectives.

This definition establishes that:

o internal control impacts every aspect of an agency: all of its people, processes and physical structures;

o internal control is a basic element that permeates an agency - not a feature that is added on;

o internal control incorporates the qualities of good management;

o internal control is dependent upon people and will succeed or fail depending on the attention people give to it;

o internal control is effective when all of the people and the surrounding environment work together;

o internal control provides a level of comfort to an agency; controls do not guarantee success; and

o internal control helps an agency achieve its goals and objectives.

As stated in the above definition, internal control is a means for achieving the agency's goals and objectives. More specifically, there are four purposes of internal control:

o to promote orderly, economical, efficient and effective operations and to produce quality products and services consistent with the organization's mission;

o to safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud;

o to ensure adherence to laws, regulations, contracts and management directives; and

o to develop and maintain reliable financial and management data, and to accurately present that data in timely report.

If an agency addresses each of these four purposes in developing its internal control system, the agency will most likely achieve its goals and objectives. Failure to adequately address any one of these purposes may put the organization at risk.

The first internal control standard is Control Environment.

Your Agency should establish and maintain a positive and supportive attitude towards the achievement of your agency objectives. While managers set the tone for the work environment, all employees have input into the control environment. Over the years, studies have found that there are two effective ways to reduce fraud. One way is to lock up everything in your workplace and the other way is to surround yourself with ethical people. Employees make internal controls work. The values in place at your agency determine your organization's ethical tone.

Control environment is the attitude toward internal control and control consciousness established and maintained by the management and the employees of an organization. It is a product of management's philosophy, style and supportive attitude, as well as the competence, ethical values, integrity, and morale of the organization's people. The organization structure and accountability relationships are key factors in the control environment.

The second internal control standard is Risk Assessment.

All State agencies should perform a risk assessment on an annual basis. This involves a review and analysis of program operations to determine where risk exists, and what those risks are. These risks are then measured towards the impact on your operations. A risk assessment also allows you to target high-risk areas or programs and focus on where the greatest exposure exists. Always reassess risk as a result of changing conditions, both internal and external, in your workplace.

Risk identification occurs as a result of findings from audits, evaluations and other testing or assessments. Risk analysis includes estimating the likelihood and frequency of occurrence of each risk and determining whether it falls into the low, medium, or high-risk category. Once risk is identified, the potential impact on programs should be measured and additional controls should be developed. What are your risks from downsizing your operations and personnel? What are your risks relating to new legislation and/or regulations? Risk is not another thing to manage, but a way of managing.

Risks are events that threaten the accomplishment of objectives. They ultimately impact an organization's ability to accomplish its mission. Risk assessment is the process of identifying, evaluating and determining how to manage these events. At every level within an organization there are both internal and external risks that could prevent the accomplishment of established objectives. Ideally, management should seek to prevent these risks. However, sometimes management cannot prevent the risk from occurring. In such cases, management should decide whether to accept the risk, reduce the risk to acceptable levels, or avoid the risk. To have reasonable assurance that the organization will achieve its objectives, management should ensure each risk is assessed and handled properly.