Finance glossary

What are internal controls?

Bristol James

In finance, internal controls are processes that ensure and maintain the integrity of financial and accounting information. These controls foster accountability, safeguard assets by preventing fraud and theft, increase operational efficiency, and promote compliance with applicable laws and regulations.

Financial controllers, auditors, and accountants have the most responsibility for internal controls. However, all employees must contribute to decreasing the company’s financial risk and increasing its security.

A short history of internal controls

The development of internal controls in Australia started in the 1920s and 30s. Influenced by policy in the USA and Europe, Australian companies recognised the importance of controls as a way to keep accurate financial records and in the process, prevent fraud.

Formalisation of internal controls started in the 1950s after the formation of the Australian Society of Accountants (now CPA Australia). Two decades later, the ASX introduced rules to establish a defined regulatory environment for publicly-listed companies.

The COSO framework

Perhaps the most significant impact on internal controls, however, was the release of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in 1992.

First published in the United States, the COSO framework was initially developed in 1985 in response to numerous instances of fraudulent financial reporting.

The framework – which is used by finance, accounting and publicly traded companies – is the foremost framework in the world for the design, implementation and assessment of internal controls.

Various principles and guidelines have been adopted in Australia by state and federal governments as well as companies in the public, private, and non-profit sectors.

Internal control objectives

The objectives of an internal control system depend on the business and the industry in which it operates.

For a general definition, however, let’s return to COSO, which describes internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

From the above, the three primary objective categories include:

  • Operations objectives – which concern the efficacy and efficiency of operational and financial performance. Cost control is particularly important in this context, with up to 80% of a company’s total spend characterised by expenses outside of its processes or policies (so-called “maverick” spend).
  • Reporting objectives – which concern financial and non-financial reporting (both within the company and externally). Here, internal controls influence the reliability, transparency and timeliness of such reports, and
  • Compliance objectives – which concern the company’s compliance with relevant legislation.

The five components of the COSO framework

The COSO framework was updated in 2017 to reflect the idea that risk management (and thus adherence to internal controls) was not a discrete function within the company but holistic, and part of its DNA.

To that end, the framework defines five components that clarify how internal controls can be devised, implemented, and most importantly, maintained.

1 – Control environment

The control environment strives to ensure that all business practices are industry-standard. Processes and structures collectively influence the organisation’s culture and the behaviour of its employees.

Upper management should model expected standards of behaviour for it to filter down to middle management and employees. The company should also seek to retain and recruit personnel who demonstrate integrity and appropriate ethical values.

2 – Risk assessment

Risk assessment is a dynamic process that identifies the risks that could impact a business or prevent it from achieving its objectives.

A finance lender, for example, may conduct a comprehensive risk assessment to determine the risks associated with lending. These include credit risk, market risk and operational risk.

3 – Information and communication

Information pertaining to risk appetite and mitigation should be shared across departments and also between managers, employees, and the board.

Rules should also be enacted to ensure that internal and external communication adheres to relevant laws, company values, and best practices. Adequate communication also ensures that control activities are understood and carried out effectively.

Ultimately, this component supports the establishment of a robust control environment.

4 – Monitoring activities

Monitoring activities focus on the continuous and periodic assessment of the control environment’s performance. Internally, such activities may take the form of internal audits, supervision and automated systems.

Externally, internal controls may be monitored by various third parties.

In Australia, banks, insurance companies, and other financial institutions are regulated by four key bodies:

  1. Australian Prudential Regulation Authority (APRA) – which oversees Authorised Deposit-taking Institutions (ADIs) as well as insurers and superannuation companies.
  2. Reserve Bank of Australia (RBA) – Australia’s central bank that is responsible for the stability of the country’s financial system and monetary policy.
  3. Australian Securities and Investments Commission (ASIC) – the regulator of corporations, markets, and financial services. ASIC oversees consumer protection, continuous disclosure, supervision of market conduct, and licensing of financial products and services.
  4. Australian Transaction Reports and Analysis Centre (AUSTRAC) – a financial intelligence unit that investigates fraud and other financial crimes.

5 – Control activities

While each of the five COSO framework components relates to internal controls, control activities describe how relevant measures are enacted within the organisation.

The myriad ways these controls promote compliance and reduce risk are explained below.

Types of internal controls

Three types of internal controls (source: sprinto.com)

Three broad types of internal controls are categorised as either before the event (preventative) or after the event (detective and corrective). The most effective internal control systems will take advantage of all three types.

Let’s look at each in more detail below.

Preventive internal controls

The purpose of a preventive control is to prevent financial and accounting issues before they have a chance to occur.

Within this type there are various internal control activities:

  1. Approval authority – leaders with the requisite authority must approve financial transactions before they are processed.
  2. Separation of duties – the potential for fraud reduces when no one employee has too much control over the organisation’s financial assets. In accounting departments, responsibility is often split between multiple individuals.
  3. Access controls – another way to protect financial assets is to limit access to them. Passwords, physical codes and locked access are common controls. A business may also utilise digital passcodes to track financial errors back to a user and correct them.
  4. Document standardisation – an effective internal control that standardises processes and procedures. In finance, this may encompass invoices, inventory receipts and travel expense reports.
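The approval-authority and separation-of-duties controls above can be enforced mechanically in a payment workflow. The following is an added example, not code from the article; the role limits, the four-eyes threshold and the user names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed approval limits per role (constructed for this example): the largest
# payment a holder of that role may approve on their own authority.
APPROVAL_LIMITS = {"clerk": 0.0, "manager": 10_000.0, "cfo": 250_000.0}
FOUR_EYES_THRESHOLD = 50_000.0  # assumed: above this, two distinct approvers are needed


@dataclass
class Payment:
    payment_id: str
    amount: float
    created_by: str           # the user who raised the payment request
    approvals: list = field(default_factory=list)


def required_approvals(amount: float) -> int:
    """Approval authority: higher-value payments need a second approver."""
    return 2 if amount > FOUR_EYES_THRESHOLD else 1


def approve(payment: Payment, approver: str, role: str) -> bool:
    """Record one approval; raise if it would violate a preventive control.

    Returns True once the payment has enough approvals to be released.
    """
    # Separation of duties: the requester may never approve their own payment.
    if approver == payment.created_by:
        raise PermissionError(f"{approver} cannot approve a payment they created")
    # Separation of duties: the same person cannot count as two approvers.
    if approver in payment.approvals:
        raise PermissionError(f"{approver} has already approved {payment.payment_id}")
    # Approval authority: the approver's role must cover the amount.
    if payment.amount > APPROVAL_LIMITS.get(role, 0.0):
        raise PermissionError(f"role {role!r} cannot approve {payment.amount:,.2f}")
    payment.approvals.append(approver)
    return can_release(payment)


def can_release(payment: Payment) -> bool:
    """True only when the required number of independent approvals is present."""
    return len(payment.approvals) >= required_approvals(payment.amount)
```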

Detective internal controls

Detective controls are mechanisms that uncover errors or discrepancies that have already taken place. These controls pinpoint anomalies in financial data or deviations from standard procedure as a result of human error or fraud.

Here are some detective control activities:

  1. Trial balances – this control adds an extra layer of financial security via double-entry accounting. The calculation of regular trial balances helps the business determine the efficiency of its systems and, if fraud or human error has occurred, identify them as soon as possible.
  2. Account reconciliation – where data is compared and verified across internal accounts and third-party (external) accounts. Like trial balances, account reconciliation checks for fraud and human error.
  3. Variance analysis – this is an internal control a business can use to explain fluctuations in financial data. It usually compares actual financial performance to a benchmark such as a forecast, budget or prior period. The objective here is to quantify change so that management can course correct if necessary.

Corrective internal controls

Corrective internal controls rectify issues identified by detective controls. Not only do they rectify issues, they also prevent them from reoccurring.

Corrective control activities include:

  1. Physical audits – computerised systems are not infallible, and sometimes it may be necessary to hand-count physical assets. This includes any assets tracked in an accounting system, such as tools, materials, money and inventory.
  2. Employee training – subsequent to any discrepancy or instance of fraud, companies can retrain employees to ensure they understand financial controls. For example, a refresher could be held on expense reporting procedures.
  3. Policy or procedure enhancement – further to the point above, some policies may need to be updated in line with employee training. If the business found that expense reporting left it open to fraud, it could update the control procedure to require multiple levels of authorisation.

Internal control audits

Internal controls are evaluated by internal audits that review a company’s:

  • Financial (and non-financial) control environment.
  • Risk identification and monitoring processes, and
  • Corporate governance processes.

According to the ASX Corporate Governance Principles and Recommendations, a publicly listed entity that does not have an internal control framework must explain why.

To that end, the entity needs to explain how it evaluates and improves the effectiveness of its relevant internal control processes.

Who conducts internal audits?

Internal audits may be performed by employees of the company, an external audit provider or a combination of the two.

With that said, the Australian Securities and Investments Commission (ASIC) recommends that the external auditor does not provide internal audit services to the same company.

Internal audit bias

To ensure the internal audit process remains unbiased, internal audits conducted by employees must report to an audit committee (and not the organisation’s management).

This committee is expected to:

  • Review and approve the internal audit charter.
  • Observe the performance of the internal auditors, and
  • Observe the independence of the internal auditors.

In general, management needs to be kept separate from the audit process. The CEO can set the budget for an internal audit, but this should also be reviewed by the committee before approval.

Factors that override internal controls

Despite a company’s best efforts, there will invariably be contexts where certain factors override internal controls.

To conclude, here are some of the more common.

Weak internal controls

Internal controls are easily overcome if the control is weak to start with. At the most basic level, weak internal controls lead to fraud. Invoices may be paid twice, or payments may be made for work that was never completed.

In finance companies, weak internal controls cause more serious problems such as material weakness. This is defined as a deficiency in financial reporting that causes a company to misstate its financial situation, which can lead to harsh penalties.

Errors in judgement

If we recall the COSO definition of an internal control from earlier, we see the words “reasonable assurance” mentioned. This pertains to the fact that internal controls rely on honesty (as well as processes) to be effective.

In certain situations, even honest staff may defraud the company if the opportunity is irresistible. The temptation may also increase if the employee is under financial duress or dissatisfied with their job.

Collusion

Related to errors in judgement is collusion, where two or more employees work together to defraud or deceive.

Collusion is often related to malicious insider attacks, where people with privileged access to a company’s resources exploit that access for financial gain.

Summary:

  • Internal controls refer to the processes, policies and procedures an organisation implements to protect its assets, ensure the accuracy of financial reporting, promote operational efficiency and foster compliance with laws and regulations.
  • Internal controls in Australia have mostly been shaped by the American COSO framework. Published in 1992, COSO was devised in response to a spate of financial reporting fraud in the 1980s.
  • Internal controls may be preventative (before the event) or detective and corrective (after the event). The most effective internal control strategy will utilise a combination of all three.
  • Internal controls are verified by internal or external audits as well as by various oversight bodies and committees. Companies may conduct their own internal audits under certain strict conditions.
