Internal Control is defined as a process, effected by management and all other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Efficiency and effectiveness of operations
- Reliability of financial reporting
- Compliance with laws and regulations
Although this formal definition refers to internal control as a process, it should be viewed as a series of actions that permeate the entire state government of Arkansas. Internal controls exist in the basic management processes of planning, executing and monitoring. It should not be viewed as an add-on to these basic management processes, but should be viewed as an integral part of them and they should be placed at strategic points in these processes to ensure that objectives are achieved.
Internal control is at the core of state government fulfilling its mission and achieving its goals while providing safeguards to protect governmental resources. Management of each agency is responsible for implementing appropriate internal control activities that are appropriate to their agency's processes; while keeping in mind that effective internal controls benefit, rather than encumber management. It is vital that everyone understand the concept and importance of internal controls, especially since virtually every state employee has a role in how well the state of Arkansas executes the concept of internal control.
Components of Internal Control
The internal control process is comprised of five components:
- Control Environment,
- Risk Assessment,
- Control Activities,
- Information and Communication, and
The control environment can be best summarized as the attitude that management has about internal controls. If management believes that internal controls are important, is committed to implementing controls and communicates this view to employees, then internal controls are more likely to function effectively. However, if management views internal controls as not important or as an obstacle, then this attitude will likely be communicated to employees through management's actions. With this attitude, employees will likely view internal controls as "red tape" to be "cut-through" in order to get the job done. An effective internal control environment is an intangible factor that sets the foundation for all other components of internal control.
All agencies have certain risk involved in meeting their objectives and providing services to internal customers (other state agencies) and external customers (taxpayers of the state). This is based upon the premise that opportunity and risk are related; therefore, state government is exposed to risk by simply fulfilling the opportunity that it has to better serve the citizens of the state. By this definition, it can be seen that risk should not be viewed negatively, but simply inherent to the decision of doing business.
Risk assessment is the process used to identify, analyze, and manage the potential risks that could hinder or prevent an agency from achieving its objectives. Arkansas Financial Management Guide R1-19-4-505, requires executive branch agencies to complete a risk assessment every two years.
Internal Control Activities
Internal Control Activities are the policies, procedures, techniques, and mechanisms that enforce management's directives, such as the process of adhering to requirements for budget development and execution. They help ensure that actions are taken to address risks. Internal Control Activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.
Internal Control Activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Internal Control Activities may be applied in a computerized information system environment or through manual processes.
Examples of Internal Control Activities include:
- Top level reviews of actual performance - Management should track major agency achievements and compare these to the plans, goals, and established objectives.
- Controls over information processing - A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and programs.
- Physical control over vulnerable assets - An agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records.
- Segregation of duties - Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing and approving the transaction, and handling any related assets. No one individual should control all key aspects of a transaction or event.
- Proper execution of transactions - Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. Authorizations should be clearly communicated to managers and employees.
- Access restrictions to and accountability for resources and records - Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.
Appropriate documentation of transactions - All transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. Also, documentation of internal controls should appear in management directives, administrative policies, and operating manuals and may be in paper or electronic form. All documentation should be properly managed and maintained.
Information and Communication
For an agency to run and control its operations and achieve its desired objectives, communications relating to both operational and financial data is needed at all levels of an agency in a relevant, reliable and timely fashion.
- In addition to internal communications, management should ensure that there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on the agency achieving its goals.
- Pertinent information should be identified, captured, and distributed in a form and time frame that permits people to perform their duties efficiently.
Additional points related to communication are made as follows:
- Personnel should know their job responsibilities and how their activities relate to the work of others
- A means should exist to permit upward communication within any agency
- Employees should be confident that reprisals will not result from communicating significant information.
Subsequent to implementing internal controls, agencies should periodically monitor and evaluate their effectiveness to ensure that the controls are functioning properly. Potential weaknesses in internal control structure may be identified by Legislative Audit, Internal Audit or by employees of agencies. When management is notified of these weaknesses, they should take corrective action to resolve the identified problems in their internal control structure. Although monitoring is a separate component of internal control, it is easy to see how it relates to the component of internal control environment previously discussed.
If your agency has identified a weakness in your internal control structure, please feel free to contact the Office of Internal Audit and we will be glad to assist you in your efforts to establish a good system of internal controls.
Included in this document are excerpts from the following publications:
Steven J. Root, Beyond COSO: Internal Controls to Enhance Corporate Governance (John Wiley & Sons, 1998) GAO, Internal Controls: Standards for Internal Control in the Federal Government(GAO/AIMD-00-21.3.1, 1999)