Internal Control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
- Operations Objectives – These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
- Reporting Objectives – These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
- Compliance Objectives – These pertain to adherence to laws and regulations to which the entity is subject.
Although this formal definition refers to internal control as a process, it should be viewed as a series of actions that permeate the entire state government of Arkansas. Internal controls exist in the basic management processes of planning, executing and monitoring. It should not be viewed as an add-on to these basic management processes, but should be viewed as an integral part of them and they should be placed at strategic points in these processes to ensure that objectives are achieved.
Internal control is at the core of state government fulfilling its mission and achieving its goals while providing safeguards to protect governmental resources. Management of each agency is responsible for implementing appropriate internal control activities that are appropriate to their agency's processes; while keeping in mind that effective internal controls benefit, rather than encumber management. It is vital that everyone understand the concept and importance of internal controls, especially since virtually every state employee has a role in how well the state of Arkansas executes the concept of internal control.
Components of Internal Control
The internal control process is comprised of five components:
- Internal Control Environment
- Risk Assessment
- Internal Control Activities
- Information and Communication
Internal Control Environment
The internal control environment can be best summarized as the attitude that management has about internal controls. If management believes that internal controls are important, is committed to implementing controls and communicates this view to employees, then internal controls are more likely to function effectively. However, if management views internal controls as not important or as an obstacle, then this attitude will likely be communicated to employees through management's actions. With this attitude, employees will likely view internal controls as "red tape" to be "cut-through" in order to get the job done. An effective internal control environment is an intangible factor that sets the foundation for all other components of internal control.
All agencies have certain risk involved in meeting their objectives and providing services to internal customers (other state agencies) and external customers (taxpayers of the state). This is based upon the premise that opportunity and risk are related; therefore, state government is exposed to risk by simply fulfilling the opportunity that it has to better serve the citizens of the state. By this definition, it can be seen that risk should not be viewed negatively, but simply inherent to the decision of doing business.
Risk assessment is the process used to identify, analyze, and manage the potential risks that could hinder or prevent an agency from achieving its objectives.
Control Self-Assessment (CSA) is a form of risk assessment. As defined by the Institute of Internal Auditors, CSA is a technique that allows managers and work teams directly involved in the business units, functions or processes to participate in assessing the organization's risk management and control processes. CSA is the most efficient form of risk assessment, because the assessment is performed by the business and process owners, who have the best knowledge of day-to-day operations, risks, and systems of internal control.
Internal Control Activities
Internal Control Activities are the policies, procedures, techniques, and mechanisms that enforce management's directives, such as the process of adhering to requirements for budget development and execution. They help ensure that actions are taken to address risks. Internal Control Activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.
Internal Control Activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Internal Control Activities may be applied in a computerized information system environment or through manual processes.
Examples of Internal Control Activities include:
- Top level reviews of actual performance - Management should track major agency achievements and compare these to the plans, goals, and established objectives.
- Controls over information processing - A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and programs.
- Physical control over vulnerable assets - An agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records.
- Segregation of duties - Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing and approving the transaction, and handling any related assets. No one individual should control all key aspects of a transaction or event.
- Proper execution of transactions - Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. Authorizations should be clearly communicated to managers and employees.
- Access restrictions to and accountability for resources and records - Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.
- Appropriate documentation of transactions - All transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. Also, documentation of internal controls should appear in management directives, administrative policies, and operating manuals and may be in paper or electronic form. All documentation should be properly managed and maintained.
Information and Communication
For an agency to run and control its operations and achieve its desired objectives, communications relating to both operational and financial data is needed at all levels of an agency in a relevant, reliable and timely fashion.
- In addition to internal communications, management should ensure that there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on the agency achieving its goals.
- Pertinent information should be identified, captured, and distributed in a form and time frame that permits people to perform their duties efficiently.
Additional points related to communication are made as follows:
- Personnel should know their job responsibilities and how their activities relate to the work of others.
- A means should exist to permit upward communication within any agency.
- Employees should be confident that reprisals will not result from communicating significant information.
Subsequent to implementing internal controls, agencies should develop ongoing and/or periodical monitoring and evaluations to ensure that the controls are present and functioning properly. Potential weaknesses in internal control structure may be identified by Legislative Audit, Internal Audit or by employees of agencies. When management is notified of these weaknesses, they should take corrective action to resolve the identified problems in their internal control structure. Although monitoring is a separate component of internal control, it is easy to see how it relates to the component of internal control environment previously discussed.
If your agency has identified a weakness in your internal control structure, please feel free to contact the Office of Internal Audit and we will be glad to assist you in your efforts to establish a good system of internal controls.