Internal Controls

There are many definitions of internal control, because it affects the constituencies of an organization in different ways and at different levels of aggregation. Everyone in an organization has some responsibility for internal control. Virtually all employees produce information used in the internal control system or take other actions needed to effect control, and all personnel should be responsible for communicating upward any problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.

In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks). At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered). Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes-Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls.

Internal control concepts

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance bodies on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems.

The COSO framework involves several key concepts:

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It is not merely policies, manuals, and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The COSO framework defines internal control as a process, effected by an entity's board of directors, management, and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Control Objectives for Information and related Technology (COBIT), published by ISACA, is an internationally accepted set of guidance materials for IT governance, designed to assist in implementing effective IT governance throughout an enterprise.

For an organization to succeed in delivering IT resources against business requirements, IT management should put an internal control system or control framework in place.

The COBIT control framework contributes to these needs by:

  • Making a link to business requirements
  • Providing a set of business processes for IT management
  • Identifying the major IT resources to be leveraged; these are modelled in an Enterprise Architecture repository
  • Defining the management control objectives to be considered for each process

Version 4.1 of COBIT is much more closely aligned with Enterprise Architecture than previous versions. In the COBIT Cube diagram, the IT resources correspond to the (current-state and future-state) Enterprise Architecture model.

Oversight Policy

The university's Segregation of Duties policy is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions. No single individual should be able to initiate, approve, and record the same transaction, so that completing or concealing an error or a fraud requires the cooperation of more than one person.