Internal Control for Small Entities
Date: 01 Jan 2017
You might have heard that internal control for small entities is a nightmare. My experience made it clear that segregation of mismatched duties is a usual scenario among smaller entities, due to which internal control isn’t existing there. When you enquire any small entities on what they think of internal controls, they will say ensuring the work is properly checked, confirming that the employee in charge of reconciling the bank account receives mail, sign checks, and reconcile receivable and payable accounts, proper segregation of duties are typically some of the common things that come to their minds when I ask them regarding internal controls. As a CPA, I will say the COSO framework is the one that clicks my mind when I hear of Internal Control. You may now be thoughtful, COSO? Come again?
Let me explain it in the simplest way I can without getting much deeper. COSO stands for Committee of Sponsoring Organizations of the Treadway Commission – which basically is an organization that provides leadership, thought and guidance on internal controls, enterprise risk management and fraud prevention. This organization initially released the internal control framework in 1992 and in recent times it has been updated in 2013.
The 2013 and 1992 version of the COSO framework is alike as they both comprise the five main components of internal control as well as the same definition of internal control. The 1992 framework elusively stated core principles of internal control which are altered in the 2013 update by openly stating 17 principles of internal control that signify fundamental concepts associated with the 5 components (which I have explained later in my blog). Each of the 17 principles is now supported by focus points. These focus points are designed to aid in designing, executing, conducting, and assessing whether the 17 principles are not only present, but are also operating together within the organization.
What is this Internal Control all about?
Most concisely, I can explain it as a process planned for assuring achievement of an organization’ objectives relating to its operations, reporting, and compliance. It is an ongoing process affected by an entity’s board of directors, management, and other personnel.
Let me explain you all these five integrated components of internal control:
1. Control Environment
The control environment is the basis for carrying out internal control across the organization as it is the set of standards, processes, and structures. The board of directors and top management establish the relation at the top about the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment combines the integrity and core values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the structure of the organization and assignment of authority and responsibility; the process for attracting, developing, and retaining qualified individuals; and the rigor around performance measures, incentives, and rewards to motivate for performance. The resulting control environment has impact on the overall system of internal control.
2. Risk Assessment
Every entity faces various types of risk from external and internal environment. Risk is defined as the possibility of occurrence of an event and adversely affects the achievement of objectives. Risk assessment comprises a dynamic and iterative process for identifying risks to the achievement of objectives. Risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies goals within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and assess risks to those goals. Management also considers the suitability of the objectives for the entity. Assessment of risk also requires management to emphasize the impact of possible changes in the external environment and within its own business model that may cause internal control ineffective.
3. Control Activities
Control activities are conducted at all levels of the organization, at various stages within business processes, and over the technology environment. In nature they may be preventive or detective and may include a range of manual and automated activities like authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities.
4. Information and Communication
Information is necessary for every organization to carry out their internal control responsibilities to help the achievement of its objectives. Management generates and uses required and quality information from both internal and external sources to help the functioning of other components of internal control. Communication is the continuous process of providing, sharing, and obtaining necessary information. Internal communication is the source by which required information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from top management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information, and it also provides information to outsiders in response to their requirements and expectations.
5. Monitoring Activities
Continuous evaluations, separate evaluations, or combination of the two are used to ascertain whether each of the five components of internal control, including controls to affect the principles within each component, is present and working. Continuous evaluations, built into business processes at various levels of the entity, provide timely information. Separate evaluations, conducted periodically, will different in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against the criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to the top level and the board of directors as appropriate.
If you are interested in digging deeper into this topic, you may wish to call me at (858) 784-1622 for an appointment or you may visit me at my office at 266 17th Street, Suite 200, Oakland to probe into this more...