Design Characteristics of an Effective Internal Controls System
The COSO internal control framework recognizes five essential components of any effective internal control system:
- The control environment: values and culture; tone at the top; policies and organizational structure.
- Information and communication: reliability, timeliness, clarity, and usefulness of information.
- Risk assessment: identification and measurement of threats, and the responses to them.
- Control activities: procedures followed for a control purpose.
- Monitoring: review of the internal control arrangements themselves.
A common failing in designing and evaluating a system of internal control is to focus almost exclusively on control activities, vitally important though they are, and to overlook that the other four components are equally essential. The Securities and Exchange Commission's rule on management's implementation of section 404 of the Sarbanes–Oxley Act requires that a recognized internal control framework be applied. Usually the COSO framework is the one used, and that framework treats all five of these as essential components of an effective system of internal control.
General hallmarks of an effective system of internal control include that controls:
- are designed to meet objectives which are clear;
- have regard to competitive issues;
- enable and ensure that performance is measured;
- result in unsatisfactory performance being rectified;
- ensure that activities are completed in a timely way;
- are cost effective;
- are placed as early in the process as is practical, so that thereafter there is control;
- are "preventative" rather than merely "permissive";
- have no more movements, or steps, than are necessary.
Control activities can be categorized as follows:
Preventive controls: To limit the possibility of an undesirable outcome being realized. The more important it is that an undesirable outcome should not arise, the more important it becomes to implement appropriate preventive controls. Examples are when no one person has authority to act without the consent of another, or limitation of action to authorized persons (such as only those suitably trained and authorized being permitted to handle media enquiries).
Corrective controls: To correct undesirable outcomes that have been realized. Examples are the design of contract terms to allow recovery of overpayment, or contingency planning for business continuity/recovery after events which the business could not avoid.
Directive controls: To ensure that a particular outcome is achieved or an undesirable event is avoided. Examples are a requirement that protective clothing be worn, or that staff be trained with required skills before working unsupervised.
Detective controls: To identify undesirable outcomes “after the event.” Examples are stock or asset checks which detect unauthorized removals, or post-implementation reviews to learn lessons.
Performance controls: To orientate and motivate the organization's people to focus on the achievement of targets that are appropriate for the achievement of objectives. Examples are a target that all orders be despatched on the day the order is received, or a tolerance that fewer than 2% of production units fail quality control checks.