Designing Internal Controls

Internal Controls

Internal controls are the procedures and policies an organization puts in place to ensure the integrity and accuracy of its financial and operational activities. To design effective internal controls, follow these steps:

By following these steps, organizations can design and implement effective internal controls that help to ensure the integrity and reliability of their financial and operational activities.

But what types of controls would best help an organization?

Preventive controls are often used in various settings, including business, healthcare, and public safety, to prevent accidents, illnesses, and other negative outcomes. For example, in a manufacturing setting, preventive controls might include regular equipment maintenance, training employees, and implementing safety procedures to prevent accidents on the job. In a healthcare setting, preventive controls might include vaccination programs and regular health screenings to prevent the spread of disease. Preventive controls aim to anticipate and prevent problems before they occur rather than reacting to problems after they happen.

Detective controls are often used in conjunction with preventive controls to create a comprehensive risk management strategy. For example, in a manufacturing setting, detective controls might include regular inspections of equipment and processes to identify potential issues, as well as the implementation of systems to monitor for abnormalities or anomalies that could indicate a problem. In a healthcare setting, detective controls might include the use of diagnostic tests to identify illnesses or diseases in patients, as well as the use of surveillance systems to monitor for outbreaks of infectious diseases. Detective controls aim to identify and address problems quickly and effectively to minimize their impact.

Corrective controls are measures implemented to correct problems or issues after they have been identified. They are a reactive approach to managing risks and addressing problems that have already occurred. Corrective controls are often used in conjunction with preventive and detective controls to create a comprehensive risk management strategy. For example, in a manufacturing setting, corrective controls might include implementing procedures to address equipment malfunctions or process errors and implementing systems to track and correct any identified problems. In a healthcare setting, corrective controls might include the use of treatments to address illnesses or diseases in patients, as well as the implementation of policies and procedures to prevent the spread of infectious diseases. Corrective controls aim to address problems quickly and effectively to prevent further negative impacts.

Once a specific type of control is favored, the next step in designing internal controls is choosing between manual, IT-dependent, automated, and/or ITGC controls.

Manual controls are policies and procedures that people perform. Manual controls are often used for routine or simple activities that do not require a high degree of accuracy or speed. For example, manually checking the accuracy of a calculation or the completeness of a document can effectively prevent errors or omissions. Manual controls are also useful for activities that require a human touch, such as verifying a customer’s identity or assessing a product’s quality.

Automated controls, on the other hand, are used for activities that require a high degree of accuracy or speed or that are too complex or time-consuming to be performed manually. Automated controls can include computer programs that perform calculations, check for errors or inconsistencies, or monitor data for anomalies. Automated controls can also include systems that automatically flag transactions or activities that meet certain criteria, such as transactions above a certain dollar amount or activities that deviate from established patterns.

Information technology-dependent manual control refers to using manual processes and procedures to control and manage IT systems and services dependent on other IT systems or services. This might include the use of written policies and procedures and the use of manual processes to monitor and maintain the functioning of the dependent IT systems. These controls are often used in situations where automated controls, such as software programs and system monitors, are not sufficient to ensure the proper functioning of the dependent IT systems. Information technology-dependent manual controls aim to provide a layer of protection against potential problems or failures in the dependent IT systems and to ensure that any issues that arise are promptly identified and addressed.

ITGC stands for “information technology general controls.” ITGC refers to the policies, procedures, and other controls implemented to ensure the proper functioning of an organization’s IT systems and services. ITGCs are designed to provide a level of assurance that an organization’s IT systems are operating effectively and efficiently and that they are secure from potential threats or vulnerabilities. Examples of ITGCs include policies and procedures for user access and security, data backup and recovery, and change management. These controls are typically implemented to comply with regulatory requirements and industry standards and protect an organization’s data and assets from potential harm.

When deciding which type of internal controls to use, it is important to consider the potential costs and benefits carefully to determine whether the decision is worth the potential risks and rewards.

The cost of designing internal controls is the time and resources an organization must invest to develop and implement effective control procedures. This can include the cost of developing policies and procedures, training employees, and acquiring any necessary technology or equipment.

The benefits of designing internal controls are the potential savings and improvements the organization can achieve by implementing effective controls. For example, internal controls can help prevent errors and omissions, saving the organization time and money. Internal controls can also help to prevent fraud and other forms of financial or operational mismanagement, which can protect the organization’s assets and reputation. In addition, internal controls can help the organization comply with laws and regulations, which can avoid costly penalties or legal action.

Overall, the cost vs. benefit of designing internal controls will vary depending on the organization’s specific risks and objectives and the specific controls implemented. In general, however, the benefits of effective internal controls are likely to outweigh the costs, as they can help organizations to improve their financial and operational performance and to protect their assets and reputation.

Conclusion: Every control should address two key aspects: what should be achieved and what should be avoided.


