How to Assess an Organization’s Internal Control Using a Risk-Based Approach
Internal controls are processes designed to achieve an organization’s objectives. They comprise the whole system of controls, financial and non-financial, put in place by the board of directors and management to provide reasonable assurance that:
- the organisation operates its business effectively and efficiently in achieving its objectives;
- financial data and reports are correct and reliable;
- the organization operates in compliance with the relevant laws and regulations;
- the organisation’s assets are safeguarded from loss or theft;
- shareholders’ investment is protected; and
- business risk is reduced.
In other words, management and top executives are responsible for establishing and maintaining an effective and efficient system of internal control, formulating policies and procedures, and ensuring adherence and compliance.
Most organisations lack adequate management oversight and accountability, and the failure to develop a strong culture within their firms has further worsened the situation. The importance of an effective internal control system in the financial and non-financial reporting process of an organisation cannot be over-emphasized, as the existence or non-existence of the process determines the quality of output produced in the financial statements.
Understanding the Internal Control Framework
In recent times, many organizations have failed because of the absence of a sound internal control system. Also, many organizations that have suffered major losses neglected the need to recognize and assess the risk of new products and activities, or to update their risk assessment when significant changes occurred in the environment or business conditions.
The COSO (Community of Sponsoring Organizations) internal control framework helps businesses establish, assess, and enhance their internal control system by ensuring that the risks an organization takes are monitored and mitigated through sound business decisions. The COSO internal control framework has five components as follows:
- The control environment describes a set of standards, processes, and structures that provide the basis for carrying out internal control across the organisation. This is the control consciousness of an organization, where competent people carry out their responsibilities. It is the foundation for all other components of internal control, providing discipline and structure in ensuring that an organisation strives to achieve its business objectives, provides reliable financial reporting to both internal and external stakeholders, operates its business efficiently and effectively, complies with all applicable laws and regulations, and safeguards its assets.
- The risk assessment forms the basis for determining how risks will be identified, analyzed, and managed. The central theme of internal control is to identify risks that are threats to the achievement of an organisation’s objectives and to do what is necessary to manage those risks. Risk assessment requires management to identify and analyse risks associated with the achievement of operations, financial reporting and compliance goals and objectives. This in turn forms the basis for assessing the likelihood and impact of such events if they occur.
- Control activities are actions (generally described in policies, procedures, and standards) that help management mitigate risks to ensure the achievement of objectives. Controls can be preventive, detective or corrective in nature and can be performed at all levels of the organisation.
- Information is obtained or generated by management from both internal and external sources to support internal control components. Information about an organisation’s plans, control environment, risk control activities and performance must be communicated up, down and across an organization. Reliable and relevant information from both internal and external sources must be identified, captured, processed, and communicated to the people who need it.
- Monitoring activities are periodic or ongoing evaluations to verify that each of the five components of internal control, including the controls that affect the principles within each component, are present and functioning around their products.
Importance of Risk Control and Assessments
Generally, risk control is the procedure by which organisations identify potential risks and take action to reduce or eliminate such threats. This can be achieved by carrying out risk assessments, which involve identifying potential risk factors in a company's operations, such as financial and non-financial aspects of the business, policies and other issues that may affect the well-being of the firm.
Risk control also implements proactive measures to reduce risk to the minimum acceptable level, thereby helping organisations limit loss of revenue and assets. Risk control is a key component of an organisation’s enterprise risk management (ERM) system. Risk control measures include avoidance, loss prevention, loss reduction, separation, duplication, and diversification.
To instill consciousness for control, an organisation should ensure that:
- Parameters relating to risk control are part of employees’ and business units’ Key Performance Indicators (KPIs).
- The internal control department constantly monitors business units to ensure that they have reasonably applied appropriate controls in their operations and confirm the adequacy, effectiveness, and suitability of the control system.
- Policies and operational guidelines related to the development of the business units’ control system are established.
Risk control should be part of an organisation’s corporate culture. In this regard, the board and management should not just ensure that goals are achieved in the short term, but should also take into consideration important factors such as:
- Compliance with stipulated regulations, mitigation of risks, and the financial implications for the organization in the long term
- Rewards or incentives tied only to performance without consideration of risk
- The relevance and importance of risk officers in the organization
- Proper reprimands for violating the policies and procedures of the organization or undermining the intention of this policy
Assessment of the Internal Control System
Every organization is expected to have a sound internal control system, which remains one of the main elements of an effective management system. Auditors and stakeholders of an organization can place greater reliance on the financial and non-financial reports if a good internal control system exists in the accounting system. Internal control lapses exist when the design or operation of a control does not prevent or detect a material misstatement effectively.
Failure of management to put in place systems to identify or correct control lapses can have an adverse effect on the organisation, damaging the integrity of financial reports, impairing public and investor judgement, and destabilizing capital markets. Management and the board are responsible for setting the tone at the top to ensure that there is reasonable assurance in the effectiveness of internal control and risk management.
A deficiency exists in the design when the control is completely missing or when the control put in place is not properly designed, while a deficiency exists in operating activities when the control is properly designed but does not operate as designed, and the personnel responsible for performing the control do not possess the necessary skill and competency. If an auditor has identified a deficiency, the severity of the deficiency must be assessed according to two factors: likelihood and impact. How likely is it that the deficient control will not prevent or detect a material misstatement, and what is the impact of the potential misstatement resulting from the deficiency? It is crucial that auditors identify the complete population of transactions that a control is intended to address. With this information, the number and size of misstatements caused by the deficient control can be correctly assessed.
After the auditor has determined the risks of material misstatement due to deficient controls, they must design and perform further audit procedures that respond to the organisation’s specific control-related risks. Reducing an organisation’s risk level to an acceptable level may require carrying out further compliance and substantive testing even after reliance on controls.
Conclusion
Companies that invest in regular evaluation of their internal controls will be better positioned to identify and mitigate risks. This ensures that business objectives are met and regulations are complied with, not only protecting their reputation but also building consumer and investor confidence.