When you hear the words “internal controls,” do the early-2000s Enron scandal and SOX (Sarbanes-Oxley) come to mind? They probably do, especially if you work in finance or accounting. Internal control as defined by COSO is “a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.”
Many people will focus on the financial aspects when they think about internal controls, but as the COSO definition states, internal controls apply to the entire organization. This includes operations and information technology (IT), and you may not have realized that some of the things already being done are internal control related. For example, if you work at a manufacturing plant, the equipment is critical, and you want to make sure that it’s working properly. So, you’ll have inspections and routine maintenance, which are considered internal controls.
Technology is at the center of most organizations, so you definitely want to make sure your IT assets are working and protected. If there is a security breach or a ransomware incident, the CEO will want to know how it happened. You might not think of internal controls first, but it certainly could be related to an internal control weakness.
Types Of Internal Controls
Internal controls are typically divided into three categories:
- Preventative controls – policies and practices designed to “prevent” problems from occurring.
- Detective controls – procedures designed to “detect” a problem once it occurs. They identify that something has happened.
- Corrective controls – these are implemented after the fact to “correct” so that it doesn’t happen again. It could be offering training, applying a software patch, or rebooting a system.
There are two types of IT-related internal controls – general controls and application controls:
- General controls – cover the overall environment and include physical hardware, software, security, etc. For example, make sure you schedule (and test) routine backups. In the event of a disaster, you want to be confident that you can restore the system. Other general controls are antivirus, firewalls, and change management processes.
- Application controls – are specific to the input, processing, and output of each application. Examples are required fields, correct date format, and data completeness checks.
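To make the application-control examples concrete, here is an added Python illustration (not code from the article) of input and completeness controls over a batch of vendor invoices. The invoice records, the field names, the `INV-` identifier format, and the batch control header (expected record count and control total) are all constructed for this example; a real application would take them from its own data feed.

```python
import re
from datetime import datetime

# Constructed sample batch of vendor invoices plus the sender's control header.
# None of these values come from the article; they exist only to exercise the checks.
BATCH_HEADER = {"expected_count": 3, "expected_total": 1450.00}
BATCH = [
    {"invoice_id": "INV-1001", "vendor": "Acme", "amount": "500.00", "invoice_date": "2024-03-01"},
    {"invoice_id": "INV-1002", "vendor": "", "amount": "700.00", "invoice_date": "03/02/2024"},
    {"invoice_id": "INV-1003", "vendor": "Globex", "amount": "-250.00", "invoice_date": "2024-03-03"},
]

REQUIRED_FIELDS = ("invoice_id", "vendor", "amount", "invoice_date")
INVOICE_ID_RE = re.compile(r"^INV-\d{4,}$")  # assumed identifier format for the example


def validate_record(record):
    """Input controls for one record. Returns a list of findings; empty means it passes."""
    findings = []

    # Required-field control: every mandatory field must be present and non-blank.
    for field in REQUIRED_FIELDS:
        value = record.get(field)
        if value is None or str(value).strip() == "":
            findings.append(f"required field missing: {field}")

    # Format control on the identifier.
    invoice_id = record.get("invoice_id") or ""
    if invoice_id and not INVOICE_ID_RE.match(invoice_id):
        findings.append(f"invoice_id format invalid: {invoice_id!r}")

    # Date-format control: the application accepts ISO calendar dates only.
    date = record.get("invoice_date")
    if date:
        try:
            datetime.strptime(date, "%Y-%m-%d")
        except ValueError:
            findings.append(f"invoice_date not YYYY-MM-DD: {date!r}")

    # Reasonableness control: amount must parse as a number and be positive.
    amount = record.get("amount")
    if amount not in (None, ""):
        try:
            if float(amount) <= 0:
                findings.append(f"amount must be positive: {amount!r}")
        except ValueError:
            findings.append(f"amount not numeric: {amount!r}")

    return findings


def validate_batch(records, header):
    """Processing and completeness controls over the whole batch.

    Completeness is checked against the sender's control header: the number of
    records received and the control total of all amounts must both match, or
    the batch was truncated, duplicated, or altered somewhere in transit.
    """
    report = {"accepted": [], "rejected": {}, "completeness": []}
    control_total = 0.0

    for record in records:
        findings = validate_record(record)
        key = record.get("invoice_id") or "<no id>"
        if findings:
            report["rejected"][key] = findings
        else:
            report["accepted"].append(key)
        try:
            control_total += float(record.get("amount"))
        except (TypeError, ValueError):
            pass  # already reported as an input finding on that record

    if len(records) != header["expected_count"]:
        report["completeness"].append(
            f"record count mismatch: received {len(records)}, expected {header['expected_count']}"
        )
    if abs(control_total - header["expected_total"]) > 0.005:
        report["completeness"].append(
            f"control total mismatch: received {control_total:.2f}, expected {header['expected_total']:.2f}"
        )
    return report


if __name__ == "__main__":
    for invoice_id, findings in validate_batch(BATCH, BATCH_HEADER)["rejected"].items():
        print(invoice_id, findings)
```

Running the block rejects two of the three constructed invoices (a blank vendor with a non-ISO date, and a negative amount) and flags the batch as incomplete because the amounts do not add up to the sender's control total; the count check passes. Each finding is a detective control at the application boundary, and the rejected records would be routed back for correction rather than silently dropped.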
How To Identify And Mitigate Internal Control Weaknesses
Some elements to help identify and mitigate control weaknesses are:
1. Defining and inventorying risks. While some risks may be common across an industry, others will be specific to an organization. It’s important to identify which risks are mission critical to your organization. Some individuals specialize in identifying ongoing risks.
- One of the top risks is cybersecurity! Many organizations have a dedicated CISO (chief information security officer). Also, individuals can obtain the CISSP (Certified Information Systems Security Professional) certification.
- Some organizations have a specific GRC (governance, risk, and compliance) group.
2. Frameworks and conducting risk assessments. There are numerous tools, processes, and templates available. You’ll want to determine and document each risk, the likelihood of the event happening, the impact including potential cost, and if/how to mitigate the risk. Some frameworks and considerations are:
- COSO Internal Control – Integrated Framework
- COBIT (Control Objectives for Information and Related Technologies)
- NIST Cybersecurity Framework
- If you work in healthcare, how do you ensure you are HIPAA compliant?
- How often do you perform penetration tests?
- If you have an ERP partner, have you reviewed their annual SOC2 (System and Organization Controls Type 2) report to evaluate their internal controls and any complementary client considerations you may be responsible for?
3. Involvement by Internal Audit (internal controls is practically their middle name). They can be a valuable business partner and provide an independent perspective to make sure the internal controls are effective (including cost effective) and working properly.
4. Continuous monitoring. Both your organization and the threat landscape are constantly changing. You want to regularly conduct assessments and reviews to ensure the controls remain effective. Don’t make controls so rigid that it’s impossible for the business to function.
- There are tools that can systematically monitor, identify, and remediate issues, such as Norton identifying viruses and malware.
- Conduct phishing training and testing for all employees to increase security awareness.
You can’t make the organization 100% secure without shutting the business down, but you can create and maintain a framework of internal controls to safeguard the organization’s important assets.
There are great resources regarding internal controls provided by the American Institute of Certified Public Accountants (AICPA), Institute of Internal Auditors (IIA), and Information Systems Audit and Control Association (ISACA).
For more information on internal controls, follow me on LinkedIn!