Question

The Sarbanes-Oxley Act (SOX) requires all public companies to have an internal control system. Section 404 mandates that the company's annual report include an annual internal control report. Who has the primary responsibility for internal control? What is/are the primary purpose/goals of internal controls? What are the limitations of internal controls? What are the main components of a system of internal controls?

Solutions

Expert Solution

Management is responsible for establishing and maintaining the control environment. Auditors play a role in a system of internal controls by performing evaluations and making recommendations for improved controls. Furthermore, every employee plays a role in either strengthening or weakening the Institution’s internal control system. Therefore, all employees need to be aware of the concept and purpose of internal controls.

Purpose / Goals of Internal Controls

A system of internal control is necessary to help employees and other partners understand the attitude and objectives of the organization as a whole. Internal controls provide reasonable assurance to customers and other parties that transactions are recorded properly and in a timely manner. For instance, many consumers have a favorite store because the business is known for providing quality service in a timely manner. In other words, consumers choose to patronize businesses that have good systems of internal control.

  • Protect against financial loss following disaster
  • Prevent fraudulent activity by employees
  • Maintain high password security
  • Ensure DR capability

Limitations of Internal Control

A system of controls does not provide absolute assurance that the control objectives of an organization will be met; sometimes they differ. Instead, there are several inherent limitations in any system that reduce the level of assurance. These limitations are as follows:

  • Collusion. Two or more people who are intended by a system of control to keep watch over each other could instead collude to circumvent the system.
  • Missing segregation of duties. A control system might have been designed with an insufficient segregation of duties, so that one person can interfere with its proper operation.
  • Human error. A person involved in a control system could simply make a mistake, perhaps forgetting to use a control step. Or, the person does not understand how a control system is to be used, or does not understand the instructions associated with the system.
  • Management override. Someone on the management team who has the authority to do so could override any aspect of a control system for his personal advantage.

Consequently, it must be accepted that no system of internal controls is perfect. There is always a way in which it can fail or be circumvented.

Main Components of Internal Control

When you are performing an audit, to judge the reliability of a client’s internal control procedures, you first have to be aware of the five components that make up internal controls. For each client, you need to understand each component to plan your audit. Your understanding of these components lets you grasp the design of internal controls relevant to the preparation of financial statements and lets you see whether each internal control is actually in operation.

Here are the five components of internal controls:

  • Control environment: This term refers to the attitude of the company, management, and staff regarding internal controls. Do they take internal controls seriously, or do they ignore them? Your client’s environment isn’t very good if, during your interviews with management and staff, you see a lack of effective controls or notice that previous audits show many errors.

  • Risk assessment: In a nutshell, you should evaluate whether management has identified its riskiest areas and implemented controls to prevent or detect errors or fraud that could result in material misstatements. For example, has management considered the risk of unrecorded revenue or expense transactions?

  • Control activities: These are the policies and procedures that help ensure that management’s directives are carried out. One example is a policy that all company checks for amounts more than $5,000 require two signatures.

  • Information and communication: You have to understand management’s information technology, accounting, and communication systems and processes. This includes internal controls to safeguard assets, maintain accounting records, and back up data.

For example, to safeguard assets, does the client tag all computers with identifying stickers and periodically take a count to make sure all computers are present? Regarding the accounting system, is it computerized or manual? If it’s computerized, are authorization levels set for employees so they can access only their piece of the accounting puzzle? For data, are backups done frequently and kept off-site in case of fire?

  • Monitoring: This component involves understanding how management monitors its controls — and how effective the monitoring is. The best internal controls are worthless if the company doesn’t monitor them and make changes when they aren’t working. For example, if management discovers that tagged computers are missing, it has to set better controls in place. The client may need to establish a policy that no computer gear leaves the facility without managerial approval.
