Why Internal Controls – And Reviews – Are Needed

by Jim Marasco, CPA, CFE, CIA

Audit America, Winter 2007

Every day, during the normal course of our lives, we encounter numerous controls or safeguards. Whether your place of work requires an identification badge or a key fob, a password to log onto your computer or an access code to use a copier, controls are a way of life.

Defining ‘internal control’

Broadly defined, internal control is a process: a series of actions that govern an organization’s activities.

COSO (Committee of Sponsoring Organizations of the Treadway Commission) defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

The objectives are in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Identifying the main internal controls

Internal controls are defined in five broad categories:

  • Control environment involves an organization’s attitude about control. It flows from the core beliefs or values of a company.
  • Risk assessment includes identifying and analyzing an organization’s risks or vulnerabilities.
  • Control activities represent the actual policies and procedures that help ensure that management’s directives are being carried out.
  • Information and communication involve identifying, capturing and exchanging information – including accounting information – that allows people to perform their duties.
  • Monitoring or self-assessment evaluates the effectiveness of controls over time.

Testing controls

A financial statement audit determines whether an organization’s financial statements are free of material misstatement.

Auditors may assess risk at the maximum and not rely on the internal control system while performing their audit. Therefore, internal controls may not be tested as thoroughly because the auditors rely more on substantive testing.

In contrast, an internal control review determines whether internal controls exist and are sufficient. It may also test whether the controls are working as designed. Evaluating internal control involves:

  • Identifying the internal control objectives relevant to the organization
  • Reviewing pertinent policies and procedures and the documentation standards for each
  • Discussing controls with the appropriate levels of personnel
  • Observing the control environment
  • Testing transactions as appropriate
  • Sharing findings, concerns and recommendations with senior management and/or the board of directors
  • Determining that the organization has taken timely corrective action on weaknesses that were identified

Taking responsibility for internal control

The board of directors is ultimately responsible for a company’s system of internal control. It should set appropriate policies on internal control and seek regular assurance that the system is functioning effectively.

It is the role of management to implement the board’s policies on risk and control.

Management should identify and evaluate the risks faced by the company for consideration by the board. And management should design, operate and monitor a suitable system of internal control to meet the board’s intent.

Additionally, all employees have some responsibility and accountability within the internal control environment. They should have the necessary skill, knowledge and authority to operate and monitor the system of internal control that is put in place.

Reviewing internal controls

Internal controls go beyond safeguarding an organization from financial loss. They can also assist in maintaining reliable financial reporting and maximizing effective operations.

The best way to protect your organization and ensure that it is operating efficiently is to have an internal control review performed on your operation. Whether you’re a for-profit, not-for-profit or governmental entity, your current practices should be compared against peers in your sector.

The goal is twofold:

  1. To protect and safeguard your company from being victimized
  2. To improve your processes to obtain greater efficiencies and become more effective at each level of the organization

An internal control review can highlight weaknesses in the internal control structure or expose processes that could be strengthened to maximize efficiency. Detailed recommendations to mitigate risk or strengthen areas of weakness should be included in a formal report issued to the board of the organization.

If you suspect payroll fraud within your organization or need help safeguarding against it, please call one of our professionals.

James I. Marasco, CPA/CFF, CFE, CIA

Jim is a partner at EFPR Group. He brings more than 18 years of public accounting and auditing experience. He is a full-time management consultant and travels extensively throughout the country while leading StoneBridge Business Partners (an EFPR Group affiliate company).

Article republished with the permission of CPAmerica.

