The key concepts used in the COSO model are relevant for a basic understanding of what ‘internal control’ is. They are:
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of the organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
“Success is nothing more than a few simple disciplines, practiced every day.” Jim Rohn
Directors can use the mnemonic SPAM-SOAP to remember the control activities and procedures required to strengthen internal controls and reduce the opportunity to perpetrate fraud. SPAM-SOAP stands for the following basic controls and procedures:
Segregation of duties
Physical controls
Authorization and approval procedures
Management controls
Supervision
Organization
Arithmetical and accounting controls
Personnel
Segregation of Duties
No single individual should have the unrestricted ability to complete an activity or transaction from start to finish. Segregating duties separates the initiation of a transaction, its record-keeping, its authorization and its review in every process. Segregation of control activities is just as important within an IT system, where one user account must not be able to both create and approve the same transaction.
This control can, however, be evaded by collusion between employees. It should therefore be reviewed regularly for the possibility that two or more employees are colluding to commit fraud.
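The following is an added example, not code from the original article, showing how the four functions named above (initiation, record-keeping, authorization, review) can be kept separate in a system workflow. It combines a preventive check (a user cannot perform a second stage on the same transaction, and stages must occur in order) with two detective checks: a static review of the role model for users entitled to more than one stage, and an audit over a log of completed actions to find transactions where segregation was not actually achieved. The stage names, user names, roles and log lines are constructed for the example.

```python
"""Segregation-of-duties enforcement and audit for a transaction workflow.

Added illustration, not code from the original article. The stage names
follow the article (initiation, record-keeping, authorization, review);
the users, roles and log lines below are constructed for the example.
"""
from collections import defaultdict

# The four functions the article says must be kept separate, in order.
STAGES = ("initiate", "record", "authorize", "review")


class SoDViolation(Exception):
    """Raised when an action would let one person cover two stages."""


class Transaction:
    def __init__(self, tx_id, amount_cents):
        self.tx_id = tx_id
        self.amount_cents = amount_cents
        self.actors = {}  # stage -> user who performed it

    def is_complete(self):
        return all(stage in self.actors for stage in STAGES)


def perform(tx, stage, user, roles):
    """Record that `user` performed `stage` on `tx`.

    `roles` maps user -> set of stages that user is entitled to perform.
    Preventive control: stages happen in order, the user must hold the
    role for the stage, and no user may touch the same transaction twice.
    """
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    if tx.is_complete():
        raise SoDViolation(f"{tx.tx_id} is already complete")
    expected = STAGES[len(tx.actors)]
    if stage != expected:
        raise SoDViolation(f"{tx.tx_id}: expected stage {expected!r}, got {stage!r}")
    if stage not in roles.get(user, set()):
        raise SoDViolation(f"{user} is not entitled to {stage!r}")
    if user in tx.actors.values():
        done = next(s for s, u in tx.actors.items() if u == user)
        raise SoDViolation(f"{user} already performed {done!r} on {tx.tx_id}")
    tx.actors[stage] = user


def role_conflicts(roles):
    """Static check of the role model: users entitled to two or more stages.

    Such entitlements do not prove fraud, but each one is a point where the
    control can be bypassed by a single person and deserves review.
    """
    return {user: sorted(stages) for user, stages in roles.items() if len(stages) > 1}


def audit_log(records):
    """Detective check over a log of (tx_id, stage, user) tuples.

    Returns the ids of transactions on which one user performed more than
    one stage, i.e. where segregation was not actually achieved.
    """
    by_tx = defaultdict(lambda: defaultdict(set))
    for tx_id, stage, user in records:
        by_tx[tx_id][user].add(stage)
    return sorted(
        tx_id for tx_id, users in by_tx.items()
        if any(len(stages) > 1 for stages in users.values())
    )


if __name__ == "__main__":
    # Constructed role model: eve holds both initiate and authorize rights.
    roles = {
        "alice": {"initiate"}, "bob": {"record"},
        "carol": {"authorize"}, "dan": {"review"},
        "eve": {"initiate", "authorize"},
    }
    tx = Transaction("T-1", 50_000)
    for stage, user in zip(STAGES, ("alice", "bob", "carol", "dan")):
        perform(tx, stage, user, roles)
    print(tx.is_complete(), role_conflicts(roles))
```

The preventive check alone is not enough: it cannot see collusion between two properly separated users, which is why the role review and the log audit sit beside it, and why the article asks for periodic review of the control itself.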
Physical Controls
Have physical security in place to safeguard assets, both tangible and intangible (copyright certificates, software, etc.), against misuse, damage and theft. Physical security delays or prevents intruders from causing losses, including loss of data. Examples are guards, fences, locks, biometrics, passwords, backups and fire protection.
Arithmetical and Accounting Controls
Financial and non-financial information used for internal and external reporting should be accurate and complete.
This requires periodic reconciliations (e.g. bank reconciliations and control accounts), and re-performance and re-calculation of values for material balances. Balances with third parties, including accounts receivable and accounts payable, should be reconciled and agreed at regular intervals. This helps detect the insider practice of skimming, i.e. taking cash payments and not recording them.
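As an added example (not code from the original article), the block below reconciles an internal receipts ledger against an independent record such as a customer's confirmation of the payments it made. It reports references that agree, references present on one side only, and references where the amounts differ, and then lists the items where the third party reports more money than the books do, which is the pattern that skimming leaves behind. Amounts are integer cents to avoid floating-point drift; the ledger entries and confirmation lines are constructed for the example.

```python
"""Reconciliation of an internal receipts ledger against a third-party statement.

Added illustration, not code from the original article. Amounts are
integer cents to avoid floating-point drift; the ledger entries and the
customer-confirmed payments below are constructed for the example.
"""
from collections import defaultdict


def _totals_by_reference(records):
    """Sum amounts per reference so split or duplicate postings still compare."""
    totals = defaultdict(int)
    for reference, cents in records:
        totals[reference] += cents
    return totals


def reconcile(internal, external):
    """Compare two lists of (reference, amount_cents) records.

    `internal` is what the entity's own books show; `external` is what an
    independent party (bank statement, customer confirmation) reports.
    Returns the references that agree, those present on one side only,
    those where both sides carry the reference but the amounts differ,
    and the net difference between the two totals.
    """
    ours, theirs = _totals_by_reference(internal), _totals_by_reference(external)
    matched, mismatched = [], {}
    for ref in sorted(set(ours) & set(theirs)):
        if ours[ref] == theirs[ref]:
            matched.append(ref)
        else:
            mismatched[ref] = (ours[ref], theirs[ref])
    return {
        "matched": matched,
        "only_internal": sorted(set(ours) - set(theirs)),  # recorded but not confirmed
        "only_external": sorted(set(theirs) - set(ours)),  # confirmed but never recorded
        "mismatched": mismatched,
        "difference_cents": sum(theirs.values()) - sum(ours.values()),
    }


def skimming_indicators(result):
    """References where the third party reports more money than the books do.

    A payment the customer confirms but the ledger never recorded, or a
    confirmed amount larger than the amount booked, is the trace left by
    taking cash before it is recorded. These are leads for investigation,
    not proof.
    """
    leads = list(result["only_external"])
    leads += [ref for ref, (ours, theirs) in result["mismatched"].items() if theirs > ours]
    return sorted(leads)


if __name__ == "__main__":
    # Constructed data: receipts posted in the ledger (INV-103 posted in two parts) ...
    ledger = [("INV-100", 120_00), ("INV-101", 50_00), ("INV-103", 40_00), ("INV-103", 35_00)]
    # ... and the payments the customer confirms having made.
    confirmation = [("INV-100", 120_00), ("INV-101", 80_00), ("INV-102", 30_00), ("INV-103", 75_00)]
    report = reconcile(ledger, confirmation)
    print(report)
    print("investigate:", skimming_indicators(report))
```

The same routine serves a bank reconciliation by passing bank-statement lines as `external`; items under `only_internal` are then unpresented cheques or lodgements in transit, and items under `only_external` are bank charges or receipts not yet posted.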
Management Controls
As management develops and implements control systems, it should exercise control to ensure that all internal control systems are working properly and are followed by employees. This includes establishing information systems (which may be IT systems) to gather relevant information for performance management and internal audit, so that they can evaluate the effectiveness of the internal control system.
Appropriate information must be identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the business.
Supervision
Supervision means directing people, and monitoring and reviewing the work of employees, functions and the organization as a whole. Segregating the review function within control processes fulfils the supervisory activity and helps ensure that controls are operating as designed.
Organization
Communicating and coordinating activities across the whole organization.
To accomplish this, roles and responsibilities, policies and procedures, reporting lines and the organizational structure should be formally established and clearly communicated. For example, procedures for related party transactions, cash, sales, purchases, payroll, etc. should be documented and approved by the board.
Authorization and Approval Procedures
This refers to controls requiring the permission or signature of a person or persons at an appropriate level in the organization for different types of transactions.
It ensures that the activities and expenditures necessary for achieving organizational objectives are made by the appropriate persons.
Personnel
Clear policies should be in place for recruiting, developing, evaluating and rewarding staff. Key employees should be retained, and underperforming employees should be motivated and trained to reach the standard level of performance. Punishments and disciplinary actions for inappropriate behaviour should also be documented to deter such conduct.