Before discussing the internal control environment, let’s briefly review the definition of internal control.
COSO (The Committee of Sponsoring Organizations of the Treadway Commission) defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives. More simply, internal control is:
- A process
- Effected by people
- Designed to achieve objectives
We perform internal controls in our daily lives. For example, you lock the door when leaving the house to ensure the house is safe; you keep important documents in a locked drawer; and you review bills before paying to ensure you are not overcharged.
As in your personal life, an organization performs internal controls routinely. For example, employees enter their passwords before logging in to the company system; employees submit day-off requests to their supervisor for approval; and the Accounting Manager reviews bank account reconciliations.
The 5 Components of Internal Control
Based on the COSO framework, internal control consists of five integrated components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
Of the five components, the control environment provides the foundation for carrying out internal controls in an organization: it sets the tone of the organization and underlies all other components of internal control, providing discipline and structure.
The board of directors and management establish the control environment through policies, procedures, processes, standards and structures that provide the basis for carrying out internal controls in an organization.
It is important to understand an organization’s control environment. As an employee, you can understand the working environment and management philosophy by understanding the control environment. Auditors can set out their responsibilities, identify the areas where special audit consideration may be necessary and assess the risks of misstatement in the financial statements. As an investor, understanding the control environment can help you evaluate the risks of investing in an organization.
How to Evaluate an Organization's Control Environment
But how do you evaluate an organization’s control environment? You first need to understand what factors are included in the internal control environment.
The internal control environment includes five factors.
- Integrity and ethical values: Many organizations seek a high level of integrity and ethical values. But how do organizations obtain them? Usually, those organizations have a clear Code of Conduct and/or Conflict of Interests policies. They periodically communicate these policies to employees to promote honesty and integrity. In addition, some organizations adopt business best practices and emphasize internal controls, which is also clear evidence that the organizations are striving to integrate integrity and ethical values into daily business operations.
- Competence of the entity’s people: Competence is the knowledge and skills necessary for particular functions. So how does an organization set the tone of hiring only competent employees? First, management determines the knowledge and skills required for each position, then establishes the job descriptions for these positions. Furthermore, there is a well-designed hiring process and performance review process to ensure that new hires and employees are competent to perform their assigned tasks and assist the organization in achieving its objectives.
- Management’s philosophy and operating style: Management may not achieve its business objectives if it does not introduce and maintain a philosophy and operating style that supports the business objectives and strategies. Management’s philosophy and operating style include management’s attitude toward the organization’s objectives, its approaches to minimizing business risks and its attitude toward internal controls over financial reporting. For example, if management sets an unrealistic financial goal and aggressively persuades employees to achieve the goal, what will happen? The chance of misstatement in financial statements becomes higher.
- Authority and responsibility: The control environment is greatly influenced by the extent to which individuals recognize that they will be held accountable. Accountability plays a critical role in carrying out internal controls in an organization. Sections 302 and 404 of the Sarbanes-Oxley Act (SOX) hold management in an organization accountable for financial reporting to ensure financial reporting is accurate and timely. In the organization, management holds employees accountable for all activities and business practices to ensure the organization is in compliance with SOX. To have an accurate, effective and timely financial reporting system, management must ensure that adequate reporting relationships and authorization hierarchies are in place.
- Direction provided by the board of directors: An effective Board of Directors and Audit Committee provide an important oversight function and, because of management's ability to override controls, they play an important role in the control environment, helping to set a positive tone at the top. Private companies often have no Audit Committee. However, having a Board of Directors is very important for private companies as well. It oversees the organization’s plans and performance, provides management with direction based on its experience, and oversees the organization’s internal control function.
An organization’s control environment comprises the five factors above and each of them requires careful consideration and evaluation. To help readers to obtain a better understanding of the control environment evaluation, we have prepared a Tone at the Top Evaluation Checklist for download. The checklist is fairly comprehensive and should help any organization to evaluate the “Tone at the Top.”
Emma Zhang is an experienced audit professional, with more than six years of internal audit & Sarbanes Oxley (SOX) compliance experience focusing on operations, accounting, internal controls and process improvement. Competencies include operational auditing, accounting, management consulting, Sarbanes Oxley (SOX) compliance, audit planning and risk assessments, operational/financial planning and analysis, and data analysis. Emma is a resourceful, creative thinker and analytical problem solver with demonstrated ability to independently manage tasks from planning through execution in dynamic, fast-paced, and time-sensitive environments. Emma is a CPA with a CFE certificate. Emma is also a Blackline Certified Implementation Professional and helps clients implement the Blackline system.