These five key areas provide the framework from which an organization can develop a strong system of internal control over financial reporting:
- Establishing Policies and Procedures
- Tone at the Top
- Processing Transactions and Financial Data
- Monitoring and Communication
- Controls over Year-end Financial Reporting
Characteristics of Good Internal Controls
An organization with good internal controls over financial reporting has implemented the five key areas based on its size, structure and complexity. Once this framework is established, it is important to consider the characteristics of the specific internal controls to be implemented within the framework.
Good internal controls can be grouped into three different types based on their nature: detective, corrective or preventive. Detective controls aim to bring to light those errors or irregularities that may have occurred. Corrective controls exist to rectify errors or irregularities that have been found. Lastly, preventive control activities seek to inhibit an error or fraud from occurring. Because preventive controls are intended to prevent undesired outcomes from occurring, they require risk identification and assessment.
Common Weaknesses in Internal Controls
Weaknesses in internal controls are usually the result of the omission of one of the five key areas of the framework or the lack of a proper mix of types of controls within it.
Common examples of weaknesses in internal controls include:
- Lack of management oversight. An organization that lacks management oversight might omit the approval of non-routine transactions (a preventative control), which could result in the processing of transactions outside of established organizational guidelines.
- Lack of a risk-assessment process. An organization without a risk-assessment process cannot effectively design preventative controls to mitigate risks if those risks are unknown.
- Lack of, or failure to adhere to, organizational polices. Policies are the foundation from which an organization can develop good internal controls.
- Deficiencies in financial reporting for the year-end financial statements. This usually signifies a lack of expertise to prepare
year-end accruals and all of the required financial statement disclosures.
How to Correct Weaknesses in Internal Controls
The first step in addressing weaknesses in internal controls is to identify them. The assessment should begin with a comparison of the organization’s current structure against the five key areas for effective controls.
The next step is to identify those specific controls within the framework that are detective, corrective and preventive. Effective controls over financial reporting will have a mix of types of controls that adequately respond to identified risks. For example, an organization might implement a review and monitoring process for non-routine transactions if it lacks enough preventive controls. Likewise, an organization might implement additional reconciliation processes if it lacks detective controls.
Correcting weaknesses in controls over financial reporting related to the preparation of the year-end financial statements can be the most difficult area to address. An organization’s accounting personnel may just require some additional training to bring them up-to-speed on required accruals and disclosures. Alternatively, the organization could hire outside help to assist in accomplishing these tasks. In either case, it is important for the organization to do a cost-benefit analysis to determine its best option.
Internal controls over financial reporting should be a system of checks and balances designed to capture and report the financial activity of the organization in an accurate and complete manner. An organization’s system of internal controls should be specifically tailored to its size, structure and complexity. An organization with effective controls will often avoid management letter comments and, more importantly, will have the ability to detect errors or fraud in a timely manner.
Todd M. Stokes, CPA, is a manager in Lindquist LLP’s Seattle office with nine years of specialized experience auditing labor organizations and defined benefit, defined contribution, and health and welfare plans. In addition to supervising audit engagements, Todd trains staff and helps develop technical guidance for the firm. He is a member of the International Foundation of Employee Benefit Plans. Contact Todd at email@example.com or
Our firm provides the information in this e-newsletter for general guidance only. It does not constitute the provision of legal advice, tax advice, accounting services, investment advice or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal, or other competent advisers. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all pertinent facts relevant to your particular situation. Tax articles in this e-newsletter are not intended to be used, and cannot be used by any taxpayer, for the purpose of avoiding accuracy-related penalties that may be imposed on the taxpayer. The information is provided "as is," with no assurance or guarantee of completeness, accuracy or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability and fitness for a particular purpose.