CFO Blog

Internal Auditing Controls & the Integrity of Financial Statements

Thursday, February 12, 2009

With the growing concern stemming from unethical corporate behavior and accounting scandals, the implementation of effective internal controls has come to the forefront.  The industry standard for internal control guidelines is a process called Internal Control-Integrated Framework (ICIF).

The origin of ICIF was 1987, when the National Committee of Fraudulent Financial Reporting formed a task force to research the best standards to assure adequate internal controls. The task force was called The Committee of Sponsoring Organizations of the Treadway Commission, which was shortened to COSO in most conversations. Five years after the committee was formed, and after countless hours of research, the committee published Internal Control – Integrated Framework. In this report the committee defined internal control as “the process that is carried out by an entity’s board of directors, management and other personnel for the purpose of gaining reasonable assurance of achieving objectives in three broad areas; (i) effectiveness and efficiency in operations, (ii) financial reporting, and (iii) compliance with laws and regulations” (Tanki, 1993).

The committee also laid out the framework to be used in establishing effective internal controls. The first step is creating an effective control environment, which is the corporate culture that emphasizes integrity, ethical values and competence. Management is critical in this process because employees typically take their lead from management; if management acts unethically, this will trickle down and corrupt the business. The environment should provide clear direction so that all parties involved understand the objectives of management and all functions work towards the same goal.

The second step is risk assessment, which is not only the process of identifying the risks that the business faces, but also understanding the financial exposure related to each risk and the likelihood of the event taking place. Employees who are closely involved in the process will be our best resource in identifying related risks and deriving controls to address these risks. As such, our internal control team will work hand-in-hand with our employees to be sure that all of the business risks are identified and the exposures understood. It should be noted that it is not practical to try to eliminate all risk; in fact, this could very well be detrimental to the business because of the significant time and costs involved in internal controls. To this end, only risks that outweigh the cost of controlling the risk should be actively controlled. Every company has a different appetite for risk; identifying and understanding the risk exposure allows the company to effectively “manage” the risk.

The next step is instilling control activities to monitor our risk. The control activities are the procedures that are put in place to be sure that management’s goals are carried out. The controls should address three somewhat overlapping functions in the business, which are (i) operations, (ii) financial reporting, and (iii) compliance (Tanki, 1993). Beyond that, control activities can be broken down into three subcategories: (i) preventative controls, (ii) detective controls, and (iii) corrective controls. Of the three, preventative controls are the most important because, if effective, they will not only eliminate the damage caused by the event, but also the cost involved in detecting and correcting the issue.

The fourth step is information and communication. This step emphasizes that information must not only be entered correctly but also flow quickly up and down stream so that management can make timely decisions based on quality information. This step also emphasizes that everyone know their role in the control environment and understand how his/her actions affect the process.

The final step is monitoring. Monitoring risk needs to be a constant practice because risk is always changing and comes from all angles, such as (i) economic, (ii) enterprise, (iii) industry, (iv) business process, and (v) information process.

Written By:  The Company Pulse (analyst@thecompanypulse.com)


Works Cited

Cheryl L. Dunn, J. O. (2005). Enterprise Information Systems: A Pattern Based Approach - 3rd Edition. McGraw Hill/Irwin.

Tanki, R. M. (1993, June). Internal Control-Integrated Framework: a landmark study. The CPA Journal.
