The Securities and Exchange Commission (SEC) requires public companies to evaluate and report on internal controls over financial reporting using a recognized control framework. Private companies generally aren’t required to use a framework for the oversight of internal controls, unless they’re audited, but a strong system of checks and balances is essential for them as well.
A critical process
Reporting on internal controls is an ongoing process, not a one-time assessment, that’s affected by an entity’s board of directors or owners, management, and other personnel. It’s designed to provide reasonable assurance regarding the effectiveness and efficiency of operations, the reliability of financial reporting, compliance with applicable laws and regulations, and safeguarding of assets.
A strong system of internal controls helps a company achieve its strategic and financial goals, in addition to minimizing the risk of fraud. At the most basic level, auditors routinely monitor the following three control features. These serve as a system of checks and balances that help ensure management directives are carried out:
1. Physical restrictions. Employees should have access to only those assets necessary to perform their jobs. Locks and alarms are examples of ways to protect valuable tangible assets, including petty cash, inventory and equipment. But intangible assets — such as customer lists, lease agreements, patents and financial data — also require protection using passwords, access logs and appropriate legal paperwork.
2. Account reconciliation. Management should confirm and analyze account balances on a regular basis. For example, management should reconcile bank statements and count inventory regularly.
Interim financial reports, such as weekly operating scorecards and quarterly financial statements, also keep management informed. But reports are useful only if management finds time to analyze them and investigate anomalies. Supervisory review takes on many forms, including observation, test counts, inquiry and task replication.
3. Job descriptions. Another basic control is detailed job descriptions. Company policies also should call for job segregation, job duplication and mandatory vacations. For example, the person who receives customer payments should not also approve write-offs (job segregation). And two signatures should be required for checks above a prescribed dollar amount (job duplication).
Is your company’s internal control system strong enough? Even if you’re not required to follow the SEC’s rules on assessing internal controls, a thorough system of checks and balances will help your company achieve its goals. Company insiders sometimes lack the experience or objectivity to assess internal controls. But our auditors have seen the best — and worst — internal control systems and can help evaluate whether your controls are effective.