Essential Points of Internal Controls
As revealed in the Government Finance Officers Association (GFOA) published pamphlet, Internal Control – An Elected Official’s Guide by Stephen J. Guthier, there are fifteen important points to remember about internal controls.
Point One: What is Internal Control?
Internal control is the combination of people, policies, and procedures that governing bodies and managers rely upon to obtain reasonable assurance that their government is meeting its objectives in regard to effectiveness, efficiency, the safeguarding of assets, the reliability of reporting, and compliance.
Point Two: Who is Responsible for Internal Control?
The primary responsibility for internal control rests with management. The governing body is ultimately responsible for ensuring that management fulfills that responsibility. Independent auditors, on the other hand, while they rely on controls to support their opinion on the fair presentation of financial statements, are not responsible for internal control.
Point Three: Who Assists Management with Internal Control?
Internal auditors and the audit committee assist management and the governing body, respectively, to fulfill their responsibility for internal control.
Point Four: Is Internal Control an absolute assurance?
The goal of internal control is reasonable, rather than absolute assurance that a government’s objectives are being achieved.
Point Five: What are the Five Components of the Internal Control Framework?
Reasonable assurance can result only from a comprehensive framework of internal control that provides for:
- a favorable control environment,
- ongoing risk assessment,
- the design, implementation, and maintenance of effective control activities,
- effective information and communication, and
- ongoing monitoring of the effectiveness of controls.
Point Six: How Important is the Control Environment?
Even the best designed system of internal control is likely to fail in an unfavorable control environment.
Point Seven: When is the Risk Assessment Performed?
Risk assessment is not a one-time event, but rather an active and ongoing process.
Point Eight: Should Fraud be Considered Separately?
The intentional nature of fraud demands that it be considered separately as a risk in its own right.
Point Nine: Where Should Control Activities be Derived From?
Control activities should derive from and be integrally connected with risk assessment.
Point Ten: What About Technology?
A comprehensive framework of internal control specifically requires general controls over technology.
Point Eleven: What About Information and Communication?
Information and communication are an integral part of the functioning of the other four basic elements of a comprehensive framework of internal control.
Point Twelve: What is Needed in the Event of a Deliberate Circumvention of Internal Controls?
There must be a credible way for those inside and outside the government to communicate “around management” any information they may have concerning the circumvention of internal control, fraud, abuse, or illegal acts.
Point Thirteen: What Should be Determined During Evaluation and Assessment?
Internal control needs to be evaluated and assessed to determine whether:
- each of the five essential elements of a comprehensive framework of internal control is present;
- whether each element embodies all of the associated principles; and
- whether all five elements function together effectively (i.e., the whole cannot be reduced to the sum of its parts).
Point Fourteen: What Does the Evaluation of Controls Presuppose?
The evaluation of controls presupposes a “baseline” of effectiveness, which itself must be initially established and subsequently reevaluated with the passing of time, and whenever significant changes in internal or external circumstances occur.
Point Fifteen: To Whom Should Deficiencies in Internal Control be Communicated?
Identified deficiencies in internal control need to be communicated:
- to those responsible for the deficiency;
- to those responsible for ensuring that the deficiency is corrected; and
- to others who have a right to be informed (e.g., grantor).