What is an audit of internal control over financial reporting?

​In response to increased regulatory focus, our ICFR series explores the benefits of a proactive versus reactive system for internal controls to help your organization improve its ICFR program—and save costs along the way.

Internal controls are accounting and auditing processes used in a company's finance department that ensure the integrity of financial reporting and regulatory compliance.

Internal controls help companies to comply with laws and regulations, and prevent fraud. They also can help improve operational efficiency by ensuring that budgets are adhered to, policies are followed, capital shortages are identified, and accurate reports are generated for leadership.

Key Takeaways

• Internal controls are the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability and prevent fraud.
• Internal controls aid companies in complying with laws and regulations, and preventing employees from stealing assets or committing fraud.
• They also can help improve operational efficiency by improving the accuracy and timeliness of financial reporting.
• Internal audits play a critical role in a company’s internal controls and corporate governance.
• The Sarbanes-Oxley Act of 2002 made managers legally responsible for the accuracy of their companies' financial statements.

1:19

Internal Controls

Understanding Internal Controls

Internal controls have become a key business function for every U.S. company since the accounting scandals of the early 2000s. In the wake of such corporate misconduct, the Sarbanes-Oxley Act of 2002 was enacted to protect investors from fraudulent accounting activities and to improve the accuracy and reliability of corporate disclosures.

This had a profound effect on corporate governance. The legislation made managers responsible for financial reporting and creating an audit trail. Managers found guilty of not properly establishing and managing internal controls face serious criminal penalties.

The auditor’s opinion that accompanies financial statements is based on an audit of the procedures and records used to produce them. As part of an audit, external auditors will test a company’s accounting processes and internal controls and provide an opinion as to their effectiveness.

Importance of Internal Controls

Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. These internal controls can ensure compliance with laws and regulations as well as accurate and timely financial reporting and data collection. They help to maintain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit.

Internal audits play a critical role in a company’s operations and corporate governance, now that the Sarbanes-Oxley Act of 2002 has made managers legally responsible for the accuracy of its financial statements.

No two systems of internal controls are identical, but many core philosophies regarding financial integrity and accounting practices have become standard management practices. While they can be expensive, properly implemented internal controls can help streamline operations and increase operational efficiency, in addition to preventing fraud.

The U.S. Congress passed the Sarbanes-Oxley Act of 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The Act mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud.

Components of Internal Controls

A company's internal controls system should include the following components:

• Control environment: A control environment establishes for all employees the importance of integrity and a commitment to revealing and rooting out improprieties, including fraud. A board of directors and management create this environment and lead by example. Management must put into place the internal systems and personnel to facilitate the goals of internal controls.
• Risk Assessment: A company must regularly assess and identify the potential for, or existence of, risk or loss. Based on the findings of such assessments, added focus and levels of control might be implemented to ensure the containment of risk or to watch for risk in related areas.
• Monitor: A company must monitor its system of internal controls for ongoing viability. By doing so, it can ensure, whether through system updates, adding employees, or necessary employee training, the continued ability of internal controls to function as needed.
• Information/Communication: Solid information and consistent communication are important on two fronts. First, clarity of purpose and roles can set the stage for successful internal controls. Second, facilitating the understanding of and commitment to steps to take can help employees do their job most effectively.
• Control Activities: These pertain to the processes, policies, and other courses of action that maintain the integrity of internal controls and regulatory compliance. They involve preventative and detective activities.

Preventative vs. Detective Controls

Internal controls are typically comprised of control activities such as authorization, documentation, reconciliation, security, and the separation of duties. They are broadly divided into preventative and detective activities.

Preventative control activities aim to deter errors or fraud from happening in the first place and include thorough documentation and authorization practices. Separation of duties, a key part of this process, ensures that no single individual is in a position to authorize, record, and be in the custody of a financial transaction and the resulting asset. Authorization of invoices and verification of expenses are internal controls.

In addition, preventative internal controls include limiting physical access to equipment, inventory, cash, and other assets.

Detective controls are backup procedures that are designed to catch items or events that have been missed by the first line of defense. Here, the most important activity is reconciliation, which is used to compare data sets. Corrective action is taken upon finding material differences. Other detective controls include external audits from accounting firms and internal audits of assets such as inventory.

Limitations of Internal Controls

Regardless of the policies and procedures established by an organization, internal controls can only provide reasonable assurance that a company's financial information is correct.

The effectiveness of internal controls can be limited by human judgment. For example, a business may give high-level personnel the ability to override internal controls for operational efficiency reasons.

What's more, internal controls can be circumvented through collusion, where employees whose work activities are normally separated by internal controls, work together in secret to conceal fraud or other misconduct.

Auditing techniques and control methods from England migrated to the United States during the Industrial Revolution. In the 20th century, auditors' reporting practices and testing methods were standardized.

Why Are Internal Controls Important?

Internal controls are the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. Besides complying with laws and regulations and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting.

The Sarbanes-Oxley Act of 2002, enacted in the wake of the accounting scandals in the early 2000s, seeks to protect investors from fraudulent accounting activities and improve the accuracy and reliability of corporate disclosures.

What Are the 2 Types of Internal Controls?

Internal controls are broadly divided into preventative and detective activities. Preventative control activities aim to deter errors or fraud from happening in the first place and include thorough documentation and authorization practices. Detective controls are backup procedures that are designed to catch items or events that have been missed by the first line of defense. 

What Are Some Preventative Internal Controls?

Separation of duties, a key part of the preventative internal control process, ensures that no single individual is in a position to authorize, record, and be in the custody of a financial transaction and the resulting asset. Authorization of invoices, verification of expenses, limiting physical access to equipment, inventory, cash, and other assets are examples of preventative internal controls.

What Are Detective Internal Controls?

Detective internal controls attempt to find problems within a company's processes once they have occurred. They may be employed in accordance with many different goals, such as quality control, fraud prevention, and legal compliance. Here, the most important activity is reconciliation, which compares data sets. Other detective controls include internal and external audits.

The Bottom Line

Internal controls are vital to ensuring the integrity of companies' operations and the trustworthiness of the financial information they report. The Sarbanes-Oxley Act of 2002 spurred internal controls in the aftermath of such scandals as those involving Enron and WorldCom to protect investors from corporate accounting fraud.

What is internal controls over financial reporting?

Who is responsible for internal control over financial reporting?

What is an internal financial audit?

What is the difference between IFC and ICFR?