A basic system of internal control begins with simple processes, records and reports that are easy to implement and maintain. However, as emerging companies grow and add employees, and involve outside stakeholders such as investors and banks in their activities, they will need to take a more sophisticated approach to internal control. Before deciding on an overall system of internal control the management team must understand that the essential elements of internal control, which are interrelated, are the control environment; risk assessment; control activities; accounting, information and communication systems; and self-assessment or monitoring. In this post we provide an introduction to each of these elements.
The control environment sets the tone within the company, influences the control consciousness of its managers and employees, and establishes the foundation for all of the other elements of internal control. The control environment includes integrity and ethical values of the executives, managers and employees; an organizational commitment to competence and fair and honest business practices; active involvement and participation by the board of directors and/or audit committee; the overall influence of management’s philosophy and operating style; an appropriate and effective organizational structure that incorporates clear assignment of authority and responsibility; and effective human resource policies and practices.
Risk assessment is the company’s ability to identify and analyze the relevant risks to achievement of its objectives and forms the basis for determining how the risks should be managed and what controls are actually needed. Risks can arise from a number of events including changes in the operating environment of the company; new technology; rapid growth, or new or expanding lines of business.
Control activities are the policies, procedures and that help ensure that the directives issued by the board of directors and management of the company are carried out. Examples of control activities include operational performance reviews (e.g., risk assessments and budget performance reviews); information systems controls to verify the accuracy and completeness of transactions; physical controls and security measures; and segregation of duties.
Every business needs accounting, information and communications systems to support the identification, capture, and exchange of information in a form and time frame that allow personnel within the company to complete their responsibilities and update the organizational database to reflect the outcome of their activities. Accounting systems include methods and records that identify, assemble, analyze, classify, record, and report the transactions of the company. Information systems produce reports on operations, finance, risk management, and compliance that allow the board of directors and senior managers to manage the company. Communication systems impart information throughout the company and to external parties such as regulators, auditors, shareholders, and customers.
Monitoring refers to the processes implemented and maintained to continuously assess the quality of internal control performance by the company over time and, if necessary, make appropriate modifications to internal controls as dictated by changes in the environmental conditions in which the company operates. A focused internal audit program is one way that companies can fulfill their monitoring and self-assessment duties.
It is recognized and accepted that the methods and tools used to achieve the objectives of internal control will vary depending on the size and complexity of the company and its business activities and small and mid-sized companies will typically use less formal means to ensure that these objectives are achieved. For example, since it is more likely that the founders of a fledgling emerging company will be actively involved in all operational aspects of the business and in the financial reporting process such a company will usually dispense with, or defer creation and use of, detailed descriptions of accounting procedures, sophisticated information systems, or written policies. However, if a small company is involved in complex transactions or subject to the same legal and regulatory requirements imposed on larger companies engaged in similar activities (e.g., pharmaceuticals), one may find that the small company has been forced from the very beginning of its existence to implement the same types of formal methods and tools for internal controls as might be found in the larger company. Smaller companies may also be able to implement and manage formal and comprehensive reporting systems with the assistance of sophisticated software embedded in its information systems.
The size of the company may also impact the way in which it aspires to achieve the essential elements of internal control. For example, smaller companies, particularly those that have just been launched, generally do not have written codes of conduct and that may rely on the development and maintenance of a culture that emphasizes the importance of integrity and ethical behavior. This is more often achieved through oral communication and by the examples set by the founders and other senior managers in the day-to-day actions. In the same vein, smaller companies may not have independent members on their board of directors.