How your internal control system can achieve its objectives
What does internal control mean to you? Definitions and reactions vary. Some banks feel it implies “we don’t trust you,” while others see it as bureaucratic.
It’s neither.
The purpose of internal control is to provide reasonable assurance that operations are effective and efficient, that financial reporting is reliable and that your organization is compliant with laws and regulations.
Want a well-organized internal control system that achieves its objectives? Make sure the following five components are in place within your organization:
1. Establish a control environment
An integral part of the processes used within any business, internal control doesn’t operate in isolation. In fact, strategic, operational, reporting and compliance objectives are directly related to enterprise risk management components.
Even the smallest organizations have some amount of internal controls. For example, an owner of a push-cart selling hot dogs knows the costs and selling prices of his products; can easily determine if inventory has been lost or stolen; can monitor sales so he maintains adequate inventory; and can manage product mix based on sales. Some additional level of independent examination may be achieved if accounting functions are performed by an individual other than the push-cart vendor. As companies grow in size, the proprietor’s need for updates doesn’t change, but the owner has to rely on reports to get the information needed.
2. Institute regular risk assessment
The institution of superior controls involves planning and risk assessment, competent design, operational achievement and ongoing monitoring.
Planning and risk assessment are essential in supplying a basis for control design. Spending $100 to protect a $10 investment seems illogical. Similarly, establishing elaborate controls over an area that has little operational or financial impact would not be cost effective. Preparation identifies operational areas and key control points. Risk assessment detects the threats associated with an operational area, including the potential effects of an error on your bank.
3. Ensure effective controls
Controls that aren’t designed appropriately are either inefficient (which may be valuable because it’s over-controlling) or ineffective (which simply isn’t designed to accomplish the intended result). Obviously, neither option is good.
Even controls that have been designed appropriately can become ineffective if they aren’t properly implemented. Improper execution may be intentional (someone didn’t follow instructions) or unintentional (someone didn’t understand instructions). Either way, an ineffective control increases the probability of error or fraud.
4. Provide accurate information and two-way communication
Banks work in a complex environment that includes a myriad of laws and regulations. Directors and managers can’t possibly supervise the handling of every transaction, but they require details related to the bank’s business in order to make ongoing operating and investing decisions. If they receive data that isn’t reliable, they will be more likely to make inappropriate choices.
Some controls may be as simple as answering a question like, “Does this make sense?” For instance, if your bank’s outstanding loans are increasing and interest rates are rising, but interest income as a percent of outstanding loans is down, something isn’t right. Other controls are more intricate and involve coordination of effort in order to provide greater assurance of accuracy.
5. Ensure ongoing monitoring
Ongoing monitoring of controls is necessary to make sure the existing ones remain enforced. Products, services and processing systems change periodically. It’s important to understand how those modifications impact present controls and know when they occur, so you can make fitting adjustments. Monitoring is also necessary to make certain controls continue to operate as intended.
Financial institutions subject to the FDIC Improvement Act (FDICIA) or the Sarbanes-Oxley Act (SOX) are exposed to additional internal control requirements. Neither FDICIA nor SOX requires additional controls. Banks and bank holding companies subject to these acts must document internal controls in writing and test controls periodically. In addition, the CEO and CFO must certify the efficiency of the controls and an independent certified public accountant must attest to the certification.