What are Internal Controls?

Internal controls are the methods and processes through which a company ensures that the organization is adhering to important policies and obligations. A company's board of directors, management and other executives are responsible for maintaining internal controls.

How Do Internal Controls Work?

Internal control has five primary elements, which were developed in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO):

  1. Control environment. This activity involves ensuring that the company encourages ethical behavior and creates appropriate policies and procedures. It also involves ensuring that the financial statements are prepared according to generally accepted accounting principles (GAAP). Frequently, the management sets the tone for a company's control environment.
  2. Risk assessment. This activity involves detecting threats and weaknesses that could jeopardize the company's ability to detect and prevent fraud, abuse or misdeeds. More specifically, this activity involves considering the consequences of things such as failing to capture or record all transactions, altering transactions retroactively, making math errors in formulas or key calculations, or failing to make reliable estimates.
  3. Control activities. Control activities are activities that ensure a company is protected before a key activity or decision occurs. This might involve requiring authorization from several managers before proceeding with a purchase, action, or decision, for example, or running documentation to in-house attorneys before publication.
  4. Information and communication. This activity involves providing a way for whistle-blowers and outsiders to report, respond to and deal with reports of impropriety, corruption or suspicious activity. It also covers the broader aspects of simply providing a way for employees to access and hear from executives and communicate efficiently.
  5. Monitoring. This activity involves ensuring that everyone is following proper procedures. This may involve implementing approval, authorization, reconciliations, and verification procedures that double-check transactions and decisions.

Auditors are required to report any deficiencies in a company's internal controls. Accordingly, there is a considerable amount of controversy regarding what constitutes an appropriate or deficient control.

Why Do Internal Controls Matter?

Internal controls exist to prevent and detect fraud, abuse, or unethical activity, especially with regard to the collection and presentation of financial information. The goal is to ensure that a company's financial reports are reliable and accurate. For this reason, the CEO and chief financial officer (CFO) of any company subject to the Sarbanes-Oxley Act must certify in writing that the company's financial disclosures comply with the law and fairly represent the company's condition. The CEO and CFO must also certify that they have inspected the company's internal financial controls.

To prevent directors and officers from issuing misleading financial statements for personal gain, the Sarbanes-Oxley Act makes it a federal crime for a company officer to pressure or manipulate an auditor into rendering a company's financial statements misleading. Further, if a company is forced to restate its financials, in most cases the CEO and CFO of the company must give back any bonuses, compensation or profits made on personal trades of the company's securities during the year after the faulty documents were initially disclosed.