Organizations flourish when they establish environments that foster the efficient execution of operations. Internal controls should help organizations deliver value to their stakeholders and achieve their strategic objectives while aligning with industry best practices, laws, and regulations to manage risks facing them.
What Is the Control Environment of a Company?
The Institute of Internal Auditors control environment definition states that the control environment is the “foundation on which an effective system of internal control is built and operated in an organization that strives to (1) achieve its strategic objectives, (2) provide reliable financial reporting to internal and external stakeholders, (3) operate its business efficiently and effectively, (4) comply with all applicable laws and regulations, and (5) safeguard its assets.”
So, what is an internal control environment in business? It is the combination of a business’s structure, policies, standards, and processes working together to ensure that people are doing the right things, in the right way, to achieve its goals or fulfill its mission.
Why Is the Internal Control Environment Important?
A failure to have internal controls in place results in front-page news stories that no company wants to be a part of. Enron, Worldcom, and Equifax are a few examples of organizations that made news headlines due to a lack of internal control. Similarly, there are dozens of cases each year of companies that privately lose millions of dollars due to control failures, fraud, and misconduct.
All of these outcomes are the result of a weak internal control system and highlight the importance of internal control to the success of an organization. Having a strong internal control environment can provide management and stakeholders reasonable assurance that the organization is operating in accordance with company policies, industry standards, and regulatory requirements.
What Are the Five (5) Components of Internal Control?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.”
There are five key internal control components (sometimes referred to as the principles of internal control) that include the following:
- Control Environment—is a set of standards, structures, and processes that provide the foundation for performing internal control within the entity
- Risk Assessment—is a process used to identify (on an iterative basis), assess, and manage risks to the achievement of the entity’s objectives
- Control Activities—are actions performed under the direction of management, as directed by an entity’s policies and procedures, to mitigate the risks to the achievement of the entity’s objectives
- Information and Communication—is the distribution of information needed to perform control activities and to understand internal control responsibilities to personnel internal and external to the entity
- Monitoring Activities—are ongoing evaluations of the implementation and operation of the five (5) components of internal control
Each of these components can be broken down further into principles or elements that clarify each component of internal control. For example, you may wonder “What are the five elements of the internal control environment?” They include:
- Demonstrating a commitment to Integrity and Ethical Values.
- Maintaining the independence of the board of directors from management and their oversight of the entity’s internal control.
- Establishing organizational structure, reporting lines, authority, and responsibilities to pursue business objectives.
- Demonstrating a commitment to attract, develop, and maintain competent people.
- Maintaining accountability for the execution of internal control responsibilities.
How Can You Implement Your Internal Control Environment?
Like any process, the order of actions taken matters when implementing an internal control environment. Just as you cannot construct the roof or top floor of an office building without completing the foundation and lower levels, an organization cannot skip steps in designing, implementing, operating, and monitoring its internal control framework.
Internal Control Environment
Each organization must start by establishing its internal control environment. It has been said that five things are needed to successfully effect change—vision, skills, incentives, resources, and a plan. Efforts to change without a vision create confusion. Experience has shown that a lack of skills, incentives, resources, or a plan will result in anxiety, resistance, frustration, and failure.
Interestingly, when it comes to implementing or improving internal control within an organization, the control environment is a pervasive factor that impacts all of the other aspects of internal control. Consequently, a poor “tone at the top” by the board of directors or executive management will likely hinder or damage the other components of internal control.
Internal Control Risk Assessment
The next step in the design and implementation of internal control for an organization is to identify and analyze threats or risks to the achievement of the entity’s objectives. If you have ever wondered what factors influence the internal control environment, the answer is risk. Our blog post on Risk Management describes the risk assessment component of internal control in greater detail. Internal control and risk management work hand-in-hand with each other.
Control Activities
Risks that management determines the entity must mitigate in order to achieve its objectives are addressed by control activities. This is a critical element of internal control. Through policies and procedures, control activities or actions are put into place to address those risks.
Control activities can be any number of actions within an organization and are categorized by type and nature. They should be specific actions that can be observed and documented for future inspection or re-performance by a third party. Please see our blog post on the different types of controls for additional details. This will give you examples of internal controls that you might consider implementing in your organization.
It is important that an organization use a risk-based approach in designing its internal control activities or internal control framework. This means that controls are designed to address the risk factors identified in its internal risk assessments rather than using a pre-defined control list. While some frameworks are widely accepted (such as COSO’s internal control framework), each organization is different and faces different challenges. This requires that an organization customize even the best framework to align with its needs.
Information and Communication
It is critical that personnel within the organization understand their responsibilities for internal control. This is best achieved when individuals can relate the impact that their activities have on the achievement of the business’s goals and objectives. This communication should be an ongoing process. Organizations with truly effective internal control provide training (such as compliance training or security awareness training) to personnel on a regular basis, keep current policies and procedures available to personnel, and communicate other critical information in a timely manner via company meetings or emails as needed.
Monitoring Activities
Monitoring activities consist of continual evaluations of the implementation and operation of the five (5) components of internal control. Internal controls monitoring may include automated monitoring tools, internal audits, and assessments performed by third parties. Findings should be evaluated against criteria established by the board of directors, management policies, industry standards, and regulators. Deficiencies should be communicated to management and the board of directors, as needed. Management should follow up on these items through resolution.
Monitoring activities may extend beyond the borders of an organization, such as to service providers whose services may impact their clients’ internal controls over financial reporting. For example, the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, which replaced SSAE 16 as the standard for SOC 1 reporting on May 1, 2017, emphasizes the importance of service providers monitoring controls at subservice organizations.
How Can You Assess Your Control Environment?
I am a firm believer in the adage “You get what you measure.” I have met with some organizations that consider their annual audit to be that measuring stick. If you find yourself in that boat, it is time to change course.
A strong internal audit and/or compliance function is critical to assessing and maintaining your control environment. Personnel with the experience and skill sets specific to your organization should be secured. If that is not possible, external entities should be engaged periodically to assess the environment to provide management with an accurate picture of the organization’s control environment. Please see our blog discussing the value of internal auditors.
The types and means for assessing a control environment are many and vary from one organization to another and from one industry to another. Many organizations are assessed due to regulatory requirements, such as public companies subject to the Sarbanes-Oxley Act, which requires them to have an integrated audit performed each year. Some service organizations’ clients require them to obtain a SOC 1 report or SOC 2 report annually to provide assurance to their clients regarding their control environment as it pertains to internal controls over financial reporting or the service providers’ overall security. Similarly, some healthcare providers are required to receive HIPAA assessments or a HITRUST certification annually.
How Can Your Control Environment Be Improved?
The purpose of assessing an organization’s control environment is to identify weaknesses within its environment so that they can be strengthened.
What is a strong control environment?
The answer to this question is a moving target. A control environment that may be considered strong for a startup may be inadequate for a Fortune 500 company. As an organization grows and its environment changes, it must adjust to address new risks or threats. I guess you could say that obtaining and maintaining a strong control environment is a journey and not a destination.
A strong and effective internal control environment can be enhanced by following the iterative process within the internal control framework or process.
- Assess the risks threatening the company’s ability to achieve its business objectives or service commitments. These may be identified through a formal risk assessment or from monitoring control activities performed by the organization.
- Identify new controls or how to modify existing control activities to mitigate the risks.
- Design and communicate control changes to personnel responsible for implementing, performing, or reviewing the related activities.
- Implement the control changes.
- Monitor control activities throughout the organization to determine the effectiveness of their operation and the outcomes of their execution.
Once the process cycle has been performed, it is repeated beginning with the assessment. Ideally, each time through the process the control environment is improved and strengthened.
Conclusion
Organizations that establish effective control environments can improve their efficiency in delivering value and achieving their strategic objectives. I hope this has helped you understand what a control environment is, the important role internal control plays within the control environment, and how to design, implement, and assess your own internal control framework.
For more information regarding how Linford & Company may assist your organization with its compliance needs, check our related organizational auditing services:
This article was originally published on 3/24/2020 and was updated on 11/8/2023.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.