Organizations flourish when they establish control environments that foster the efficient execution of operations, deliver value to their stakeholders, and achieve their strategic objectives while aligning with industry best practices, laws, and regulations to manage the risks facing them. This blog will help you understand 1) what a control environment is, 2) the important role internal control plays within the control environment, 3) how to design and implement internal control within your organization, and 4) how to assess the effectiveness of your control environment.
What is a Control Environment?
The Institute of Internal Auditors defines the control environment as the “foundation on which an effective system of internal control is built and operated in an organization that strives to (1) achieve its strategic objectives, (2) provide reliable financial reporting to internal and external stakeholders, (3) operate its business efficiently and effectively, (4) comply with all applicable laws and regulations, and (5) safeguard its assets.”
A control environment comprises an entity’s organizational structure, processes, policies, and standards, which together are used to maintain control across the organization. The board of directors and executive management of a business establish the company culture and attitude regarding the importance of maintaining controls and set the expected standards of conduct within the organization—often referred to as “the tone at the top.”
There are five (5) principles related to a control environment. They include:
- Demonstrating a commitment to Integrity and Ethical Values
- Maintaining the independence of the board of directors from management and their oversight of the entity’s internal control
- Establishing organizational structure, reporting lines, authority, and responsibilities to pursue business objectives
- Demonstrating a commitment to attract, develop, and maintain competent people
- Maintaining accountability for the execution of internal control responsibilities
Why is it Important to have Strong Internal Control?
A failure to have internal controls in place results in front-page news stories that no company wants to be a part of. Enron, WorldCom, and Equifax are a few examples of organizations that made news headlines due to a lack of internal control. Similarly, there are dozens of cases each year of companies that privately lose millions of dollars due to control failures, fraud, and misconduct. A strong internal control environment can provide management and stakeholders reasonable assurance that the organization is operating in accordance with company policies, industry standards, and regulatory requirements.
What are the Key Components of Internal Control?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.”
Internal control has five key components:
- Control Environment—the set of standards, structures, and processes that provide the foundation for performing internal control within the entity
- Risk Assessment—the process used to identify (on an iterative basis), assess, and manage risks to the achievement of the entity’s objectives
- Control Activities—the actions performed under the direction of management, as directed by the entity’s policies and procedures, to mitigate the risks to the achievement of the entity’s objectives
- Information and Communication—the distribution of the information needed to perform control activities and to understand internal control responsibilities to personnel internal and external to the entity
- Monitoring Activities—the ongoing evaluations of the implementation and operation of the five (5) components of internal control
How can You implement Internal Control?
Like any process, the order of actions taken matters when implementing an internal control environment. Just as you cannot construct the roof or top floor of an office building without completing the foundation and lower levels, an organization cannot skip steps in designing, implementing, operating, and monitoring its internal control framework.
Internal Control Environment
Each organization must start by establishing its internal control environment. It has been said that five things are needed to successfully effect change—vision, skills, incentives, resources, and a plan. Efforts to change without a vision create confusion. Experience has shown that a lack of skills, incentives, resources, or a plan will result in anxiety, resistance, frustration, and failure. Interestingly, when it comes to implementing or improving internal control within an organization, the control environment is a pervasive factor that impacts all of the other aspects of internal control. Consequently, a poor “tone at the top” by the board of directors or executive management will likely hinder or damage the other components of internal control.
Internal Control Risk Assessment
The next step in the design and implementation of internal control for an organization is to identify and analyze threats or risks to the achievement of the entity’s objectives. This is an important step that we discussed in detail in a separate blog post on Risk Management. It is an iterative process that should be performed at least annually, and sooner whenever significant changes occur to the organization, its industry, or its regulatory environment.
Risks that management determines the entity must mitigate in order to achieve its objectives are addressed by control activities. Through policies and procedures, control activities or actions are put into place to address those risks. Control activities can be any number of actions within an organization and are categorized by type and nature. They should be specific actions that can be observed and documented for future inspection or re-performance by a third party. Please see our blog post on the different types of controls for additional detail.
It is important that an organization use a risk-based approach in designing its control activities or internal control framework. This means that controls are designed to address the risk factors identified in its internal risk assessments rather than being taken from a pre-defined control list. While some frameworks are widely accepted (such as COSO’s internal control framework), each organization is different and faces different challenges. This requires that an organization customize even the best framework to align with its needs.
Information and Communication
It is critical that personnel within the organization understand their responsibilities for internal control. This is best achieved when individuals can relate the impact that their activities have on the achievement of the business’ goals and objectives. This communication should be an ongoing process. Organizations with truly effective internal control provide training to personnel on a regular basis, keep current policies and procedures available to personnel, and communicate other critical information in a timely manner via company meetings or emails as needed.
Monitoring Activities
Monitoring activities consist of continual evaluations of the implementation and operation of the five (5) components of internal control. Findings should be evaluated against criteria established by the board of directors, management policies, industry standards, and regulators. Deficiencies should be communicated to management and the board of directors, as needed. Management should follow up on these items through resolution.
Monitoring activities may extend beyond the borders of an organization, as with service providers whose services may impact their clients’ internal controls over financial reporting. For example, the American Institute of Certified Public Accountants’ (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, which replaced SSAE 16 as the standard for SOC 1 reporting on May 1, 2017, emphasizes the importance of service providers monitoring controls at subservice organizations. A summary of the changes caused by the implementation of SSAE 18 is available in a separate post.
How can You Assess your Control Environment?
I am a firm believer in the adage that “you get what you measure.” I have met with some organizations that consider their annual audit to be that measuring stick. If you find yourself in that boat, it is time to change course.
A strong internal audit and/or compliance function is critical to assessing and maintaining your control environment. Personnel with the experience and skill sets specific to your organization should be secured. If that is not possible, external entities should be engaged periodically to assess the environment and provide management with an accurate picture of the organization’s control environment. Please see our blog discussing the value of internal auditors.
The types and means for assessing a control environment are many and vary from one organization to another and from one industry to another. Many organizations are assessed due to regulatory requirements, such as public companies subject to the Sarbanes-Oxley Act, which requires them to have an integrated audit performed each year. Some service organizations’ clients require them to obtain a SOC 1 or SOC 2 report annually to provide assurance regarding their control environment as it pertains to internal controls over financial reporting or the service provider’s overall security. Similarly, some health care providers are required to receive HIPAA assessments or a HITRUST certification annually.
Organizations that establish effective control environments can improve their efficiency in delivering value and achieving their strategic objectives. I hope this has helped you understand what a control environment is, the important role internal control plays within the control environment, and how to design, implement, and assess your own internal control framework.
For more information regarding how Linford & Company may assist your organization with its compliance needs, check our related organizational auditing services:
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.