Internal control is defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations, including operational and financial performance goals, and the safeguarding of assets against loss;
- Reliability, timeliness, and transparency of internal and external financial and non-financial reporting; and
- Compliance with applicable laws and regulations.
Internal control consists of the following five components:
- Control Environment - The control environment is a set of standards, processes, and structures that provide the basis for carrying out internal controls across the organization.
- Risk Assessment - Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed.
- Control Activities - Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
- Information and Communication - Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.
- Monitoring Activities - Evaluations are used to ascertain whether each of the five components of internal control is present and functioning.
Limitations of Internal Control
While an effective system of internal control provides reasonable assurance of achieving the entity’s objectives, inherent limitations do exist. Limitations may result from the:
- Suitability of objectives established as a precondition to internal control;
- Reality that human judgement in decision making can be faulty and subject to bias;
- Breakdown that can occur because of human failures such as errors;
- Ability of management to override internal control;
- Ability of management, other personnel, and/or third parties to circumvent controls through collusion; and
- External events beyond the organization’s control.
The above definition of internal control and related concepts are taken from Internal Control -- Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission.
For more information about segregation of duties, see the chart here.