Internal Control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
Although this formal definition refers to internal control as a process, it should be viewed as a series of actions that permeate the entire state government of Arkansas. Internal controls exist in the basic management processes of planning, executing and monitoring. It should not be viewed as an add-on to these basic management processes, but should be viewed as an integral part of them and they should be placed at strategic points in these processes to ensure that objectives are achieved.
Internal control is at the core of state government fulfilling its mission and achieving its goals while providing safeguards to protect governmental resources. Management of each agency is responsible for implementing appropriate internal control activities that are appropriate to their agency’s processes; while keeping in mind that effective internal controls benefit, rather than encumber management. It is vital that everyone understand the concept and importance of internal controls, especially since virtually every state employee has a role in how well the state of Arkansas executes the concept of internal control.
The internal control process is comprised of five components:
The internal control environment can be best summarized as the attitude that management has about internal controls. If management believes that internal controls are important, is committed to implementing controls and communicates this view to employees, then internal controls are more likely to function effectively. However, if management views internal controls as not important or as an obstacle, then this attitude will likely be communicated to employees through management’s actions. With this attitude, employees will likely view internal controls as “red tape” to be “cut-through” in order to get the job done. An effective internal control environment is an intangible factor that sets the foundation for all other components of internal control.
All agencies have certain risk involved in meeting their objectives and providing services to internal customers (other state agencies) and external customers (taxpayers of the state). This is based upon the premise that opportunity and risk are related; therefore, state government is exposed to risk by simply fulfilling the opportunity that it has to better serve the citizens of the state. By this definition, it can be seen that risk should not be viewed negatively, but simply inherent to the decision of doing business.
Risk assessment is the process used to identify, analyze, and manage the potential risks that could hinder or prevent an agency from achieving its objectives.
Control Self-Assessment (CSA) is a form of risk assessment. As defined by the Institute of Internal Auditors, CSA is a technique that allows managers and work teams directly involved in the business units, functions or processes to participate in assessing the organization’s risk management and control processes. CSA is the most efficient form of risk assessment, because the assessment is performed by the business and process owners, who have the best knowledge of day-to-day operations, risks, and systems of internal control.
Internal Control Activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives, such as the process of adhering to requirements for budget development and execution. They help ensure that actions are taken to address risks. Internal Control Activities are an integral part of an entity’s planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.
Internal Control Activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Internal Control Activities may be applied in a computerized information system environment or through manual processes.
Examples of Internal Control Activities include:
For an agency to run and control its operations and achieve its desired objectives, communications relating to both operational and financial data is needed at all levels of an agency in a relevant, reliable and timely fashion.
Additional points related to communication are made as follows:
Subsequent to implementing internal controls, agencies should develop ongoing and/or periodical monitoring and evaluations to ensure that the controls are present and functioning properly. Potential weaknesses in internal control structure may be identified by Legislative Audit, Internal Audit or by employees of agencies. When management is notified of these weaknesses, they should take corrective action to resolve the identified problems in their internal control structure. Although monitoring is a separate component of internal control, it is easy to see how it relates to the component of internal control environment previously discussed.
If your agency has identified a weakness in your internal control structure, please feel free to contact the Office of Internal Audit and we will be glad to assist you in your efforts to establish a good system of internal controls.