We discussed earlier why there is a need for risk management in an organization. The risks identified, minus the residual risks the organization is willing to accept, need to be controlled, minimized, mitigated or prevented. This is where the role of internal controls comes in.
What are internal controls?
Before learning about the types of internal controls, we should have a basic idea of what an internal control is.
Internal controls are different policies, procedures, automated tools, practices and organizational structures which an entity devises to manage risks. These are developed with the idea that the management has tried to ensure reasonably that the risks that may jeopardize the achievement of the business objectives have been properly addressed.
Devising an effective internal control structure is the responsibility of the board of directors and the senior management. But when it comes to implementation of internal controls, everyone in the organization has a role to play.
Internal controls can be either manual or automated, depending on the control objective. Automated internal controls are built into the software, e.g. access authorizations such as usernames and passwords.
The main purpose of internal controls is to ensure the achievement of objectives and to decrease the likelihood of any risk that might affect those objectives. Every control comes with a control objective, which states the purpose of having that control.
Internal Control Components
A good internal control system has the following parts:
- The control environment. This is the overall environment and tone of the organization regarding controls. The attitude of senior management and their awareness of internal controls matter a great deal.
- Risk assessment. Good internal controls can only be designed after the entity has performed a risk assessment and identified the risk areas that require controls.
- Information systems. With the ever-increasing dependence on information technology, it is logical that information systems form critical components of internal controls.
- Control activities. These are the actual controls that are introduced to manage risks.
- Monitoring of controls. Designing controls is not enough. How effectively the organization monitors the implementation and effectiveness of its controls determines the success of the internal control environment.
Types of Internal Controls
There are mainly three types of internal controls:
Preventive Controls: These are internal controls deployed to prevent the occurrence of an event that might affect the achievement of organizational objectives.
You can understand this better by looking at some examples of preventive controls. Access control in software is one example: it ensures that only authorized persons have access to the data. Similarly, a very effective preventive control is segregation of duties. For example, there should be a clear distinction between the roles of application developers and system administrators.
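Segregation of duties is easy to state and easy to lose track of once an organization has hundreds of role assignments. The following added example (it is not code from the article) shows how the control can be enforced mechanically: a small conflict matrix lists the role pairs that one person must never hold together, and the check reports every user whose assignments violate it. The role names, the conflict pairs and the user-to-role assignments are constructed for illustration; a real deployment would load them from the identity management system.

```python
from itertools import combinations

# Constructed conflict matrix: each entry is a pair of roles that a single
# person should not hold at the same time. The developer/administrator
# pair is the one the article uses as its example.
SOD_CONFLICTS = {
    frozenset({"application_developer", "system_administrator"}),
    frozenset({"payment_initiator", "payment_approver"}),
}


def check_user(roles):
    """Return the conflicting role pairs held by one user, sorted for stable output."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(set(roles), 2)
        if frozenset(pair) in SOD_CONFLICTS
    )


def find_violations(assignments):
    """assignments maps user -> list of roles; returns only the users with conflicts."""
    violations = {}
    for user, roles in assignments.items():
        conflicts = check_user(roles)
        if conflicts:
            violations[user] = conflicts
    return violations


# Constructed sample assignments (hypothetical users and roles).
ASSIGNMENTS = {
    "alice": ["application_developer"],
    "bob": ["application_developer", "system_administrator"],
    "carol": ["payment_initiator", "payment_approver", "auditor"],
    "dave": ["system_administrator", "auditor"],
}

if __name__ == "__main__":
    for user, conflicts in find_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {conflicts}")
```

Run as a scheduled job against the current role assignments, the check becomes a preventive control at provisioning time (reject the assignment) and a detective one afterwards (report drift), which is why the same conflict matrix is worth keeping in one place.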
Detective Controls: These are controls used to detect that something wrong has happened. One of the best examples of a detective control is the regular review of the logs of power users (privileged accounts).
Hash totals are another form of detective control. Exception reporting is also a detective control: the application system highlights exceptional transactions which differ significantly from the normal trend of transactions.
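The two detective controls just named can be shown on one batch of transactions. The added example below is not from the article: it computes a hash total (the sum of a non-financial field, here account numbers, recorded when the batch is entered and recomputed after processing so that a lost or altered record shows up as a mismatch) and produces an exception report that flags transactions whose amount lies more than three standard deviations from a baseline of earlier transactions. The transaction records, the historical amounts and the three-sigma threshold are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed batch: (transaction id, account number, amount).
BATCH = [
    (1, 10023, 120.00),
    (2, 10087, 95.50),
    (3, 10112, 110.25),
    (4, 10023, 4800.00),  # far above the normal trend
    (5, 10140, 130.75),
    (6, 10055, 20.00),    # far below the normal trend
]

# Constructed history of recent amounts, used as the "normal trend".
HISTORY = [100.0, 110.0, 95.0, 120.0, 105.0, 130.0, 90.0, 115.0, 125.0, 110.0]


def hash_total(transactions):
    """Sum of the account-number field. The value has no business meaning;
    it only needs to be reproducible so that it can be compared later."""
    return sum(account for _, account, _ in transactions)


def verify_batch(transactions, expected_hash_total, expected_count):
    """Batch control: both the record count and the hash total must match
    the values recorded when the batch was created."""
    return (len(transactions) == expected_count
            and hash_total(transactions) == expected_hash_total)


def exception_report(transactions, history, z=3.0):
    """Return transactions whose amount deviates from the historical mean
    by more than z standard deviations (population std of the history)."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:  # a flat history gives no basis for a deviation test
        return []
    return [t for t in transactions if abs(t[2] - mu) / sigma > z]


if __name__ == "__main__":
    recorded_total, recorded_count = hash_total(BATCH), len(BATCH)
    print("hash total at entry:", recorded_total)
    # Simulate a record going missing during processing.
    print("intact batch verifies:", verify_batch(BATCH, recorded_total, recorded_count))
    print("truncated batch verifies:", verify_batch(BATCH[:-1], recorded_total, recorded_count))
    for tid, account, amount in exception_report(BATCH, HISTORY):
        print(f"exception: txn {tid} account {account} amount {amount:.2f}")
```

The hash total catches integrity problems (a record dropped, duplicated or altered in transit), while the exception report catches business anomalies; neither replaces the other, which is why batch processing typically runs both.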
Corrective Controls: This type of internal control is concerned with correcting something undesirable that has already happened. Restoring backups after a database failure is one example of a corrective control. Contingency and disaster recovery planning are also corrective controls.
An auditor's main job is to compare the controls against the high-risk assets and evaluate whether the controls are sufficient and working.
In the next article, we will discuss more about IS controls.