3.1 Accounting Principles and Internal Control
3.1.3 Internal Control
Purpose and Definition of Internal Controls
18.104.22.168 Internal control is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), in standards adopted by the American Institute of Certified Public Accountants and by the Federal Office of Management and Budget as follows:
22.214.171.124 Internal control is a process – affected by those charged with governance, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
- Reliability of financial reporting
126.96.36.199 Management and the governing body are responsible for the government’s performance, compliance and financial reporting. Therefore, the adequacy of internal control to provide reasonable assurance of achieving these objectives is also the responsibility of management and the governing body. The governing body has ultimate responsibility for ensuring adequate controls to achieve objectives, even though primary responsibility has been delegated to management. Since management and the governing body are assumed to work in harmony, both parties are collectively referred to as “management” throughout the rest of this section.
188.8.131.52 COSO and professional auditing standards define five interrelated components of effective internal control, as follows:
- Control environment – The tone set by management that influences the control consciousness of staff. Control environment includes communication of integrity and ethical values, commitment to ensure that staff are competent, management’s philosophy and operating style, extent of participation by the governing board in scrutinizing activities and holding management accountable, and human resource practices (hiring, organization, development, evaluation, promotion and remedial action).
- Risk assessment – Management's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be addressed or controlled. Risk assessment includes identification of internal and external risks to the achievement of objectives, such as new contracts or grants, changing regulations and accounting standards, new technology, new personnel, new or discontinued activities and programs, new or discontinued organizational policies and procedures, obsolescence of facilities, and so on. Risk assessment also includes evaluation of risks and determining how to best address them.
- Information and communication – Systems to support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. This encompasses the organization’s methods of capturing and sharing information as well as its software, including its accounting information systems.
- Control activities – Specific policies or procedures that directly address risks related to the achievement of objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities such as approvals, reviews, reconciliations, segregation of duties, performance measurement, tracking events or assets, etc.
- Monitoring – Management’s review of the operation of internal controls over time. Monitoring is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs during the course of operations when management observes controls and can discern whether they were effective. Separate evaluations occur when management reviews and assesses a particular control to determine if it has been effective.
184.108.40.206 Internal control should be viewed as an integral or inherent part of the policies, systems and procedures management uses to operate and oversee the organization. This is not to say effective control will never require additional or incremental effort. Rather, controls exist to provide reasonable assurance about the achievement of objectives and so should be integrated into all the organization’s fundamental business processes. Controls are normally most effective when built into the government’s infrastructure rather than being treated as supplemental or separate processes. In the same way, implementation and monitoring of internal controls should not be viewed as a singular event, but rather a continuous or iterative process.
220.127.116.11 Since internal control is as fundamental as the objectives the controls relate to, the need for effective control is applicable to all organizations, regardless of size. While small entities may implement internal controls differently than larger ones, effective internal control is still both necessary and possible.
Determining what specific controls to implement
18.104.22.168 It is a management decision as to what specific controls to implement and how such controls are designed and operated.
22.214.171.124 There are many ways to attain effective internal control. Governments and their control needs vary considerably by statutory purpose, regulations, activities and programs, size, organizational structure, contractual and program structures, technology and information systems, expertise of staff and the policies of the governing body. In addition, there are often many different methods or combinations of methods that would result in effective internal control for any given situation. Thus, while all entities should have effective internal control, the specific controls in place may look very different from one government to another.
126.96.36.199 When choosing among different methods of achieving effective control, management often considers the costs of different control options. Certain controls may be less costly or require less staff resources or may help meet other objectives. Options may be limited by organizational or program policy or structure, expertise of staff, software limitations and other decisions made by management. If such factors limit options for effective control to only those that management believes are infeasible or not cost effective, management should consider how it might change the limiting factors rather than ignore the need for effective control.
188.8.131.52 The Washington State Auditor’s Office does not require specific controls to be implemented by entities. The State Auditor only requires that whatever controls entities choose to implement be adequate to provide reasonable assurance regarding compliance and financial reporting risks. The burden of demonstrating the adequacy of internal controls rests on management, since management is responsible both for the achievement of objectives and the determination of the design and operation of controls.
Controls over Compliance
184.108.40.206 This objective refers to compliance with laws, regulations, contracts, grant agreements and government policies, including the requirement to safeguard public resources against misappropriation and misuse.
220.127.116.11 In meeting this objective, the government should have controls that accomplish the following key functions:
- Identification of requirements – Controls should ensure that requirements are identified and that employees whose actions may affect compliance are aware of applicable requirements. When statutory, regulatory or contractual provisions are unclear, the government should seek clarification through legal counsel, research or communication with regulatory agencies or contracting parties.
- Compliance – Controls should prevent non-compliance or detect non-compliance in a timely enough manner for the government to remedy the situation. Such controls vary greatly, depending on the nature of the compliance requirement.
- Safeguarding of public resources – Controls should prevent misappropriation or misuse of public resources or detect misappropriation or misuse in a timely manner and assign responsibility to individuals charged with custody of assets. Such controls should cover all receipts and receivables, expenditures and commitments, provisions of goods or services and the safekeeping of all public assets at risk of misappropriation, misuse or loss.
18.104.22.168 Controls and processes should generate adequate documentation to demonstrate achievement of objectives. This is not only important for audit, oversight and public records purposes, but also to enable effective monitoring of controls over compliance by management.
Controls over Financial Reporting
22.214.171.124 This objective refers to fair presentation of financial statements and required schedules in all material respects in accordance with the stated basis of accounting.
126.96.36.199 In meeting this objective, the government should have controls that accomplish the following key functions:
1. Identification of financial events – Controls should ensure financial events and transactions are properly identified and recorded.
2. Properly applying accounting standards – Controls should ensure correct criteria and methodology is applied when accounting for financial events. When the correct method of accounting for or reporting a transaction is unclear, the government should seek clarification by performing research, contracting for accounting assistance, or communicating with the State Auditor’s Office or standard setting bodies.
3. Correctly accounting for all financial events – Controls should ensure that:
- Only valid transactions are recorded and reported.
- All transactions occurred during the period are recorded and reported.
- Transactions are recorded and reported at properly valued and calculated amounts.
- Recorded and reported transactions accurately reflect legal rights and obligations.
- Transactions are recorded and reported in the account and fund to which they apply.
4. Preparation of the annual report – Controls should ensure that financial statements and required schedules are properly compiled and prepared from source accounting records. Controls should also ensure correct presentation of statements and schedules.
188.8.131.52 Controls and processes should generate adequate documentation to demonstrate achievement of objectives. This is not only important for audit, oversight and public records purposes, but also to enable effective monitoring of controls over financial reporting by management.
Limitations of Internal Control
184.108.40.206 No matter how well designed and operated, internal controls cannot provide absolute assurance that the government will achieve its objectives due to inherent limitations. These limitations include the following:
- Judgment – If controls depend on human judgment, the effectiveness of controls may be limited by the experience and qualifications, time available, information available, motivations, and pressures on the person applying the control. Moreover, differences in these factors over time and in different people applying the control may result in inconsistencies in the operation of the control. This limitation, when applicable, can be mitigated through a good control environment, clear policies or instructions, redundant controls, supporting controls such as check figures or exception reports and adequate monitoring of controls.
- Breakdowns – Breakdowns could occur due to changes, failure or obsolesce of data, technology, assumptions, procedures, programming or other dependencies that controls may rely upon for effective functioning. This limitation, when applicable, can be mitigated by thorough risk assessment, redundant controls and adequate monitoring of controls.
- Collusion – Many controls assume that employees (or certain employees) will not collude. When individuals act together, they may be able to overcome controls. This is typically only a risk when employees have a motivation to overcome controls, such as misappropriation or misuse of public resources. This limitation, when applicable, can be mitigated by a good control environment, redundant controls and adequate monitoring of controls.Control override – Personnel with responsibility to resolve issues identified by controls may decide to ignore or override prescribed policies or procedures. This limitation, when applicable, can be mitigated by a good control environment and adequate monitoring of controls.
- Mistakes – Although internal controls may be designed in such a way as to reduce the likelihood of mistakes, is it always possible that a mistake may be made. This limitation can be mitigated by a good control environment, redundant controls, automated controls, supporting controls such as check-figures or exception reports, and adequate monitoring of controls.
- Unforeseen circumstances – Controls may operate incorrectly when faced with unforeseen situations or permutations. This limitation can be mitigated by thorough risk assessment and adequate monitoring of controls.
- External factors – Achievement of operational performance objectives (efficiency and effectiveness) may depend on factors outside of the government’s control, such as regulation, resource limitations, environmental changes, decisions made by service recipients or stakeholders, actions of key suppliers, customers or program partners, etc. This limitation can be mitigated by thorough risk assessment.
220.127.116.11 Although controls are not an absolute guarantee of success, effective internal controls are expected to consistently and reliably achieve objectives, year after year. However, even well-designed controls have a remote possibility of failure. This possibility increases with the number and primacy of uncontrollable factors, as may be the case for operational performance objectives.
18.104.22.168 Ultimately, providing reasonable assurance of achieving compliance and financial reporting objectives is within the government’s control and depends primarily on how well controls are designed and operated. Achievement of operational performance objectives also depends in large part on effective internal controls. By implementing effective controls a government can have reasonable assurance that it is doing all it can to meet its objectives.
This section was last edited by SAO on 08/27/19