The WorldCom, Enron and HealthSouth accounting scandals, among others, heightened the importance of internal controls for companies everywhere. The Sarbanes-Oxley Act requires public companies to establish and maintain adequate internal control systems and to report on their effectiveness. In the U.S., internal controls are evaluated against the framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
There are three types of internal controls: preventive, detective and corrective. Before looking at each type, it helps to have a basic understanding of the COSO framework in which they operate.
The COSO framework consists of five primary components: the control environment, risk assessment, control activities, information and communication, and monitoring. If any one of these components is weak or not functioning, the entire internal control system may be compromised. For example, if accounts are not monitored on a regular basis, errors can go undetected and uncorrected, and employees have opportunities for fraud that would not exist if regular monitoring were in place.
Each primary component has sub-components that are essential to its proper functioning. If the sub-components are faulty, the primary component will be weak or will not function properly, and the entire internal control system is negatively affected. For example, control activities depend on validation checks built into accounting systems so that data is processed only when it meets established criteria and is rejected (and reported) when it does not.
Preventive controls are generally the most effective type of internal control because they operate before an error or irregularity occurs and are designed to keep it from happening at all. Examples of preventive controls are: adequate separation of duties (the same person must not both authorize and process a transaction), proper authorization of transactions (a supervisor authorizes a purchase by reviewing and approving the purchase request) and adequate documentation and control of assets (when purchases are made, there should be an approved purchase request, a vendor invoice and receiving documents showing delivery of the items). Preventive controls can be bypassed or fail, so they must be paired with detective controls rather than relied on alone.
Detective controls are designed to identify errors and irregularities after they occur. Examples of these types of controls are: exception reports (system reports of transactions outside the norm, such as those lacking approval or exceeding a threshold), reconciliations (bank reconciliations and general ledger reconciliations that compare two independent records of the same activity) and periodic audits (both independent external audits and internal audits, which help uncover errors, irregularities and noncompliance with laws and regulations).
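To make the preventive and detective controls above concrete, here is an added example (not code from the original article) that models a purchase workflow: separation of duties and documentation checks are enforced before a transaction is recorded (preventive), and an exception report and a bank reconciliation are run afterwards over the recorded transactions (detective). The record fields, the review limit of 5,000, and the sample purchases and bank statement are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Purchase:
    ref: str
    amount: float
    requested_by: str
    approved_by: Optional[str] = None   # supervisor who authorized it
    processed_by: Optional[str] = None  # clerk who entered the payment
    invoice: bool = False               # vendor invoice on file
    received: bool = False              # receiving document on file


class ControlViolation(Exception):
    """Raised by a preventive control that blocks a transaction."""


# ---- preventive controls: enforced before the transaction is recorded ----

def authorize(p: Purchase, approver: str) -> Purchase:
    """Proper authorization plus separation of duties: the requester may not
    approve their own purchase, and nothing is approved without an invoice
    and a receiving document (adequate documentation)."""
    if approver == p.requested_by:
        raise ControlViolation(f"{p.ref}: requester cannot approve own purchase")
    if not (p.invoice and p.received):
        raise ControlViolation(f"{p.ref}: missing invoice or receiving document")
    p.approved_by = approver
    return p


def process_payment(p: Purchase, clerk: str) -> Purchase:
    """Whoever requested or authorized a purchase may not also process its payment."""
    if p.approved_by is None:
        raise ControlViolation(f"{p.ref}: not authorized")
    if clerk in (p.requested_by, p.approved_by):
        raise ControlViolation(f"{p.ref}: {clerk} cannot both authorize/request and process")
    p.processed_by = clerk
    return p


# ---- detective controls: run after the fact over recorded transactions ----

def exception_report(purchases, limit: float = 5000.0):
    """Return (ref, reason) pairs for purchases outside the norm: unauthorized,
    separation-of-duties conflicts, missing documents, or above the assumed
    review limit.  Catches records that bypassed the preventive checks."""
    findings = []
    for p in purchases:
        if p.approved_by is None:
            findings.append((p.ref, "unauthorized"))
        elif p.approved_by == p.requested_by:
            findings.append((p.ref, "self-approved"))
        if p.processed_by is not None and p.processed_by in (p.requested_by, p.approved_by):
            findings.append((p.ref, "processed by requester/approver"))
        if not (p.invoice and p.received):
            findings.append((p.ref, "missing documentation"))
        if p.amount > limit:
            findings.append((p.ref, "over limit"))
    return findings


def reconcile(ledger: dict, bank: dict):
    """Bank reconciliation: compare ledger disbursements with bank debits by
    reference and amount and return every item that does not agree."""
    unmatched = []
    for ref, amt in ledger.items():
        if ref not in bank:
            unmatched.append((ref, "in ledger, not cleared bank"))
        elif abs(bank[ref] - amt) > 0.005:
            unmatched.append((ref, f"amount differs: ledger {amt} bank {bank[ref]}"))
    for ref in bank:
        if ref not in ledger:
            unmatched.append((ref, "in bank, not in ledger"))
    return unmatched


# ---- constructed sample data (not real transactions) ----
SAMPLE = [
    Purchase("PO-1", 1200.0, "alice", invoice=True, received=True),
    # PO-2 was keyed straight into the ledger, bypassing authorize(): bob approved himself
    Purchase("PO-2", 7500.0, "bob", approved_by="bob", processed_by="carol", invoice=True, received=True),
    # PO-3: requester also processed the payment, and no receiving document
    Purchase("PO-3", 300.0, "dave", approved_by="erin", processed_by="dave", invoice=True, received=False),
]


def run_demo():
    ok = process_payment(authorize(SAMPLE[0], "erin"), "carol")   # passes both controls
    try:
        authorize(Purchase("PO-4", 50.0, "alice", invoice=True, received=True), "alice")
        blocked = False
    except ControlViolation:
        blocked = True                                              # self-approval prevented
    ledger = {"PO-1": 1200.0, "PO-2": 7500.0, "PO-3": 300.0}
    bank = {"PO-1": 1200.0, "PO-2": 7550.0, "CHK-9": 80.0}           # constructed bank statement
    return ok.processed_by, blocked, exception_report(SAMPLE), reconcile(ledger, bank)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The point of the two layers is visible in PO-2: it never went through `authorize()`, so the preventive control could not stop it, but the exception report still flags it as self-approved and over the review limit, and the bank reconciliation separately shows the cleared amount does not match the ledger.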
Corrective controls are designed to fix errors and irregularities once they are discovered and to prevent them from recurring. Examples of these types of controls are: policies and procedures for reporting errors and irregularities so they can be corrected, training employees on new policies and procedures developed as part of the corrective actions, positive discipline to deter employees from repeating errors, and continuous improvement processes that update operational practices as weaknesses are found.
No matter how elaborate the internal control system, it provides only reasonable, not absolute, assurance that an entity's goals and objectives will be accomplished. Human involvement always carries the potential for errors of judgment and simple mistakes that may not be discovered in a timely manner, and controls can be defeated by collusion between two or more people or by management override.