The Sarbanes-Oxley Act of 2002 increased the amount of internal control systems that a company needs to use. Internal control systems help relieve ethical dilemmas, increase accountability, deter fraud and improve the quality of financial information used by creditors and investors; however, an internal control system is only as good as its design. Since every company must create a unique system, some controls may be either cumbersome or insufficient.
Directive controls relate to company communications and the control policy. The intent is to create a controlled environment in which employees understand, respect boundaries of their positions and adhere to the company principles. Poor communication is a problem with directive controls. When staff lacks a clear understanding in the segmentation of duties, they do not follow the control in place or they may exceed the control’s intent. This limits flexibility and lowers productivity.
Management uses preventative controls to prevent noncompliance with internal controls. Generally, this pertains to monitoring how certain activities are performed. This includes records like signed authorizations, but can also relate to limiting those who are authorized to perform a function. By enacting these forms of checks, the company aims to prevent breakdowns in the control system; however, these controls need to be carefully considered. Over-compliance can hinder your staff’s ability perform job functions.
Detective controls create processes that evaluate whether controls are in place and being followed. An example is the auditing of different departments at regular intervals. Auditors then review preventative documentation to determine if staff is following control procedures. Detective controls are difficult to support in a company of any size. Smaller companies struggle to muster the resources and time needed to use these controls; in larger companies, auditors sometimes lack the authority to make necessary changes if they determine that controls are inadequate.
Since employees use computers and software to perform everyday work, companies can control work programs with passwords, restricted access and predetermined work flow, to name a few. Software is unbiased, which makes it a reliable potential control; however, software is neither intelligent nor easily changed. In the case of exceptions, it is difficult to override the controls even if doing so is necessary.