Question

1. How and why should firms assess risks as part of their internal controls?

2. What are control activities and what is their purpose?

Answer 1

How firms assess risks:  

Like any process, the order of actions taken matters when implementing an internal control environment. Just as you cannot construct the roof or top floor of an office building without completing the foundation and lower levels, an organization cannot skip steps in designing, implementing, operating, and monitoring its internal control framework.

Internal Control Environment

Each organization must start by establishing its internal control environment. It has been said that five things are needed to successfully effect change—vision, skills, incentives, resources, and a plan. Efforts to change without a vision create confusion. Experience has shown that a lack of skills, incentives, resources, or a plan will result in anxiety, resistance, frustration, and failure. Interestingly, when it comes to implementing or improving internal control within an organization, the control environment is a pervasive factor that impacts all of the other aspects of internal control. Consequently, a poor “tone at the top” by the board of directors or executive management will likely hinder or damage the other components of internal control.

Internal Control Risk Assessment

The next step in the design and implementation of internal control for an organization is to identify and analyze threats or risks to the achievement of the entity’s objectives. This is an important step that we discussed in detail in a separate blog post on Risk Management. This is an iterative process that should be performed at least annually if not sooner when significant changes occur to the organization, its industry, or regulatory environment.

Why should firms assess risks:

Internal Control objectives are desired goals or conditions for a specific event cycle which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur. They are conditions which we want the system of internal control to satisfy. For a control objective to be effective, compliance with it must be measurable and observable.

Internal Audit evaluates Mercer's system of internal control by accessing the ability of individual process controls to achieve seven pre-defined control objectives. The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties.

• Authorization - The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded.
• Completeness - The objective is to ensure that no valid transactions have been omitted from the accounting records.
• Accuracy - The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data and information is recorded in a timely manner.
• Validity - The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.
• Physical Safeguards & Security - The objective is to ensure that access to physical assets and information systems are controlled and properly restricted to authorized personnel.
• Error handling - The objective is to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.
• Segregation of Duties - The objective is to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing the transaction.

A well designed process with appropriate internal controls should meet most, if not all of these control objectives

Control Activities: Various policies and procedures that help ensure those necessary actions are taken to address risks affecting achievement of entity's objectives (PIPS):

• P - Performance reviews (review of actual against budgets, forecasts)
• I - Information processing (checks for accuracy, completeness, authorization)
• P - Physical controls (physical security)
• S - Segregation of duties