Definition
Internal control is a process, executed by the Board of Directors or Board of Directors of an entity, by its steering group (management) and by the rest of the staff, specifically designed to provide them with reasonable security of achieving the following three categories of objectives:
• Effectiveness and efficiency of operations.
• Sufficiency and reliability of financial information.
• Compliance with applicable laws and regulations.
This definition emphasizes certain concepts or fundamental characteristics of Internal Control, such as:
• It is a process that starts from the other systems and processes of the company incorporating in the administration and management function, not adjacent to these.
• Goal-oriented is a means, not an end in itself.
• It is conceived and executed by people at all levels of the organization through their actions and words.
• Provides reasonable, rather than absolute, assurance that your goals will be achieved.
Components
Internal control consists of five interrelated components, which are derived from the way the administration manages the entity, and are integrated into the administrative processes, which are classified as:
a) Control Environment.
b) Risk Assessment.
c) Control Activities.
d) Information and Communication.
e) Supervision and Follow-up.
Internal control consists of a repetitive and permanent multidirectional process, in which more than one component influences the others and forms an integrated system that reacts dynamically to changing conditions.
Effectiveness levels
Internal control systems operate with different levels of effectiveness; may be deemed effective in each of the three groups, respectively, if the board of directors or board and management have reasonable assurance that:
• They understand the degree to which the objectives of the operations of the entities are achieved.
• Financial reports are prepared reliably.
• The applicable laws and regulations are observed.
a) Control Environment
You are involved in establishing an environment that stimulates and influences staff activity with respect to control of your activities.
It is the basis of the other control components to provide discipline and structure for control and influence how:
• Business activities are structured.
• Authority and responsibility are assigned.
• People organize and develop.
• Values and beliefs are shared and communicated.
• Staff become aware of the importance of control.
Control Environment Factors:
• Integrity and ethical values.
• Commitment to be competent.
• The activities of the board of directors and the audit committee.
• The mentality and style of operation of the management.
• The structure of the organization.
• Assignment of authority and responsibilities.
• Human resources policies and practices.
The control environment has a great influence on the way operations are carried out, objectives are established and risks are minimized. It also has to do with the behavior of information systems and supervision in general. In turn it is influenced.
b) Risk Assessment
It is the identification and analysis of risks relevant to the achievement of objectives and the basis for determining how such risks should be improved. Likewise, it refers to the mechanisms necessary to identify and manage specific risks associated with changes, both those that influence the environment of the organization and its interior.
In any entity, the establishment of global objectives of the organization and of relevant activities is essential, thereby obtaining a basis on which the risk factors that threaten its timely compliance are identified and analyzed.
The evolution of risks must be an unavoidable responsibility for all levels that are involved in achieving the objectives. This self-assessment activity should be reviewed by the internal auditors to ensure that both the objective, focus, scope and procedure have been properly carried out.
Every entity faces a variety of risks from external and internal sources that must be evaluated by management, who, in turn, establishes general and specific objectives and identifies and analyzes the risks that said objectives are not achieved or affect their ability to safeguard your assets and resources, maintain an advantage over the competition. Build and preserve its image, increase and maintain its financial strength, grow, etc.
Objectives: Its importance is evident in any organization, since it represents the basic orientation of all resources and efforts and provides a solid base for effective internal control. Goal setting is the right way to identify critical success factors.
The categories of objectives are as follows:
• Compliance Objectives. They are aimed at adherence to laws and regulations, as well as to policies issued by the administration.
• Operation Objectives. They are those related to the effectiveness and efficiency of the organization's operations.
• Objectives of Financial Information. They refer to obtaining reliable financial information.
The achievement of the aforementioned objectives is subject to the following events:
1. Effective internal controls provide a reasonable guarantee that the financial reporting and compliance objectives will be achieved, because they are within the scope of management.
2. In relation to the objectives of operation, the situation differs from the previous one because there are events outside the entity's control or external controls. However, the purpose of the controls in this category is aimed at evaluating the consistency and interrelation between the objectives and goals at the different levels, the identification of critical success factors and the way in which the progress of the results is reported and implement the indispensable actions to correct deviations.
Activity risks should also be identified, thereby helping to manage risks in the most important areas or functions; the causes at this level belong to a wide range that goes from the obvious to the complex and with different degrees of significance, they must include, among other aspects, the following:
• The estimation of the importance of the risk and its effects.
• The evaluation of the probability of occurrence.
• The establishment of necessary actions and controls.
• The periodic evaluation of the previous process.
c) Control Activities
They are those carried out by the management and other personnel of the organization to comply daily with the assigned activities. These activities are expressed in the policies, systems and procedures.
Control activities have different characteristics. They can be manual or computerized, administrative or operational, general or specific, preventive or detective. However, what is important is that regardless of their category or type, all of them are targeting risks (real or potential) for the benefit of the organization, its mission and objectives, as well as the protection of its own resources or those of third parties in its power.
Control activities are important not only because in themselves they imply the correct way of doing things, but also because they are the ideal means of ensuring greater achievement of objectives.
d) Information and Communication
They are scattered throughout the entity and they all serve one or more control objectives. Broadly, it is considered that there are general controls and application controls over information systems.
1. General Controls: They are intended to ensure proper operation and continuity, and include control over the data processing center and its physical security, contracting and maintenance of hardware and software, as well as the operation itself. They also relate to systems development and maintenance, technical support, and database administration functions.
2. Application Controls: They are directed inside each system and work to achieve processing, integrity and reliability, through the corresponding authorization and validation. Of course, these controls cover applications intended for interfaces with other systems from which information is received or delivered.
Information and technology systems are and will undoubtedly be a means of increasing productivity and competitiveness. Certain findings suggest that the integration of strategy, organizational structure, and information technology is a key concept for the new century.
It is often the intention to assess the current situation and predict the future situation only on the basis of accounting information. This approach is simplistic, because of its bias, it can only lead to wrong judgments.
For all intents and purposes, you need to be aware that accounting tells us, in part, what happened but not what will happen in the future. The systems produce reports that contain operational, financial and compliance information that makes it possible to conduct and control the organization.
The information generated internally, as well as that which refers to events that occur abroad, is an essential part of decision-making as well as monitoring operations. Information serves different purposes at different levels.
e) Supervision and Follow-up
In general, control systems are designed to operate in certain circumstances. Of course, the objectives, risks and limitations inherent in control were taken into account for this purpose; however, conditions evolve due to both external and internal factors, thereby causing controls to lose their efficiency.
As a result of all this, management must carry out the systematic review and evaluation of the components and elements that are part of the control systems. This does not mean that all the components and elements have to be reviewed, nor does it have to be done at the same time.
The evaluation should lead to the identification of weak, insufficient or unnecessary controls, to promote, with the determined support of management, their strengthening and implementation. This evaluation can be carried out in three ways: during the performance of daily activities at the different levels of the organization; separately by personnel who are not directly responsible for the execution of activities (including control activities) and by combining the two previous forms. For proper follow-up (monitoring) the following rules must be taken into account:
• Staff must obtain evidence that internal control is working.
• Yes, external communications corroborate the information generated internally.
• Periodic comparisons of the amounts recorded in the accounting information system with the physical of the assets must be made.
• Review if controls recommended by internal and external auditors have been implemented; or on the contrary, nothing or little has been done.
• The activities of the internal audit department are adequate, effective and reliable.
Report of deficiencies
The process of communicating the weaknesses and opportunities for improvement of the control systems should be directed towards those who are the owners and responsible for operating them, in order to implement the necessary actions. Depending on the importance of the identified weaknesses, the magnitude of the existing risk and the probability of occurrence, the administrative level at which the deficiencies should be reported will be determined.
Control participants and their responsibilities.
Within an economic entity, responsibilities for control correspond to:
