In Cuba, the Economic Resolution of the V Congress of the Communist Party of Cuba states: “…
In the new conditions in which the economy operates, with a higher degree of decentralization and more linked to the demands of international competition, the timely and effective control of economic activity is essential for management at any level… ”and later it will be explained precise “…
An indispensable condition in all this process of transformation of the business system will be the implementation of strong financial restrictions that make the control of the efficient use of resources internal to the management mechanism and not depend solely on external checks… "
Internal Control has been the concern of entities, to a greater or lesser degree, with different approaches and terminologies, which has allowed that over time different conceptions have been raised about it, its principles and elements that must be known and implemented in the current Cuban entity that is in the process of applying Resolution No. 297 - 2003 of the Ministry of Finance and Prices.
Objective:
Explain the importance of the five components and their relationship with the achievement of organizational objectives, within the new approach to Internal Control (IC).
Development
What is meant by Internal Control?
Senior executives have long sought ways to better control the companies they run. Internal controls are implemented in order to detect, within the desired period, any deviation from the profitability objectives established by the company and to limit surprises.
These controls enable management to cope with the rapidly changing economic and competitive environment, as well as changing customer demands and priorities, and adapt its structure to ensure future growth.
The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. It is most effective when controls are incorporated into the infrastructure of the society and are part of the essence of the company.
Through “built-in” controls, quality and empowerment initiatives are promoted. Unnecessary expenses are avoided and a quick response to changing circumstances is allowed.
Internal controls promote efficiency, reduce the risk of loss of asset value, and help ensure the reliability of financial statements and compliance with applicable laws and regulations.
Internal control is defined as a process, carried out by the staff of an entity, designed to achieve specific objectives.
The definition is broad and covers all aspects of the control of a business, but at the same time allows to focus on specific objectives.
"Internal control is a process carried out by the board of directors, management and the rest of the personnel of an entity, designed with the aim of providing a reasonable degree of security regarding the achievement of the objectives within the following categories":
- Effectiveness and efficiency of operations Reliability of financial information Compliance with applicable laws and regulations
The first key aspect of the proposed definition is that it is a process.
Consequently, internal controls should not be isolated acts or mechanisms, or executive orders, but a series of actions, changes or functions that, taken together, lead to a certain end or result.
This alone extends the concept of internal control beyond the traditional notion of financial controls, to convert internal control into an integrated system of materials, equipment, procedures, and people.
The next sentence of the definition, performed by the personnel of an entity, indicates that internal control is a matter of people. No organization can know all the current and potential risks to which it is exposed at any given time and develop controls to deal with each and every one of them.
Consequently, the people who make up the organization must be aware of the need to assess risks and apply controls, and must be in a position to respond appropriately to it.
Arguably the most important part of the definition is that the objectives will be achieved. Internal controls are not restrictive elements but they make processes possible, allowing and promoting the achievement of objectives because they refer to the risks to be overcome in order to achieve them.
It is not only about the objectives related to financial information and compliance with regulations, but also about business management operations.
This way of seeing controls gives value to the tasks of evaluation and improvement of internal controls and they become everyone's responsibility.
The new approach to internal control provides elements that should be the domain of all workers in business organizations and are framed within the five elements that we will analyze below.
The five components of internal control
Within the integrated framework, five elements of internal control are identified that are interrelated and inherent to the management style of the company. They are:
Control Environment.
Risks evaluation.
Control Activities.
Information and communication.
Supervision or Monitoring.
Importance of the components:
Are the five components of internal control important?
Well, if they were not important, they would not exist and the multidisciplinary team that prepared the COSO report would not have analyzed and exposed them as exquisitely in said report as the components of internal control. Nor will they appear in Resolution No. 297-2003 of the MFP as aspects to be developed within the Internal Control System (ICS).
We are going to make an analysis of the importance of the five components looking at them from the point of view of the organizational objectives and the interrelationship that exists between them. The definition, establishment and application of the organizational objectives is the primary requirement to be able to introduce an ICS in the organization.
There is a very illustrative proverb from the Koran that we are going to take into account in our analysis, which we quote: "If you don't know where to go, there is no way that will take you."
We will start from the previous proverb to illustrate the relationship between organizational objectives and internal control components.
"If you don't know where to go,…"
Organizational objectives indicate the direction, they locate you, they tell you where to go.
They must be stated in writing defining the results to be achieved in a given period. The objectives are the WHAT: What results do we want or need to achieve?
What is the importance of the objectives?
Goals provide a sense of direction, without them individuals as well as organizations tend to be confused, react to changes in the environment without a clear sense of what they really want to achieve.
They tell us how our system should work, it gives us the structure, the organization.
They help us evaluate our progress as a clearly stated, measurable, date-specific goal easily becomes a performance standard that allows individuals to evaluate their progress. Therefore, objectives are an essential part of control.
From the foregoing it follows that a company must be directed by objective, which means that both the managers and subordinates of an organization jointly identify their common goals, define the main areas of responsibility of each person in terms of the results that they provide. He will expect and use these measures as guides for managing the unit and for evaluating the contribution of each of its members.
"…, there is no way that will take you"
If the organizational objectives indicate the direction, where to go, the result to be achieved, the five components of internal control constitute paths for the achievement of the objectives of the organization, the planned results and the proper functioning of the same, coinciding with the essential objectives of any change process that are focused on business performance and results.
The components of internal control are the body of the system and exist because of the functions that each of them perform. They provide a reasonable degree of assurance regarding the achievement of objectives within the following categories ”:
- Effectiveness and efficiency of operations Reliability of financial information Compliance with applicable laws and regulations
What are the fundamental functions of the components that lead to the fulfillment of the objectives?
To analyze each component, we will start from the concept given in the COSO Report on internal control: “internal control is defined as a process, carried out by the personnel of an entity, designed to achieve specific objectives.
The definition is broad and covers all aspects of the control of a business, but at the same time allows to focus on specific objectives.
Internal control consists of five interrelated components that are inherent to the company's management style.
These interrelated components serve as criteria to determine if the system is effective ”, thus helping the company to better direct its objectives and help to integrate all the personnel in the process.
We will graphically illustrate the five elements that must act together so that effective internal control can be generated in companies.
Although all five criteria must be met, this does not mean that each component has to function identically, or even at the same level, in different entities. There may be some trade-off between the various components, because controls can serve multiple purposes, controls on one component may serve the purpose of controls that are normally present on other components.
On the other hand, there may be differences in the extent to which the various controls cover a specific risk, so that complementary controls, each with a limited effect, may be overall satisfactory.
There is a direct interrelation between the three categories of objectives, which are what an entity strives to achieve, and the components, which represent what is needed to achieve those objectives. All components are relevant to each objective category. When examining any category, for example the effectiveness and efficiency of operations, all five components must be present and functioning properly in order to conclude that internal control over operations is effective.
If you examine the category related to controls over financial reporting, for example, all five criteria must be met in order to conclude that internal control over financial reporting is effective.
What does each component contribute?
Control environment:
The control environment sets the tone for the operation of a company and influences the awareness of its employees regarding control.
It is the basis of all the other components of internal control, providing discipline and structure.
Control environment factors include the integrity, ethical values, and capabilities of company employees, management philosophy and management style, how management assigns authority and responsibilities, and professionally organizes and develops its employees and the attention and guidance it provides to the board of directors.
"The core of a business is its staff (its individual attributes, including integrity, ethical values and professionalism) and the environment in which it works, employees are the engine that drives the entity and the foundation on which everything rests".
The Control Environment fosters the structure in which the objectives must be met and the preparation of the man who will make them meet.
Risk assessment:
Organizations, whatever their size, face various external and internal risks that have to be assessed. A precondition to risk assessment is the identification of objectives at different levels, linked to each other and internally consistent. Risk assessment consists of identifying and analyzing the risks relevant to achieving the objectives, and serves as the basis for determining how risks are to be managed.
As economic, industrial, legislative, and operational conditions will continually change, mechanisms are needed to identify and address the risks associated with change.
"The entity must know and address the risks it faces, establishing mechanisms to identify, analyze and treat the corresponding risks in the different areas."
Although it is necessary to assume prudent risks to grow, management must identify and analyze risks, quantify them, and foresee the probability of their occurrence and the possible consequences.
Risk assessment is not a task to be accomplished once and for all. It must be a continuous process, a basic activity of the organization, such as the continuous evaluation of the use of information systems or the continuous improvement of processes.
Risk assessment processes must be future-oriented, allowing management to anticipate new risks and adopt appropriate measures to minimize and / or eliminate their impact on the achievement of expected results.
Risk assessment is preventive in nature and should become a natural part of the company's planning process.
Control activities:
Control activities are the policies and procedures that help to ensure that the instructions of the company management are carried out. They help to ensure that the necessary measures are taken to control the risks related to the achievement of the company's objectives.
There are control activities throughout the organization, at all levels and in all functions.
"Policies and procedures must be established and adjusted to help achieve reasonable assurance that the actions considered necessary to face the risks that exist with respect to the achievement of the unit's objectives are being carried out effectively."
Control activities exist throughout the organization and occur throughout the organization, at all levels and in all functions, and include such things as; approvals, authorizations, verifications, reconciliations, analysis of operational efficiency, security of assets, and segregation of duties.
In some settings, control activities are classified into; preventive controls, detection controls, corrective controls, manual or user controls, computer or information technology controls, and management controls. Regardless of the classification adopted, control activities must be appropriate for the risks.
There are many different possibilities when it comes to specific control activities, the important thing is that they combine to form a coherent overall control structure.
Companies can suffer from excessive controls to the point that control activities prevent them from operating efficiently, which reduces the quality of the control system. For example, an approval process that requires different signatures may not be as efficient as a process that requires one or two authorized signatures from component officials actually verifying what they are approving before stamping their signature. A large number of control activities or the people who participate in them do not necessarily ensure the quality of the control system.
Information and communication:
Relevant information must be identified, collected, and communicated in a manner and timeframe that enables each employee to fulfill their responsibilities. Computer systems produce reports that contain operational, financial, and compliance information that enables the business to be run and controlled appropriately.
These systems not only handle internally generated data, but also information on internal events, activities and conditions relevant to management decision-making as well as to the presentation of information to third parties.
There must also be effective communication in a broader sense, flowing in all directions through all areas of the organization, from top to bottom and vice versa.
The message from senior management to all staff must be clear; control responsibilities have to be taken seriously. Employees have to understand what the role is in the internal control system and how individual activities are related to the work of others. On the other hand, they must have the means to communicate significant information to higher levels. Likewise, there must be effective communication with third parties, such as customers, suppliers, control bodies and shareholders.
At present, no one conceives of running a company without information systems. Information technology has become so commonplace that it is taken for granted. In many organizations, managers complain that the voluminous reports they receive require them to review too much data to extract relevant information.
In such cases there may be communication but the information is presented in such a way that the individual cannot use it or does not use it really and effectively. To be truly effective, IT must be integrated into operations in a way that supports proactive rather than reactive strategies.
All personnel, especially those performing important operational or financial functions, must receive and understand the message from senior management that control obligations must be taken seriously.
You also need to know your own role in the internal control system, as well as how your individual activities relate to the work of others.
If the control system, specific tasks and obligations in the system are not known, problems are likely to arise. Employees must also know how their activities relate to the work of others.
There must be effective communication throughout the organization.
The free flow of ideas and the exchange of information are vital. Upstream communication is often the most difficult, especially in large organizations. However, the importance of it is evident.
Employees working on the front lines in sensitive operational roles and interacting directly with the public and authorities are often best placed to recognize and communicate problems as they arise.
Fostering a suitable environment to promote open and effective communication is beyond the scope of the policy and procedure manuals. It depends on the atmosphere that reigns in the organization and on the tone given by senior management.
Employees need to know that their superiors want to know about the problems, and that they will not just support the idea and then take action against employees who bring negative things to light.
In poorly managed companies or departments, the corresponding information is sought but no action is taken and the person providing the information may suffer the consequences.
In addition to internal communication, there must be effective communication with external entities such as shareholders, authorities, suppliers and customers.
This helps the corresponding entities understand what is happening within the organization and stay well informed. On the other hand, the information communicated by external entities often contains important data about the internal control system.
Supervision or monitoring:
Internal control systems require supervision, that is, a process that checks that the proper functioning of the system is maintained over time.
This is accomplished through ongoing monitoring activities, periodic evaluations, or a combination of both. Continued supervision occurs in the course of operations. It includes both normal management and supervisory activities and other activities carried out by staff in the performance of their duties.
The scope and frequency of periodic evaluations will depend essentially on a risk assessment and on the effectiveness of ongoing monitoring processes. The deficiencies detected in the internal control must be notified at higher levels, while the senior management and the board of directors must be informed of the significant aspects observed.
“The entire process must be supervised, making the pertinent modifications when deemed necessary. In this way, the system can react quickly and change according to the circumstances ”.
Internal controls need to be continuously monitored to ensure that the process works as intended. This is very important because as internal and external factors change, controls that were once adequate and effective may no longer be adequate and give management the reasonable assurance that they once offered.
The scope and frequency of supervisory activities depend on the risks to be controlled and the degree of trust that management inspires in the control process.
Supervision of internal controls can be done through ongoing activities embedded in business processes and through separate evaluations by management, the internal audit function, or independent individuals.
Ongoing oversight activities designed to test the effectiveness of internal controls include periodic management and oversight activities, comparisons, reconciliations, and other routine actions.
After analyzing each of the components, we can synthesize that these, linked together:
They generate a synergy and form an integrated system that responds in a dynamic way to the changing circumstances of the environment.
They are influenced and influence the management methods and styles applicable in companies and directly affect the management system, taking as a premise that man is the most important asset of any organization and needs to have a more active participation in the management process and feel like an integral part of the Internal Control System that is applied.
They are intertwined with the operating activities of the entity, contributing to their efficiency and effectiveness.
They allow you to maintain control over all activities.
Their effective operation provides a reasonable degree of assurance that one or more of the stated categories of objectives will be met. Therefore, these components are also criteria for determining whether internal control is effective.
They make a difference with the traditional approach to internal control directed to the financial area.
They contribute to the fulfillment of the organizational objectives in a general sense.
Conclusions
The new internal control approach may look a bit rigorous, but due to its current status, it can be assimilated, profitably by the economy of the entities. Its five components are new elements that are added to the system, are integrated with each other and implemented in an interrelated way, influenced by the management style. They are used to determine if the system is effective.
They make a difference with the traditional approach to internal control directed to the financial area. These components are framed in the management system. They make it possible to foresee risks and take the appropriate measures to minimize or eliminate their impact on the fulfillment of organizational objectives.
Bibliography
Books:
Cooper & Librand SA (1992), COSO Report, Institute of Internal Auditors of Spain.
Notes:
Notes taken from: Student Notes of “Audit”. Ricardo Vilches Troncoso. General Accountant major in Computing. CFT; Diego Portales. Accountant Auditor. Cardinal Raúl Silva Henríquez Catholic University
Resolutions:
Resolution No. 297 - 2003 of the Ministry of Finance and Prices.
Websites:
www.monografias.com
www.yahoo.com
Recommendations:
This work on the Five Components of Internal Control was prepared to provide students with a better understanding of them, both to develop independent studies guided by the teacher, as well as when analyzing and applying the knowledge acquired in their respective companies. Its use in classes was very useful.
