What is internal control? This episode provides a definition highlighting the importance of an organization's people to its control system and internal controls' connection to positive risk-taking and meeting objectives.
Origins of Internal Control
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission (a joint initiative of five professional finance, accounting, and auditing organizations) formally defined internal control in 1992.1
But the concept of internal control has been around for millennia. Researchers have found evidence of internal control systems that date back to 3600 to 3200 B.C. Here's an example of internal control implemented within the Treasury of the Egyptian Pharaohs:
"Nothing was given out of the treasury without a written order. Peculation (embezzlement) on the part of the workmen was provided against by the records of one official checking those of another. When the corn was brought to the storehouses, each sack was filled in the sight of an overseer and noted down, and when the sacks were carried to the roof of the storehouse and emptied through the receiving opening, the scribe stationed there recorded the number received." 2
In the following video, our host recaps the opening dramatization and defines internal control.
The dramatization you have just seen (in the previous episode) was intended to emphasize the seriousness of such problems and to demonstrate their wide-ranging impact.
Definition of Internal Control
A process effected by an organization's people, designed to provide reasonable assurance in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws and regulations
Internal Control is People-Dependent
- It's developed by an organization's people.
- It guides its people.
- It provides accountability to its people.
- Its people carry it out.
- People like you!
WSU's policy manual is an excellent example of controls developed by an organization's people. When reviewing the What's New section of the manual, you can see the many varied constituencies involved in policy development. The president or executive team doesn't simply hand down policies and procedures.
Internal Control Provides Reasonable Assurance
An effective control system provides reasonable rather than absolute assurance.
- Excessive control is costly and counterproductive.
- Too little control is reckless and presents an undue risk.
- Excessive control and risk avoidance can result in stagnation or "good enough" rather than progress toward meeting objectives.
- Accepting risk means monitoring the situation and being alert to changing circumstances.
Positive risk-taking is one of WSU's distinctive values! An effective control system allows for accepting some risks when mechanisms are in place to monitor those risks.
We understand that taking risks is sometimes necessary to achieve our goals, but we also recognize the importance of having effective control systems in place to monitor those risks.
To ensure that we are making informed decisions, we have established mechanisms to vet risks up the chain of command whenever they impact the university's strategic objectives, enrollment, and funding sources.
By doing so, we can balance the potential benefits of taking risks with the need to protect the long-term success of the university.
Three Control Categories
- Effectiveness and efficiency of operations - Processes run smoothly to help us meet our objectives.
- Reliability of financial reporting - Numbers are timely and accurate and aid decision-making. Reliability applies to non-financial information systems as well.
- Compliance with laws and regulations - Work within the rules to stay out of trouble and avoid adding obstacles to meeting our objectives.
Internal Control: A Manager's Journey
H. K. Spenser Pickett's novelization of a manager's journey to understanding internal control provides an apt summation of internal controls' definition and purpose:
(Pexels/Valentin Antonucci)
Control simply means making sure you get where you need to be without too many problems. Or, to put it another way, by recognizing potential problems and ensuring there are procedures to deal with them.
H.K. Spencer Pickett
In our context, "where you need to be" refers to meeting the university's objectives or those of your college or department. Recognizing potential problems entails risk assessment, a key component of internal control.
1 COSO's five sponsoring organizations include the Institute of Internal Auditors (IIA), American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), and Institute of Management Accountants (IMA).
2 T.A. Lee. "The Historical Development of Internal Control from the Earliest Times to the End of the Seventeenth Century." The Journal of Accounting Research (Spring, 1971), pp. 150-157.
3 K.H. Spenser Pickett. Internal Control: A Manager's Journey. John Wiley & Sons, 2001.