Internal control is an interlocking set of activities that are layered onto the normal operating procedures of an organization, with the intent of safeguarding assets, minimizing errors, and ensuring that operations are conducted in an approved manner. Another way of looking at internal controls is that these activities are needed to mitigate the amount and types of risk to which a firm is subjected.
Internal control comes at a price, which is that control activities frequently slow down the natural process flow of a business, which can reduce its overall efficiency. Consequently, the development of a system of internal control requires management to balance risk reduction with efficiency. This process can sometimes result in management accepting a certain amount of risk in order to create a strategic profile that allows a company to compete more effectively, even if it suffers occasional losses because controls have been deliberately reduced.
A system of internal controls tends to increase in comprehensiveness as a firm increases in size. This is needed, because the original founders do not have the time to maintain complete oversight when there are many employees and/or locations. Further, when a company goes public, there are additional financial control requirements that must be implemented, especially if the firm's shares are to be listed for sale on a public exchange. Thus, the cost of controls tends to increase with size.
Internal control comes in many forms, which include the following:
- A board of directors oversees the entire organization, providing governance over the management team.
- Internal auditors routinely examine all processes, looking for failings that can be corrected with either new controls or tweaks of existing controls.
- Processes are altered so that more than one person is involved in each one; this is done so that people can cross-check each other, reducing fraud incidents and the likelihood of errors.
- Access to computer records is restricted, so that information is only made available to those people who need it to conduct specific tasks. Doing so reduces the risk of information theft and the risk of asset theft through the modification of ownership records.
- Assets are locked up when not in use, making it more difficult to steal them.
A key concept is that even the most comprehensive system of internal control will not entirely eliminate the risk of fraud or error. There will always be a few incidents, typically due to unforeseen circumstances or an exceedingly determined effort by someone who wants to commit fraud.