Is your internal control environment up to date?

Internal controls get to the heart of a company’s financial integrity. They are designed to ensure that financial statements reflect materially accurate numbers. If you have a poor internal control structure, your financial statements will carry a higher level of risk of material misstatement. A well-designed internal control framework means more reliable, trustworthy financial statements.

What are the risks?

One of the riskiest parts of the current high turnover in the workforce is the loss of segregation of duties. If an employee with access to expenditures is also the person in charge of overseeing transactions, there may be conflicting duties. There is the potential for errors or fraud because that employee will have too much access to post transactions. This situation can easily happen when key staff members leave and the remaining employees absorb their work.

To prevent this, ensure different job duties have different access levels in the control framework. Employees in charge of expenditures, for example, should be on a separate level from the staff who review transactions.

Problems occur when an employee has access to multiple levels and the ability to do something without it being detected. For example, if a staffer has access to the checking account as well as the reconciliation system, they could create their own invoice, pay themselves, and hide the transaction. Similarly, someone with the ability to create journal entries in the general ledger should not be the person who reviews those entries.

This is partly to protect employees. If they have inappropriate access or abilities, there’s a high risk of inadvertent errors, such as paying the same bill twice, even when there is no fraud.

How do you know if your framework is in good shape?

It starts with a design evaluation of the current framework to understand the gaps in the internal control framework. A walkthrough of the design confirms the processes or reveals gaps and issues.

Once you have a design that fits the current state of the organization, the next step is testing, which can be required for some public companies and is a good practice for private entities. Check to make sure there are enough controls per financial statement assertion so that there are no gaps in the framework. This establishes the reliability of the financial statements.

If there are several deficiencies surrounding one financial statement transaction cycle, determine the severity of the problem. If there are compensating controls, it could just be a deficiency, which can be kept internal. Judgment is needed in this gray area to determine if these deficiencies could lead to a material misstatement in the financials.

Perfection is typically unrealistic. A success rate above 90% is usually sufficient because a given control often compensates for others. Anything lower could attract greater scrutiny from investors or creditors, even if it doesn’t rise to the level of a material weakness.

Once you’ve assessed the state of your current framework, build change into the process. Ensure that controls are remote-work ready and prescribe how duties shift if personnel changes. There’s a lot you can’t control in today’s rapidly changing business and employment climate, but your internal controls are one thing you can.


Adapted from: “Is Your Internal Control Environment Up to Date?”, by Mary Wisenski, partner in the assurance and advisory services practice at Connecticut accounting and advisory firm Fiondella, Milone & LaSaracina, LLP, published on CFO News on 28 June 2022.

Leave a Reply