Internal controls are important and necessary, never more so than in the Government contracting environment. Internal controls provide reasonable (not absolute) assurance that financial reporting is reliable, that operations are running effectively and efficiently, and that applicable laws and regulations are being complied with.
Internal controls consist of five interrelated components:
- Control environment - this is the foundation to all other components. The board or senior management establish the "tone from the top" regarding the importance of internal control and expected standards of conduct. It provides discipline, process, and structure.
- Risk assessment - this involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed.
- Control activities - these are the actions established by policies and procedures to help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes.
- Information and communication - necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities.. Communication enables all personnel to understand internal control responsibilities and their importance to the achievement of objectives.
- Monitoring - used to ascertain whether each of the five components of internal control are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.
When it comes to establishing effective internal control systems, one size does not fit all. Internal controls must be considered in the context of company size, organizational characteristics, the nature of the business (e.g. type of contracts), complexity of operations, applicable regulatory requirements, and more. Sometimes it seems that contract auditors want more controls than what contractors deem necessary. Sometimes they're right, sometimes not. Tomorrow we will look at the guidance that auditors follow in assessing whether select internal control systems are adequate.