Internal control reviews are often regarded as the domain of large entities such as publicly listed companies or government departments. While the control environment of a small or medium-sized entity (SME) may differ from that of a large organisation, it is equally important that it is reviewed regularly in order to ensure the effective management of risks which may change with the business.
In the context of SMEs, how effectively risks are managed within the control environment is determined by the attitude, actions and awareness of business owners and management towards the internal control system, and by how important they perceive it to be to the SME’s overall objectives. The control environment sets the tone and culture of an organisation.
An effective control environment ensures the following:
- Effectiveness and efficiency of operations;
- Reliability of financial reporting;
- Compliance with applicable laws and regulations; and
- Safeguarding of assets.
Internal control reviews typically begin by performing a risk assessment. Risk assessment is the identification and analysis of relevant risks which prevent an organisation from achieving its objectives. Risks should be considered in terms of their likelihood of occurrence and their impact on the organisation if they occur.
One approach to performing a risk assessment is to consider risks within the following five categories:
1. Strategic risks – Governance, succession planning, business plans
2. Operational risks – staffing, health and safety, maintenance of machinery, reliance on a supplier
3. Financial risks – budgeting, cash flow, fraud
4. IT risks – security, system application controls, disaster recovery plans
5. Compliance risks – code of conduct, monitoring legislative changes, regulatory environment
Once the key risks have been identified, the next step is to consider implementing controls which mitigate the risks identified. Controls commonly take the following forms:
Preventive Controls: controls designed to prevent undesirable events from occurring. Examples of preventive controls include segregation of duties, maintenance programmes, approvals and authorisations.
Detective Controls: controls designed to find errors or irregularities. Examples of detective controls include reconciliations, stocktakes and exception reports.
Directive Controls: actions taken to cause or encourage a desirable event to occur. Examples of directive controls include policies and procedures, position descriptions and preparation of budgets.
All businesses and organisations, big or small, for profit or not for profit, should regularly consider internal control reviews, including performing routine risk assessments and implementing the necessary controls to mitigate the risks identified.