Internal control is the process an organisation follows to provide reasonable assurance of the reliability of its financial reporting, its operational effectiveness and efficiency and its overall compliance with laws and regulations.
Taking its particular circumstances into account, the first step for an organisation is to define its 'control environment' - what are its values and ethics; what are its policies and practices; its management culture; organisational structure; the involvement of the Board and audit.
Using these as guide, the overall control objectives can be defined - taking into account the need to balance the need for control with efficiency. A risk assessment provides further focus, identifying those risks the organisation wishes to reduce and is willing to devote resources to reducing. This will identify the key business processes where controls are to be applied or assessed.
Internal controls follow two main strategies - preventive or detective. The first attempts to prevent errors arising at all whilst the latter attempts to identify errors for correction "after the fact". Information systems (or applications) are integral to implementing an effective internal control environment as they provide many features for real time prevention and for logging and reporting of exceptions, rejections and reconciliation. Mapping the controls onto business process maps and other documentation is also key and helps training and performance review.
The controls in place (or desired, if yet to be implemented) can be documented quite simply - process by process. Such a list provides the checklist for a review of the health or maturity of the internal control regime in the organisation.
Assessment of the control regime first identifies the critical processes and confirms the associated internal controls. Each control is reviewed and any issues logged. The risks indicated with each issue are be assessed and a decision taken on the response to the risk. An action list will result which can form the delivery plan for the next phase of implementation of the control regime.
This summary is taken from a quick survey of what is available on the subject on the Internet. It aims to pull out the key ideas of what is involved in defining internal controls. Ideas such as reporting and monitoring - how do management know that the controls are working - also need to be considered in conjunction with this summary.
The visual summary (above) was prepared using MindView and the full MindView map may be downloaded as a zip file by clicking the link: Defining and Assessing Internal Controls and saving the file.
A MindManager version of the map may be downloaded from either Biggerplate or Maps for That.