Five Steps to Building an Effective Internal Control Environment

This blog was written and produced by Adam Kozielec, CPA and Manager at The Bonadio Group. Looking to get in touch with Adam? Reach out today: akozielec@bonadio.com.

The most important steps in building an effective internal control environment are to have a plan in place and the proper resources to implement that plan. This article contains five common things to consider when looking to build or improve the effectiveness of your entity’s internal control structure.

1. Foundation: When building anything in life, you need to start with a strong foundation. In the case of an effective internal control environment, you should start with the following:

  • A baseline set of documented standard policies and procedures: Standard policies and procedures should be documented to cover key financial and operational areas (e.g., procurement, financial reporting, revenue recognition, IT management, vendor management, customer management, cash management, time and expense reporting…).
  • Tone at the top: Senior management and management at all levels need to demonstrate the importance of following the standard policies. They need to communicate the importance of these policies and the expectation that these policies will be followed. They need to lead by example by following the procedures themselves and hold accountable those who do not follow the procedures.
  • Business Conduct and Ethics Policy: Expectations on business conduct and ethical behavior should be developed by senior management and communicated to all employees and relevant third parties associated with the entity. This policy should address the expectation of all employees and relevant third parties to follow the standard policies and procedures for finance and operations.

2. Risk Assessment: A review of the entity’s current control environment and operating activities should be performed to identify, evaluate, and manage risks. Overall risks should be determined based on a review of the current-state internal control environment, as well as external factors that could affect the entity’s ability to perform in line with expectations. The risk assessment should include interviews with key personnel to identify control activities in place, a review of identified control activities to determine that they are operating as designed, and the identification of gaps in both the control activities and the policies and procedures that govern them. The overall risk assessment should be reviewed and updated on a periodic basis.

3. Control Activities: As part of the risk assessment process, the entity should identify control activities that are currently in place and control activities that should be added to help mitigate the risks identified in the risk assessment to an acceptable level. The control activities that management expects to be executed should be documented in the standard policies and procedures. The policies should identify the objective of the policy and control activity, who is responsible for executing the control activity, what evidence should be retained to support that the control activity took place, when the control should take place, who is responsible for reviewing the control activity, and what evidence should be retained to confirm the review occurred.

4. Communication and Training: Effective and timely communication is important to build and maintain a strong control environment. All personnel should be formally trained on policies and procedures that are relevant to their role in the entity. Timely communication on changes to policies and implementation of new policies is critical to help employees understand the expectations of their roles.

5. Internal Auditing and Monitoring: In order to confirm that the control activities designed to help mitigate risks are operating effectively, it is important to develop an internal audit plan to test the control activities. Internal audit plans come in many shapes and sizes and should be tailored to the entity's needs and expectations.

Bonadio is well-positioned to help you develop and/or improve the effectiveness and efficiency of your current internal control environment. We have extensive experience performing risk assessments, documenting policies and procedures, and creating and executing internal control monitoring and internal audit workplans. Contact us today to discuss your current situation and how we can help mitigate the risks that your entity faces.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.