Internal Controls – Control Activities
We’ve discussed the reasons to love internal controls and the first two components of The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework that many organizations follow when developing and implementing internal controls that are right-sized to them. This blog focuses on the third component.
Control activities are policies and procedures established by management to ensure the risks identified during the risk assessment process are mitigated or reduced to an acceptable level. Simply stated, they are checks and balances embedded in a company’s operations. Controls may be preventive or detective and can be manual and/or automated. Segregation of duties, which prevents one person from overseeing all phases of a transaction, is key to developing strong internal controls and identifying the person(s) responsible for performing a control activity.
Financial reporting controls may include authorizations and approvals, verifications, security of assets and reconciliations. Controls should be developed and implemented for each significant transaction cycle such as underwriting, claims, investments, treasury, payroll and financial statement close and reporting, as well as the information technology environment. During the risk assessment phase, management identified “what could go wrong” (WCGW) in those significant cycles. In the control activity phase, controls are developed and implemented so “things go right”.
The following are examples of WCGW and mitigating controls for select transaction cycles:
WCGW – Policies are issued but the corresponding premiums written and receivable are excluded from the premium bordereau and premiums receivable report.
- On a weekly basis, the accountant reconciles the detailed premium bordereau to authorized policies, endorsements, and/or cancellations. The reconciliation is reviewed by the assistant Controller.
- On a monthly basis, receivable balances are aged by the accounts receivable supervisor and reviewed by the assistant Controller. Delinquent accounts are investigated and bad debt write-offs are approved by the Controller.
WCGW – The establishment of initial case reserves and subsequent adjustments are not appropriately set or updated by the claims adjuster.
Control – Each claims adjuster is authorized to initiate and adjust case reserves within predetermined authority levels. Changes in case reserves greater than $25,000 are reviewed by the lead claims adjuster on a bi-weekly basis.
More organizations have an integrated approval process as part of their IT environment. It is imperative that management verify that employee access has been properly designed and the IT environment is properly functioning before relying on such controls.
Documenting controls over journal entries is also essential. Management should ensure the individuals approving journal entries are not posting journal entries and that neither has check signing authority.
It is essential to identify the frequency and person(s) responsible for performing control activities. The control activity needs to be performed in a timely manner and should be documented.
Weak internal controls increase the risk of:
- Incorrect decisions made by management and/or the board of directors based on erroneous, inadequate, or misleading information
- Fraud, embezzlement, and theft by management, employees, members or vendors
- Accidental loss, misuse, or destruction of assets such as cash and equipment
- Business interruption caused by system breakdowns
- Access to personally identifiable information or sensitive personal information by unauthorized parties
- Sanctions or penalties arising from failure to comply with laws and regulations
A strong internal control system is key to a well-managed organization and will help alleviate major disruptions and financial loss.