Internal Control & Audit
A system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the organization achieves its objectives and goals. These policies and procedures are often called controls, and collectively, they comprise an organization’s internal control. Traditionally referred to as ‘hard controls,’ these include segregation of duties, limiting access to cash, management review and approval, and reconciliations. Other types of internal controls include ‘soft controls’ such as management ‘tone at the top,’ performance evaluations, training programs, and maintaining established policies, procedures, and standards of conduct.
The auditing profession has widely accepted the Committee of Sponsoring Organizations of the Treadway Commission’s report titled The Internal Control-Integrated Framework (COSO Report) as a general definition of internal control. The COSO Report defines internal control as a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Internal control consists of five interrelated components:
- Control Environment. The organization’s tone is the foundation for all other components of internal control.
- Risk Assessment. Management establishes activity-level objectives and mechanisms for identifying and analyzing risk related to their achievement.
- Control Activities. Policies and procedures that ensure management’s directives are carried out and help ensure that necessary actions are taken to minimize risks to the achievement of the entity’s objectives.
- Information and Communication. Information must be identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities.
- Monitoring. Assessing the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.
Effective internal control helps an organization achieve its operations, financial reporting, and compliance objectives. Effective internal control is a built-in part of the management process (i.e., plan, organize, direct, and control). Internal control keeps an organization on course toward its objectives and the achievement of its mission and minimizes surprises along the way. Internal control promotes the effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure the reliability of financial reporting and compliance with laws and regulations.
Roles and Responsibilities of Internal Control: State entity heads are accountable for activities carried out in their agencies. This means that management is responsible for identifying the risks that could prevent them from achieving their objectives and making sure that appropriate internal controls (policies and procedures) are in place to mitigate those risks. Management is also responsible for ongoing internal control monitoring to ensure that controls are still working and to determine whether risks have changed, requiring new controls.
Management needs to understand that internal control provides reasonable assurance, not absolute assurance, regarding the achievement of an organization’s objectives. While effective internal control supports these objectives, it does not guarantee success due to cost/benefit considerations, potential collusion among employees, and external events beyond a department’s control. It is important to recognize that internal control is a process aimed at achieving goals rather than an end in itself. Additionally, it involves participation from all levels of the organization; while agency heads are accountable for their activities, everyone shares some responsibility for maintaining internal control.