Is it an internal control or is it a process? Here’s why it matters
By Josh Haidenthaller, Assurance Manager
Internal controls are a major part of any modern-day entity, but many of us don’t know if we have a control in place or only a process. If you have been through an audit, your auditor has probably asked you the following questions, or something similar: Will you walk me through your process? What controls do you have in place?
Have you ever thought, “What is the difference? Are my controls not the same thing as my process?” If so, you are not alone. Over my years in public accounting, I have had several people ask me these very questions, and even had a time when I was not completely sure of the differences. So, let’s break down these two terms together: internal control and a process.
According to Webster’s Dictionary, internal control means “a system or plan of accounting and financial organization within a business comprising all the methods and measures necessary for safeguarding its assets, checking the accuracy of its accounting data or otherwise substantiating its financial statements, and policing previously adopted rules, procedures, and policies as to compliance and effectiveness.” Webster’s Dictionary defines a process as “a series of actions or operations conducing to an end.” Well, doesn’t that clear things up. If we look a little closer, these definitions contain two key words for understanding the difference between a control and a process: safeguarding and checking.
An internal control’s job is to ensure the safeguarding of something and/or the checking of something against certain parameters. Controls are often categorized into three types: detective, preventive or corrective. A detective control is a control that will identify when an error was made or fraudulent activity occurred. For example, your accounting software will alert you when you are making a journal entry in which your debits do not equal your credits. A preventive control will not allow an error to be made or a fraudulent activity to occur. For example, your computer will not log into your account if you do not enter your correct password. A corrective control is a control that will correct errors or fraudulent activity that has occurred. An example is a cashier till that is not balanced at the end of a shift and the difference is taken out of the cashier’s pay. A control can fall into, and often does fall into, more than one of these categories.
Internal controls are often part of the process, especially manual controls. However, your procedures (or process) are not always a control. To help illustrate this, consider a hypothetical example regarding a bank reconciliation process. To set the stage, we have a small company with a few bank accounts, an office manager named Morgan, an accounting clerk named Austin, and an accounting manager named Jordan. Morgan receives the mail and opens the bank statements. After signing and dating the statements, she gives them to Austin to prepare the reconciliations. Austin prepares the reconciliations and ensures that balances match their records and the bank statements. Upon completion of the reconciliations, Austin gives Jordan the reconciliations and the bank statements. Jordan reviews and approves the reconciliations. The reconciliations and the bank statements are then returned to Morgan to be filed.
Having outlined the process of preparing the bank reconciliations for this company, what are the controls? The first control to note is the separation of duties: no one person is doing the process alone; it is split among the three of them. The next control is Morgan signing and dating the statements. This prevents Austin from being able to change the statements. The last, an “almost control,” is Jordan reviewing and approving the reconciliations. Why is this an almost control? For it to be considered a control, it has to be documented. It is vital that we have some way of proving that a process happened to truly call it a control.
Ben Ripple, assurance services practice leader at Bernard Robinson & Co., said, “It is important to recognize the difference between a control and a process. Relying on processes rather than controls opens an organization up to misstatements and fraud.” As shown, controls and processes are very similar and can easily be mislabeled. There are many other aspects to consider that were not covered in this article. Consistent consideration and evaluation of controls and processes are important to ensuring that they are adequate.