Internal controls are a set of standards, processes and procedures that help government entities and other organizations achieve their objectives. Clearly defined and consistently enforced internal controls are critical to reducing an organization's financial, operational and regulatory risk. Developing an internal control manual is an important element in your overall risk reduction strategy, as this valuable tool sets expectations and provides clarity to guide team members across the organization.
Depending on its functions and threat environment, your business, nonprofit or government entity may need multiple levels of internal controls that apply to different roles and areas within the organization. But whether it’s a vast state agency or a small private business, an internal control manual helps you achieve your objectives and responsibly manage resources by:
Organizations often experience problems when internal controls are absent. For example, consider a city parks and recreation department where the director is responsible for collecting recreational league fees and depositing them into the city’s general bank account. Without additional oversight, the director could divert some of the collected fees for personal use — and continue stealing these funds year after year.
Even when internal controls are established and documented, problems can arise if organizations don’t pay adequate attention to their controls. In addition to theft and fraud, lax oversight allows other negative consequences, such as missing out financially by failing to draw down owed federal grant funds in a timely manner simply because an employee is unaware of the relevant controls.
Both of these scenarios describe actual instances that Armanino advisors uncovered while performing internal audit services, and similar situations happen quite frequently at all levels of government, nonprofits and business. As cautionary tales, they illustrate the importance not only of maintaining a strong and current internal control manual, but also of consistently enforcing the policies it sets forth and communicating them to all team members.
There are six broad steps to follow, in order, when creating an internal control manual (or updating an existing manual): plan, review, evaluate, design, document and educate.
To complete these steps, you’ll need to perform multiple tasks, methodically and comprehensively addressing considerations related to people, processes and technology. The table below can help you think through different aspects and tasks that may be required at each step.
STEPS | KEYS |
PLAN | |
REVIEW | |
EVALUATE | |
DESIGN | |
DOCUMENT | |
EDUCATE | |
Once you’ve gathered all the relevant information, it’s time to put together your internal control manual. Carefully consider the structure and try to organize your manual for efficient use. Team members should be able to easily find and understand complete information about expectations related to the tasks for which they are responsible, including documentation requirements and any exceptions to the established processes and controls.
The content and length of your internal control manual will reflect the specific needs and functions of your individual organization. Your manual should include the following sections at a minimum, but based on your users (and governmental responsibilities, if applicable) you may choose to include additional components.
A thoughtfully developed and consistently implemented internal control manual alone cannot prevent every problem or eliminate all risk. Properly used, however, it can assist the organization in preventing, identifying and controlling many potential problems. It can also signal an opportunity for process or control improvements, such as when users face difficulty in complying with specified controls or information in the manual does not match current procedures.
The rapid shift toward digitalization has brought new challenges to the forefront. Many organizations face excessive risk from outdated manuals — and internal controls — that do not capture the technologies and tools quickly replacing older methods of performing or documenting business and governmental functions.
It’s important to include information technology experts, both internal and external, as you design or update your internal control manual. Work closely with these professionals to identify and implement solutions for reducing cybersecurity risk and ensuring data security, which may necessitate significant overhauls to existing processes and controls.
Your internal controls manual is a critical part of safeguarding your organization. But new threats, common mistakes and omissions can render it toothless or impossible to implement fully, leaving the door open to threats. Get the guidance you need to create a strong tool for mitigating your risks. Reach out to our Internal Control consultants today to develop an effective internal controls manual and environment that protect your organization.