A Basic Overview of Internal and External Controls
Because control is both general in concept and situational in practice, there are many ways to implement controls and align them to risks. The focus area of a control can lie in either the internal or the external business environment, and each focus area gives the organization valuable information to use as part of a risk and control framework.
Many risk and control frameworks exist, each with its own method for executing risk management and controls (e.g., SOX, SOC, NIST, ISO, COSO, COBIT). These frameworks and standards implement risk and controls differently, but all share the same objective: managing risk and implementing controls to protect the organization's key assets.
Financial institutions play a crucial role in the development of the world economy by facilitating trade, loans, investments, and a wide range of other financial activities. These institutions must operate with honesty, security, and dependability given their crucial role. Financial institutions must implement internal and external controls for several reasons.
Internal Controls
The internal business environment is the foundation for internal control. Many entities have their own definitions of internal control. A few of those definitions are as follows:
· The Institute of Internal Auditors (IIA) defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations."
· The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations."
· The Information Systems Audit and Control Association (ISACA), within COBIT (Control Objectives for Information and Related Technologies), defines internal control as "the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected, and corrected."
These definitions emphasize the common idea of internal control, which centers on processes and systems. These processes and systems are usually employed within an organization to provide assurance in accomplishing company objectives, managing risks, ensuring compliance, and maintaining dependable financial reporting.
Implementing internal controls can be complicated because so many different frameworks, such as those from the IIA, COSO, and COBIT, employ internal controls in their own way. There is no single standard means of implementing internal controls, but there are best practices that can be understood and implemented as part of a more comprehensive risk management and control implementation methodology.
External Controls
Just as the internal business environment is the focus for internal controls, the external business environment is the foundation of external controls. External controls have a less widespread definition and understanding: there is no specific definition of external control from entities such as the IIA, COSO, or ISACA. That doesn't mean the concept isn't important.
An example of external control would be an activity taken by an external entity to promote control effectiveness within an organization. Put simply, a decision made by an external entity has an impact on the organization. This is demonstrated, for instance, by legislation and regulation from agencies such as the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC).
The concept of external control is more nuanced, and it is evidenced in activities in the external environment that affect risk management and control implementation within an organization. If one were to define external controls, the definition would be broadly consistent with the concept of internal controls, only with an external focus. The idea of external control would therefore still center on processes and systems and would still include aspects of assurance as part of its implementation.
In summary, internal and external controls in financial institutions include more than merely checking boxes and obeying the laws. They are essential for these institutions' reliable, effective, and secure functioning in the complex and evolving global financial system.
What are your thoughts and experiences on Internal and External Controls? Your thoughts and comments are welcome.