Public Sector

Weaknesses in internal controls have been the root cause of many problems, including fraudulent activities, errors, and non-compliance with laws and regulations. Accordingly, the adequacy of internal control should be the primary concern of the government and audit committees.

Understanding an organization’s internal controls will help audit committees understand the organization’s risk management and the processes used to mitigate risks.

Definition of Internal Control

COSO defines internal control as "a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

An organization’s internal controls consist of the policies and procedures in place that provide a reasonable level of assurance that these objectives are achieved. Not all of the policies and procedures employed by an organization would be relevant to an independent auditor performing an audit of the financial statements. Certain controls governing the efficiency of operations, while significant to the ultimate success of the organization would not be considered in an audit.

It is important to understand that the objective of internal controls is to provide reasonable, but not absolute, assurance that an organization’s control objectives have been met. Success in achieving control objectives can be limited by circumvention, breakdown of external controls, poor management oversight, the ability to override the system, and the high cost of implementing certain controls. Despite the existence of adequate internal controls, the reliability of financial reporting and compliance with laws and regulations are not ensured.