[NOTE: this is the second in a four-part series on internal control]
In my last post I covered the what and why of internal control, listing five key components. Now we move on to how you implement those components. What follows is a high-level look at the key steps courts should take to minimize risks — in the next post I will give a practical illustration in the area of financial controls.
The first internal control key component is the Control Environment. In an effective internal control environment, management must provide discipline and structure in these ways:
• Commitment to integrity and ethical conduct.
• Establishment of an organizational structure that effectively assigns and delegates responsibilities.
• Hire, develop, and retain competent staff, evaluate their performance, and hold them accountable.
The second key component is Risk Assessment. In order to minimize (and hopefully, eliminate) risk, management needs to:
• Articulate clear organizational and operational objectives to enable the identification of associated risks and risk tolerance.
• Consider the potential for fraud and other malfeasance.
• Analyze and respond to changes that could impact the internal control system.
The third key component is Control Activities. To respond to the identified risks to the organizational objectives, management should:
• Design specific control actions to respond to the identified risks.
• Ensure that both manual and automated systems are included in control actions.
• Enact comprehensive control policies.
The fourth key component is Information and Communication. It isn’t enough to create a good environment, assess risk, and create policies. Management needs to:
• Ensure that quality information is used to make decisions (and has been used in risk assessment and creation of policies).
• Effectively communicate information about internal control both internally and externally. For instance, employee training should incorporate appropriate policies.
The fifth key component is Monitoring. Ongoing evaluation of how well internal control activities are performing is extremely important. Management should assess and remediate the quality of performance over time by:
• Establishing and implementing activities that monitor and evaluate control activities.
• Monitoring activities continuously (e.g., via daily data analysis) and periodically (e.g., via audits), as appropriate.
• Remediating identified control deficiencies on a timely basis.
It is easy to see how internal control really cuts across every aspect of court operations: human resources, information technology, space & facilities, security, finance & budget/procurement, etc. What is also striking is how the control components and principles parallel the classic strategic planning cycle of activities.
One can think of internal control as strategic planning with a focus on risk assessment, avoidance, and remediation.
As written above, the internal control components and principles I’ve written about so far are at a high, theoretical level. What may be helpful is to next explore one court operational area and focus on practical internal control actions. I will do that in part three of this series on internal control: “Risky Business – practical aspects of financial internal control.”
Thanks for reading the Vantage Point blog, and I welcome your comments. In particular, comments about your experiences with internal control (especially financial control) are appreciated.
The principles outlined herein are based on material on page 9 of GAO Standards for Internal Control in the Federal Government – Publication GAO-14-704G (2014) https://www.gao.gov/products/GAO-14-704G