Internal Controls

These controls ensure companies do not misrepresent their financial statements or profits.

Author: David Bickerton
David Bickerton
David Bickerton
Asset Management | Financial Analysis

Previously a Portfolio Manager for MDH Investment Management, David has been with the firm for nearly a decade, serving as President since 2015. He has extensive experience in wealth management, investments and portfolio management.

David holds a BS from Miami University in Finance.

View Profile
Reviewed By: Himanshu Singh
Himanshu Singh
Himanshu Singh
Investment Banking | Private Equity

Prior to joining UBS as an Investment Banker, Himanshu worked as an Investment Associate for Exin Capital Partners Limited, participating in all aspects of the investment process, including identifying new investment opportunities, detailed due diligence, financial modeling & LBO valuation and presenting investment recommendations internally.

Himanshu holds an MBA in Finance from the Indian Institute of Management and a Bachelor of Engineering from Netaji Subhas Institute of Technology.

View Profile
Last Updated:July 28, 2023
In This Article

Internal controls are practices and processes that companies use to ensure the legitimacy and compliance of all written and published financial statements. These controls ensure companies do not misrepresent their financial statements or profits.

Derived from the Sarbanes-Oxley Act of 2002, financial controls are now integral to company standards and procedures. These rules and regulations are mandatory for any company that publicizes statements or has stock in public exchanges.

The Sarbanes-Oxley Act mandates that all companies must prevent fraud and manipulation of financial statements and investigate all allegations or possible sources of accounting manipulation.

These laws target companies that attempt to falsify their financial statements to enhance profits or minimize losses and liabilities. Although illegal, companies use tactics to manipulate financial statements to appear more successful.

More investors will likely be willing to invest in a company if profits rise, especially with a company that continues to increase profits and minimize losses. 

Due to the potential benefits of illegal tactics, multiple types of internal controls are employed to counteract such practices. There are preventative and detective controls that try and minimize these tactics. 

Preventative controls try to minimize all sources of fraud. This includes ensuring employees are actively against fraud, assessing risks and possible sources of fraud, monitoring, and communicating with authorities if such occurrences were to happen.

These controls usually stop most legal activities before they happen, but unfortunately, some do make it through. This is where detective controls come in; they work to ensure that all statements are traceable to the accountants that wrote them, the sources they came from, and all other relevant information.

Key Takeaways

  • Internal Controls are practices and safeguards companies use to prevent accounting fraud.
  • The main motive for fraud is to boost profits on financial records.
  • The Sarbanes-Oxley Act pioneered modern Internal Controls.
  • The two types of Internal controls are preventative and Detective.
  • It’s important to prevent and stop fraud so companies cannot deceive investors or the government. 

Why Internal Controls Are Important

Internal controls are of utmost importance. They exist to ensure that companies maintain honesty and integrity toward their investors and customers. They are also implemented to prevent fraud and dishonest practices.

These controls ensure that companies remain ethical and compliant while sustaining a thriving business. In addition to maintaining control and integrity, some internal controls enhance efficiency in a company's overall operations. 

Most control systems include an internal audit component. These audits will track all sources of financial statements, where each piece of income comes from, who works on them, and other important additional information.

With this trail, employees and business leaders can easily access information in an efficient and clear format rather than having to trail down every single employee that works on a financial statement.

NOTE

To ensure effective control mechanisms, it is advisable to minimize reliance on human judgment and instead prioritize automation. This approach accounts for the potential risks associated with human error, impulsiveness, or carelessness, particularly in high-pressure situations.

Besides being useful for a company, these systems are much more useful for law enforcement and the government. As mentioned before, audit trails are an amazing way for individuals to keep track of and Source down financial statements.

In investigations, especially federal investigations, these audit trails provide crucial pieces of evidence for finding out who is responsible for possible fraud and who should be held accountable.

By adding these controls to a company, not only will they improve their preventability of fraud, but they will all increase their production and efficiency. These benefits far outweigh the possibility of attracting investors with an increase in profit. 

Types Of Internal Controls 

As stated before, there are two types of it. These controllers are divided between preventative and detective. Some companies May specialize in one form of control While others try to use both at the same time.

Each company's policies are different. Some are more strict, while others have fewer rules. Regardless, all companies must adhere to the Sarbanes-Oxley Act of 2002 regarding their internal controls. 

1. Preventative Controls

Preventative controls ensure that fraud on financial statements cannot have it in the first place. Tactics like separation of duties will prevent a single individual from being able to authorize records and finalize any financial statements.

NOTE

There are also policies for signatures. High corporate management must all personally pledge that all financial statements are factual and not manipulated. 

All these tactics work towards ensuring that no single person or group of people within a company tries to alter a financial statement to benefit themselves or the company.

If individuals are found, they will be prosecuted and punished based on their involvement, if they pledge that statements are true, and to what degree the statements were altered.

2. Detective Controls 

As much as we hope preventative controls stop all fraud, it's unlikely that a company will ever suffer these problems. Detective controls aim to find problems Within faulty financial statements once they have occurred. 

NOTE

If a company has successfully implemented controls like these, fraud is much more easily detectable after it's occurred. With practices like quality control, fraud prevention, and legal compliance, solving and investigating fraud becomes much easier.

One especially used tool with these types of controls is audit trails. These long lines of data show where each piece of information on a financial statement comes from. 

This can include where profits came from within a company, which accountant wrote the statement, all employees involved with the statement, the location where all financial statements are held, and other relevant information. 

These trials are crucial to figuring out solving fraud cases as they give the company and possible investigators the ability to track down every responsible employee and individually assess whether they participated in the fraud. 

Sarbanes-Oxley Act Of 2002 introducing Modern Internal Controls

To talk about Internal Controls without mentioning the Sarbanes-Oxley Act of 2002 would be impossible. The act, enacted after the financial scandals during the early 2000s, pioneered most modern internal practices and stipulations.

Companies such as Enron Corporation, Tyco International, and Worldcom were found to be responsible for several financial scandals. These scandals were made public, and the outrage that followed forced the SEC to pass laws to prevent these scandals from occurring again.

Decade-old regulatory standards made these scandals possible. Before the Sarbanes-Oxley Act of 2002, they were little in regulations about financial statements and internal regulations. These weaknesses were exploited by the companies mentioned above and used to publish financial statements fraudulently.

NOTE

The Sarbanes Oxley Act is an extremely long law. For further information, review the law at the IRS

The Sarbanes Oxley Act worked to counteract and revise these old regulations. They revamped all existing laws and reformed them with four principles in mind. These principles are:

1. Management Responsibility

Section 302 of the Sarbanes-Oxley Act requires that higher-ups or senior corporate officers personally ensure, in signature, that a company's financial statement complies with all regulations and requirements of the act.

These signature pledges ensure that financial statements don't contain untrue statements or missing information, the statements accurately represent the company's financial condition, and that those who sign are accountable for internal controls regarding statements. 

This pledge describes that all Financial material will be fairly presented and be truthful. Every higher-up that signs these financial statements is informed that if the financial statements are found to be manipulated, they will be subjected to criminal punishment.

These signatures ensure that if a senior corporate officer were to affiliate in any kind of fraud, they would willingly do it, knowing that it was illegal. 

NOTE

This directly works with section 906 of the SOX Act, where willingly signing a fraudulent document increases the maximum punishment for corporate officers. 

2. Increased Punishment

In response to the large outrage produced by the numerous scandals in the 2000s, criminal punishment for these crimes has increased. These punishments have been targeted toward corporate offices and higher-level employees. 

The maximum punishment for these officers is “Ten years for certifying while knowing that the periodic report does not comport with this Act, and (2) twenty years for willfully certifying a statement knowing it does not comport with this Act.” -U.S 107th Congress H.R.3763

NOTE

These punishments can be in terms of fines for employees or the company as a whole, prison time for those found guilty, or a combination of both.

When companies are found guilty, the SEC can sue companies that have been found to violate federal security laws. If the SEC wins, the company will be forced to pay penalties in terms of civil money. 

3. Regulation

Another part of the SOX Act requires that companies and auditors establish internal controls within their companies. Although the term is broad, the law sets a few requirements for these controls.

Section 404 specifically requires a company to have internal audit reports with yearly company reports.

NOTE

Section 404 also regulates departments within companies regarding electronic records. These regulations dictate which records need to be kept and how long. The exception is that they don't mention how they should be kept. 

4. Extra protections

They're also a lot of extra additional protections within the act. These protections help to ensure that no loopholes or companies try to bend the law to disregard these internal controls.

Section 802 of the ACT dictates that the SEC will promote regulations on the retention of documents. Additionally, the section establishes criminal punishments for violating these promotions. 

Lastly, another rule outlines the specific types of business records companies need to record.

These three regulations help deal with both time and the containment and storage of these files. If a company were to destroy any financial statements in the last few years, it could hinder the ability of the company and law enforcement to investigate fraud.

Summary 

In summary, internal controls are systems and practices companies use to ensure that financial statements are legitimate and that they can prevent fraud or detect it when it occurs.

These controls contain preventative measures as long as detective measures to either prevent fraud from happening in the first place and ensure that if fraud is detected, companies and investigators will have the necessary tools to track down anyone involved. 

These internal controls are crucial to the process of fraud prevention. They ensure that companies adhere to accounting laws and are truthful to their investors. 

The Sarbanes-Oxley Act of 2002 pioneered the most modern internal control regulations. The act came into effect after numerous scandals in the 2000s. These scandals provoked the SEC to enact new regulations and laws regarding accounting fraud.

NOTE

It's important to make sure that companies don't lie to make themselves look like a more profitable business. 

The Act made sure to include laws regarding the responsibilities of senior employees, increasing the punishment for accounting fraud, regulations for all accounting statements, and extra limitations on the duration, containment, and removal of financial statements. 

Every company must follow these laws.  Without such controls, companies would be free to lie on all financial statements about their profits and liabilities. 

Accounting Foundations Course

Everything You Need To Build Your Accounting Skills

To Help you Thrive in the Most Flexible Job in the World.

Learn More

Research and Written by William Hernandez-Han | LinkedIn

Reviewed and Edited by Arnav Singh | LinkedIn

Free Resources

To continue learning and advancing your career, check out these additional helpful WSO resources: