In short, the term refers to the way a controller or accountant looks at an organization. An accountant sees business processes that hide potential risks, require control (for example, to prevent fraud or money laundering), or require a separation of functions and responsibilities. Such processes typically involve a lot of money.
An important step in these processes is to record and describe the internal control framework. This is not so easy, because these days, describing that framework involves much more than simply mapping the financial processes. ICT or HRM, and the processes involving those departments, now also play an important role within organizations. The internal control framework should be an accurate blueprint of your organization.
In addition to the internal control framework, there are two more elements to explain: the internal control system (ICS) and internal control and risk management (Internal Control). These terms are closely related and sometimes used interchangeably. Wronly used interchangably, because there is indeed a difference between simply controlling and managing and controlling.
Internal control is part of the arsenal of internal management measures. Thus, a well-designed internal control system doesn't just control processes, but also manages them, directing them where necessary. To explain this further, we use William Deming's PDCA cycle.
This Plan-Do-Check-Act cycle is the best known example of continuously improving the quality of your organization. To do that, you have to master processes. And if you control them, you can also improve processes. In contrast, those who only control processes (to see if a process meets the set requirements) only complete three-quarters of the cycle; namely, up to the 'Check' phase in the PDCA cycle. The process is checked, it meets the requirements (or not), and is reported to management.
Those who practice internal control do go through the full PDCA cycle. In that case, you actually start working with the improvement points the control process pointed out. You control processes by evaluating them and then optimizing them (if necessary). Of course, you document this well so that you and others in the organization know exactly what has changed in a process.
Internal control is often mentioned in the same breath as an internal control manual or an internal control and risk management manual. What exactly are these manuals? There is an essential difference between an internal control framework and an internal control handbook, about which there are many questions. The internal control framework is a description of the internal organization, seen through a financial lens. That, however, is not the same as an internal control manual.
An internal control manual is used by management (or, in larger organisations, by the planning & control department) to control processes. For example, internal control manuals describe how to assess processes, which control checklists to use in doing so, exactly how spot checks should be done, and how to report all these steps correctly.
Thus, an internal control manual is really nothing more than a guideline that provides support for controlling processes. So, an internal control framework and an internal control manual are really two very different things, although they are certainly related.
Wondering how to get started with internal control and risk management and aninternal control system – directly in WoodWing Scienta? Click the button below to make an appointment with one of our experts – they'll be happy to show and tell you more.