What Are Internal Controls and Why Should Investors Care?
Good companies have robust procedures to protect themselves and investors.
Financial markets and the health of our broader economy can only be trusted if we believe that organizations are operating honestly and with integrity.
Internal controls are procedures, policies, and mechanisms that a company puts in place to ensure it is following the law and all relevant regulations, specifically with regard to financial accounting. More broadly, internal controls can refer to all procedures a company uses to ensure that it is operating effectively and efficiently and protecting itself against risk.
Internal Controls and Accounting
Worldwide, most public companies follow a system of internal controls outlined in a framework from the Committee of Sponsoring Organizations of the Treadway Commission. This framework has five major components that span all aspects of an organization’s operations. They include:
Control Environment – This covers the broader culture of a company, including its commitment to integrity and ethical values, guidelines for board oversight and independence, and accountability.
Risk Assessment- This refers to the company’s ability to identify and respond appropriately to risks and be aware of the potential for fraud.
Information and Communications- This relates to the company’s ability to use relevant, quality information and communicate it clearly.
Control Activities- This relates to the company’s ability to control how employees behave through policies that will reduce risk for the business. This also relates to control over technology.
Monitoring- The company will perform ongoing evaluations to determine of procedures and processes are being followed.
In addition to these broader principals, there are specific internal controls that relate to financial accounting. These can include:
- Standardizing documents – Companies must ensure invoices, internal department financial records, and other statements look the same and follow a consistent format. Without this, key documents could be missed or there could be other confusion.
- Controlling access - Who has the ability to update financial spreadsheets? Who has the passwords to databases and computer systems? Well-run companies restrict such access to a limited number of people and track who has been logging in and out of systems.
- Reconciliation – Think of it like balancing your checkbook. Even large companies need to make sure balances match up and find out if there are discrepancies or errors.
- Approval authority – Money isn’t spent and financial decisions aren’t made without specific people signing off. This goes for the approval of an IPO to a reimbursement for a client lunch.
- Audits – All financial data is checked by an internal team and then an independent external team of skilled accountants.
Many internal controls are actually required by certain regulations and laws. The Sarbanes-Oxley Act of 2002, for example, has rules regarding how company managers report internal controls over reporting and certifying financial information. The law says that executives can’t report that a company has been following good internal control procedures if it hasn’t.
Internal controls are vital to ensure a company isn’t running afoul of financial laws and regulations, and they can also prevent an organization from being victimized by fraud or theft from within. But they can also help a company’s bottom line by improving operational efficiency.
For example, a company can institute an internal control to ensure it’s not spending more than necessary on materials, or labor. Or it can have an internal control to reduce energy consumption at its office and warehouse facilities.
Internal Controls vs. More Regulation
Laws governing how businesses operate are necessary, but most executives will argue for a light regulatory burden. The tradeoff to fewer regulations, however, is that companies must be disciplined in their own management to ensure public trust. Government officials have at times pushed for more regulations—particularly after scandals and crises impacting the public-- but have generally supported the idea of self-regulation.
“Self-discipline is always more welcome than discipline imposed from above,” former Securities and Exchange Chairman (and eventual Supreme Court justice) William O. Douglas once said.
After the collapse of the technology sector in the late 1990s, the Securities and Exchange Commission urged companies and the investment community to take a harder look at their internal controls.
“Vigilant self-discipline can and will increase the competitiveness and further the business interests of competing firms in today's world,” said Lori Richard, SEC’s compliance director, in November of 2000. “I believe that the investing public will migrate to those firms that inspire trust and confidence. And the best way to inspire trust and confidence is by ensuring strong and steadfast internal controls.”
The Relevance for Investors
When investors consider purchasing shares in a company, they examine many factors, and financial performance is chief among them.
A company with poor internal controls may report incorrect or flatly false information on their financial reports. This could lead to a restatement of earnings, and possibly place executives and other employees in legal jeopardy. This can crush investor confidence and a company’s stock price.
With public companies, most financial information is audited by an external accounting firm, but those firms still rely on the integrity and good work of those within the company to ensure reports are accurate.
If a company appears to have poor internal controls in one area, investors are right to question whether proper controls are in place elsewhere. For example, if a firm has made accounting errors, is it also sloppy with regard to operational efficiency, protecting customer data, or quality control of its products? A company that takes its internal controls seriously will avoid problems and deservedly earn the confidence of investors.