Internal Control Policy

By Andy Clark
SOCLogoCPAs
Internal control is key within any organization. The controls set in place aid the organization in being able to produce reliable financial information and reporting. Internal controls are meant to be safeguards to detect and deter errors and fraud. Organizations often have good internal control structures for their main office or business site but lack controls in remote office sites. It is important that the same system of internal controls are in place system-wide or, at a minimum, controls are in place at each location to achieve the organization’s objectives. Additionally, some organizations outsource financial functions and therefore are reliant on that service organization’s internal controls. For those organizations that outsource functions, it is important to obtain a service organization control report (commonly referred to SOC 1, SOC 2, or SOC 3 reports) from the service organization. This report will provide management with the necessary information about the service organization’s controls to assess the risk associated with the outside service. These reports are to be utilized in addition to the user’s controls in order for the internal controls to function appropriately. Common functions to be outsourced are payroll, collections and billing.

For state and local governments, there are new TCA requirements that require those entities and other governmental entities in the State of Tennessee to adopt a written internal control policy by June 30, 2016. The basic premise is that there should be a written internal control policy in place that addresses the five components of internal control: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The State of Tennessee Comptroller’s office has released an internal control manual to aid state and local governments in writing their internal control policy.

Please visit the Internal Control Manual here.

Scroll to Top