Monitoring Internal Controls

One of the most important steps public entities can take to prevent fraud is to monitor their internal controls on a regular basis. Monitoring allows entities to determine (a) if the controls are being followed, and (b) if the controls are still effective. An entity may adopt a control, but that control will not be effective if employees or management consistently ignore or circumvent the control. Additionally, changes in an entity or the environment in which the entity functions may reduce the effectiveness of internal controls. Those changes could stem from budget reductions, which could result in organizational restructuring or in a modification in the services provided by the entity. Changes could also stem from technology changes, such as updated information systems. A best practice is to establish a schedule on which each internal control will be reviewed and tested to see if it is functioning as intended and still effective. Annually is a common cycle for such reviews; entity's that do not have the capacity to review all controls annually may wish to stagger review cycles over multiple years. When inadequacies in an existing control are detected, either through a scheduled review or through day-to-day work, the entity should act promptly to correct the problem, either through a revised control (if needed) or through action to ensure that the existing control is being applied as intended.

Maintaining sound internal controls is an ongoing process, which is vital to protecting public assets.

Date this Avoiding Pitfall was most recently published: 7/29/2022