Armanino Blog
Article

Developing an Internal Control Manual

by Ronald Steinkamp
June 26, 2023

Internal controls are a set of standards, processes and procedures that help government entities and other organizations achieve their objectives. Clearly defined and consistently enforced internal controls are critical to reduce organizational financial, operational and regulatory risk. Developing an internal control manual is an important element in your overall risk reduction strategy, as this valuable tool sets expectations and provides clarity to guide team members across the organization.

Why Your Organization Needs an Internal Control Manual

Depending on its functions and threat environment, your business, nonprofit or government entity may need multiple levels of internal controls that apply to different roles and areas within the organization. But whether it’s a vast state agency or a small private business, an internal control manual helps you achieve your objectives and responsibly manage resources by:

  • Identifying performance goals
  • Establishing processes and procedures
  • Allowing efficient operations
  • Facilitating regulatory compliance
  • Tracking financial activity
  • Enabling accurate financial reporting
  • Preventing fraud
  • Monitoring the results of processes and activities
  • Ensuring appropriate oversight of public funds
  • Documenting events and activities
  • Minimizing physical and data-related security risks

Organizations often experience problems when internal controls are absent. For example, consider a city parks and recreation department where the director is responsible for collecting recreational league fees and depositing them into the city’s general bank account. Without additional oversight, the director could divert some of the collected fees for personal use — and continue stealing these funds year after year.

Even when internal controls are established and documented, problems can arise if organizations don’t pay adequate attention to their controls. In addition to theft and fraud, lax oversight allows negative consequences — such as missing out financially by failing to draw down federal grant funds owed in a timely manner simply because an employee is unaware of the relevant controls.

Both of these scenarios describe actual instances that Armanino advisors uncovered while performing internal audit services, and similar situations happen quite frequently at all levels of government, nonprofits and business. As cautionary tales, they illustrate the importance not only of maintaining a strong and current internal control manual, but also of consistently enforcing the policies it sets forth and communicating them to all team members.

6 Steps for Developing an Internal Control Manual

There are six broad steps to follow in order when creating an internal control manual (or updating an existing manual): Plan, review, evaluate, design, document and educate.

Developing an Internal Control Manual

To complete these steps, you’ll need to perform multiple tasks, methodically and comprehensively addressing considerations related to people, processes and technology. The table below can help you think through different aspects and tasks that may be required at each step.

STEPS KEYS
PLAN
  • Gain support from leadership (board, council, etc.)
  • Establish clear objectives and timelines for completion
  • Select a project team and leader
  • Determine the format of the manual
  • Identify processes to include in the manual
  • Identify process owners
  • Meet with process owners to notify them of the project and gain their support
  • Assign team responsibilities
  • Schedule team check points
REVIEW
  • Review currently documented policies and procedures
  • Walk through "as is" process with the process owner
  • Document the "as is" process
  • Validate the "as is" process documentation with the process owner
EVALUATE
  • Identify existing internal controls in the "as is" process
  • Determine the adequacy and effectiveness of the existing controls
  • Identify control gaps and poorly designed controls
  • Review evaluation results with the process owner and seek input on the design or redesign of the process and related internal controls
DESIGN
  • Redesign the process with adequate and effective internal controls
  • Walk through the redesign process with the process owner
  • Update or revise process design as needed
DOCUMENT
  • Formally document the process and related internal controls
  • Compile a written internal control manual detailing all processes and controls, specifying any exceptions
EDUCATE
  • Roll out the manual and train all affected employees
  • Provide appropriate Internal Control Manual training for new hires based on their role in the organization
  • Provide periodic refresher training and remediation training as needed

Components of an Effective Internal Control Manual

Once you’ve gathered all the relevant information, it’s time to put together your internal control manual. Carefully consider the structure and try to organize your manual for efficient use. Team members should be able to easily find and understand complete information about expectations related to the tasks for which they are responsible, including documentation requirements and any exceptions to the established processes and controls.

The content and length of your internal control manual will reflect the specific needs and functions of your individual organization. Your manual should include the following sections at a minimum, but based on your users (and governmental responsibilities, if applicable) you may choose to add additional components.

  • Introduction – The introduction should include the purpose, scope and authority of the manual. It should provide a discussion of how to use the manual, as well as whom to contact with questions related to the manual and internal controls.
  • Internal control basics – This section should provide a definition of internal control and emphasize the importance of internal controls in the organization. It also should explain leadership’s responsibility for internal controls.
  • Fraud awareness – This section should define fraud and its characteristics. It should clearly delineate each team member’s responsibility for fraud reporting, as well as providing detailed instructions for reporting fraud appropriately.
  • Control activities – This section is the heart of the manual and should identify procedures and critical internal controls within key processes such as:

Information Systems and Security

A thoughtfully developed and consistently implemented internal control manual alone cannot prevent every problem or eliminate all risk. Properly used, however, it can assist the organization in preventing, identifying and controlling many potential problems. It can also signal an opportunity for process or control improvements, such as when users face difficulty in complying with specified controls or information in the manual does not match current procedures.

The rapid shift toward digitalization has brought new challenges to the forefront. Many organizations face excessive risk from outdated manuals — and internal controls — that do not capture the technologies and tools quickly replacing older methods of performing or documenting business and governmental functions.

It’s important to include information technology experts, both internal and external, as you design or update your internal control manual. Work closely with these professionals to identify and implement solutions for reducing cybersecurity risk and ensuring data security, which may necessitate significant overhauls to existing processes and controls.


Do Outdated Internal Controls Put You at Risk?

Your internal controls manual is a critical part of safeguarding your organization. But new threats, common mistakes and omissions can render it toothless or impossible to implement fully, leaving the door open to threats. Get the guidance you need to create a strong tool for mitigating your risks. Reach out to our Internal Control consultants today to develop an effective internal controls manual and environment that protect your organization.

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Resources
Related News & Insights
Fireside Chat: Access to Top-Tier Talent Through Outsourcing
Webinar
The Crucial Role of Internal Communications in Driving Engagement

April 30, 2024 | 10:00 AM - 11:00 AM PT
5 Signs Your Business Has Outgrown its Legacy Accounting System
Webinar
Don't Let Your Legacy System Limit Your Potential

April 24, 2024 | 10:00 AM - 10:45 AM PT
Transform Your Healthcare Operations With Technology & AI
Webinar
Learn How to Maximize Operational Efficiency

April 17, 2024 | 10:00 AM - 11:00 AM PT