What Are Internal Controls?

An organization’s internal controls are the rules, policies, and procedures specifying how various functions are carried out, as well as measures designed to verify those procedures are being performed effectively.

Management is responsible for developing an appropriate system of internal controls, but every employee is responsible for following and applying those practices. They are established to help an organization achieve its objectives supported by strategic, financial, and operational initiatives. At a tactical level, internal controls help organizations and management prevent errors in routine functions, reduce fraud risk, and identify and correct any problems that may arise.

Internal controls typically fall into two broad categories, which include preventive and detective controls.

Preventive controls are designed to avoid errors or misclassifications. This includes the segregation of duties designed to reduce fraud risk. For example, having someone reviewing invoices and someone else sending payments.

Detective controls are designed to identify an error or misclassification after it has occurred. Common measures include records reviews, account reconciliations, and physical inventories. One example is reconciling the general ledger to various accounts, such as reconciling cash to ensure the balance on the organization’s books matches its bank balance.

Beyond a compliance focus, organizations that support strong governance, internal controls, and risk management demonstrate stronger performance than their peers that ignore these important success factors.

A strong system of internal control will depend on identifying, establishing, and maintaining controls based on certain key components. There are several established control frameworks to aid management. No specific framework is required, and management may utilize any of their choice.

Leveraging from an established and commonly used control framework adds to the flexibility, reliability, and cost-effectiveness of management’s approach to the design and evaluation of internal controls. An example is the 2013 COSO Framework (Committee of Sponsoring Organizations of the Treadway Commission), which focuses on five components of internal control detailed below.

Often described as “tone at the top,” the control environment describes a set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

The risk assessment forms the basis for determining how risks will be managed. A risk is defined as the possibility that an event will occur and adversely affect the achievement of organizational objectives. Risk assessment requires management to consider the impact of possible changes in the internal and external environment and to potentially take action to manage the impact.

Control activities are actions (generally described in policies, procedures, and standards) that help management mitigate risks in order to ensure the achievement of objectives. These can include segregating duties, transaction review and approval, and routine account reconciliation.

Information is obtained or generated by management from both internal and external sources in order to support internal control components. Communication based on internal and external sources is used to disseminate information throughout and outside of the organization, as needed to respond to and support meeting requirements and expectations. The internal communication of information throughout an organization also allows management to demonstrate to employees that control activities should be taken seriously.

Monitoring activities are periodic or ongoing evaluations to verify that each of the five components of internal control, including the controls that affect the principles within each component, are present and functioning.

In addition to a strong control environment, an organization should have an internal audit function (either on a staff or outsourced basis) to verify the effectiveness of its internal controls. For example, internal auditors will help management assess the design of the controls as well as the organization’s risks, and update management and the audit committee on the performance of those controls. Internal auditors can also help the organization prepare for its external audit.

Vital internal audit functions include:

No system of internal controls is perfect. However, there are conditions that may undermine internal controls, which include:

Communication and monitoring must be consistent to ensure gaps in internal control do not occur. This is a task made more complex as an organization’s control environment is constantly evolving.

Whether you’re looking to establish, enhance, or outsource your internal audit function, we provide ‘right-sized’ audit support to assist you. For more information about optimizing the value of your SOX investment or want to learn more about internal controls, contact our team.