What Are Internal Controls?


An organization’s internal controls are the rules, policies, and procedures specifying how various functions are carried out, as well as measures designed to verify those procedures are being performed effectively.

What is the Purpose of Internal Controls?

Management is responsible for developing an appropriate system of internal controls, but every employee is responsible for following and applying those practices. They are established to help an organization achieve its objectives supported by strategic, financial, and operational initiatives. At a tactical level, internal controls help organizations and management prevent errors in routine functions, reduce fraud risk, and identify and correct any problems that may arise.

Internal Control Types

Internal controls typically fall into two broad categories: preventive and detective controls.

Preventive Controls

Preventive controls are designed to avoid errors or misclassifications. This includes the segregation of duties designed to reduce fraud risk. For example, one person reviews invoices while someone else sends payments.

Detective Controls

Detective controls are designed to identify an error or misclassification after it has occurred. Common measures include records reviews, account reconciliations, and physical inventories. One example is reconciling the general ledger to various accounts, such as reconciling cash to ensure the balance on the organization’s books matches its bank balance.

Beyond a compliance focus, organizations that support strong governance, internal controls, and risk management demonstrate stronger performance than their peers that ignore these important success factors.

Components of Internal Control

A strong system of internal control will depend on identifying, establishing, and maintaining controls based on certain key components. There are several established control frameworks to aid management. No specific framework is required, and management may utilize any of their choice.

Leveraging an established and commonly used control framework adds to the flexibility, reliability, and cost-effectiveness of management’s approach to the design and evaluation of internal controls. An example is the 2013 COSO Framework (Committee of Sponsoring Organizations of the Treadway Commission), which focuses on five components of internal control detailed below.

Control Environment

Often described as “tone at the top,” the control environment describes a set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

Risk Assessment

The risk assessment forms the basis for determining how risks will be managed. A risk is defined as the possibility that an event will occur and adversely affect the achievement of organizational objectives. Risk assessment requires management to consider the impact of possible changes in the internal and external environment and to potentially take action to manage the impact.

Control Activities

Control activities are actions (generally described in policies, procedures, and standards) that help management mitigate risks in order to ensure the achievement of objectives. These can include segregating duties, transaction review and approval, and routine account reconciliation.

Information and Communication

Information is obtained or generated by management from both internal and external sources in order to support internal control components. Communication based on internal and external sources is used to disseminate information throughout and outside of the organization, as needed to respond to and support meeting requirements and expectations. The internal communication of information throughout an organization also allows management to demonstrate to employees that control activities should be taken seriously.


Monitoring Activities

Monitoring activities are periodic or ongoing evaluations to verify that each of the five components of internal control, including the controls that affect the principles within each component, is present and functioning.

Internal Control Function

In addition to a strong control environment, an organization should have an internal audit function (either on a staff or outsourced basis) to verify the effectiveness of its internal controls. For example, internal auditors will help management assess the design of the controls as well as the organization’s risks, and update management and the audit committee on the performance of those controls. Internal auditors can also help the organization prepare for its external audit.

Vital internal audit functions include:

  • Inspection: Reviewing transactions, reports, and other key documents.
  • Observation: Watching staff members carry out duties to ensure procedures are being followed.
  • Confirmation: Verifying account balances and financial statements.

What Can Weaken or Undermine Controls?

No system of internal controls is perfect, and certain conditions may undermine internal controls, including:

  • Segregation of duties conflicts
    • a lack of separation of cash handling responsibilities related to physical custody, deposit, recording, and reconciling of cash
  • Control override capabilities
    • excessive access provisioned within significant applications, including an organization’s accounting system
  • Inherent limitations
    • the number of staff and/or staff knowledge and experience

Communication and monitoring must be consistent to ensure gaps in internal control do not occur. This is a task made more complex as an organization’s control environment is constantly evolving.

Internal Audit Help

Whether you’re looking to establish, enhance, or outsource your internal audit function, we provide ‘right-sized’ audit support to assist you. For more information about optimizing the value of your SOX investment, or to learn more about internal controls, contact our team.