
AuditNet® Audit-library::Auditnet-internal-controls-primer

To those of us in the audit profession it seems intuitively obvious what internal controls are and the reason for having them. Unfortunately in many organizations internal auditors spend a great deal of time and effort explaining to others (including management) what constitutes internal controls, who is responsible for establishing controls and who evaluates those controls to determine if they are adequate and working as designed. This page should answer those questions and provide guidance on what can be done to communicate to management, boards and senior executives the concept of internal control.

What are Internal Controls?

In plain English, internal controls are like good old common sense practices. In your personal life, you exercise good internal control principles when you:

  • make travel plans 
  • store and lock up valuable personal belongings 
  • keep copies of your tax returns 
  • match credit card receipts to monthly statements 
  • save for a rainy day or retirement 
  • balance your checkbook 

More formally, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations 
  • Reliability of financial reporting 
  • Compliance with applicable laws and regulations 

Internal controls are tools that help managers be effective and efficient while avoiding serious problems such as overspending, operational failures, and violations of law. Internal controls are the structure, policies, and procedures put in place to provide reasonable assurance that management meets its objectives and fulfills its responsibilities. Management meets its responsibilities for internal controls when:

  • Programs and functions achieve their intended results (effective) 
  • Resource use is consistent with the agency mission (efficient) 
  • Laws and regulations are followed (compliance) 
  • Accurate and timely information is prepared (reliable reporting) 

Effective internal control begins with written goals and objectives including:

  • Operational objectives 
  • Financial reporting objectives 
  • Compliance objectives 

The principles of effective internal control should ensure that:

  • Internal controls benefit rather than encumber management. 
  • Internal controls make sense within each organization’s unique operating environment. 
  • Internal controls are not stand-alone practices. They are woven into day-to-day responsibilities of managers. 
  • Internal structures and controls are cost effective. 

After assessing risk, management should develop and implement internal controls to help provide reasonable assurance that policies are in place, which: 

  • Provide accountability 
  • Encourage sound management practices 
  • Encourage proper resource management 
  • Facilitate preparation for auditors 

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) model is recognized throughout the world as a significant standard for discussing internal control. In addition to identifying three categories of control objectives, the COSO report addresses five interrelated components of internal control: establishing an appropriate control environment, assessing risk, implementing control activities, communicating information, and monitoring. Everyone in the workplace has a role in making sure that internal controls are working. It is up to managers to set them up and check that they are working, but unless every employee is aware of his/her responsibilities in the process, the internal control system will not be completely functional.

What is Effective Internal Control?

Everyone in the workplace has a role in making sure that internal controls are working. It is up to managers to set them up and check that they are working, but unless all employees are aware of their responsibilities in the process, the internal control system will not function completely. Internal controls help to ensure that we are doing the right job in the right way to achieve effective, efficient operations in the workplace in compliance with laws and regulations. Here is a five-step process to follow when developing and implementing effective internal controls in an organization:

  • Step 1: Establish an Appropriate Control Environment 
  • Step 2: Assess Risk 
  • Step 3: Implement Control Activities 
  • Step 4: Communicate Information 
  • Step 5: Monitor 

Step 1: Establish an Appropriate Control Environment

The core of any organization is its people – their individual attributes, including integrity, ethical values and competence – and the environment in which they operate. They are the engine that drives the organization and the foundation on which everything rests. Effectively controlled organizations set a positive "tone at the top" and strive to:

  • Train staff to understand and use appropriate management controls in all areas. 
  • Provide structure and process for implementing these controls. 

Step 2: Assess Risk

Management must be aware of and deal with the risks the organization faces. It must set objectives, integrated with other activities so that the organization is operating in concert. Management must also establish mechanisms to identify, analyze and manage the related risks.

Identify Potential Problems

  • Review goals and objectives. 
  • Determine potential problem areas, for example: areas that receive complaints or have had problems in the past; areas that have undergone recent changes in staff or structure; complex activities. 
  • Determine severity of risks by asking both: Where do we face the greatest possible harm? What types of losses are most likely to occur? 
  • A moderate loss that is likely to occur presents as much danger as a more serious loss that is less likely to occur. 
  • Use this evaluation to prioritize your efforts. 

Identify and Analyze Cycles 

  • A cycle is a group of interrelated processes used to initiate and perform an activity. Event cycles can be programmatic or financial. Programs usually contain several event cycles. For example, a human services program might include the following five cycles: outreach, eligibility determination, record keeping, service delivery, and monitoring. 
  • The eligibility determination cycle might include interview, application form, verification, approval or denial, supervisory review, and initiate services or mail denial explanation. 
  • Determine cycles of likely problem areas. 
  • Prepare a written narrative or flow chart explaining how the cycle is supposed to be handled by describing each activity or transaction within the cycle. 
  • Describe in the narrative: Who is performing each step? What is involved in the step? Any resulting documentation, for example, reports. 
  • Review the information available in policy and procedure manuals. Also, use written materials such as organizational charts, job descriptions, reviews, checklists, department records, and reports. 
  • Supplement written sources through conversations with and observations of appropriate staff. 
  • Finally, "walk through" the process to be sure every item is understood. 

Step 3: Implement Control Activities

Control policies and procedures must be established and executed to help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the organization’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

  • Review each cycle to determine whether existing controls are sufficient to avoid potential problems. 
  • Identify any outside policies or procedures in place to offset potential risks. 
  • If controls do not exist or appear ineffective, establish new controls. 
  • Identify any controls that are excessive or unnecessary and modify or eliminate them. 
  • Remember that a good control environment is the first step toward establishing effective controls. 

Step 4: Communicate Information

Control activities are surrounded by information and communication systems. These systems enable the organization’s people to capture and exchange the information needed to conduct, manage and control its operations.

  • Obtain external and internal information, and provide management with necessary reports on the organization’s performance relative to established objectives. 
  • Provide information to the right people in sufficient detail and on time to enable them to carry out their responsibilities efficiently and effectively. 
  • Develop or revise information systems based on a strategic plan, linked to the organization’s overall strategy, and responsive to achieving the entity-wide and activity-level objectives. 
  • Demonstrate support for developing necessary information systems by committing adequate human and financial resources. 

Step 5: Monitor

The entire process must be monitored, and modifications made as necessary. This way, the system can react dynamically, changing as conditions warrant. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.

  • Schedule monitoring on a regular basis. 
  • Test controls at least annually to determine whether they continue to be adequate and are still functioning as intended. 
  • Use program monitors, auditors and reviewers as a resource in monitoring controls. 
  • Select a sample. Review all documentation. Visit outside sites, if appropriate. Supplement sample with special tests of sensitive items and problem areas. 
  • Always follow up to ensure that any identified problems are corrected. 

Steps to Effective Internal Control

The internal control process has five components:

  1. Internal Control Environment
  2. Risk Assessment
  3. Internal Control Activities
  4. Information and Communication
  5. Monitoring

Internal Control Environment

Internal controls are likely to function well if management believes that those controls are important and communicates that view to employees at all levels. If management views controls as unrelated to achieving its objectives, or even worse, as an obstacle, this attitude will also be communicated. Despite policies to the contrary, employees will then view internal controls as "red tape" to be "cut through" to get the job done. An effective internal control environment:

  • Sets the tone of an organization influencing the control consciousness of its people
  • Is an intangible factor that is the foundation for all other components of internal control, providing discipline and structure
  • Describes "organizational culture"
  • Includes a commitment to hire, train, and retain qualified staff 
  • Encompasses both technical competence and ethical commitment

Risk Assessment

A risk is anything that endangers the achievement of an objective. Always ask: What can go wrong? What assets do we need to protect? 

  • Risk assessment is the process used to identify, analyze, and manage the potential risks that could hinder or prevent an agency from achieving its objectives. 
  • Risk increases during a time of change, for example, turnover in personnel, rapid growth, or establishment of new services. 
  • Other potential high risk factors include complex programs or activities, cash receipts, direct third party beneficiaries, and prior problems. 

Internal Control Activities 

Organizations establish policies and procedures so that identified risks do not prevent the organization from reaching its objectives.

  • Clearly identified activities minimize risk and enhance effectiveness. 
  • Internal control activities are nothing more than the policies, procedures, and organizational structure of an entity. 
  • Controls can be either preventive, for example, requiring supervisory approval, or detective, for example, reconciling reports. 
  • Avoid excessive controls, which are as harmful as excessive risk and result in increased bureaucracy and reduced productivity. 

Information and Communication

To be useful, information must be reliable and it must be communicated to those who need it. For example, supervisors must communicate duties and responsibilities to the employees that report to them and employees must be able to alert management to potential problems. 

  • Information must be communicated both within the organization and to those outside, for example, vendors, recipients, and other constituents. 
  • Communication must be ongoing both within and between various levels and activities of the organization. 


Monitoring

After implementing internal controls, organizations must monitor their effectiveness periodically to ensure that controls continue to be adequate and continue to function properly. Management must also revisit previously identified problems to ensure that they are corrected.

Web Resources

Internal Control Institute