Policies, procedures, and other best practices are all essential to the smooth functioning of any organization. They help set the right expectations at every level, guide employees to distinguish good from bad conduct, and bring consistency and predictability to daily operations.
They also protect the firm’s business-critical assets and allow the company to comply with laws, regulations, and internal rules. Ultimately, they empower the enterprise to meet its objectives and deliver value to stakeholders.
All three are types of internal controls. Different organizations use different types of controls, depending on their business needs, risk environment, or stakeholder demands – but overall, any system of internal control that wants to be effective consists of five interconnected key elements. Read on to learn more about these elements.
What Is an Internal Control?
COSO (the Committee of Sponsoring Organizations) defines internal controls as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.”
Also known as internal safeguards, internal controls can be processes, procedures, tasks or activities, rules, policies, and even automated tools. Controls could also include any of the following:
- Physical security
- Access controls
- Internal or independent audits
- Transaction authorizations, verifications, and reconciliations
- Management reviews
- Segregation of duties
- Employee training
Internal controls are essential for any organization because of what they do:
- Improve the effectiveness and efficiency of company operations
- Assure the reliability of financial disclosures
- Help to maintain the integrity of financial statements and accounting records
- Allow the firm to meet regulatory compliance objectives
A robust internal control system also increases transparency and accountability throughout the enterprise. It promotes ethical behaviors. It assures consistent actions and output, which can improve employee productivity and quality, and enable the firm to meet its stated goals.
Well-designed, consistently implemented controls also prevent undesirable situations such as cyber breaches, fraud, errors, and other irregularities; that protects your company’s assets, reputation, and brand value.
On the other hand, poorly designed or missing controls can cause all sorts of problems, including:
- Financial information misreporting
- Inefficient, error-prone processes
- Poor output quality
- Customer complaints
- Unethical or illegal behaviors such as fraud
- Costly fines
- Legal damages
Types of Internal Controls
Regardless of your organization’s structure, size, or industry, you should have an internal control system that includes three types of internal controls:
Detective controls help to find and investigate a problem that has already occurred. For example, if the company has recently experienced a data breach, these controls will help you find the cause and implement an appropriate response strategy.
The right detective controls show whether preventive controls (more on those in a moment) are operating properly or if there are control gaps that resulted in the unwanted event. Detective controls also help to improve process quality and prevent errors that may result in financial, legal, regulatory, or reputational damage.
Some common detective controls are:
- Monthly transaction reconciliations
- Performance reviews
- Physical inventories
- Cash counts
- External and internal audits
- Surveillance systems
- Intrusion Detection Systems (IDS)
Preventive controls, as the name implies, aim to prevent issues or errors from occurring in the first place. These issues include accounting errors, material misstatements, fraud, cyber attacks, financial manipulations, and so forth
Many organizations implement these preventive controls:
- Segregation of duties
- System access controls
- Financial authorizations
- IT access controls
- Physical security controls
- Firewalls and Intrusion Prevention Systems (IPS)
- Data backups
- Employee training and drug testing
Corrective controls come into play after an issue has already occurred and needs to be fixed. They play a vital role in the internal control system because they resolve the issue that may result in (or has already resulted in) fraud, data breaches, financial losses, or reputational damage. These controls also provide a measure of relief that the issue has been fixed and won’t recur in future.
Corrective controls include:
- Software patches
- Device upgrades
- Quarantine of infected devices
- Updated policies
- Ledger verifications
- Disciplinary action
- Business continuity planning and incident response planning
Altogether, detective, preventive, and corrective controls allow organizations to identify risks, detect threats, and respond appropriately to prevent damage to their systems, people, customers, or data.
The Five Components of an Internal Control System
In 2013, COSO released its revised Internal Control – Integrated Framework (first released in 1992). The updated framework helps organizations to design internal controls, implement audit procedures to assess and improve these controls, and mitigate risks to acceptable levels.
The framework consists of five components that together create an effective and integrated enterprise controls system.
The control environment is how senior management tries to inculcate a strong sense of ethics and high performance across the whole enterprise. It includes all the standards, processes, policies, and rules that enable an organization to implement and improve its internal controls. The control environment provides a foundation so the company’s other, more specific controls can:
- Support its strategic objectives
- Assure reliable financial reporting to stakeholders
- Improve business efficiency and effectiveness
- Facilitate compliance with all applicable laws and regulations
- Safeguard assets from the effects of careless errors or malicious activities
An effective control environment includes these seven important factors:
- Integrity and ethical values
- Commitment to competence
- Audit committee or board of directors
- Management philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies
These factors demonstrate the organization’s commitment to responsible and ethical operations. A strong tone from the top is crucial to build a strong control environment. Senior managers must reiterate the importance of internal controls and establish the expected standards of conduct throughout the organization. Only then can the environment help to:
- Align business processes with applicable laws, regulations, and industry-standard practices
- Attract and retain competent staff
- Increase accountability throughout the organization in pursuit of objectives
Risk assessment is the basis for risk management. For effective risk assessment, management must identify possible changes in the internal and external environment that may impede the organization’s ability to achieve its goals. Managers must also:
- Act in a timely manner to manage the effect of these changes
- Consider risk tolerance when assessing acceptable risk levels
- Consider risk severity after considering its velocity, persistence, impact, and likelihood
The COSO internal control framework suggests that risk assessment should be a “dynamic and iterative process” – meaning, risk assessments should happen at regular intervals. The risk assessment should also include sub-processes for risk identification, risk analysis, and risk response.
Control activities are the specific actions that allow the enterprise to mitigate risk and achieve its objectives. These actions are usually described in standards, policies, and control procedures, and are communicated to all stakeholders.
Control activities can be preventive, detective, or corrective. They are performed at all levels of the business and at various stages of business processes.
Information and Communication
Information is an important element in an internal control system because it supports the other components and allows the organization to achieve its objectives. Effective, clear, and honest communication is required to assure that the necessary information is available whenever required to manage and optimize the internal control system.
Communication then disseminates the information, so the relevant stakeholders can carry out daily internal control activities. For example, if an audit identifies a major flaw in cybersecurity, the audit findings should then be communicated to the IT department, the CISO, and perhaps even the board or legal team. Those executives will then (ideally) understand their responsibilities for assuring that the findings are addressed and internal controls work as expected.
Internal or external auditors must regularly monitor the internal control system to verify that it is functioning properly. They should also evaluate the findings and communicate internal control deficiencies to top management and the board.
Per COSO’s framework, ongoing evaluations should be built into routine operations and performed in real-time. Regular spot checks instead of an annual “big bang evaluation” can help to identify and fix control gaps quickly, before the company suffers significant harm.
What Makes an Internal Control System Effective
An effective internal control system incorporates all five elements working together. Its control activities are designed using a risk-based approach to address and mitigate significant risks. Stakeholders communicate relevant information regarding risks with each other through established channels.
Leadership provides direction and demonstrates its commitment to internal controls and risk management. They also share the organization’s values regarding ethical behaviors and about “toeing the line.” Equally important, leaders promote a culture where transparency, honesty, and accountability are valued.
In such organizations, risk assessments are performed regularly. The controls system itself is monitored continuously and reviewed periodically. Any problems that are discovered are addressed quickly.
Make ZenGRC Part of Your Internal Control System
Feeling overwhelmed about implementing internal controls in your organization? Need a unified foundation for all your compliance needs?
ZenGRC can help!
ZenGRC is an integrated platform for all your risk, compliance, audit, governance, and policy management applications. With ZenGRC, you get complete views of your control environment so you can easily manage both risk and compliance throughout the enterprise.
ZenGRC will reveal risk across your business so you can act quickly to prevent adverse circumstances. It will also enable you to evaluate your risk program and continually monitor compliance and compliance violations.
Schedule a demo to know more about ZenGRC’s rich suite of features for your system of internal controls.