Any modern organization looking to navigate today’s risk environment successfully needs both strong internal controls and ongoing internal audits. There can, however, be confusion between these two terms.
This guide aims to eliminate that confusion by explaining the meaning and importance of internal controls and internal audits. It unpacks the differences between them and explores how they work together to help organizations manage risk, operate efficiently, and assure business continuity.
What Are Internal Controls?
COSO (Committee of Sponsoring Organizations) defines an “internal control” as a process that can provide reasonable assurance that an organization’s operations are efficient, its financial disclosures are reliable, and its regulatory compliance objectives are met.
Less formally, internal controls refer to the rules, policies, procedures, tools, and other mechanisms implemented by an organization to increase transparency, promote accountability, assure the integrity of financial and accounting information, and reduce the risk of fraud.
A system of internal controls is usually directed by senior management and the board of directors. The primary goal is to provide reasonable assurance around:
- Information integrity, accuracy, and timeliness
- Compliance with applicable laws and regulations
- Accurate internal procedures and policies
- Financial reporting reliability, accuracy, and timeliness
- Operational efficiency, productivity, and profitability
- Asset safeguarding and the prevention of asset misappropriation or manipulation
- Fraud prevention
Why Are Internal Controls Important?
Internal controls became more important in the wake of several high-profile accounting frauds in the late 1990s and early 2000s. Later scandals after the 2008 financial crisis also increased the importance of robust internal controls.
Laws and regulations like the Sarbanes-Oxley Act (SOX) require publicly traded companies to have a system of internal controls. Industry-specific regulations and compliance frameworks such as PCI-DSS and HIPAA also drive the need for robust and reliable internal controls.
When controls are built into the organization’s day-to-day operations and business processes, they can help prevent errors and irregularities. They empower employees to identify problems and take corrective action to fix these issues. Ultimately, well-implemented and maintained controls enable companies to achieve their established objectives and goals more efficiently.
Although internal controls can be expensive to implement and require effort to maintain, the alternative – a lack of controls – can cause a lot of problems:
- Poorly functioning processes
- Inefficient operations
- Low employee productivity
- Costly errors
Any of the above can result in financial losses, increase customer churn, cause compliance-related issues, harm the organization’s reputation, and even invite legal trouble.
Key Components of Internal Control
An internal control is a process to improve and maintain the quality of the organization’s operations or compliance posture. Internal controls processes are driven by tools and technologies and maintained with the help of policies, procedures, and manuals. Ultimately, however, the people using internal controls at every level of the company define its success.
The internal control process consists of five interconnected elements that determine the internal control system’s overall strength or weakness. Together, these elements provide reasonable assurance that controls enable the organization to meet its objectives.
These elements are:
The control environment influences the discipline, structure, and effectiveness of internal controls. It incorporates multiple elements, such as:
- Management philosophy
- Technical competence of employees
- Behavioral and ethical values
- Assignment of authority and responsibility
- How people are organized, managed, and developed
The control environment also sets the “tone from the top” that guides the rest of the enterprise.
Control activities are the various procedures, approvals, verifications, reviews, and authorizations implemented to carry out proper risk responses. Depending on the organization and its risk landscape, these activities can be very diverse. Examples of control activities include:
- Inventory counts
- Physical security
- Segregation of duties
- Enforcing purchasing limits
- Enforcing multiple authorizations for transactions above a certain amount
Ongoing risk assessment is a critical component of the controls ecosystem. As part of this analysis, organizations must consider the likely impact and probability of each risk to minimize any possible impact or damage.
Risk assessments provide a basis for risk management and mitigation. It’s essential to perform these assessments regularly to assure that the proper controls are in place to mitigate and manage existing and evolving risks.
Information and Communication
To verify adequate controls are in place and that they work as well as they should, it’s crucial to capture and share relevant information throughout the organization. This information could be in the form of emails, reports, dashboards, meetings, and surveys.
To maximize the effectiveness of internal controls, this information should be in a structure and form that people can understand. Communication should also be timely, accurate, clear, and flow seamlessly across every level of the organization.
All internal controls must be monitored regularly to evaluate their performance and efficacy over time. Monitoring helps identify and correct control gaps before they can harm the organization. Monitoring can be done via monthly or quarterly reviews of performance reports, metrics, and internal audit procedures.
Two Types of Internal Control Activities
In general, internal controls improve operating effectiveness, protect the organization from risk, and help minimize loss in case of an adverse event. Controls achieve these goals through preventive or detective methods.
Preventive controls aim to thwart risks and threats before they can happen. They allow organizations to find, assess, and fix potential problems before those problems even occur. They reduce the probability of errors, improve process accuracy, and prevent fraud.
Common examples of preventive controls include:
- Segregation of duties (or separation of duties)
- Pre-approvals and authorizations of financial transactions
- Verification of invoices, expense vouchers, and timesheets
- Access controls for information systems using passwords, two-factor authentication
- Employee cybersecurity training
- Physical security of premises, inventory, cash, and data centers
- Double-entry accounting
Detective controls are also critical since they are needed to find problems, irregularities, or errors after those issues occur. Detective controls also help prevent the recurrence of these errors, strengthen quality control, and boost the organization’s cybersecurity, compliance, and legal posture.
Some common detective controls are:
- Internal audits
- External audits
- Inventory, cash, and supplies counts
- Regular reconciliations of transactions
- Organizational performance reviews
- Exception reports
- Analytical reviews
- Trend analyses
- Financial statements and reports, like balance sheets
- Comparing actuals versus budgets
When detective controls identify a problem or risk, corrective controls are implemented to fix the problem. Two such controls are ledger verification and the adjustment of entries in the accounting system.
Internal controls can also be classified as:
- Hard controls: tangible controls including policies, procedures, segregation of duties, and so forth
- Soft controls: intangible controls such as organizational culture, tone at the top, and the company’s ethical climate
In addition, controls can be manual and performed by human controllers (such as security guards) or happen automatically (such as software bots). Finally, some controls are required to operate at a predetermined level to reduce the risk to an acceptable level. In contrast, others may be “secondary” – that is, not essential, but still desirable to help a process run smoothly and efficiently.
What Are Internal Audits?
An internal audit is an objective and unbiased evaluation of the organization’s internal controls, accounting processes, and corporate governance systems to measure their effectiveness.
As part of an audit, internal auditors will test the organization’s processes and internal controls, and then provide opinions about the controls’ quality, performance, and effectiveness. In addition, the auditor will report findings and recommendations to develop action plans to fix any gaps.
To be truly effective at improving the controls environment, the audit of internal controls must be:
- Unbiased and objective
- Regular and ongoing
- Focused on improvement rather than on assigning blame
Why Are Internal Audits Important?
Internal audits are critical because they:
- Guide the evaluation and assessment of internal controls
- Reveal problems in the controls environment, activities, and monitoring structure
- Allow the organization to correct any lapses before they are discovered in an external audit
Through an internal audit, management can understand if the company’s financial information and accounting records are accurate and authentic. They can also assess whether the organization is meeting its compliance objectives, if any gaps in operations exist, and if there are any costly liabilities.
Internal audits can also reveal whether employees are engaging in potentially fraudulent or unethical behaviors. Internal audits play a vital role in a company’s corporate governance ecosystem.
How Do Companies Use Both Internal Controls and Internal Audits?
Why Both Controls and Audits are Required
A lack of internal controls can be a severe problem for organizations that fall under laws and regulations such as SOX and HIPAA (Health Insurance Portability and Accountability Act). Without effective internal controls, the company is more susceptible to risk and fraud. Top management may even face criminal penalties for failing to establish these controls.
While internal controls are essential, they can only provide reasonable assurance about their effectiveness – which can be limited by human judgment, error, or even greed. Sometimes these controls can be circumvented through collusion.
Personnel may also override internal controls. They might do this for valid reasons to improve operational efficiency in cases where internal controls are poorly designed. Employees might also override internal controls for malicious purposes, such as to perpetrate a ghost employee scheme or to give an external party access to sensitive IT systems or data.
To keep internal controls strong, therefore, organizations also need internal audits to:
- Evaluate existing controls
- Ensure that they work as intended
- Assess the internal governance process and system
Internal Audits Versus Internal Controls
An internal audit is performed at specific times for self-assessment. The implementation of internal controls, meanwhile, is an ongoing activity. The internal audit function should be strategically developed to provide reasonable assurance about the effectiveness and functionality of the company’s internal controls.
Internal audits should help the organization understand its risk environment and assess whether its current internal controls are effective at mitigating these risks. The audit should also be action-oriented to help improve control activities.
The Relationship Between Internal Audits and Internal Controls
The Three Lines of Defense Model developed by the Institute of Internal Auditors shows the relationship between internal controls and internal audits.
According to this model, internal controls are part of the first line of defense – that is, the operating business units. For most companies, controls are part of day-to-day operational management and administration. Operations managers are accountable to senior managers and the board of directors for achieving the department’s goals.
The second line of defense consists of elements such as compliance, risk management, financial control, security, and quality. These groups anticipate and monitor risks, providing guidance to the first line.
The audit committee and internal auditors are the third line of defense. The internal audit team assesses the effectiveness of the first and second lines. The function may report directly to the board, senior management, and the audit committee.
Manage Internal Controls and Audits with ZenGRC
The right software can help you manage and streamline your internal controls and internal audits. A platform such as ZenGRC can bring greater consistency, reliability, and transparency into your controls ecosystem and audits program.
Take advantage of its single-pane-of-glass view, pre-loaded content library, benchmark reports, risk heat maps, and built-in integrations to improve risk assessment and boost cybersecurity.
With its advanced visibility, integrated experiences, and complete views of control environments, you can improve operational performance, maintain the integrity and reliability of financial reporting, and prevent fraud.
Ask the Reciprocity team for a hands-on demo of ZenGRC. Schedule a demo today.