Internal Controls: Definition & Auditing Guidance

Published/Updated February 23, 2021

Section 1: Introduction

Interested in learning more about internal controls and how to implement them within your organization? You’ve come to the right place.

In this in-depth guide, we will provide an understanding of internal controls, their procedures, and how auditors assess them. Furthermore, we’ll explain how automation can help managers implement a strong internal control framework within their organization.

Let’s get started.

What is an internal control?

Internal controls are the protocols, procedures, and activities that protect organizations from financial, strategic, and reputational risk.

What industries need internal controls?

Any industry with an information technology environment needs internal controls to protect the business and assure regulatory compliance. Some examples include the financial sector, healthcare, nonprofits, manufacturing, and retail. 

Why are internal controls important?

Internal controls are important because they help the organization to meet various obligations in operations, reporting, and regulatory compliance. Those obligations might come, for example, from regulators imposing standards for financial reporting or data protection. They could also come from the organization’s own board of directors as the board specifies operational objectives or reporting demands the board wants employees to achieve. 

Internal controls also help to prevent employees from stealing assets or committing fraud; and improve overall operational efficiency and accuracy of financial reporting.

What are the costs associated with internal controls?

Some of the costs associated with implementing internal controls include hiring additional staff to enable appropriate segregation of duties, as well as implementing manual controls such as verifying transactions, authorizing payments, and reconciling accounts.

Hiring additional employees can be costly, and implementing manual checks and balances can be tedious and decrease efficiency. Alternatively, an organization can use automation to build information security into its operational procedures and save on the cost of hiring additional employees. 

We’ll discuss more on that later.

Section 2: What Are Internal Controls?

What are the types of internal controls?

There are three main types of internal controls: detective, preventive, and corrective. 

  • Detective internal controls are activated after an adverse event occurs, to investigate the incident and try to determine how and why the event occurred. Example: a review of user access logs after a data breach. 
  • Preventive internal controls are implemented before any specific adverse event happens, to prevent such events from happening in the first place. Example: using multi-factor authentication to restrict access to confidential data.
  • Corrective internal controls are implemented after detective controls have been completed, to rectify the problem and (ideally) prevent it from happening again. Example: implementing a new policy for prompt destruction of unnecessary data, to prevent attackers from stealing it.

What is the purpose of internal controls?

Internal controls exist to protect your business from the risks that can occur within an IT environment and compromise security. There are a few main objectives of internal controls. They can be summarized as follows:

  • Assure reliability in an organization’s financial reporting
  • Protect assets and safeguard against their theft 
  • Achieve compliance with laws and regulations
  • Achieve greater effectiveness and efficiency in business operations

What is the COSO internal control framework?

The COSO framework for internal control is a flexible framework for designing, implementing, and evaluating internal controls. 

The COSO framework was first developed in 1992 by the Committee of Sponsoring Organizations (COSO), and underwent a significant overhaul in 2013. The current version of the framework has five primary components designed to support organizations working in a modern, complex global environment. 

What are the elements of internal control?

The five components of internal control in the COSO framework are:

  • Control Environment is the foundation of an organization’s internal control system. It sets the tone for what the organization expects of its internal controls and how important they are within the company culture at large.
  • Risk Assessment includes the measures taken to identify and prevent risk, both internally and externally; as well as the strategies to mitigate those risks. 
  • Control Activities are the policies, procedures, and mechanisms that make up the organization’s risk management strategy.
  • Information and Communication encompasses the internally generated reports that deliver information to both auditors and stakeholders during the monitoring phase, and that inform the strategy behind the creation of control activities. 
  • Monitoring assures that proper control activities are being implemented and used during day-to-day operations. Monitoring should be ongoing and regularly reviewed by the board of directors so that improvements can be made, as needed, to control activities.  

Worry-free internal controls are the Zen way! For a free consultation and demo of ZenGRC, contact us today.

What’s the relationship between internal controls, ERM, and a company’s business model? 

The COSO Enterprise Risk Management Integrated Framework is another widely accepted framework, this one to develop effective risk management programs for organizations working in an increasingly volatile and unpredictable landscape.

The COSO internal controls framework and the ERM framework are separate but related documents. Organizations can (and should) use both as tools to guide and implement their business strategy. Taken together, the frameworks support strong corporate governance and administration, which ultimately enhances the organization’s ability to achieve its objectives and generate long-term value for stakeholders. 

What are the types of risks in internal controls?

Businesses need to consider inherent risk, control risk and residual risk when implementing internal controls. 

Inherent risk is the risk of a material misstatement or omission in a company’s financial reporting due to a cause outside of financial controls. For example, estimating the value of some exotic financial instrument during an acquisition is inherently risky, because it relies on the judgment of executives and auditors. 

Control risk is the risk of material misstatement or omission because there wasn’t a relevant internal control in place to protect against the risk, or the internal control did exist but failed to work. For example, if company policy is that two executives must sign checks above $25,000, there is a control risk that accounting employees might not notice a check for $30,000 with only one signature and process that payment anyway.

Residual risk is the amount of risk that still exists after the organization implements its internal controls, and which executives are willing to accept. For example, if the company processes only one payment above $25,000 every year, the residual risk of accounting employees overlooking a missing second signature may be acceptable; if the company processes $30,000 payments every day, perhaps not. 

Simply implementing a system of internal controls and fraud prevention is not sufficient to protect against risk. Every business transaction an organization executes has a level of risk (low, medium, or high) that must be assessed and mitigated through internal controls.

What happens if the controls are weak?

As noted above, internal control weaknesses can arise when systems are implemented that don’t adequately address all of the risks associated with a business’s transactions.

Malicious actors can exploit internal control weaknesses to evade even what might appear to be strong security tactics. With so much complexity and innovation in modern business, internal controls need constant monitoring and improvement to neutralize existing or emerging threats.

What is a good framework for internal controls?

COSO is the most widely used framework for internal controls, but others do exist. For example, some organizations might decide to use the ISO 31000 standard, or the COBIT framework (which focuses more on IT controls).

Section 3: Sarbanes-Oxley Act of 2002: How it Changed Internal Controls

The Sarbanes-Oxley Act (SOX), also known as the Corporate Responsibility Act, was enacted by the U.S. Congress in 2002 in response to a series of large corporate frauds that had struck the U.S. capital markets. It mandated extensive reforms to existing securities law and imposed much harsher penalties on executives and businesses that committed accounting fraud against investors. 

How does SOX affect internal controls?

SOX imposed new governance standards on corporate boards of directors and greater accountability for accurate, reliable financial reporting. As such, it had a profound effect on how businesses develop, implement, and maintain effective internal control over financial reporting (ICFR); as well as on the audits of financial statements that all publicly traded businesses are required to publish. 

What are the main functions of SOX?

SOX has 11 major sections (“titles”) in total, but the most important requirements for internal control are found in Sections 302 and 404. While both relate to internal controls, SOX 302 and SOX 404 differ in several ways.

What are internal controls over financial reporting?

Internal controls over financial reporting are internal controls that specifically aid in the processing of financial transactions. ICFR helps to reduce the number of errors in financial statements and to prevent or detect fraud within a company’s financial transactions. 

To help assure effective financial reporting, SOX requires large publicly traded firms to have an external audit of their ICFR every year; this is Section 404(b) of the law. Moreover, all publicly traded firms, regardless of size, must declare every year whether management believes ICFR is or isn’t effective; that is Section 404(a).

How do you implement SOX controls?

Implementing SOX controls in your organization can seem overwhelming, so it’s best to make a plan and execute it in stages. We recommend breaking the process down into stages like those we’ve indicated below. 

  • Identify a framework for internal controls that fits your business needs. 
  • Complete a risk assessment. 
  • Document processes and key controls.
  • Evaluate IT general controls. 
  • Document all third-party vendors.
  • Test your internal controls.
  • Evaluate identified deficiencies. 
  • Communicate results and reevaluate.

What is the SOX compliance checklist?

The SOX compliance checklist includes a number of auditing measures to assure compliance. They mostly deal with Sections 302 and 404 as mentioned above. For each item on the checklist, your compliance auditor must confirm your compliance.

  1. Create safeguards against data tampering. (Section 302.2)
  2. Create safeguards to determine timelines. (Section 302.3)
  3. Establish controls that track and record access to data. (Section 302.4.B)
  4. Verify that safeguards are functioning as intended. (Section 302.4.C)
  5. Routinely report on the effectiveness of controls. (Section 302.4.D)
  6. Establish methods for detecting security breaches. (Section 302.5.A/B)
  7. Inform SOX auditors of all security safeguards. (Section 404.A.1.1)
  8. Inform SOX auditors of any security breaches. (Section 404.A.2)
  9. Inform SOX auditors of internal control failures. (Section 404.B)

Is the COSO framework required by SOX?

No. SOX itself does not specify that businesses must use an internal control framework to achieve effective ICFR. Rather, implementing rules from the U.S. Securities and Exchange Commission strongly encourage firms to use an internal control framework, and those rules cite the COSO framework as an example of one framework that firms might use. 

Since then, most businesses and audit firms have adopted COSO as their framework of choice, to the point that almost all publicly traded businesses now use it.

Section 4: Risk Assessments and Internal Controls

What are the internal control risks?

We previously discussed inherent, control, and residual risk. In this section, we want to provide more granular examples of risk associated with internal controls. Let’s look at those now.

  • Manager Risk. Managers are the individuals charged with creating, implementing, and maintaining internal controls, so a manager typically has the ability and know-how to bypass those controls if he or she wants. This is why another tier of governance is required to evaluate the possibility of fraud occurring at a managerial level.
  • Segregation of Duties. Segregation of duties exists to assure that no single individual has enough power to manipulate your financial reporting system to commit fraud. (Say, one person both approving new vendors and issuing payments to those vendors.) By segregating duties among multiple people, you reduce the risk of fraud.
  • Lack of Preventive Controls. Some organizations put too much emphasis on detective and corrective controls, while neglecting the importance of preventive controls. Strong preventive controls, however, can avoid much of the work required by the other two types of controls. That’s why it’s important to have a robust ICFR system that includes all three.
  • “Trust, but verify.” This saying is an important one to remember. Sometimes the people perpetrating a fraud seem like trustworthy, good employees that you’d never expect to be malicious. That’s why it’s important that everyone in charge of internal controls, and everyone handling financial reports, is subject to oversight.   
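The two control rules used as examples above, the dual-signature rule for checks above $25,000 in the control risk discussion and the segregation-of-duties rule that no one person should both approve a vendor and issue payments to it, written out as a detective check over a payments ledger. This is an added example and not code from the original guide or from ZenGRC; the vendor and payment records, employee names, amounts, and the `Vendor`/`Payment` structures are constructed assumptions. The check also flags payments to vendors with no approval record on file, since that is the case the segregation rule cannot evaluate.

```python
"""Detective checks over a constructed payments ledger.

Two rules from the guide are implemented as code, as an added example:
  1. Dual approval: a payment above APPROVAL_THRESHOLD must carry signatures
     from at least two distinct executives.
  2. Segregation of duties: the employee who approved a vendor must not also
     issue payments to that vendor.
Vendors, payments, names and amounts are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("25000")  # "two executives must sign checks above $25,000"


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    approved_by: str          # employee who approved the vendor record


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    amount: Decimal
    issued_by: str            # employee who released the payment
    signatures: tuple         # executives who signed the payment


# Constructed sample data (hypothetical vendors and payments).
VENDORS = {
    "V-100": Vendor("V-100", approved_by="alice"),
    "V-200": Vendor("V-200", approved_by="bob"),
}

PAYMENTS = [
    Payment("P-1", "V-100", Decimal("30000"), "carol", ("dana", "evan")),  # compliant
    Payment("P-2", "V-100", Decimal("30000"), "carol", ("dana",)),         # only one signer
    Payment("P-3", "V-200", Decimal("5000"), "bob", ("dana",)),            # bob approved V-200 and pays it
    Payment("P-4", "V-100", Decimal("40000"), "carol", ("dana", "dana")),  # same signer counted twice
    Payment("P-5", "V-300", Decimal("1000"), "carol", ("dana",)),          # vendor not on file
    Payment("P-6", "V-100", Decimal("25000"), "carol", ("dana",)),         # at the threshold, not above it
]


def missing_dual_approval(payments, threshold=APPROVAL_THRESHOLD):
    """Ids of payments above the threshold with fewer than two distinct signers."""
    return [p.payment_id for p in payments
            if p.amount > threshold and len(set(p.signatures)) < 2]


def segregation_violations(payments, vendors):
    """Ids of payments whose issuer is also the approver of the vendor being paid."""
    return [p.payment_id for p in payments
            if p.vendor_id in vendors and vendors[p.vendor_id].approved_by == p.issued_by]


def unknown_vendor_payments(payments, vendors):
    """Ids of payments to vendors with no approval record at all."""
    return [p.payment_id for p in payments if p.vendor_id not in vendors]


def review_payments(payments, vendors):
    """Run every check and return the findings keyed by rule name."""
    return {
        "missing_dual_approval": missing_dual_approval(payments),
        "segregation_of_duties": segregation_violations(payments, vendors),
        "unknown_vendor": unknown_vendor_payments(payments, vendors),
    }


if __name__ == "__main__":
    for rule, ids in review_payments(PAYMENTS, VENDORS).items():
        print(f"{rule}: {', '.join(ids) or 'no findings'}")
```

Two details matter in practice: signers are de-duplicated, so the same executive signing twice does not satisfy the rule, and the comparison is strictly "above" the threshold, matching the policy wording. A check like this runs after the fact, so it is a detective control; the corresponding preventive control is the payment system refusing to release the payment in the first place.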

What is the relationship between risk management and internal controls?

At a high level, risk management and internal controls are similar, but there are some differences in emphasis and implication.

Internal controls are geared toward assuring an organization’s goals for operational efficiency, accurate financial reporting, and regulatory compliance. In contrast, risk management addresses a wider range of risk (supply chain, reputation, and cybersecurity issues, for example), although the chores of identifying, evaluating, and reducing risk are fundamentally similar.

What is an internal control risk assessment?

An internal control risk assessment will evaluate both the internal and external risks that can affect your organization’s ability to conduct reliable financial reporting, protect assets, achieve compliance, and maintain effective operations. The findings then drive the development of internal controls that will help to mitigate risk.

A risk assessment consists of:

  • Identifying qualitative and quantitative risks.
  • Evaluating the severity of potential risks.
  • Establishing control measures to safeguard against those risks.

Section 5: What Are IT General Controls (ITGCs)?

IT general controls (ITGCs) play an important role in both business operations and financial reporting.

The phrase refers to the basic controls applicable to IT infrastructure, such as controls for application usage, operating systems, databases, and so forth. ITGCs exist to assure the integrity of data and the processes that the IT system supports.

General controls govern the creation, implementation, and security of computing programs and data used across an organization’s whole IT infrastructure. In contrast, application controls are unique to a single computing application, such as accounting software.

Is there a difference between ITGCs and GITCs?

No. You may sometimes hear people use the term “general IT controls” and abbreviate them as GITCs, but they are the same as ITGCs.

What are the objectives of IT general controls as they relate to auditing?

The goal of ITGCs as they relate to auditing is to assure the integrity of data and the processes that the organization’s IT system supports. ITGCs include:

  • Access controls for applications, data and infrastructure
  • Change management controls
  • Backup and recovery controls
  • Operations controls
  • Physical security controls
  • System development life cycle controls

Why are ITGCs important for assuring integrity in business operations and reporting?

ITGCs are vital to assuring the integrity of business operations and financial reporting because they encourage the use of data, reporting, and automation of business processes to improve the business.

Section 6: Best Practices for Internal Controls

If your organization is considering rolling out a system of internal control or would like to improve your existing controls, get started with these best practices.

What are the best practices for internal controls?

  1. Identify your internal and external risks.
  2. Define the internal controls that help to mitigate those risks. 
  3. Roll out your system of internal controls in structured phases.
  4. Support the adoption of internal controls from the top down through education and training.
  5. Encourage communication and collaboration between supervisory roles. 
  6. Reinforce and strengthen adoption through role-playing scenarios.
  7. Automate business processes to improve the efficiency of internal controls. 
  8. Use data analytics to monitor and continuously improve internal controls.
  9. Use tooling to govern and further improve the efficiency of business operations around internal controls.

What does a good internal control system look like?

A good internal control system uses the five components of internal controls listed earlier, as well as business planning, to achieve key objectives around safeguarding business assets, improving operational efficiency, and assuring compliance with laws and regulations through accurate financial reporting.

Tips for accounting

Internal controls are needed to assure the accuracy and reliability of financial reporting and the systems used for accounting. Without strong ICFR, financial records can be rife with errors, and accounting managers are hindered in their decision-making ability. The following are some tips to help identify reporting mistakes and to mitigate fraud in accounting.

  • Segregate duties as they relate to bookkeeping, handling financial assets, reporting, and auditing.
  • Control access to your accounting system with strong password guidelines, lockouts, and access logs. This will prevent unauthorized access and allow for a way to audit the system. 
  • Perform physical audits of assets tracked in your accounting system to assure there are no discrepancies in account balances. 
  • Create standardized documentation to govern financial transactions and encourage consistency in record keeping. This will also make it easier to search for discrepancies in an audit. 
  • Leverage a double-entry accounting system to increase reliability and assure that the books are balanced. 
  • Use trial balances to provide insight into the state of your accounting system and uncover discrepancies as soon as possible. 
  • Conduct accounting reconciliations to assure that accounting balances match balances in accounts held by other entities such as financial institutions, lenders, and vendors. 
  • Enlist a manager to supervise certain transactions to add a layer of accountability and prevent employees with malicious intent from making fraudulent transactions.
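The access-log review that the detective-control example earlier in the guide (a review of user access logs) and the tip above about lockouts and access logs call for, written out as an added Python example; it is not code from the original guide or from ZenGRC. The log format, user names, addresses, and the policy parameters (five failures within ten minutes, a fifteen-minute lock, business hours 07:00 to 19:00) are constructed assumptions. It replays the log against the lockout rule and reports both the lockouts the policy requires and any successful login that occurred while a lock should still have been in force, which is how a reviewer verifies that the safeguard is actually functioning rather than merely documented.

```python
"""Review of constructed accounting-system access logs.

Two checks from the guide's accounting tips, as an added example:
  * a lockout rule (N failed logins within a window), replayed against the log
    to confirm the rule is actually enforced, i.e. no successful login while
    the lock should still hold;
  * successful logins outside business hours, for a reviewer to examine.
All log lines, user names and addresses below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                          # assumed policy: lock after 5 failures
FAILURE_WINDOW = timedelta(minutes=10)    # ... occurring within 10 minutes
LOCKOUT_DURATION = timedelta(minutes=15)  # ... and keep the lock for 15 minutes
BUSINESS_HOURS = (7, 19)                  # 07:00 inclusive to 19:00 exclusive

# Constructed sample log: one event per line, "timestamp key=value ..." format.
SAMPLE_LOG = """\
2021-02-22T07:55:02 user=alice result=SUCCESS src=10.0.0.5
2021-02-22T08:00:10 user=bob result=FAIL src=10.0.0.9
2021-02-22T08:00:41 user=bob result=FAIL src=10.0.0.9
2021-02-22T08:01:15 user=bob result=FAIL src=10.0.0.9
2021-02-22T08:02:03 user=bob result=FAIL src=10.0.0.9
2021-02-22T08:02:50 user=bob result=FAIL src=10.0.0.9
2021-02-22T08:04:12 user=bob result=SUCCESS src=10.0.0.9
2021-02-22T09:10:00 user=carol result=FAIL src=10.0.0.7
2021-02-22T09:10:30 user=carol result=FAIL src=10.0.0.7
2021-02-22T09:11:00 user=carol result=SUCCESS src=10.0.0.7
2021-02-22T23:10:44 user=alice result=SUCCESS src=10.0.0.5
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts_str)
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def lockout_findings(records, max_failures=MAX_FAILURES,
                     window=FAILURE_WINDOW, lockout=LOCKOUT_DURATION):
    """Replay the log against the lockout policy.

    Returns (lockouts, violations). lockouts lists (user, ts) where the policy
    says the account should have been locked. violations lists (user, ts) of
    successful logins that happened while that lock should still have been in
    force; any entry here means the lockout control is not being enforced.
    """
    recent = defaultdict(deque)  # user -> timestamps of failures in the window
    locked_until = {}            # user -> time the lock expires
    lockouts, violations = [], []
    for rec in records:
        user, ts = rec["user"], rec["ts"]
        if user in locked_until and ts >= locked_until[user]:
            del locked_until[user]  # lock has expired
        if rec["result"] == "FAIL":
            if user in locked_until:
                continue  # further failures during a lock do not restart it
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= max_failures:
                locked_until[user] = ts + lockout
                lockouts.append((user, ts))
                q.clear()
        elif rec["result"] == "SUCCESS":
            if user in locked_until:
                violations.append((user, ts))  # logged in while locked
            else:
                recent[user].clear()  # a good login resets the failure count
    return lockouts, violations


def after_hours_logins(records, hours=BUSINESS_HOURS):
    """Successful logins whose local hour falls outside business hours."""
    start, end = hours
    return [(r["user"], r["ts"]) for r in records
            if r["result"] == "SUCCESS" and not start <= r["ts"].hour < end]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    locks, viols = lockout_findings(recs)
    print("lockouts required by policy:", locks)
    print("logins while locked (control not enforced):", viols)
    print("after-hours logins to review:", after_hours_logins(recs))
```

On the constructed log, bob's fifth failure at 08:02:50 should have locked the account, yet a login succeeded at 08:04:12; that single finding is stronger evidence for an auditor than any policy document, because it shows the control did not operate. The after-hours list is a review queue rather than a verdict: alice's 23:10 login may be legitimate, but the guide's point is that the access log makes it possible to ask.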

Tips for manufacturing

For manufacturing companies, internal controls can help to identify inefficiencies within business operations that may be causing a disruption in production. The following are some tips to help manufacturers and distributors improve their internal controls.

  • Implement an inventory management system to assure your inventory reflects what you’ve purchased or created.
  • Use a costing methodology to help monitor purchase price variances and identify when purchase costs are starting to misalign with what you’ve budgeted for the year.
  • Purchasing controls are critical to mitigating risk for financial fraud. One such purchasing control might include assuring that no single employee is responsible for both making a purchase and receiving the goods. 

Tips for nonprofits

Implementing effective internal controls for a nonprofit involves the proper governance and oversight of responsibilities so that nonprofits can fulfill their fiduciary duties. Some tips to help nonprofits include:

  • Create and implement protocols for managing and monitoring assets.
  • Define roles within the organization so segregation of duties is present.
  • Define the organization’s personnel policies to assure ethical standards are followed. 
  • Implement a conflict of interest policy and code of ethics. 

Tips for healthcare

Businesses in the healthcare industry must use internal controls to prevent poor operational practices and safeguard against errors and fraud in reporting. This sector can benefit from the following tips concerning their internal controls:

  • Separate duties to prevent fraud and reduce the number of reporting errors.
  • Ensure internal controls are effective by letting employees know that managers are observing them to assure compliance.
  • Keep appropriate records. This includes patient files, lists, and petty cash so you can spot unusual activity and weak internal controls. 
  • If you believe that fraudulent activity is happening, you should contact appointed supervisors immediately. An investigation can happen later to validate or invalidate your concerns.

Tips for cybersecurity

For those businesses in cybersecurity, having internal controls embedded in your operations is vital to assuring that your operations are effective and reliable. You should also be aware of how your compliance program is performing over time, so that if a cybersecurity threat emerges, third-party auditors reviewing your controls will be able to see that your organization has made its best effort to maintain compliance. Here are some tips on how to do that:

  • Implement a cybersecurity breach response policy and test it regularly. This assures that if an incident occurs, your team will be trained and ready to act quickly.
  • Perform a risk assessment. This is an important first step to ensuring that you can actually protect your assets as threats emerge. 
  • Consider both physical and digital threats. When it concerns information security, it’s just as important to understand who has digital access as it is who has physical access to documents and infrastructure.
  • Continually iterate on compliance procedures. Working through these programs will give your organization a chance to identify vulnerabilities within your security program.

Section 7: Impact of Emerging Technologies on Internal Controls

How can internal controls be applied to new technologies?

As new technologies are introduced, the organizations that use them are forced to re-evaluate and even transform their internal controls, perform new risk assessments, and re-evaluate their business models.

What are examples of technology where there are implications for internal controls?

Adoption of new technologies inherently includes risk, especially pertaining to data privacy and information security. 

For example, manufacturing businesses might use sensors to monitor production environments, and then analyze the data from those sensors to improve operations. That technology can bring far-reaching benefits, but it also drives up the importance of strong data security controls so the sensors and the data they collect aren’t tampered with.

Finance and accounting teams, meanwhile, might use robotic process automation (RPA) to streamline controls and improve accuracy in reporting. Sufficiently large businesses (such as banks, for example) employ artificial intelligence (AI) to supervise and measure risk in real-time. 

All businesses use technology in one form or another. Internal controls are invaluable to strike the right balance between innovation and continued assurance over operations, compliance, and reporting.

Section 8: Internal Control Audits: What Your Organization Needs to Know

How do auditors assess internal controls?

When an auditor comes to assess your internal controls, the first thing he or she will do is gain a thorough understanding of your organizational systems and controls, to assess potential control risks. As stated previously, control risk is the risk that existing controls fail to prevent or detect a misstatement.

What are the objectives of internal control in auditing?

Once the auditor has a grasp of your existing systems and has assessed any control risks, the auditor will then rate the severity of the risks, typically from low to high. Low risk is one that has a minimal chance of thwarting internal controls, while a high risk implies that existing internal controls aren’t strong enough to prevent the threat in question. 

Additionally, the auditor will test the organization’s internal controls to assure that they are functioning as expected — and if they aren’t, to then determine where the gaps are. This process can involve communicating with both management and employees, reviewing resource documentation, observing processes, and potentially re-performing certain processes to assure accuracy and reliability.

Finally, the auditor will assess the overall amount of risk to the organization.

How Do I Prepare for a SOX Compliance Audit?

A SOX compliance audit can be quite expensive, as well as time-intensive. Therefore, when your compliance audit comes due, you want to assure that you are fully prepared and able to avoid missteps that might cause additional costs. To that end, here are some best practices to help assure you’re ready for your next SOX compliance audit.

  • Perform a self-audit. Running an internal audit is the best way to uncover deficiencies that you can correct prior to your official external audit.
  • Assure your staff is trained on all security and compliance policies. Every employee should understand what SOX compliance entails so that they can avoid missteps that will likely be revealed during your audit. 
  • Monitor employees and vendors with privileged access. Unfortunately, those with the highest levels of authority also have the easiest time committing fraudulent activity, should they choose to do so. Therefore it’s important to have monitoring in place and methods to keep those in senior positions accountable.
  • Maintain an audit trail. Document processes through an audit trail to prevent malicious actions and spot suspicious activity. Assure these audits are routinely reviewed and structured in a way that’s easy to read and understand.
  • Use technology that enables you to monitor SOX compliance, such as functionality that keeps a real-time record of changes made to documentation and of who made them.

What Is the Concept of Reasonable Assurance?

Reasonable assurance refers to the level of certainty that material misstatements in financial reporting will be prevented or detected on a timely basis.

To achieve reasonable assurance, an auditor must obtain a sufficient amount of evidence, during an audit, to declare that the level of risk facing an organization is at an acceptable, low level. 

What public companies are not required to have an ICFR audit?

The SEC has declared that any public company with less than $100 million in annual revenue can be excluded from the ICFR audit requirement in Section 404(b) of SOX. Newly public companies are also excluded from Section 404(b).

Do auditors in a financial statement audit also test internal controls?

Yes. According to the PCAOB Release No. 2010-004, Auditing Standard No. 13, line 32: “The auditor should assess control risk for relevant assertions by evaluating the evidence obtained from all sources, including the auditor’s testing of controls for the audit of internal control and the audit of financial statements, misstatements detected during the financial statement audit, and any identified control deficiencies.”

How to document internal control processes

The following are some best practices to help organizations with both financial and IT-related internal controls. These steps will help you not only to develop, but also document these processes.

  1. Plan your internal controls objectives by conducting a risk assessment of both internal and external risks.
  2. Establish and document a control structure to address risks. This documentation should identify all the functional areas of the business, their key operations, how to determine the achievement of objectives for each operation, and statements to help employees maintain compliance with controls. The framework should also include statements regarding documentation and testing for the internal control environment. It would be wise to get the opinion of an external auditor who can review and inform you as to whether your framework will be effective at achieving its intended purposes of risk mitigation.
  3. Lay out each specific control. It’s important to know the specifics of how your control framework will be enacted for every scenario. Do this by defining each control.
  4. Document control activities. That is, document how your employees will adhere to controls. Depending on your business requirements, this documentation may be granular down to each task, or it may be high-level and summary style. This will also include: 
     • Who performs the control.
     • How they perform the control.
     • How performing a control should be documented.
     • How frequently the control should be performed.

Section 9: How to Measure Internal Control Effectiveness

How do you measure the effectiveness of control?

Test your controls. Once your controls have been designed and documented, they should be systematically tested to assure they function as intended.

During your testing period, some of your tests may fail. You may find that you’ve missed an implication while designing your controls. Once testing has exposed this vulnerability, you can address the issue and retest to assure the control is effective.

It may be best to enlist an outside auditor to assist with validating your internal controls. An auditor will be able to help you rigorously test your controls, and also help you assess your risk and determine if your control framework needs improvements to be effective.

What is effective internal control?

Effective internal controls have the following characteristics:

  • They sufficiently decrease the likelihood of a breach or loss of assets. 
  • They help to assure financial reports are complete and that reporting is accurate.
  • They increase efficiency in business operations.
  • They help the organization to maintain compliance with applicable laws and regulations.

Section 10: Improving Compliance With Internal Controls Software

How can internal control management software help my business?

Leveraging internal control management software can help to assure that an organization’s internal control framework is robust, that controls are applied consistently, and that documentation of controls is transparent.

Additionally, software of this kind will help to improve efficiency within the organization by increasing the effectiveness of operations and mitigating risk that could result in an audit—or, worse, harm the organization’s reputation.

What is Reciprocity’s solution?

Reciprocity understands the challenge of managing the interrelated components of internal control such as risk assessments, documenting control procedures, testing, and reporting. We also understand that the more people are involved with controls, the higher the likelihood of error.

This is why we’ve developed ZenGRC. It can help mitigate potential missteps by controlling access to sensitive data and financial information, and by implementing a process for authorization of any changes that are made so your information stays secure.

ZenGRC also automates the creation of easy-to-read reports that can supply your board of directors with the visibility it needs to supervise the control environment properly. This can also lead to a more positive outcome during an audit.

Lastly, in the event that you are audited, the ZenGRC SaaS platform allows you to procure quickly and easily any documentation the auditors require while conducting the review of your system. This spares your IT department the chore of constructing an audit trail, so they can do what they do best: protect your organization from threats.

ZenGRC Solutions

The ZenGRC platform can help your organization to:

  • Provide the required documentation for an audit
  • Comply with privacy regulations
  • Manage third-party risk
  • Quickly identify and respond to security incidents
  • Automate routine compliance checks
  • Safeguard your business through disaster recovery and business continuity planning

Hassle-free internal controls implementation and compliance is the Zen way! For a free consultation and demo of ZenGRC, contact us today.