Every business needs to manage risk somehow, and most businesses (especially those working globally) also need to comply with a complex web of laws and regulations that govern how the business operates and handles data.
At the heart of both challenges are internal controls: the mechanisms companies use to guide employee behavior so that risks are managed and compliance obligations fulfilled.
So how do you go about developing the right internal controls for your organization? And once they’re in place, how do you know whether they’re working the way they should?
In this article we’ll examine internal controls, including the five components of internal controls. We’ll also look at some of the best practices for developing a system of internal control. Armed with these tips, you can begin the process of implementing – or improving – your own internal controls.
What Are Internal Controls?
Internal controls are the policies and procedures or technical safeguards that organizations implement to prevent problems and protect assets.
Internal controls are typically established to avoid or minimize loss. To do so, organizations can implement three different types of internal controls: detective, preventative, and corrective.
Detective controls try to identify an adverse event after it has occurred. Corrective controls are implemented to remedy whatever vulnerabilities allowed the event to happen. Preventative controls actually attempt to prevent those risks from occurring in the first place. In information security, internal controls consist of security policies and procedures, plans, devices, and software intended to strengthen cybersecurity.
When managing cybersecurity risk, several frameworks and standards for implementing controls can help your organization to manage information security controls consistently across all your systems, networks and devices. That includes issues such as configuration management, physical security, personnel security, network security, and information security systems.
Cybersecurity frameworks also define what constitutes “good” cybersecurity practices, and they can provide organizations with a structure to use for managing their information systems’ security controls.
Similar frameworks exist for managing internal business controls. For instance, the Committee of Sponsoring Organizations (COSO) developed its Internal Control Integrated Framework, one of the most widely recognized internal control frameworks in the world.
The COSO framework was developed to help organizations assure that their financial reporting is accurate, their assets and stakeholders are protected from fraud, and their operations are running effectively and efficiently. Indeed, fraud deterrence was the main objective behind the formation of COSO and its original 1992 framework. (COSO introduced a new, more modern internal control framework in 2013.)
COSO also provided the first widely accepted definition of “internal control,” which COSO defines as:
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
In addition, COSO identified five components of internal control, which we will explore in more detail in the next section:
- control environment
- risk assessment
- control activities
- information and communication
- monitoring activities
What Are the Five Internal Controls?
The five key components of internal control (sometimes referred to as the elements of internal control) each include principles with supporting “points of focus” to help with designing, implementing, conducting, monitoring, and assessing internal control processes.
The control environment is the foundation for all other internal control components; it encompasses your organization’s attitude about internal controls. Your board of directors and senior management are responsible for establishing the “tone at the top” regarding the importance of internal controls and the expected standards of conduct. Ideally, lower level employees will follow suit.
An effective control environment should include:
- A commitment to integrity and ethical values
- Independent board of directors’ oversight
- Well-documented structures, reporting lines, authorities, and responsibilities
- A drive to attract, develop and retain competent people
- Accountability for internal control responsibilities
The risk assessment process includes identifying and analyzing your organization’s risks. It forms the basis for how risks should be managed and mitigated.
Your risk assessment should:
- Clearly specify objectives
- Identify risks to the achievement of objectives
- Consider the potential for fraud
- Identify and assess significant changes
These are the actions established by policies and procedures that help to assure management directives are carried out. Control activities should be performed at all levels of your organization, and at various stages within business processes.
To be successful, your control activities should:
- Address the risks identified in your risk assessment
- Be clearly documented and communicated to stakeholders and staff
- Evolve with the changing needs of your business
Information and Communication
The systems and processes that support identifying, capturing, and exchanging information allow people to carry out their duties effectively.
Your information and communication systems should:
- Facilitate the generation, gathering, and use of quality information throughout your enterprise
- Define the processes for internally communicating information about internal controls
- Define the processes for externally communicating information about internal controls
These are the processes that identify, monitor, and report on the quality of your internal controls.
Your monitoring activities should include:
- Ongoing and/or separate evaluations
- Evaluation and communication for any internal control deficiencies
How Do You Implement Internal Controls?
Now that you have a better understanding of what internal controls are, let’s consider how to implement them.
Developing an effective internal control system involves:
- Policies and procedures, including organizational structure, job descriptions, and an authorization matrix
- Segregation of duties and responsibilities
- Authorization and approval processes
- Performance monitoring and control procedures
- Methods for safeguarding assets, completeness, and accuracy
- Manpower management
- An independent internal audit function
- Regulatory compliance and risk management
Like any other business process, when implementing a system of internal control, the order of actions you take matters; complete the foundation first for the most successful implementation. Simply put, you shouldn’t skip any steps when designing, implementing, operating, and monitoring your internal control framework.
Establish Your Internal Control Environment.
It’s generally accepted that you need five things to achieve change successfully: vision, skills, incentives, resources, and a plan.
When implementing or improving your internal controls, your control environment is an important factor that will ultimately affect all the other aspects of your internal control system. A poor tone at the top set by the board of directors or executive management will hinder or damage the other components of internal control.
Establishing the control environment also involves creating a team of experts to carry out the internal control processes and upholding your commitment to integrity and ethical values. This team should be cross-departmental and will ideally include: senior management, the chief information security officer (CISO), a privacy officer, the compliance officer, and representatives from marketing, product management, human resources, and each major business line.
Choose this team wisely; they will be the ones responsible for managing risks.
Identify and Analyze Risks
The process of understanding risks to your business begins once you’re able to identify those risks. To do so, first perform a risk identification exercise. The goal is to create a comprehensive list of risks for your entire organization.
This includes risks to your IT infrastructure and the various Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) solutions, as well as any assets your third-party vendors use. For each risk, you should also consider the potential for fraud and misconduct.
Once those risks are identified, group the risks by type: operational, environmental, strategic, financial, compliance, and so forth. This will make reporting these risks much easier in the long run.
After you’ve prepared your risk list, perform a risk assessment. Smaller businesses with limited resources sometimes turn to software to help them assess, mitigate, and monitor their risk management strategies – but regardless of size, all organizations should conduct risk assessments regularly, whether done internally or with the help of a software solution.
Risk assessments can be performed for specific areas of risk, such as data risk management or IT security, with a cybersecurity risk assessment.
The three stages of a risk assessment are as follows:
- Develop assessment criteria. This step assures that the team members assessing and prioritizing risks all use the same metrics to do so. High-, medium-, and low-risk is the most common qualitative scale for measuring risk, but choose whatever scale works for you. Without these defined criteria, it will be difficult to interpret risk ratings throughout your organization.
- Assess risks. This is where your team actually rates each risk based on the assessment criteria, and this step should be iterative. Risk assessments can be conducted in a variety of ways, including online surveys, in-person interviews, group workshops, or benchmarking. Ultimately, the result should be a risk rating for each risk based on the average likelihood and impact.
- Prioritize risks. While risks are prioritized based on their risk rating from the risk assessment, risk prioritization is actually a subsequent process that helps your organization expand the view of risks beyond terms of financial impact and probability. Prioritization should also include subjective criteria such as reputational harm, health and safety, vulnerability, and any other qualitative factors.
Once your team has identified, analyzed, and prioritized risks to your organization, decide what to do about each of them. To keep yourself from getting overwhelmed, we recommend that you start with your highest-ranked risks and develop risk mitigation strategies for those risks first. Any risks that require mitigation will need to be addressed by control activities.
Design and Implement Control Activities
Control activities are put into place to address whatever risks management believes should be mitigated. Typically this is done through policies and procedures. These can be any number of actions within your organization: training, audits, access controls, and much more. Typically the activities are categorized by type and nature.
Control activities are specific actions that can be observed and documented for future inspection, or re-performed by a third party. When designing your control activities, use a risk-based approach so that controls are designed to address the risk factors you identified during the risk assessment stage rather than a predefined control list.
If you’re considering an internal control framework such as COSO, keep in mind that each organization faces unique challenges. Even if you use the best framework for your industry, expect to customize it for your specific needs.
Develop Information and Communication Channels
For your internal controls to work, personnel within your organization must understand their responsibilities. This is best achieved when individuals can see and understand how their activities affect the achievement of business goals and objectives.
This should be an ongoing process that includes training to personnel on a regular basis, making current policies and procedures available to staff and stakeholders, and communicating any other critical information in a timely manner, whether it be via meetings or emails.
Establish Monitoring Activities
Your monitoring activities should consist of frequent evaluations that examine the implementation and operation of the five components of an internal audit.
These findings should be evaluated against criteria established by your board of directors, management policies, industry standards, and regulators. Any deficiencies should be communicated to management and your board of directors, as needed.
While internal controls are critical to risk management, they do have limitations. For instance, any process that involves human engagement will inevitably have shortcomings. And people are especially adept at finding vulnerabilities in internal control systems (accidentally or deliberately).
An internal control review, or an overall assessment of your organization’s internal control system across each business area, will help you determine the effectiveness of internal controls: whether they are functioning as intended and if they’re able to manage the risks that your organization faces in its daily operations.
This is the best way your organization can assure that its internal control system is operating the way it should, and it provides company leaders with the assurance that your internal control environment is working effectively. Ultimately, an internal control review will highlight any vulnerabilities in your internal control environment and identify the processes that can be strengthened.
If all of this sounds overwhelming to you, you’re not alone. Fortunately, there are solutions available to help.
Review Internal Controls with Reciprocity ZenRisk
Developing internal controls for your organization is already a difficult and time-consuming task. Then you also need to determine whether the controls are even working. Most organizations aren’t sure where to begin.
To make this process easier, the answer is automation. Whether your organization is struggling to manage cyber risks and achieve cybersecurity goals, or to improve performance management, meet business objectives, or comply with regulatory requirements, software solutions can simplify all these tasks and streamline your efforts.
Reciprocity ZenRisk is an integrated cybersecurity risk management solution designed to provide you with actionable insights to gain the visibility you need to stay ahead of threats and to communicate the impact of risk on high-priority business initiatives. Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats and controls for you, so you can spend less time setting up the application and more time using it.
A single, real-time view of risk and business context allows you to communicate to the board and key stakeholders in a way that’s framed around their priorities, keeping your risk posture in sync with the direction your business is moving.
Reciprocity ZenRisk will even notify you automatically of any changes or required actions, so you can be on top of your risk posture like never before. Eliminate time-consuming, manual work and streamline collaboration by automating workflows and integrating with your most critical systems.
Plus, Reciprocity ZenRisk is seamlessly integrated with Reciprocity ZenComply so you can leverage your compliance activities to improve your risk posture with the use of AI. Built on the Reciprocity ROAR Platform, the Reciprocity product suite gives you the ability to see, understand and take action on your IT and cyber risks.
Now, through a more active approach, you can give time back to your team with Reciprocity ZenRisk. Talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization mitigate cybersecurity risk and stay ahead of threats.