U.S. Generally Accepted Accounting Principles (GAAP) are the set of financial reporting standards that businesses in the United States are expected to follow (and that publicly traded companies must follow, as required by law). The Financial Accounting Standards Board (FASB) is the body that develops and updates GAAP as necessary.

Internal controls are the policies, procedures, and other measures that businesses put in place to reasonably assure that their financial operations follow GAAP.

Under the Sarbanes-Oxley Act (SOX), all publicly traded companies should have effective internal controls, and must declare in their annual reports whether their internal controls are effective. All large publicly traded companies must also undergo an annual audit of their internal control over financial reporting.

What Are the Five Internal Controls?

The Committee of Sponsoring Organizations (COSO) has adopted a framework for effective internal control, which defines five components of an internal control system. Those components can guide how the company manages financial information and operational processes on a day-to-day basis.

Let’s examine each of the five components individually.

Control Environment

A company’s control environment is the most critical component of its internal control. The control environment outlines the company’s culture and ethics, and those things provide the foundation for the rest of the operation to function effectively and appropriately.

While the control environment does apply to the entire business, foremost it guides the conduct of senior management and the board of directors in their high-level oversight of financial reporting.

The control environment defines management’s responsibility, how management delegates power, organizational structure, and dedication to internal control policies. The more importance management places upon a company’s internal controls and procedures, the more diligently lower-level employees will follow them.

Risk Assessment

Once the control environment is defined, next the company should assess its risks. The risk assessment should consider potential threats to the company’s ability to pursue its strategic objectives — including the objectives of accurate financial reporting and regulatory compliance. A good risk assessment will help to prioritize which risks are most pressing, and therefore need the most (and immediate) attention.

The assessment process aims to identify various threats that confront the organization. Both internal and external elements must be considered. Risks vary across organizations and industries. Understanding these elements is crucial when performing a risk assessment.

Control Activities

Control activities encompass all processes that a business uses to mitigate recognized risks. Companies might employ various controls depending on the type of risk. Control activities that are often employed include approval processes, physical and digital security measures, verifications, reconciliations, segregation of roles, accounting controls, training, control testing, and so on.

Information and Communication

“Information and communication” is the correspondence about control operations, which should reach the appropriate personnel to carry out necessary actions. Control activities are pointless if team members don’t understand how to perform them and why those activities are essential. The quality of a company’s information systems also plays a role in this component.

Monitoring

Companies should have mechanisms to monitor control activities after the activities have been implemented. Monitoring can also assist businesses in identifying and correcting flaws in their control efforts. Routine internal audits and monitoring procedures are crucial to keeping management informed and maintaining the control environment.

Internal Controls for Financial Reporting

An organization’s internal controls over financial reporting (ICFR) include the policies and procedures that assure the reliability of financial reporting. ICFR should:

  • Pertain to maintaining records that accurately and fairly reflect transactions and dispositions of company assets;
  • Provide reasonable assurance that transactions are appropriately recorded to enable the company to prepare its financial statements consistent with GAAP;
  • Provide reasonable assurance about the prevention or detection (on a timely basis) of unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement in the company’s financial statements.

GAAP aims to assure the consistency and effectiveness of the company’s financial reporting. When a company follows GAAP industry standards, investors and other interested parties can more easily read and understand the information contained in its statements.

Internal controls are important because they protect your business against risks and severe repercussions. For example, an information security control environment reduces the threat of data breaches or malware infection. Likewise, management authorization for expenditures over a certain amount can prevent employee theft.

Section 404 of SOX aims to prevent fraud and errors in financial statements and records by requiring businesses to disclose the effectiveness of their controls and procedures. This is known as “reporting control procedures”.

When a business has robust internal control processes in place (and especially when an independent auditor has examined such procedures) investors will be more confident that the company’s reported financial statements are credible.

Basic Principles of Internal Controls

Internal controls are a set of standards that aim to minimize material weakness and prevent material misstatements within the organization.

A material weakness in ICFR occurs when the company’s overall control system is deficient and could result in a material misstatement in the company’s financial statements. Such errors can arise in an annual report (before or after an audit of financial statements) or in periodic financial reporting, such as unaudited quarterly reports.

Segregation of Duties

The segregation of duties among employees reduces the chance that any one person can commit fraud. “SoD” also creates procedures for double-checking work to decrease clerical errors. For example, separating duties means the employee who handles record keeping should not have physical custody of the asset.

Controlled Access

Physical internal controls ensure that only authorized employees can access company assets. Standard physical internal controls for safeguarding assets include unique passcodes for cashiers at cash registers and key cards for warehouse employees. These physical internal controls may also be digital, such as requiring a password to access an organization’s network.

Authorization

An organization should establish specific written procedures for authorizing financial statements and specific transactions. For example, managerial approval should be required for expenditures over a certain amount. Authorization controls should be tightly managed to safeguard against inappropriate overrides.

Record Keeping

A company should back up its financial statements with general ledger reports and other schedules. These forms should be numbered so you can detect missing pages or new forms used to backdate a previously unrecorded transaction. You can also avoid fraud and inadvertent errors by standardizing documents like purchase orders and sales invoices.

Review

A manager should regularly review all critical general ledger accounts and financial statements for accuracy. The manager, however, must be an employee who did not help prepare the report. Additionally, the chief financial officer may perform attestation of financial statements at the end of a quarter or fiscal year. Some organizations also use internal auditors or an audit committee.
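The segregation of duties, authorization and record keeping principles above can each be tested mechanically. The following is an added example, not code from the original article or from ZenGRC; the employee names, the 5,000 approval threshold and the invoice log are constructed sample data, and the duty labels and manager list are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
RECORD_KEEPING = "record_keeping"
ASSET_CUSTODY = "asset_custody"
APPROVAL_THRESHOLD = 5000  # constructed threshold; set by company policy
MANAGERS = {"dave"}        # constructed set of employees allowed to approve
# Constructed role assignments for one asset (cash): employee -> duties held.
ASSIGNMENTS = {
    "alice": {RECORD_KEEPING},
    "bob": {ASSET_CUSTODY},
    "carol": {RECORD_KEEPING, ASSET_CUSTODY},  # SoD conflict: keeps the books and holds the cash
}

@dataclass
class Expenditure:
    invoice_no: int                 # pre-numbered purchase form
    requester: str
    amount: float
    approver: Optional[str] = None  # manager who approved, if anyone
# Constructed expenditure log with two approval exceptions and one missing form number.
EXPENDITURES = [
    Expenditure(1001, "alice", 1200.00),
    Expenditure(1002, "bob", 7500.00, approver="dave"),
    Expenditure(1003, "alice", 9800.00),                   # over threshold, no approval
    Expenditure(1005, "carol", 6100.00, approver="carol"), # self-approved; form 1004 missing
]

def sod_conflicts(assignments):
    """Employees who both keep the records for an asset and have custody of it."""
    return sorted(emp for emp, duties in assignments.items()
                  if {RECORD_KEEPING, ASSET_CUSTODY} <= duties)

def authorization_exceptions(expenditures, managers, threshold=APPROVAL_THRESHOLD):
    """Expenditures over the threshold that lack an independent manager approval."""
    issues = []
    for e in expenditures:
        if e.amount <= threshold:
            continue
        if e.approver is None:
            issues.append((e.invoice_no, "missing approval"))
        elif e.approver == e.requester:
            issues.append((e.invoice_no, "self-approved"))
        elif e.approver not in managers:
            issues.append((e.invoice_no, "approver is not a manager"))
    return issues

def sequence_gaps(numbers):
    """Form numbers missing from a run that should be contiguous (lost or withheld forms)."""
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]
```

Running the three checks over the sample data flags carol for the duty conflict, invoices 1003 and 1005 for approval problems, and form number 1004 as missing from the sequence.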

Manage Financial Internal Controls with ZenGRC

The key to developing excellent internal controls practices while simplifying the audit process is to use technology and software to make things easier for you and your staff.

Reciprocity’s ZenGRC platform enables organizations to document auditing standards, maintain regulatory evidence, and identify control deficiencies. It connects effortlessly with a broad range of tools to automate tasks, integrate workflows, and streamline information management.

The risk assessment modules in ZenGRC give insights about where your reporting is lacking, allowing you to take immediate action to collect the documentation you require. Benchmarks give valuable information to show your company’s progress over time and how your firm compares to its peers.

ZenGRC constantly evaluates your networks and systems against various compliance criteria to determine where you are and where you fall short. Pre-built templates allow you to manage compliance requirements and map controls across all of your compliance standards, such as PCI, HIPAA, SOX, and others.

Schedule a ZenGRC demo to get started on the Zen way of hassle-free internal control implementation and compliance!
