Modern organizations don’t operate in a perfect world where everything always goes according to plan. Mishaps can (and do) happen all the time because all companies operate in a risky business environment. Adverse events are a fact of life.

While at least some adverse events are unavoidable, organizations can evade many such events and reduce the threat of others. This is where internal controls – actions organizations can take to reduce risk – enter the picture.

So what are internal controls, exactly? What is an internal control system? What are the five key components of an internal control framework?

And how can your organization monitor these controls to ensure they work as expected?

Let’s explore.

What Is an Internal Control?

As defined by the Committee of Sponsoring Organizations (COSO), an internal control is a process designed to provide reasonable assurance that an organization’s operations are effective and efficient, its financial disclosures are reliable, and it meets regulatory compliance objectives.

An internal control (also sometimes known as an internal safeguard) can be any mechanism that helps a company to run its processes efficiently and effectively: a rule, a policy, a procedure, a statement from management, and more.

The right controls can help to assure business continuity; prevent costly errors, irregularities, and fraud; and maintain the integrity of financial statements and accounting records. They can also help:

  • Increase transparency throughout the enterprise
  • Promote accountability in every process and business unit
  • Promote ethical behaviors
  • Identify problems and take corrective action
  • Improve employee and organizational productivity
  • Maintain regulatory compliance
  • Protect the organization’s reputation and brand value
  • Retain more customers and maintain a strong competitive position

Ultimately, well-designed controls can empower your company to achieve its established objectives. Conversely, missing or poorly designed controls can result in inefficient processes, low productivity, costly errors, and fraud. These issues may increase customer churn, harm the company’s reputation, and result in financial losses, regulatory fines, and legal damages.

Types of Internal Controls

In general, internal controls fall into one of three categories:

Preventive Controls

As the name implies, preventive controls prevent issues including accounting errors, material misstatements, fraud, or cyberattacks before they have a chance to happen. Such controls are essential because they help to lower the costs of errors or malicious actions.

Some common preventive controls are:

  • Segregation of duties, especially in accounting and financial reporting
  • System access controls
  • Employee training
  • Authorization and approvals of invoices and expenditures
  • Physical security controls

Detective Controls

Detective controls find errors and irregularities that have already occurred. They are essential because they show whether preventive controls are operating as intended and because they help improve process quality and prevent the recurrence of errors.

Examples of detective controls include:

  • Monthly reconciliations of transactions
  • Organizational performance reviews, particularly budget-to-actual comparison
  • Physical inventories of cash, goods, or raw materials
  • External and internal audits

Corrective Controls

Corrective controls resolve existing issues that may lead to or exacerbate fraud, financial losses, or reputational damage. They include:

  • Software patch management
  • Updated policies for information systems
  • Disciplinary action
  • Ledger verification

The best way to implement and integrate these controls into business processes is to use an established internal control framework such as the framework developed by COSO. Let’s look at the five interrelated components of internal control systems as recommended by COSO.

See also

Best Practice Guide: Using Automation to Transform Risk Management

The 5 Internal Control System Components

The COSO internal control framework consists of five components that work together to create an effective system of internal controls. This system supports your organization’s mission, vision, business strategy, and objectives.

  1. Control Environment

    The control environment provides a structure and discipline for internal controls. It aligns business processes with applicable laws, compliance requirements, and industry-standard practices. It also assures that the company operates responsibly, ethically, and reliably while reducing its legal exposure.

    The environment sets the stage for the other elements of your internal control system. It describes the organization’s culture and ethics, the management’s philosophy and commitment to internal control policies, and the direction provided by the board of directors. It also incorporates all these elements:

    • Employees’ competence and ethical values
    • Management’s operating style
    • Assignment of authority and responsibility
    • People development processes
  2. Risk Assessment

    Regular risk assessments (say, once a year) allow the organization to identify risks and implement plans for risk elimination or mitigation. This step involves assessing each risk’s possible impact and likelihood to minimize the potential for damage or losses. Such evaluations can help you understand how risks relate to business objectives and implement appropriate controls against them.

  3. Control Activities

    Control activities are the policies and procedures to carry out proper risk responses and management directives. These controls help the organization achieve its business objectives while keeping risks low. They can occur at all levels and in all functions.

    Examples of control activities include:

    • Segregation of duties
    • Transaction verifications and reviews
    • Reviews of operating performance
    • Inventory counts
    • Employee training sessions
    • Physical and digital security
    • Data backups
  4. Information and Communication

    Effective communication is a vital element of the internal control framework because it helps to assure that the right controls are in place and working as expected. It’s vital to share risk information throughout the organization in a timely manner, and in a form that people can understand and use to take action.

  5. Monitoring

    Internal or external auditors must regularly monitor all internal controls to evaluate the control system’s performance and effectiveness and to assure that controls are followed throughout the organization. Regular spot checks can help you identify control gaps and fix them before they can harm the organization.

How to Monitor Internal Controls

You should monitor internal controls during the course of operations. Internal control monitoring can be in the form of ongoing monitoring activities, separate evaluations, or both. Outside auditors can also monitor controls and report the audit results to senior management or the board of directors.

Streamline Your Internal Control System with Reciprocity ZenRisk

Automating your internal control system and risk management program is one of the best ways to assure that they operate effectively and deliver the desired results. To do the job, try using a software tool such as Reciprocity ZenRisk.

ZenRisk is an integrated cybersecurity risk management solution for fast and efficient risk assessments and reliable risk monitoring. The software provides actionable insights in the context of your business processes so you can effectively identify, assess, and mitigate IT and cyber risk.

ZenRisk offers a guided setup process so you can select from a range of pre-built content to effectively assess risk and eliminate uncertainty. You also get built-in scoring methodologies, inherent risk scores, and automated workflows so you can stay ahead of threats and take optimal risk-based decisions for your organization.

Schedule a demo to see how ZenRisk can deliver tangible value to your organization’s internal control system.

Automating GRC: The Next Frontier
in Risk Management