A system of internal controls is a set of policies and procedures that an organization can use to provide reasonable assurance that the organization achieves its objectives and goals. Generally, these controls include segregation of duties, limiting access to cash or sensitive data, management reviews and approval, and reconciliations.

A company’s internal audit function assesses the effectiveness of its internal control system through internal audits. The board’s audit committee assesses whether the controls are appropriately designed, implemented, and working as intended. Typically the ultimate objective of an internal audit is to prepare for an external audit.

External auditors have an independent perspective when evaluating an organization’s control environment and control processes. The auditor’s report states an opinion about the strength of internal controls and makes recommendations for improving any substandard controls. The organization should then resolve the findings and implement corrective actions within a timely manner.

Effective internal controls and periodic auditing are crucial to verify the reliability of financial reporting and confirm compliance with laws and regulations. In addition, organizations can leverage a robust system of internal controls to improve operational efficiency and reinforce ethical values.

What Are Internal Controls?

The auditing profession generally uses the Committee of Sponsoring Organizations (COSO) framework known as the Internal Control-Integrated Framework (COSO framework) to provide a definition of internal control.

According to the COSO internal controls framework, the internal control system is driven by an organization’s board of directors and senior management, designed to provide reasonable assurance for the achievement of objectives in:

  • Effectiveness and efficiency of operations;
  • Reliability of financial reporting;
  • Compliance with applicable laws and regulations.

For example, internal control and compliance audits for financial services firms can determine whether those firms are complying with the regulatory requirements of various laws and agencies, such as the Bank Secrecy Act.

Why Are Internal Controls Important?

Internal controls are important to preventing and mitigating risk events. They protect your company’s ability to maintain operations should an event occur. There are three kinds of internal controls: preventive controls, detective controls, and corrective controls.

Preventive internal controls are ideal because they stop errors and problems from happening in the first place. Segregation of duties reduces fraud risk by assuring that no single person has too much power in an organization. Many applications have preventative controls built into forms, such as only allowing numeric values in a field for phone numbers.

Detective controls identify errors and problems after those issues have occurred but before they have caused severe damage. Internal audits, reviews, reconciliations, financial reporting, financial statements, and physical inventory counts are all examples of detective controls.

Corrective controls are implemented to fix problems found by detective controls. Potential corrective actions include employee discipline, software patches, updated policies, and new preventative controls. A short-term corrective action may resolve the immediate issue, and then another long-term corrective action may be put in place to avoid future occurrences.

five components of internal controls in auditing

What Are the Five Components of Internal Control?

As described in the COSO framework, an internal controls system consists of five components.

Control Environment

The board of directors and top management build the culture and set the tone from the top for the company, which other employees are then expected to follow. The control environment is vital because it supports the other components of internal control.

Risk Assessment

Periodic risk assessments identify and analyze relevant risks that affect an organization’s ability to achieve its goals and objectives. The assessment’s results form the basis for determining where internal controls must be prioritized and implemented.

Information and Communication

Systems and processes must effectively support identifying, capturing, and exchanging information in a manner and time horizon that enables people to do their jobs. If information does not flow smoothly, employees may try to avert internal controls to simplify workflows.

Control Activities

These are policies and procedures enforced to assure management’s directives are carried out.


Continuous monitoring and audits verify that internal controls are performing as expected over time.

What Are the Limitations of Internal Controls?

When implementing internal controls, keep in mind some limitations that can undermine the effectiveness of internal controls.


Segregation of duties is one of the most common internal controls that businesses use, so that no single employee has enough power to commit fraud. Employees can, however, get past this by collaborating together in an elaborate process to disguise their fraud.

Human Error

Human error can be another disadvantage of internal controls, especially when relying on manual processes and judgment calls. For example, mistakes can be made during manual inventory counts, and poor judgment could skew internal audit results. Wherever possible, automated systems should be employed to drive consistency and reduce human error.

For example, scales can be used in stockrooms to verify inventory counts. Automated systems can help perform reconciliations among accounting and financial records. Solid auditing processes, along with management oversight, will support rigorous internal auditing standards.

Unforeseen Circumstances

Internal controls rely on a company’s management anticipating all potential hazards and implementing mechanisms to prevent or mitigate them. Still, management cannot anticipate all potential challenges or events. Random variables or occurrences are prone to render internal controls ineffective.

Moreover, attempting to control unusual conditions can be costly, and a management team may instead choose to accept the risk. As a result, internal controls may be limited in their use under certain circumstances.

How Do Auditors Assess Internal Controls?

Internal and external auditors periodically examine the structure and performance of accounting controls and control activities related to other business processes, depending on the type of audit. Audits also vary based on the organization’s size, complexity, and nature of its business.

To evaluate an organization’s components of internal controls, the auditor uses various techniques to verify compliance with the respective framework.


The auditor reviews transactions and reports to assure that all requirements are fulfilled.


The auditor watches personnel to assure that employees carry out their duties following the applicable control procedures and policies.


The auditor will validate that financial reporting and account balances match internal financial statements, to assess the risk of material misstatements. Auditors will evaluate control activities linked to the fraud risk and security controls over journal entries, such as odd transactions, distribution of money, or modifications.


In some cases, an auditor will re-calculate figures to verify accuracy and cross-check the business’s financial information.


When examining business processes, an auditor will “re-perform” that process according to its proper steps, to assure that results are genuine and repeatable.

Improve Your Internal Controls with ZenComply

Managing internal controls is a necessary but arduous duty. Keeping track of risk assessments, procedures, metrics, audit records, and communication can be overwhelming.

Small companies may begin by managing their controls with spreadsheets, but this becomes unrealistic as their business grows and internal and external stakeholders increase. Companies need a scalable solution to help them adapt as their business changes.

Reciprocity ZenComply streamlines evidence and audit management for all of your quality and compliance frameworks. In addition, the risk assessment modules in ZenComply can provide substantial insight into where your documentation is lacking, allowing you to take prompt action to acquire the necessary evidence.

It is a single source of truth that ensures your organization is always audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.

Schedule a demo now to discover how we help companies simplify, automate, and strengthen internal controls – The Zen way!

Improve How You Manage
Internal Controls