Navigating the basics of internal controls (2024)

Whether you are diving into the world of internal controls for the first time or you’re a seasoned professional seeking a refresher, understanding the basics of internal controls is crucial in maintaining integrity and compliance within your organization. 

Learn more by tuning into our on-demand webinar to hear directly from Baker Tilly’s risk advisory specialists as they explain the essential components of internal controls, define its role in risk management and compliance and discuss how to establish robust processes to safeguard an organization’s operations. 

What is risk?

First, understanding risk is critical to understanding internal controls. Risk can be defined in a few different ways:

  • The possibility of an event occurring that will impact the achievement of an organization’s mission and objectives
  • Possible events that could cause harm or loss
  • The possibility of an undesirable action taking place

Simply stated, risk is what can go wrong (or, alternatively, what needs to go right).

Risk is typically measured in terms of potential impact to an organization and the likelihood that an adverse event will occur. Once risks are identified and ranked, organizations can then identify and implement controls to address these risks, beginning with those that are both highly likely to occur and would have a significant impact on the organization.

What is internal control?

Internal control is a process designed to manage risk and provide reasonable assurance that the organization will achieve its operational, reporting and compliance objectives. Internal control is defined broadly to allow flexibility in its application, so it can be applied to organizations of different sizes, industries and geographies.

Five components of internal control

The Committee of Sponsoring Organizations (COSO) is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. In 2013, it issued the current version of its Internal Control – Integrated Framework, the most widely used internal control framework for U.S.-based companies.

This framework outlines five components of internal control:

  • The control environment is the collection of an organization’s structure, processes, policies and standards that set the tone regarding the importance of internal controls across the organization.
  • The risk assessment is a dynamic and iterative process for identifying and assessing risks to achieving an organization’s objectives and measuring their potential impact and likelihood so that risk can be managed effectively.
  • Control activities are components of a process designed to mitigate risks to the achievement of an organization’s objectives.
  • Information and communication refer to how internal control information is disseminated internally or externally.
  • Monitoring activities include ongoing evaluations to determine whether each of the five control components is present and functioning.

When assessing internal control, we seek to understand whether each of the five components is designed and operating effectively in an integrated manner.

Types of control activities

Controls are components of a larger process and can be grouped into three categories based on when they occur.

  • Preventive controls are front-end controls designed to keep errors and irregularities from occurring.
  • Detective controls are back-end controls designed to identify errors or irregularities after they have occurred.
  • Corrective controls are also back-end controls and help limit exposure or errors once a risk has materialized.

Controls can also be categorized by how they are executed.

  • Manual controls are executed by a human outside of a system.
  • Information Technology (IT)-dependent controls rely on a human using a system. Such controls often use information produced by a system but require manual intervention to handle exceptions.
  • Automated controls (also called application controls) are executed by a system.
  • Automated controls with manual IT-dependent components

Manual and IT-dependent controls are most effective when judgment and discretion are needed. However, manual controls are susceptible to override, misinterpretation, error or complete bypass. Unlike manual controls, automated controls do not require user intervention for the activity to occur. Automated controls tend to be most suitable for recurring or high-volume transactions and for situations where errors can be anticipated, predicted, prevented or detected by control parameters that can be automated.

Documenting risks and controls

Answering the following questions can help an organization to design and document strong controls:

  • Who (which individual) or what (which system) performs the control?
  • What is the action being performed?
  • When or at what point in the process does the action occur and how often does it occur?
  • Why is the action being performed?
  • Where is the action being performed?

To provide a record of the controls designed to mitigate operational, financial and IT risks within a process, an organization’s risks and controls can be documented in a risk and control matrix (RCM). A simple RCM might be documented in a spreadsheet, including a list of risks in one column and the corresponding controls in another. More sophisticated RCMs may be in a spreadsheet or embedded in a GRC tool, and document:

  • The objective of each process
  • The potential likelihood and impact of each risk
  • The type of each control (e.g., whether the control is preventive, detective, corrective)
  • The frequency at which each control occurs
  • Control assertions (i.e., whether the control supports the existence, completeness, valuation, rights and obligations and/or understandability of financial records)
  • Indication of whether the activity is a key control (e.g., primary controls vs. secondary or backup controls)
  • The control owner
  • A conclusion on the design of the control (i.e., whether the control was designed to meet its intended objectives)

An RCM can be used to support audit procedures: it helps determine whether key controls are designed to mitigate each risk, and it identifies which controls should be evaluated to confirm that all risks to the process are appropriately covered and that the controls are operating as intended.
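As an added illustration (not from the article or from Baker Tilly), the RCM columns listed above modelled in Python, with the two checks a reviewer would run over such a matrix: ranking risks by likelihood and impact, and flagging risks that have no effectively designed key control. The procurement card rows and the 1-to-5 likelihood and impact scales are constructed sample values, not the article's table.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    description: str
    kind: str          # preventive, detective or corrective (see "Types of control activities")
    execution: str     # manual, it-dependent or automated
    frequency: str     # how often the control occurs
    owner: str         # the control owner
    key: bool = False  # primary (key) control vs. secondary/backup control
    design_ok: bool = False  # design conclusion: does the control meet its objective?

@dataclass
class Risk:
    objective: str     # the process objective the risk threatens
    description: str
    likelihood: int    # 1 (rare) to 5 (almost certain); constructed scale
    impact: int        # 1 (negligible) to 5 (severe); constructed scale
    controls: list = field(default_factory=list)

    def score(self) -> int:
        return self.likelihood * self.impact

def prioritize(rcm):
    """Rank risks highest likelihood x impact first, as the article recommends."""
    return sorted(rcm, key=lambda r: r.score(), reverse=True)

def uncovered(rcm):
    """Risks lacking a key control that was concluded to be designed effectively."""
    return [r for r in rcm if not any(c.key and c.design_ok for c in r.controls)]

# Constructed sample RCM for a procurement card process (illustrative values only).
SAMPLE_RCM = [
    Risk("Only approved purchases are made", "Card used for personal spend", 4, 3, [
        Control("Manager reviews monthly card statement", "detective",
                "it-dependent", "monthly", "Department manager", key=True, design_ok=True),
        Control("Issuer enforces per-card spending limit", "preventive",
                "automated", "per transaction", "AP lead", key=False, design_ok=True)]),
    Risk("All card transactions are recorded", "Receipts not submitted", 3, 2, [
        Control("Cardholder attaches receipts to statement", "detective",
                "manual", "monthly", "Cardholder", key=True, design_ok=False)]),
    Risk("Cards are cancelled on termination", "Former employee keeps an active card", 2, 5),
]
```

In the sample, `uncovered(SAMPLE_RCM)` returns the receipts risk (its only key control failed the design conclusion) and the termination risk (no control at all), which are the rows an auditor would raise first.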

Example of a simple RCM

The below table provides an example of a risk and related controls pertaining to procurement card processes.
