Article
Navigating the basics of internal controls
Whether you are diving into the world of internal controls for the first time or you’re a seasoned professional seeking a refresher, understanding the basics of internal controls is crucial in maintaining integrity and compliance within your organization.
Learn more by tuning into our on-demand webinar to hear directly from Baker Tilly’s risk advisory specialists as they explain the essential components of internal controls, define its role in risk management and compliance and discuss how to establish robust processes to safeguard an organization’s operations.
What is risk?
First understanding risk is critical to understanding internal controls. Risk can be defined in a few different ways:
- The possibility of an event occurring that will impact the achievement of an organization’s mission and objectives
- Possible events that could cause harm or loss
- The possibility of an undesirable action taking place
Simply stated, risk is what can go wrong (or, alternatively, what needs to go right)?
Risk is typically measured in terms of potential impact to an organization and the likelihood that an adverse event will occur. Once risks are identified and ranked, organizations can then identify and implement controls to address these risks, beginning with those that are both highly likely to occur and would have a significant impact on the organization.
What is internal control?
Internal control is a process designed to manage risk and provide reasonable assurance that the organization will achieve its operational, reporting and compliance objectives. Internal controls are defined broadly to allow flexibility in its application and can be broadly applied to organizations of different size, industry and geography.
Five components of internal control
The Committee of Sponsoring Organizations (COSO) is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. In 2013, it issued the current version of its Internal Control – Integrated Framework, the most widely used internal control framework for U.S.-based companies.
This framework outlines five components of internal control:
- The control environment is a compilation of an organization’s organizational structure, processes, policies and standards that are used to set the tone regarding the importance of internal controls across the organization.
- The risk assessment is a dynamic and iterative process for identifying and assessing risks to achieving an organization’s objectives and measuring their potential impact and likelihood to effectively manage risk.
- Control activities are components of a process designed to mitigate risks to the achievement of an organization’ objectives.
- Information and communication refer to how internal control information is disseminated internally or externally.
- Monitoring activities include ongoing evaluations to determine whether each of the five control components are present and functioning.
When assessing internal control, we seek to understand whether each of the five components are designed and operating effectively in an integrated manner.
Types of control activities
Controls are components of a larger process and can be grouped into three categories based on when they occur.
- Preventive controls are front-end controls designed to keep errors and irregularities from occurring.
- Detective controls are back-end controls designed to identify errors or irregularities after they have occurred.
- Corrective controls are also back-end controls and help limit exposure or errors once a risk has materialized.
Controls can also be categorized by how they are executed.
- Manual controls are executed by a human outside of a system.
- Information Technology (IT) dependent controls rely on a human using a system. Such controls often use information produced by a system but require manual intervention to handle exceptions.
- Automated controls (also called application controls) are executed by a system.
- Automated controls with manual IT dependent components
Manual and IT dependent controls are most effective when judgment and discretion are needed. However, one of the drawbacks of manual controls is the ability to override, misinterpretation, error or a complete bypass. Unlike manual controls, automated controls do not require user intervention for the activity to occur. Automated controls tend to be most suitable for recurring or high-volume transactions and situations where errors can be anticipated, predicted, prevented or detected by control parameters subject to automation.
Documenting risks and controls
Answering the following questions can help an organization to design and document strong controls:
- Who is the individual/what is the system performing the control?
- What is the action being performed?
- When or at what point in the process does the action occur and how often does it occur?
- Why is the action being performed?
- Where is the action being performed?
To provide a record of the controls designed to mitigate operational, financial and IT risks within a process, an organization’s risks and controls can be documented in a risk and control matrix (RCM). A simple RCM might be documented in a spreadsheet, including a list of risks in one column and the corresponding controls in another. More sophisticated RCMs may be in a spreadsheet or embedded in a GRC tool, and document:
- The objective of each process
- The potential likelihood and impact of each risk
- The type of each control (e.g., whether the control is preventive, detective, corrective)
- The frequency at which each control occurs
- Control assertions (i.e., whether the control support the existence, completeness, valuation, rights and obligations and/or understandability of financial records)
- Indication of whether the activity is a key control (e.g., primary controls vs. secondary or back up controls)
- The control owner
- A conclusion on the design of the control (i.e., whether the control was designed to meet its intended objectives)
An RCM can be used to support audit procedures and help determine whether key controls are designed to mitigate each risk and identify which controls should be evaluated to confirm whether all risks to the process are appropriately covered and operating as intended.
Example of a simple RCM
The below table provides an example of a risk and related controls pertaining to procurement card processes.
| Risk | Control description | Type of control |
| Cardholder makes purchases that are not in compliance with the procurement card policy and/or do not have a business purpose. | A procurement card policy exists, clearly outlines the appropriate and inappropriate use of the procurement card and is easily accessible to all cardholders and approvers. | Preventive |
| A cardholder’s transactions are reviewed for reasonableness of purchase and allocation by an approver with visibility into the cardholder’s work and an understanding of the policy. | Detective | |
| If card misuse is observed, the procurement card administrator will issue a warning to the cardholder. If subsequent instances of misuse are observed, the procurement card administrator may suspend or cancel the card. | Corrective |
Five key takeaways
- Risk is the possibility of an undesired outcome.
- The primary purpose of internal controls is to prevent, detect or correct an undesired outcome.
- The COSO Internal Control – Integrated Framework is a widely used framework to help strengthen your overall governance and internal control environment.
- Answering the four W’s (who, what, when and why) can help an organization to design and document strong controls.
- A risk and control matrix (RCM) is a tool to memorialize your organization’s risks and controls.
