Internal Controls

The role of internal auditors, as defined by the Institute of Internal Auditors (IIA), is to provide independent assurance that an organization's risk management, governance, and internal control processes are operating effectively. 

Management is responsible for establishing and maintaining the control environment.  Auditors play a role in a system of internal controls by performing evaluations and making recommendations to improve controls. 

Every employee plays a role in either strengthening or weakening the Institution's internal control system; therefore, the entire organization is responsible for being aware of the concepts and purpose of internal controls.

The following Internal Controls Definition, Objectives, Concepts, Components, and Limitations are taken from the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control - Integrated Framework.

Definition of Internal Controls

Internal Control is defined as a process, effected by an entity’s governing board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Internal control is:

  • A process consisting of ongoing tasks and activities - a means to an end, not an end in itself.
  • Effected by people - not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control.
  • Able to provide reasonable assurance - but not absolute assurance, to an entity’s senior management and governing board.
  • Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.

Objectives of Internal Controls

The COSO Internal Control Framework provides three categories of objectives, which allow organizations to focus on differing aspects of internal control:

  • Operations Objectives – Pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss;
  • Reporting Objectives – Pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency or other terms as set forth by regulators, recognized standard setters, or the entity’s policies;
  • Compliance Objectives – Pertain to adherence to laws and regulations to which the entity is subject.

Components of Internal Controls

The five integrated components of internal control are the:

  1. Control Environment – Set of standards, processes, and structures that provide the basis for carrying out internal control across the organization, which includes the elements of integrity and ethical values, management philosophy and operating style, organizational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel.
  2. Risk Assessment – A dynamic and iterative process for identifying and assessing risks to the achievement of objectives, forming the basis for determining how risks will be managed.
  3. Control Activities – Actions established through policies and procedures that help ensure management’s directives are carried out to mitigate risks. They may be preventive or detective in nature and may encompass a range of manual and automated activities.
  4. Information and Communication – Information is necessary for the entity to carry out internal control responsibilities and to support the achievement of its objectives. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. It may be internal, by which information is disseminated throughout the organization, or external, enabling inbound communication of external information.
  5. Monitoring Activities – Ongoing evaluations, separate evaluations, or a combination of the two, to ascertain whether each of the five components of internal control is present and functioning.

Principles of Internal Control Components

There are seventeen principles representing the fundamental concepts associated with each internal control concept:

Control Environment

  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The governing board demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. The organization identifies the risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

  1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  2. The organization selects and develops general control activities over technology to support the achievement of objectives.
  3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

  1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
  2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  3. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

  1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the governing board, as appropriate.

Relationship of Objectives and Components

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and the organizational structure of the entity (the operating units, legal entities, and other).  The relationship can be depicted in the form of a cube. 

  • The three categories of objectives - operations, reporting, and compliance - are represented by the columns.
  • The five components are represented by the rows.
  • An entity's organizational structure is represented by the third dimension.

[Figure: the COSO cube, with organizational structure represented by the third dimension. From the Committee of Sponsoring Organizations of the Treadway Commission (COSO).]

Internal Control Limitations

Internal control provides reasonable assurance of achieving the entity’s objectives.  Even an effective system of internal control can experience a failure.  Limitations of internal control may result from the:

  • Reality that human judgment in decision-making can be faulty and subject to bias.
  • Breakdowns that can occur because of human failures such as simple errors.
  • Suitability of objectives established as a precondition to the control.
  • Ability of management to override internal control.
  • Ability of management, other personnel, and/or third parties to circumvent controls through collusion.
  • External events beyond the organization’s control.

Internal Controls - Myth vs. Fact

Myth: Internal controls result from a strong set of policies and procedures.

Fact:  Internal controls are based on a strong control environment and solid business practices.


Myth: Internal controls?  That's why we have internal auditors.

Fact:  Management and departmental personnel are the owners of internal controls.


Myth: Internal controls are all about finance and accounting.

Fact:  Internal controls are integral to every aspect of business.


Myth: Internal controls take time away from our core activities and responsibilities.

Fact:  Internal controls should be built into, not onto, business processes.


Myth: Strong internal controls will ensure errors and irregularities will always be detected.

Fact:  Only reasonable assurance - not absolute - can be attained by implementing internal controls in preventing, detecting, and mitigating risks to the Institution and its objectives.


Content Updated March 2021