Internal Controls in a Company

Internal control is a process implemented by an entity's board of directors, management, and other personnel to provide reasonable assurance that the organisation will meet its operational, reporting, and compliance objectives.

This includes the integration of various things such as activities, plans, attitudes, policies, and the efforts of an organization's people working together.

Need for internal controls

The management needs to establish a strong internal control framework. Internal control is another aspect of financial management and financial statement auditing that requires a high degree of professional judgment.

Management establishes internal controls for three key reasons:

  • Reliable financial reporting
  • Efficient and effective operations
  • Compliance with rules and regulations

In establishing internal controls, management has to commit money, human resources, and technology. More the policy and procedures the greater the resources required to establish and implement an internal control framework in a company. Since the management cannot eliminate nor ignore internal control risk, they will undertake a cost/benefit analysis that helps them establish appropriate internal controls.

Characteristics of a good internal control system

A good internal control system should:

  • Report reliably so that it helps in making the right decisions
  • Safeguard the company’s assets from theft and accidents
  • Prevent waste and inefficiency
  • Detect and prevent fraud

Process for establishing internal controls

First, the management has to identify and list the main risks in the business. Then they can come up with mechanisms to prevent these identified risks.

For instance, let us take sales and collection as an identified risk in a hotel. Firstly, all sales must be recorded. How does the management ensure this happens? They can put in place a system to reconcile the sales to the reservations. They can also include a daily reconciliation of sales to the occupied rooms. A camera monitoring the front desk and a supervisory manager who checks the sales details are other valuable additions to establish internal control.

Internal controls are required in the restaurant where food and wine are served and cash is used for payments. Inventory management and control are also important. A manager can check invoices, void transactions, and daily inventory checks of the wine and liquor. Numbered order slips help account for all sales during each shift. These controls will help ensure the accuracy and completeness of sales and catch any fraud quickly.

Who establishes internal controls?

It is up to the company, not the auditor, to implement internal controls. Auditors provide reasonable assurance that the reported numbers are correct. A solid internal control system is built on trustworthy employees. If the systems are untrustworthy and inaccurate data is recorded, the entire decision-making and financial reporting process is called into question.

The control environment encompasses actions, policies, and procedures that are adopted by senior management and reflect its overall attitude. A corrupt control environment at Enron, Tyco and WorldCom led to their downfall. Employees in these firms were doing their designated roles well, but the top management was overriding internal controls, with an attitude that disregarded ethics and corporate policy.

Role of auditors

Auditors learn about internal controls though they do not plan to rely on them for information. Audit risk, or the danger that the auditor would be uninformed or develop an incorrect view, is determined by inherent business risk (IR), control risk (CR) - caused by inadequate internal controls - and detection risk (DR).

Audit risk = f(IR, CR, DR)

To understand internal controls, auditors can use different methods. The first one is using a narrative description of the process. In the second method, we can use a flowchart that shows the sequential process flow in the transaction cycle. An internal control questionnaire can also be used by the auditor to understand the processes and checks and balances in place.

Auditors use and maintain flowcharts and questionnaires as reference documents when they audit every year. Auditors may choose to see a few internal controls in action, to verify if the internal controls are actually working and not just present on paper. Auditors check if internal controls are functional for the different processes in the transactional cycle. Key controls are identified on the basis that they match audit goals.

Controls can be manual, computer-assisted or automatic. Manual processes have more risk of human error than the other two. Computer controls are far more reliable and require retesting only if the system software is changed.

Testing internal controls

While testing internal controls, auditors can again choose different ways. One method is an enquiry of client personnel. Inspecting internal control documents is another way to check the translation trail. In doing so, we are checking if the internal controls are in play with each transaction procedure. Thirdly, auditors may watch the internal control process in action. Computer controls are tested using test data, in which dummy data is fed into the computer and see if it processes the data as per the internal control framework.

How much testing is required is based on the auditor's assessment of control risk. The lower the assessment, the greater the reliance on control risk and therefore higher the testing to support this reliance. These results are put in the audit risk formula. If the test supports the evidence, the auditor can continue with the audit plan else they have to revisit the audit approach.

Filling the control gap

The control gap could be filled with an alternative control. If such an alternative does not exist then documentation of the control gap is undertaken. The impact of this gap in financial reporting is also documented in a control matrix. These lapses in the internal control systems are communicated to the audit committee and the management so that improvements can be made.

Approaches used by auditors

Auditors could be using a substantive or a combined approach. Both require an understanding of the internal controls environment and internal controls that enable an assessment of control risk. This is done on an overall basis and on a transactional basis.

In the combined approach, after understanding internal controls, auditors assess the control reliance, test them and reassess them to perform substantive tests. In the substantive approach, auditors understand and assess internal controls and then perform substantive tests.


Effective and efficient internal controls help the business meet its business objectives, reduce the risk of fraud and accidents, increase accountability, improve business performance, reduce audit fees, and increase the health of the business due to better monitoring of processes.