Internal Controls

You may have heard the term "internal control(s)," but what exactly is it? Evaluating internal controls is one of internal auditing's primary responsibilities.

The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

The control environment is the attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:

  • Integrity and ethical values
  • Management’s philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and procedures
  • Competence of personnel

Control processes are the policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

A broadly accepted definition of internal control comes from a report released in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹ entitled Internal Control-Integrated Framework (COSO Report), as follows:

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

This may sound technical, so what does it mean in plain terms? Let's think of how each of us has developed what we can call our own "personal internal control system." Consider the following:

When you came to work today, did you lock the doors to your house? If you did, that’s your own “internal control” to safeguard the assets you own.

Do you keep the PIN for your ATM card in a safe place (i.e., away from the card itself)? If you do, that’s an internal control the bank recommends to protect your funds from theft.

Do you reconcile your bank statements each month? (You really should, you know.) If you do, then you are verifying the accuracy of the transactions recorded on the account statement.

Do you plan the shortest possible route to complete errands? If you do, then you are promoting operational efficiency.

Do you file annual income tax returns? If you do, then you are in compliance with federal and state tax regulations.

Key points about internal control include:

  • It is a process.
  • It is achieved by people.
  • It can only provide reasonable assurance.
  • It is geared to the achievement of objectives.
  • It is adaptable to the entity structure (the entire entity or a particular subsidiary, division, operating unit, or business process).

In the California State University (CSU) environment, internal controls serve the following purposes:

  • Protect the University's Assets
  • Ensure Records Are Accurate
  • Promote Operational Effectiveness and Efficiency
  • Encourage Adherence to Policies
  • Ensure Compliance with Laws, Regulations, and Contracts

Generally, controls are of two types:

Preventative Controls: Designed to discourage errors or prevent irregularities from occurring. They are proactive controls that help prevent a loss. Examples: Separation of duties, proper authorization, adequate documentation, and physical control over assets.

Detective Controls: Designed to find errors or irregularities after they have occurred. Examples: Reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

The COSO Report further defines five interrelated components of internal control that must be present, functioning, and operating together in order to conclude that internal control relating to an operation’s objectives is effective:

  • Control Environment - This sets the tone of the organization and is the foundation for carrying out internal controls across the organization.
  • Risk Assessment - Management establishes activity-level objectives and mechanisms for identifying and analyzing risks related to their achievement.
  • Control Activities - Policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out.
  • Information and Communication - Information identified, captured, and communicated in a form and timeframe to enable people to carry out their responsibilities.
  • Monitoring - Ongoing monitoring activities, separate evaluations or a combination of the two used to ascertain whether each of the five components of internal control is present and functioning.

In May 2013, COSO released an updated version of its Internal Control-Integrated Framework (the Framework). The 1992 COSO Report conceptually introduced 17 principles associated with the five components of internal control, which enable effective operation of the five components and of the overall system of internal control, but these principles were only implicit in the narrative. The 2013 Framework explicitly articulates the 17 principles, grouped by component, as follows:

Control Environment
  • Demonstrates commitment to integrity and ethical values
  • Exercises oversight responsibility
  • Establishes structure, authority, and responsibility
  • Demonstrates a commitment to competence
  • Enforces accountability
Risk Assessment
  • Specifies suitable objectives
  • Identifies and analyzes risk
  • Assesses fraud risk
  • Identifies and analyzes significant change
Control Activities
  • Selects and develops control activities that contribute to the mitigation of risks
  • Selects and develops general controls over technology
  • Deploys control activities through policies and procedures
Information and Communication
  • Uses relevant, quality information
  • Communicates internally
  • Communicates externally
Monitoring Activities
  • Conducts ongoing and/or separate evaluations
  • Evaluates and communicates deficiencies

Who is responsible for internal controls?

The auditors, right? Wrong! Everyone plays a part in the CSU's internal control system. Ultimately, it is CSU management's responsibility to ensure that controls are in place. That responsibility is delegated to each area of operation, which must ensure that internal controls are established, properly documented, and maintained. Every employee has some responsibility for making this internal control system function. Therefore, all CSU employees need to be aware of the concept and purpose of internal controls. Internal audit's role is to assist management in its oversight and operating responsibilities through independent audits and consultations designed to evaluate and promote the systems of internal control.

What is internal auditing?

The IIA defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The internal audit activity evaluates the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. Internal audit reviews include the reliability and integrity of financial and operational information, effectiveness and efficiency of operations and programs, safeguarding of assets, and compliance with laws, regulations, policies, procedures, and contracts. These reviews also ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization, as well as the extent to which results are consistent with established goals and objectives and whether operations and programs are being implemented or performed as intended.

¹ COSO is a voluntary private sector organization dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence.