Simplifying the Understanding of Internal Controls
I have observed that many organizations still do not understand or properly apply internal controls. Even internal auditors and internal control specialists often have doubts about the concept and practical use of internal controls.
Let’s first define internal control—or more precisely, control activities, as defined by COSO’s Internal Control–Integrated Framework (ICIF):
“Control activities are the actions established through policies and procedures that help ensure management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and across the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews.”
To make this concept more accessible, I define internal control as:
“Actions based on policies and procedures aimed at mitigating the likelihood of a risk factor materializing.”
In my view, internal control activities are only effective if we are managing the likelihood of risk, particularly when the risk factor is of internal origin. Thus, it doesn’t make sense to use internal controls to mitigate the impact of a risk event. At most, what we can have is a monitoring process—which is one component of an internal control system, designed to detect the materialization of such impacts.
Another important point is that a control activity must always be linked to mitigating one or more risk factors.
As we know, no internal control is absolute. Controls can fail, either because they are executed by people, or because they are configured by people. And people can make mistakes, omit steps, or even commit fraud. Therefore, a control failing does not necessarily mean it is ineffective. If it fails within the evaluator’s expected margin, and the residual risk after applying the control remains within the organization’s defined risk appetite, then the control can still be considered adequate.
Now, we are ready to explore the internal structure of control activities and understand what I call their key attributes.
These attributes define the structure and conditions under which a control activity can be considered effective. I break them down into five essential elements:
1. Objective of the Control Activity
This is the reason the control exists. It is directly related to the associated risk factor. In fact, we can say the control’s objective is the “positive view” of the risk factor.
For example: If the risk factor is that a purchase requisition may be issued without approval from the responsible manager, potentially leading to unnecessary purchases, then the objective of the control at the beginning of the procurement process is: “Ensure that all requisitions received are signed by an authorized responsible manager.”
2. Control Action
Every control is an action, more specifically, an action that confirms whether a previously performed task is appropriate. Controls are always decision points, which is why they are represented in process flows as diamonds or gateways.
Control actions may include: reviews, recalculations, verifications, physical confirmations, reconciliations, validations, authorizations, approvals, etc.
Understanding this distinction is crucial for internal control specialists and auditors to differentiate between a control action and an operational task during interviews or walkthroughs. Using the same example as before: The control action to ensure requisitions are properly signed would be a review or verification.
3. Execution of the Control Action
This attribute refers to how the control action is actually carried out. Understanding the execution method is key to evaluating the control’s ability to mitigate the associated risk.
This is also fundamental for performing effectiveness and efficiency tests. For example: When a purchase requisition is received by the company’s email system, the attached PDF is opened and checked for evidence of approval in a designated field. If the approval is missing, the requisition is returned to the requester. If approval is present, it is compared against the company’s approval policy and matrix. If the signatory lacks the appropriate authority, the requisition is returned. If everything is valid, the reviewer sends a confirmation email so the requisition can move forward in the procurement process.
4. Evidence of Execution
This attribute is essential because it is through evidence that we can confirm whether a control was performed. In auditing, a control without evidence is considered nonexistent. In the past, evidence was often physical—signatures, stamps, initials. Today, it may be digital—system logs, email attachments, algorithm executions, checkboxes in system interfaces, etc.
Returning to our example: The evidence of control execution is the confirmation email sent by the reviewer.
5. Frequency of Execution
This attribute refers to how often the control should be executed to be effective. Frequency depends on the nature of the risk factor and the operational activity it is meant to control. Controls may be executed per event (as in the purchase requisition example), or daily, weekly, monthly, and so on.
The important point is that the frequency must align with the level of risk involved and the need for mitigation.
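To make attributes 2 through 5 concrete, here is an added illustration (not code from the article or from COSO) that models the purchase requisition control in Python: the control action is a verification, its execution follows the steps described above (empty approval field, unrecognized signatory, or an amount beyond the signatory's authority all return the requisition; otherwise it is confirmed), every execution leaves a ControlRecord as evidence, and the control runs per event. It also carries an auditor-side check for requisitions that advanced with no evidence, which under the rule stated in this article counts as the control not having existed. The approval matrix, signatory directory, requisition fields, function names and sample requisitions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed approval matrix (the policy the execution is compared against):
# role -> maximum amount that role is authorized to approve.
APPROVAL_MATRIX = {
    "department_manager": 10_000.0,
    "director": 100_000.0,
}

# Constructed directory of people authorized to sign, mapped to their role.
SIGNATORIES = {
    "alice": "department_manager",
    "bob": "director",
}


@dataclass(frozen=True)
class Requisition:
    req_id: str
    amount: float
    approved_by: Optional[str]  # None or "" models an empty approval field


@dataclass(frozen=True)
class ControlRecord:
    """Evidence of execution (attribute 4): one record per reviewed requisition."""
    req_id: str
    outcome: str      # "confirmed" -> may advance; "returned" -> sent back
    reason: str
    reviewer: str
    executed_at: str  # ISO-8601 UTC timestamp


def review_requisition(req: Requisition, reviewer: str,
                       matrix=APPROVAL_MATRIX, signatories=SIGNATORIES) -> ControlRecord:
    """Control action (attribute 2): verify the approval on one requisition.

    Executed per event (attribute 5), i.e. each time a requisition arrives.
    """
    now = datetime.now(timezone.utc).isoformat()

    def record(outcome: str, reason: str) -> ControlRecord:
        return ControlRecord(req.req_id, outcome, reason, reviewer, now)

    # Step 1: is there any approval at all?
    if not req.approved_by:
        return record("returned", "approval field is empty")

    # Step 2: is the signatory someone the approval matrix recognizes?
    role = signatories.get(req.approved_by)
    if role is None or role not in matrix:
        return record("returned", f"signatory {req.approved_by!r} is not an authorized approver")

    # Step 3: does the signatory's authority cover the amount?
    if req.amount > matrix[role]:
        return record("returned",
                      f"{role} may approve up to {matrix[role]:.2f}, requisition is {req.amount:.2f}")

    return record("confirmed", f"approved by {req.approved_by} ({role}) within authority")


def run_control(requisitions, reviewer: str):
    """Apply the control to a batch; returns (ids that may advance, evidence log)."""
    log = [review_requisition(r, reviewer) for r in requisitions]
    advancing = [rec.req_id for rec in log if rec.outcome == "confirmed"]
    return advancing, log


def unevidenced(advanced_ids, log):
    """Auditor's check: requisitions that moved forward without a confirming record.

    A control without evidence is treated as nonexistent, so every id returned
    here is a control failure regardless of what the reviewer reports.
    """
    evidenced = {rec.req_id for rec in log if rec.outcome == "confirmed"}
    return sorted(set(advanced_ids) - evidenced)


# Constructed sample requisitions covering each branch of the control.
SAMPLE = [
    Requisition("REQ-001", 4_500.0, "alice"),   # within department manager limit
    Requisition("REQ-002", 25_000.0, "alice"),  # exceeds department manager limit
    Requisition("REQ-003", 25_000.0, "bob"),    # director has authority
    Requisition("REQ-004", 900.0, None),        # approval field empty
    Requisition("REQ-005", 900.0, "carol"),     # not an authorized approver
]

if __name__ == "__main__":
    advancing, log = run_control(SAMPLE, reviewer="procurement.reviewer")
    for rec in log:
        print(f"{rec.req_id}: {rec.outcome} ({rec.reason})")
    # Simulate an auditor finding a requisition that advanced with no review record.
    print("unevidenced:", unevidenced(advancing + ["REQ-006"], log))
```

The evidence log is what an auditor would sample during a test of effectiveness: the expected outcome for each sample requisition is known in advance, so a record that disagrees with the rule, or a requisition that advanced with no record at all, is a failure to count against the evaluator's tolerated margin.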
Understanding the five attributes of internal control activities is essential—both for designing new controls and evaluating existing ones.
This is where the Internal Control Matrix comes into play. It formalizes these attributes, providing a foundation for internal auditors and specialists to assess the adequacy and effectiveness of controls.
Finally, remember:
A control can only be considered effective if the residual risk (i.e., the remaining risk after applying controls) is aligned with the organization’s risk appetite.
It’s also worth noting that while a single control may be effective, this does not automatically mean that the entire internal control system is effective. The system comprises the combined performance of multiple control activities.
I hope this article helps you better understand what internal control activities are and how they should be structured.
Feel free to share this with your network and leave a comment. Also, don’t forget to check out @TVCrossoverbrazil on YouTube and @Radiocrossoverbrazil on Spotify.
Be happy!
Office Assistant at Hall Booth Smith | Customer Service | Operations Support | Internal Control | Corporate Governance | Former Pension Analyst
3mo
It’s always a pleasure learning about internal controls and risk management with you! 👏👏
Executive Leader in Compliance | Head of Integrity, AML/CTF | Data Protection Programs | Audit | ISO 37301, 31000 & 37001 | Risk Management | Code of Conduct | Ethics | Regulatory Compliance | DPO | Manager | Director
3mo
Thank you for sharing this, Eduardo.