Internal Control Review vs. Audit

Published October 20, 2020

An internal control review is an overall assessment of your internal control system throughout all your business units to determine if it’s working as intended and if it can manage the risks your company might face on a daily basis. The term can also refer to the review of a small subset of controls, such as those around a specific process or processes.

An internal audit is an independent, objective assurance and consulting activity that aims to help organizations accomplish their goals by evaluating and improving the effectiveness of control, risk management, and governance processes, according to the Institute of Internal Auditors (IIA).

What Is an Internal Control Review?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines “internal control” as a process used by a company’s board of directors, management, and other employees, to provide reasonable assurance regarding the achievement of the organization’s objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

An internal control review assures your company’s management that its internal control environment is effective. Internal controls protect your company from financial loss, help maintain reliable financial reporting, and enable your organization to operate more efficiently and securely.

The best way for you to make certain that your internal control system is operating efficiently is with an internal control review. Monitoring and assessing internal controls across various functions is done through continuous evaluations to ensure your internal control system is as effective as it should be. This assessment makes it easier to identify internal control weaknesses so you can correct them.

An internal control review typically tests whether your internal controls are working as designed (design testing) or are operating effectively. Evaluating internal controls involves:

  • Identifying your organization’s internal control objectives
  • Evaluating the relevant policies and procedures and the documentation standards for each of them
  • Discussing the internal controls with management and staff
  • Observing the control environment
  • Comparing documentation of the control with your expectations and with observed design
  • Evaluating whether the control achieves its intended objectives
  • Testing transactions as necessary, if you’re reviewing operating effectiveness, or, for design testing, testing one transaction through the end-to-end process, often called “walkthrough testing”
  • Sharing findings, concerns, and recommendations with the board of directors and/or senior management
  • Determining that your company has taken timely corrective action on the weaknesses that have been identified

Your internal control review analyst conducts an internal control review to find out if there are any internal control weaknesses in your internal control system. The analyst offers recommendations to help you strengthen your internal controls.

Effective internal controls are your organization’s first line of defense to prevent and detect errors, protect your assets, and mitigate risk. Internal controls let you proactively evaluate and monitor your processes to eliminate weaknesses in a timely manner.

According to the COSO framework, the five components of internal control are:

  • Control environment: This is the set of standards, processes, and structures that provide the basis for carrying out internal control across your organization. Your board of directors and senior management establish the tone regarding the importance of internal control, including your organization’s expected standards of conduct. Management reinforces its expectations regarding internal controls at the various levels of your company.
  • Risk assessment: This includes identifying and analyzing your company’s risks, and it forms the basis for how risks should be managed. Risk is defined as the possibility that an event will happen and negatively affect your company’s ability to achieve its objectives.
  • Control activities: These are the actions, established by policies and procedures, that help ensure management’s directives to mitigate the risks that hinder your company’s ability to achieve its objectives are carried out. Control activities are performed at all levels of your organization, at various stages within your business processes, and over the technology environment.
  • Information and communication: This involves identifying, capturing, and exchanging information, including accounting information, that allows your employees to do their jobs.
  • Monitoring: This is the set of processes that management uses to examine and assess whether your company’s internal controls are functioning properly.

Benefits of an Internal Control Review

An internal control review encourages compliance with your organization’s internal control policies and procedures. It also enables your company to operate more effectively and efficiently.

Additionally, an internal control review confirms the reliability of controls for financial reporting and compliance with the applicable laws and regulations. An internal control review also detects and prevents errors and irregularities in a timely manner and provides senior management with a thorough understanding of your company’s internal control procedures.

What Is an Internal Audit?

As defined by the IIA, an internal audit is “an activity that provides independent, objective assurance, and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Auditors who understand their companies’ business cultures, information systems, and processes perform the internal audits to ensure that the internal controls in place adequately mitigate any potential risk. Internal auditors are often employees of their organizations, while external auditors work for outside audit firms. 

Internal auditors ensure that their companies have controls in place to comply with the applicable laws and regulations. They also help their organizations maintain timely and accurate financial reporting and data collection by evaluating whether management is doing so adequately.

Internal auditors generally focus on a process, gathering information from various departments, performing fieldwork testing, following up with employees if they uncover any issues, and preparing an official audit report. The auditors review the report with your company’s leaders, then follow up with management and your board’s audit committee to check that the organization has implemented the recommendations outlined in the report.

The internal audit report provides the tools the business needs to operate more efficiently by uncovering problems and ensuring that those issues are corrected before the external auditors find them.

Your company may also have an audit committee that oversees the internal audit function on behalf of the board of directors. The audit committee will ensure that your internal auditors operate independently from the business and that management supports them.

Benefits of an Internal Audit

Your internal auditor’s main job is to evaluate the behaviors, actions, and results of management regarding governance, risk management, and compliance (GRC), and to report the findings to the audit committee of the board of directors. The aim is to provide “reasonable assurance” that GRC tasks are being performed as they should.

Understanding your internal controls helps your internal auditor assess the risks of material misstatement, which then helps in designing and implementing audit responses that are tailored to those assessed risks. Without a proper understanding of your internal controls, your auditor may not identify the risks associated with your internal controls and as such may not design and implement the appropriate responses.

Internal audits also identify redundancies in your business practices and procedures, as well as your governance processes. The auditors recommend how to streamline these practices and procedures, saving you time and money.

In addition, internal audits examine your cybersecurity environment, look for vulnerabilities in your digital systems and networks, and recommend how to close any gaps. Internal audits analyze and scrutinize the processes, people, and tools that support your financial statements and results, verifying their integrity and accuracy.

Internal audits also consider all the identified risks to your company and evaluate whether your risk mitigation procedures work as expected. If they aren’t working properly, the audit reports will tell you what you need to do to resolve any problems.

Additionally, internal audits check the regulations, laws, and industry standards that your company must comply with, and determine whether your organization is complying with them. Quality software such as ZenGRC can perform these audits for you, as often as you’d like. If there are any issues, your internal auditors will recommend how to correct them.

Internal Control Review vs. Internal Audit

An internal audit is a frequent or ongoing audit conducted by your company’s employees. The internal auditor mainly monitors operational results, verifies financial records, evaluates internal controls, and helps improve the efficiency and effectiveness of your operations. 

Internal auditors operate objectively, i.e., they try as much as possible to reduce or eliminate bias and prejudice, or they conduct a subjective evaluation by relying on data that they can verify. 

An internal control review examines the adequacy and effectiveness of your internal control processes and makes recommendations if the processes need to be improved.

Since an internal audit should be independent and objective, it isn’t responsible for developing or maintaining internal controls. It’s up to management to implement the policies adopted by the board of directors or the chief executive officer and to identify, evaluate, prevent or mitigate, and control the risks your company could face in achieving its objectives. 

However, the review process performed by an internal audit and the recommendations made for improvement enhance the effectiveness of internal control.

Internal control is a business process. An internal control system is an integral part of the financial and business policies that control your company’s strategic, financial, and operational procedures. The process is based on a system of management information, financial regulations, and administrative procedures, as well as a system of accountability.

Internal control and risk management represent critical business disciplines that call for your company to identify all the risks it faces, decide which risks it needs to actively manage, and implement a plan of action, i.e., controls to mitigate the risk.

Some experts say that a company could live without an internal audit but couldn’t survive long without effective internal controls. Still, an internal audit and an internal control review add value and improve your organization’s operations, although in different ways.
