What is Internal Control in Auditing?

Published June 25, 2020

In auditing, a system of internal control consists of policies and procedures that aim to provide reasonable assurance that a company achieves its objectives and goals. 

These policies and procedures are called controls, and together they make up a company’s internal control. Generally, these controls include segregation of duties, limiting access to cash or sensitive data, management review and approval, and reconciliations. 

The company’s auditor should measure the effectiveness of its internal control system before starting an internal audit. The auditor assesses whether the controls are properly designed, implemented, and working effectively, and also makes recommendations on how to improve internal control. 

The auditing profession has generally accepted the Committee of Sponsoring Organizations of the Treadway Commission’s report, titled Internal Control – Integrated Framework (the COSO framework), as the standard definition of internal control.

According to the COSO framework, internal control is a process, affected by an organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations. For example, internal control and compliance audits for financial services firms can determine if they’re complying with the regulatory requirements of various laws and agencies, such as the Bank Secrecy Act.

Five components of internal control

Internal control consists of five components:

  1. Control environment: Sets the tone for the company and influences the control consciousness of the employees. The control environment is the foundation for all other components of internal control.
  2. Risk assessment: Identifies and analyzes the relevant risks that affect an organization’s ability to achieve its goals and objectives. This forms the basis for deciding how those risks should be managed.
  3. Information and communication: Systems or processes that support the identification, capture, and exchange of information in a manner and time frame that lets people do their jobs.
  4. Control activities: Policies and procedures to help ensure that management’s directives are carried out.
  5. Monitoring: Processes that assess the quality of internal control performance over time.

At the organizational level, the internal control objectives concern the reliability of financial reporting, timely feedback as to whether the company is achieving its operational or strategic goals, and compliance with laws and regulations. 

At a specific transaction level, internal control refers to the actions a company takes to achieve a specific objective, for example, ensuring that the organization pays vendors only for valid services.

Effective internal control is a built-in part of the management process. It keeps a company moving toward its objectives while minimizing problems along the way.
