Part 3: Internal Controls (COSO Framework), Segregation of Duties, IT Controls, and Testing Internal Controls
Internal Controls: The Backbone of Reliable Financial Reporting
Imagine you own a grocery store.
At the end of every day, one employee:
- Collects cash from customers.
- Deposits the cash at the bank.
- Records sales in the accounting system.
- Reconciles the bank statement.
- Approves refunds.
Would you feel comfortable with this arrangement?
Probably not.
Why?
Because one person has complete control over the entire process, increasing the risk of mistakes or fraud.
Now imagine a different setup:
- One employee collects cash.
- Another employee deposits the cash.
- A third employee records the transactions.
- A fourth employee reconciles the bank account.
- A manager reviews daily reports.
This arrangement greatly reduces the risk of fraud and errors.
These safeguards are called internal controls.
What Are Internal Controls?
Internal controls are the policies, procedures, and processes that an organization establishes to achieve its objectives, protect its assets, produce reliable financial information, comply with laws and regulations, and operate efficiently.
Simply put:
Internal controls are the rules and safeguards that help an organization prevent errors, detect fraud, protect assets, and ensure accurate financial reporting.
Think of them as the company’s immune system—they help detect and respond to problems before they become serious.
Objectives of Internal Controls
An effective internal control system is designed to achieve four broad objectives:
- Safeguard company assets.
- Ensure reliable financial reporting.
- Promote operational efficiency and effectiveness.
- Ensure compliance with laws, regulations, and company policies.
Example
A company requires two signatures on checks over $10,000. This control helps prevent unauthorized payments and protects company cash.
Why Are Internal Controls Important?
Strong internal controls help organizations:
- Reduce the risk of fraud.
- Prevent accidental errors.
- Improve the accuracy of financial statements.
- Protect cash, inventory, and other assets.
- Promote accountability.
- Enhance operational efficiency.
- Strengthen investor confidence.
- Support compliance with legal and regulatory requirements.
Without effective controls, even a profitable business can experience significant losses due to fraud, theft, or poor financial reporting.
The COSO Internal Control Framework
The most widely recognized framework for designing and evaluating internal controls is the COSO Internal Control—Integrated Framework.
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission.
The COSO Framework provides a structured approach to building and evaluating an effective system of internal control.
Its primary objective is to help organizations achieve:
- Effective operations.
- Reliable financial reporting.
- Compliance with laws and regulations.
The Five Components of COSO
The COSO Framework consists of five integrated components. All five must work together for internal controls to be effective.
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
A helpful memory aid is:
“CRIME”
Control Environment
Risk Assessment
Information & Communication
Monitoring Activities
Execution of Control Activities (or simply remember Control Activities as the operational element)
1. Control Environment
The control environment is the foundation of the entire internal control system.
It reflects the organization’s culture, ethics, and attitude toward integrity and accountability.
Think of it as the “tone at the top.”
If senior management values honesty and ethical behavior, employees are more likely to follow those standards.
Elements of a Strong Control Environment
- Ethical leadership.
- Integrity.
- Independent board oversight.
- Clear organizational structure.
- Competent employees.
- Accountability.
- Human resource policies that support ethical conduct.
Example
A CEO refuses to manipulate financial results to meet earnings targets, even when under pressure from investors. This demonstrates a strong control environment.
2. Risk Assessment
Organizations face risks every day.
Risk assessment is the process of identifying, analyzing, and responding to risks that could prevent the organization from achieving its objectives.
Common Risks
- Fraud.
- Cyberattacks.
- Economic downturns.
- Supply chain disruptions.
- Regulatory changes.
- Natural disasters.
- Human error.
Example
A retail company identifies online payment fraud as a growing risk and implements additional security measures to reduce exposure.
3. Control Activities
Control activities are the specific policies and procedures implemented to address identified risks.
These are the day-to-day controls employees perform.
Examples
- Approvals.
- Authorizations.
- Reconciliations.
- Physical security.
- Segregation of duties.
- System access controls.
- Inventory counts.
- Budget reviews.
These activities help prevent or detect errors and fraud before they become material.
4. Information and Communication
An organization must generate, capture, and communicate accurate information in a timely manner.
Employees need relevant information to perform their responsibilities effectively.
Example
If inventory shortages are identified but never communicated to management, corrective action cannot be taken.
Good communication supports informed decision-making throughout the organization.
5. Monitoring Activities
Internal controls should not remain static.
Organizations must regularly evaluate whether controls continue to operate effectively.
Monitoring can include:
- Internal audits.
- Supervisory reviews.
- Performance dashboards.
- Exception reports.
- Continuous monitoring software.
Example
An internal audit department periodically reviews payroll processes to ensure payroll controls continue to function as intended.
The 17 Principles of COSO
Each COSO component is supported by specific principles, for a total of 17 principles.
A high-level summary is provided below:
Control Environment (5 Principles)
- Demonstrate integrity and ethical values.
- Ensure board independence and oversight.
- Establish organizational structure and authority.
- Employ competent individuals.
- Hold individuals accountable.
Risk Assessment (4 Principles)
- Specify suitable objectives.
- Identify and analyze risks.
- Assess fraud risk.
- Identify significant changes.
Control Activities (3 Principles)
- Select appropriate control activities.
- Implement IT-related controls.
- Establish policies and procedures.
Information & Communication (3 Principles)
- Obtain relevant information.
- Communicate internally.
- Communicate externally.
Monitoring (2 Principles)
- Perform ongoing and separate evaluations.
- Report deficiencies promptly.
These principles provide a practical framework for evaluating whether internal controls are properly designed and operating effectively.
Preventive Controls vs. Detective Controls
Internal controls generally fall into two major categories.
Preventive Controls
Preventive controls are designed to stop errors or fraud before they occur.
Examples include:
- Password requirements.
- Segregation of duties.
- Approval requirements.
- Locked inventory storage.
- Purchase order authorization.
- Access restrictions.
Example
Only authorized managers can approve vendor payments over $25,000.
Detective Controls
Detective controls identify problems after they have occurred.
Examples include:
- Bank reconciliations.
- Inventory counts.
- Internal audits.
- Exception reports.
- Surprise cash counts.
- Variance analysis.
Example
A monthly bank reconciliation identifies an unauthorized withdrawal.
Manual Controls vs. Automated Controls
Manual Controls
Performed by people.
Examples:
- Supervisor approval.
- Physical inventory counts.
- Manual review of invoices.
Automated Controls
Performed by computer systems.
Examples:
- Three-way invoice matching.
- Automatic credit limit checks.
- System-generated exception reports.
- Password expiration policies.
Modern organizations increasingly rely on automated controls because they are generally more consistent and scalable than manual processes.
Segregation of Duties (SoD)
One of the most important concepts in auditing is Segregation of Duties (SoD).
The idea is simple:
No single employee should control an entire transaction from beginning to end.
This reduces the opportunity for fraud and increases the likelihood that errors will be detected.
The Four Key Functions That Should Be Separated
Ideally, different individuals should perform the following functions:
- Authorization.
- Custody of assets.
- Recordkeeping.
- Reconciliation.
Example
A company receives customer payments.
| Function | Employee |
|---|---|
| Receives cash | Cashier |
| Deposits cash | Treasury |
| Records payment | Accounting |
| Reconciles bank statement | Controller |
This separation makes fraud much more difficult.
Example of Poor Segregation of Duties
Suppose Sarah:
- Receives customer payments.
- Records those payments.
- Deposits the money.
- Performs the bank reconciliation.
Sarah could steal cash, alter the accounting records, and conceal the theft without anyone noticing.
This is a significant internal control weakness.
Physical Controls
Physical controls protect company assets from theft or misuse.
Examples include:
- Locked warehouses.
- Security cameras.
- Badge access.
- Safes.
- Alarm systems.
- Inventory cages.
- Biometric authentication.
Authorization Controls
Certain transactions require management approval before they occur.
Examples include:
- Hiring employees.
- Issuing refunds.
- Purchasing expensive equipment.
- Signing contracts.
- Approving journal entries.
Authorization helps ensure transactions are legitimate and consistent with company policy.
Reconciliations
A reconciliation compares two independent sources of information to identify differences.
Examples include:
- Bank reconciliation.
- Inventory reconciliation.
- Accounts receivable reconciliation.
- Accounts payable reconciliation.
- Payroll reconciliation.
Reconciliations are powerful detective controls because they often reveal errors or irregularities.
Information Technology (IT) Controls
Modern businesses rely heavily on technology, making IT controls an essential part of internal control systems.
IT controls are generally divided into two categories.
General IT Controls (GITCs)
These controls support the overall reliability of information systems.
Examples include:
- User access management.
- Password policies.
- Backup and disaster recovery.
- Change management.
- System development controls.
- Network security.
- Patch management.
Example
Only authorized IT administrators can grant access to the accounting system.
Application Controls
Application controls are embedded within specific software applications to ensure data is processed accurately and completely.
Examples include:
- Required data fields.
- Edit checks.
- Automatic calculations.
- Duplicate invoice detection.
- Sequential numbering of invoices.
- Credit limit validations.
Example
An accounting system rejects invoices with duplicate invoice numbers, preventing duplicate payments.
Testing Internal Controls
Auditors do not simply assume controls are working—they test them.
Common methods include:
Inquiry
Ask employees how controls are performed.
Observation
Watch employees perform control procedures.
Inspection
Examine documents, approvals, reconciliations, or reports.
Reperformance
Independently perform the control to verify it works as intended.
Example
The auditor recalculates payroll taxes for a sample of employees to confirm the payroll system is calculating taxes correctly.
Control Deficiencies
When controls fail, auditors evaluate the severity of the issue.
There are three commonly discussed levels:
1. Control Deficiency
A control is missing or not operating effectively, but the risk is relatively limited.
2. Significant Deficiency
The deficiency is important enough to merit the attention of those charged with governance, such as the audit committee.
3. Material Weakness
A material weakness exists when there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis.
Material weaknesses are the most serious type of internal control deficiency and often require disclosure.
Real-World Example
A manufacturing company allows warehouse employees to both maintain inventory records and perform physical inventory counts without independent oversight.
An auditor discovers inventory shortages during testing. Because the same employees both control and record inventory, the risk of theft and concealment is significantly increased.
The auditor recommends:
- Independent inventory counts.
- Segregation of duties.
- Surprise cycle counts.
- Enhanced inventory monitoring.
These improvements strengthen the internal control system and reduce audit risk.
Common Mistakes Students Make
- Believing internal controls eliminate all risk. Controls provide reasonable, not absolute, assurance.
- Confusing preventive controls with detective controls.
- Assuming automated controls never fail. They depend on properly designed and maintained IT systems.
- Thinking management alone is responsible for monitoring controls. Oversight also involves boards, audit committees, and internal auditors.
Key Takeaways
- Internal controls are policies and procedures designed to safeguard assets, ensure reliable financial reporting, improve operations, and support compliance.
- The COSO Framework consists of five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities.
- Segregation of duties is one of the most effective controls for reducing fraud risk by separating authorization, custody, recordkeeping, and reconciliation responsibilities.
- Controls can be preventive or detective, manual or automated, and increasingly rely on strong IT governance.
- Auditors evaluate both the design and operating effectiveness of internal controls using inquiry, observation, inspection, and reperformance.