more-arw search

10 Things to Know About Internal Controls


  1.  They are the rules dictating how an organization conducts its financial transactions.

    Internal controls over financial reporting address everything from how many signatures are required on checks to how inventory is counted and managed. They should apply to every person associated with your organization – and if they don’t, there needs to be an internal control explaining why.

  2. They can help prevent and reduce fraudulent activity in your organization.

    No single mechanism can eliminate fraud in your organization, but strong internal controls that are consistently enforced can significantly limit the amount of fraud that can occur. They’re like invisible padlocks for your finance department.

  3. They can reduce personal liability in a wide range of business circumstances.

    Financial reporting reform laws such as the Sarbanes‐Oxley Act of 2002 make executives and board members personally liable for the integrity of their organization’s financial reports. When there’s so much at stake, you need more than trust in your employees; you need robust internal controls that are proven to be working effectively.

  4. They create more efficient business practices.

    In order to be efficient, you’ve got to be consistent. Internal controls and their associated procedures build a foundation for that consistency by giving straightforward guidelines that every employee will use to complete tasks in the same way, every time. A standardized approach to internal controls can further increase organizational efficiency.

  5. They reduce your exposure to business risks.

    Everybody makes mistakes; internal controls are designed to prevent those mistakes from growing into costly business risks and material mis‐statements. In this way, internal controls serve as a second (or even third) pair of eyes to head off the risks of human error.

  6. They help to ensure the transparency and integrity of your financial results.

    What can you do to ensure executives, board members, and stakeholders trust your financial results? Show them your organization has internal controls over financial reporting that are in place and proven to work.


  1. They establish one set of expectations for all employees.

    You expect employees to be reliable and consistent. So why not set expectations with internal controls that are equally reliable and consistent? Morale and productivity remain high when employees know what’s expected of them – and that there’s a written code to ensure those expectations are applied equally to everyone in the organization. And don’t forget ‐‐ some internal control procedures – like those that relate to mileage or travel reimbursement – may apply to volunteers, vendors, clients, and board members, too.

  2. They are subject to external review as part of an audit or compliance effort.

    If your organization is audited and you think internal controls don’t matter – think again. Public companies are required under the Sarbanes‐Oxley Act of 2002 to undergo a thorough review of their internal controls over financial reporting. For private companies, regulations known as SAS 104‐115 require auditors to review internal controls and investigate any deemed insufficient, no matter what type of organization is being audited. Auditors, however, are not allowed to tell you what’s wrong with your internal controls or how to fix them. So if your audits seem particularly expensive and onerous, thoroughly analyze your internal controls over financial reporting and you may discover some opportunity for improvement.

  3. They are only effective if they are followed and enforced.

    What do you call a simple, effective, written internal control? Useless, if that control is not followed and enforced consistently. How do you ensure your controls are working? For internal controls over financial reporting, you employ periodic checks by managers and executives, as well as formal testing – with random samples pulled from every process area – on at least an annual basis.

  4. You may need more or fewer internal controls than you think.                                        

    Organizations are definitely at risk when they have too few internal controls, but having too many controls can be problematic, too. Usually a catalyst event – such as a planned initial public offering, a merger, or a failed audit – will drive organizations to reevaluate their internal control infrastructure. Options range from low‐cost, off‐the‐shelf internal control sets purchased online to high‐end, expensive consulting engagements, and everything in between. Our advice is to go for an approach that’s comprehensive, efficient, and proven. That way, you’ll be sure your internal controls are effective and working to meet your organization’s needs today and in the future.