
Internal Control: Definition, Purpose, Types, & COSO Components


Every company faces the risk of recording errors, misuse of assets, non-compliance, data breaches, and even fraud. These risks can arise from procedural weaknesses, unclear division of responsibilities, or lack of oversight of operational activities.

To minimize these risks, companies need internal controls that are designed and implemented consistently.

Internal control is a process implemented by the board of commissioners, management, and all organizational personnel to provide reasonable assurance that operational, reporting, and compliance objectives can be achieved.

Internal control extends beyond auditing financial statements. This system encompasses policies, procedures, delegation of authority, transaction approvals, asset security, technology access controls, and follow-up monitoring.

Internal Control Summary

Some important things to understand about internal control are:

  • Internal control is a process that involves all parts of the organization.
  • The objectives include operational effectiveness, reporting reliability, and compliance.
  • The COSO framework divides internal control into five main components.
  • Control can be preventive, detective, or corrective.
  • Management is the owner and the main person responsible for control.
  • Internal audit is tasked with independently evaluating the effectiveness of controls.
  • Internal controls provide reasonable assurance, not absolute assurance, that all risks will disappear.

What is Internal Control?

Internal control is a set of processes, policies, procedures, and activities designed to help an organization achieve its objectives while managing risks that could hinder that achievement.

According to the COSO framework (Committee of Sponsoring Organizations of the Treadway Commission), internal control is a process effected by the board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the organization's objectives in the areas of operations, reporting, and compliance.

Thus, internal control is more than just a standard operating procedure (SOP) document. Controls must be thoroughly implemented, documented, tested, and updated as risks and business processes change.

Simple examples of internal controls include:

  • Payment transactions must obtain the approval of authorized officials.
  • The person receiving the money should not be the one recording the transaction.
  • Bank account reconciliation is done periodically.
  • Access to the financial system is restricted based on position.
  • Changes to vendor data must go through a verification process.
  • Inventory is checked through stock taking activities.
  • Audit findings are monitored until corrective actions are completed.

Definition of Internal Control According to Experts

The following are definitions of the internal control system offered by several experts.

  • According to Horngren (2009), internal control encompasses all plans and actions taken within an organization to protect assets, ensure employees comply with company policies, maintain the accuracy of accounting records, and improve the efficiency of operational processes.
  • Hery (2016) explains that internal control consists of a collection of policies and procedures designed to protect company assets from misuse, ensure the accuracy of accounting information, and ensure that all regulations, laws, and management policies are complied with by all employees.
  • Dasaratha V. Rama and Frederick L. Jones (2008) state that internal control is a process influenced by the board of directors, management, and other staff within the company. This process aims to ensure the achievement of several objectives, including operational effectiveness and efficiency, accuracy of financial statements, and compliance with applicable regulations.

From this information, it can be concluded that internal control is a set of policies designed to ensure that the company's operational processes run in accordance with established rules and regulations. 

The policy will be standardized into a system in the company known as the internal control system. This system takes the form of a structured framework.

Why is Internal Control Important for a Company?

Company growth typically comes with an increase in transactions, employees, systems, branches, vendors, and compliance obligations. Without adequate controls, this complexity can increase the risk of errors and irregularities.

Internal control is needed to help companies:

  1. Protect assets from theft, misuse, or loss.
  2. Maintain the accuracy and completeness of company data.
  3. Reduce the risk of fraud and human error.
  4. Ensure transactions are properly authorized.
  5. Improve the efficiency of operational activities.
  6. Maintain compliance with policies and regulations.
  7. Support decision making based on reliable information.
  8. Strengthen the accountability of each work unit.
  9. Maintain the reputation and trust of stakeholders.
  10. Simplify the audit process and management evaluation.

Good internal controls also help companies detect irregularities early before they cause greater losses.

Purpose Of Internal Control


In general, internal control objectives can be grouped into three main categories.

1. Increase Operational Effectiveness and Efficiency

Internal controls help ensure that company resources are used appropriately, activities are carried out according to procedures, and operational targets are achieved.

Examples include limiting purchasing authority, evaluating supplier performance, inventory control, and budget monitoring.

2. Maintaining Reporting Reliability

Companies need financial and non-financial information that is accurate, complete, relevant, and available in a timely manner.

Controls in the recording, reconciliation, journal approval, and report closing processes help reduce the risk of misstatement or manipulation of information.

3. Ensuring Compliance

Internal controls help ensure that a company complies with:

  • Legislation.
  • Regulatory provisions.
  • Internal policies.
  • Contract agreement.
  • Industry standards.
  • Tax requirements.
  • Data security and protection provisions.

In addition to these three main objectives, control also plays a role in protecting assets, maintaining organizational integrity, and supporting healthy corporate governance.

Types of Internal Control

A. Based On The Benefits

Based on their benefit, controls are categorized into three types: preventive, corrective, and detective.

1. Preventive Control

Preventive controls are designed to stop errors or risks before they occur. This type of control focuses on minimizing the possibility of a risk materializing by constraining the activity itself. Examples of preventive internal controls include:

  • Automatic application control to prevent incorrect data input or unauthorized activities.
  • Access restrictions where only certain people are authorized to access sensitive data or systems.
  • Validation procedures to ensure that a transaction or process is verified before proceeding.

2. Corrective Control

Corrective controls are applied after an error or problem has occurred. This type of control aims to correct the inappropriate or undesirable situation so that the effects of the error are minimized. Corrective controls usually involve:

  • Correcting erroneous data after the error is found.
  • Taking action to restore compromised systems or data.
  • Providing training for employees after errors are found in the performance of their duties.

3. Detective Control

Detective controls aim to discover errors or problems after they have occurred. These controls do not prevent errors, but they identify problems so that further action can be taken before they grow larger. Examples of detective controls include:

  • Periodic audits of financial statements or systems to detect irregularities.
  • Activity monitoring that oversees transactions or operations to detect anomalies.
  • Rechecking documents and transactions to make sure there are no errors.

B. By Purpose 

Internal control by its purpose is divided into accounting and administrative internal control. 

1. Accounting Internal Control

Accounting internal control focuses on the management and control of a company's financial data. Its purpose is to ensure that all transactions and financial information generated are reliable, accurate and well protected. 

This process includes a variety of steps, from data verification to separation of duties, to prevent errors and fraud that can harm the company. When the integrity of financial statements is maintained, the company can minimize the risk of financial and reputational losses.

2. Administrative Internal Control

Administrative internal control is concerned with the efficiency and effectiveness of administrative management in an organization. This control ensures that administrative processes run optimally to support business objectives.

In addition, administrative internal control also includes regular monitoring and evaluation of existing procedures and policies, so that any potential obstacles can be identified and overcome quickly.

C. Based On The Coverage

Internal control by scope is divided into general and application controls.

1. General Control

General controls cover the information technology environment as a whole rather than any single transaction. Their main goal is to ensure that data is managed securely and in an orderly manner. Typical elements include separation of responsibilities within IT, logical access management, change management for systems and programs, and the operation of data processing, backup, and recovery. If general controls are weak, the application controls that depend on them cannot be relied upon.

2. Application Control

This control focuses on monitoring transactions and application usage. The main elements include transaction recording, authorization, and reporting on the application. This control aims to ensure the accuracy and security of every transaction that occurs through the application. 

Five Components of Internal Control According to COSO

The COSO framework divides the internal control system into five interrelated components.

COSO Component | Primary Focus | Examples of Implementation
Control environment | Culture, integrity, structure, and accountability | Code of ethics, organizational structure, division of authority
Risk assessment | Risk identification and analysis | Risk register and fraud risk assessment
Control activities | Policies and procedures for managing risks | Authorization, reconciliation, segregation of duties
Information and communication | Provision and delivery of information | Internal reporting, complaint channels, dashboards
Monitoring | Evaluation of control effectiveness | Internal audit, control self-assessment, follow-up

1. Control Environment

The control environment is the foundation of the entire internal control system. This component reflects the leadership's attitude and organizational culture toward integrity, accountability, and the importance of risk management.

The control environment includes:

  • Commitment to integrity and ethical values.
  • Oversight by the board of commissioners or audit committee.
  • Organizational structure and division of authority.
  • Employee competency development.
  • Determination of responsibility and accountability.

If management ignores procedures or sets inconsistent examples, other controls risk becoming ineffective even if they are well documented.

2. Risk Assessment

Risk assessment is the process of identifying and analyzing events that may hinder the achievement of organizational goals.

Risk assessment includes:

  • Define the organization's goals clearly.
  • Identify operational, financial, compliance, and technology risks.
  • Assess the likelihood and impact of risks.
  • Consider the risk of fraud.
  • Analyze significant business changes.

Examples of changes that need to be considered are the implementation of new systems, opening branches, regulatory changes, changes in key personnel, organizational restructuring, and the use of artificial intelligence technology.

3. Control Activities

Control activities are policies and procedures implemented to help ensure that responses to risks are carried out appropriately.

Control activities can be:

  • Transaction approval and authorization.
  • Separation of duties.
  • Data reconciliation.
  • Document verification.
  • System access restrictions.
  • Physical security of assets.
  • Performance check.
  • Control over system changes.
  • Application usage and automatic control.
  • Standardization of procedures through SOPs.

Control activities must have a responsible person, frequency of implementation, documentation method, and auditable evidence.

4. Information and communication

Organizations need relevant and quality information so that every control can run effectively.

This information needs to be communicated to the right parties, at the right time, and through the right channels.

Examples of its application include:

  • Periodic financial and operational reports.
  • Risk monitoring dashboard.
  • Communicating policies to employees.
  • Issue escalation mechanisms.
  • Whistleblowing channels.
  • Communication with auditors and regulators.
  • Reporting control weaknesses to management.

Ineffective communication can cause employees to not understand the authority, procedures, or actions to be taken when they discover irregularities.

5. Monitoring

Monitoring aims to assess whether internal controls are still designed appropriately and implemented consistently.

Monitoring can be done through:

  • Routine supervision by superiors.
  • Periodic checks.
  • Self-assessment by work units.
  • Internal audit.
  • Data analysis and exception reporting.
  • Follow-up monitoring of findings.
  • Separate evaluation by an independent party.

Any weaknesses discovered must be communicated to the authorities and followed by measurable corrective actions.

Understanding the 17 COSO Principles of Internal Control

The five COSO components are further broken down into 17 principles.

Control Environment

  1. Demonstrate commitment to integrity and ethical values.
  2. Exercise oversight responsibility.
  3. Establish structure, authority, and responsibility.
  4. Demonstrate commitment to competence.
  5. Enforce accountability.

Risk Assessment

  6. Specify suitable objectives.
  7. Identify and analyze risks.
  8. Assess the potential for fraud.
  9. Identify and analyze significant changes.

Control Activities

  10. Select and develop control activities.
  11. Select and develop general controls over technology.
  12. Deploy controls through policies and procedures.

Information and Communication

  13. Use relevant, quality information.
  14. Communicate internally.
  15. Communicate externally.

Monitoring

  16. Conduct ongoing and/or separate evaluations.
  17. Evaluate and communicate control deficiencies.

A control system can be considered effective if the relevant components and principles are available, functioning, and working in an integrated manner.

Important Elements in Control Activities

Some control elements that are commonly applied in companies include:

Separation of Duties

The tasks of authorization, recording, asset storage, and inspection should not be performed by the same person.

Segregation of duties can reduce the opportunity for someone to commit and hide errors or fraud.

Transaction Authorization

Each transaction must obtain approval according to the established authority limits.

The higher the value or risk of the transaction, the higher the level of approval required.

Adequate Documentation

Each transaction must have complete supporting documents and evidence, be easily traceable, and be stored according to the retention period.

Asset Security

Both physical and digital assets must be protected through access restrictions, use of secure storage, inventory, encryption, and backup mechanisms.

Reconciliation

Data from two different sources need to be compared periodically to find differences or discrepancies.

Independent Review

Certain activities need to be reviewed by parties not directly involved in the execution of the transaction.

Access Control

Access to applications and data should be granted based on job requirements and the principle of least privilege, and reviewed periodically so that rights are removed when roles change or employment ends.
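The segregation of duties, asset security, and access control elements above are usually tested together in a periodic user access review: the application's account export is compared against the HR roster and a conflict matrix. The following is an added example of such a review written for this page, not code from the original article or from any product it mentions; the HR roster, the account export, the role names, the conflict matrix, and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumed, not from the page): an HR roster keyed by employee ID
# and an export of accounts from the finance application with the roles each account holds.
HR_ROSTER = {
    "E100": {"name": "Ana",   "status": "active",     "termination_date": None},
    "E101": {"name": "Budi",  "status": "terminated", "termination_date": date(2024, 3, 31)},
    "E102": {"name": "Citra", "status": "active",     "termination_date": None},
    "E103": {"name": "Dewi",  "status": "active",     "termination_date": None},
}

SYSTEM_ACCOUNTS = [
    {"user": "ana",            "employee_id": "E100", "enabled": True, "roles": {"AP_CLERK"},                            "last_login": date(2024, 5, 2)},
    {"user": "budi",           "employee_id": "E101", "enabled": True, "roles": {"PAYMENT_APPROVER"},                    "last_login": date(2024, 4, 15)},
    {"user": "citra",          "employee_id": "E102", "enabled": True, "roles": {"VENDOR_MAINTAIN", "PAYMENT_APPROVER"}, "last_login": date(2024, 5, 28)},
    {"user": "shared_finance", "employee_id": None,   "enabled": True, "roles": {"AP_CLERK"},                            "last_login": date(2024, 5, 30)},
    {"user": "dewi",           "employee_id": "E103", "enabled": True, "roles": {"GL_POST"},                             "last_login": date(2024, 1, 5)},
]

# Assumed segregation-of-duties conflict matrix: one account must not hold both roles of a pair.
SOD_CONFLICTS = [
    ({"VENDOR_MAINTAIN", "PAYMENT_APPROVER"}, "maintains vendor bank data and approves payments"),
    ({"AP_CLERK", "PAYMENT_APPROVER"}, "prepares and approves payments"),
    ({"AP_CLERK", "GL_POST"}, "processes payments and posts journals"),
]


def review_access(accounts, roster, review_date, dormant_days=90, conflicts=SOD_CONFLICTS):
    """Detective control: return (user, issue) pairs for every enabled account that fails a check.

    Checks performed: account has a living HR owner (no orphan or shared accounts),
    owner is not terminated, account was not used after termination, roles do not
    violate the conflict matrix, and the account is not dormant beyond dormant_days.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts carry no access; out of scope for this review
        user = acct["user"]
        emp = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if emp is None:
            findings.append((user, "no HR owner: orphan or shared account"))
        elif emp["status"] == "terminated":
            findings.append((user, f"employee terminated on {emp['termination_date']} but account still enabled"))
            if acct["last_login"] and acct["last_login"] > emp["termination_date"]:
                findings.append((user, f"account used on {acct['last_login']} after termination"))
        for roles, description in conflicts:
            if roles <= acct["roles"]:  # subset test: the account holds every role in the conflict pair
                findings.append((user, "segregation of duties conflict: " + description))
        if acct["last_login"] and (review_date - acct["last_login"]).days > dormant_days:
            findings.append((user, f"dormant: no login for more than {dormant_days} days"))
    return findings


def users_to_remediate(findings):
    """Distinct users that appear in the findings, sorted for the review report."""
    return sorted({user for user, _ in findings})


if __name__ == "__main__":
    for user, issue in review_access(SYSTEM_ACCOUNTS, HR_ROSTER, date(2024, 6, 1)):
        print(f"{user:15} {issue}")
```

Run against the constructed data, the review flags the terminated employee whose account is still enabled and was used after the termination date, the user who can both change vendor bank details and approve payments, the shared account with no HR owner, and a dormant account; the evidence for the control matrix is the list of findings plus the ticket that disabled or re-scoped each account.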

Examples of Internal Control in a Company

Here are some examples of internal controls based on business processes.

Business Process | Risk | Example of Control
Procurement | Fictitious or unneeded purchases | Purchase order approval and vendor evaluation
Payment | Duplicate or invalid payment | Three-way matching and tiered authorization
Sales | Selling to high-risk customers | Credit limit approval
Accounts receivable | Bad debts | Accounts receivable aging analysis and customer confirmation
Cash | Embezzlement of receipts | Bank reconciliation and separation of cashier functions
Inventory | Loss of or discrepancies in stock | Stocktaking and warehouse access restrictions
Payroll | Fictitious employees | Reconciliation of HR and payroll data
Reporting | Misstatement in reports | Journal review and account reconciliation
Information technology | Unauthorized access | MFA, access review, backup, and log monitoring
Vendor data | Fraudulent account changes | Independent verification of data changes

Examples of Controls in the Payment Process

In the vendor payment process, companies can implement controls in the form of:

  1. Purchase orders must be approved by authorized officials.
  2. Goods or services must be confirmed as received.
  3. The invoice is compared with the purchase order and proof of receipt.
  4. Vendor account changes are independently verified.
  5. Payments above a certain limit require two approvals.
  6. Proof of payment is stored and can be traced.
  7. Bank accounts are reconciled by a party that does not process payments.
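The seven steps above form one release procedure, and most of them can be enforced by the accounts payable system before money leaves the bank. The following is an added example of that procedure as code, written for this page rather than taken from the original article or any product it mentions; the document fields, the 2% price tolerance, the two-approval threshold, and the list of officials authorized to approve purchase orders are assumptions chosen for illustration. It also treats an approval recorded after the payment time as a finding rather than as a control, since a late approval cannot have prevented anything.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed policy parameters (not from the page).
DUAL_APPROVAL_THRESHOLD = 10_000                                  # above this amount two approvers are required
PRICE_TOLERANCE = 0.02                                            # invoice unit price may exceed the PO price by at most 2%
AUTHORIZED_PO_APPROVERS = {"procurement.manager", "operations.director"}  # assumed authority matrix


@dataclass
class PurchaseOrder:
    po_id: str
    vendor_id: str
    approved_by: str
    quantity: int
    unit_price: float


@dataclass
class GoodsReceipt:
    po_id: str
    quantity_received: int


@dataclass
class Invoice:
    invoice_id: str
    po_id: str
    vendor_id: str
    quantity: int
    unit_price: float
    bank_account: str


@dataclass
class VendorRecord:
    vendor_id: str
    bank_account: str
    bank_change_verified: bool   # True once the account was confirmed with the vendor's official contact


@dataclass
class Approval:
    approver: str
    timestamp: datetime


def three_way_match(po, receipt, invoice):
    """Compare the invoice with the purchase order and the goods receipt; return the exceptions found."""
    exceptions = []
    if invoice.po_id != po.po_id or receipt.po_id != po.po_id:
        exceptions.append("documents reference different purchase orders")
    if invoice.vendor_id != po.vendor_id:
        exceptions.append("invoice vendor differs from PO vendor")
    if invoice.quantity > receipt.quantity_received:
        exceptions.append(f"invoiced {invoice.quantity} units but only {receipt.quantity_received} received")
    if invoice.quantity > po.quantity:
        exceptions.append(f"invoiced {invoice.quantity} units but only {po.quantity} ordered")
    if invoice.unit_price > po.unit_price * (1 + PRICE_TOLERANCE):
        exceptions.append(f"unit price {invoice.unit_price} exceeds PO price {po.unit_price} beyond tolerance")
    return exceptions


def required_approvals(amount):
    """Tiered authorization: one approver normally, two above the threshold."""
    return 2 if amount > DUAL_APPROVAL_THRESHOLD else 1


def check_payment(po, receipt, invoice, vendor, approvals, preparer, payment_time):
    """Run the release controls for one vendor payment. Returns (release_ok, findings)."""
    findings = []
    if po.approved_by not in AUTHORIZED_PO_APPROVERS:
        findings.append(f"PO approved by {po.approved_by}, who is not an authorized official")
    findings += three_way_match(po, receipt, invoice)
    # Vendor master control: pay only the account on the master record, and only if any
    # change to that account has been independently verified.
    if invoice.bank_account != vendor.bank_account:
        findings.append("invoice bank account does not match the vendor master record")
    elif not vendor.bank_change_verified:
        findings.append("vendor bank account change has not been independently verified")
    # Authorization: approvers must be distinct, must not be the preparer, and must have
    # approved before the payment was released; a later approval is not a control.
    amount = invoice.quantity * invoice.unit_price
    if any(a.approver == preparer for a in approvals):
        findings.append(f"preparer {preparer} approved their own payment")
    prior = {a.approver for a in approvals if a.approver != preparer and a.timestamp <= payment_time}
    need = required_approvals(amount)
    if len(prior) < need:
        findings.append(f"{need} independent prior approval(s) required for {amount:.2f}, found {len(prior)}")
    late = [a.approver for a in approvals if a.timestamp > payment_time]
    if late:
        findings.append("approval recorded after payment by " + ", ".join(late))
    return (not findings, findings)
```

The function can run preventively, as a gate the payment run calls before release, or detectively, replayed over last month's payments with their recorded approval timestamps; in the second mode every non-empty findings list is an exception for the accounts payable supervisor to investigate.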

How to Implement an Internal Control System

The implementation of internal control can be carried out through the following stages.

1. Set Goals

Companies need to determine the objectives of the processes to be controlled, such as reporting accuracy, asset security, compliance, or operational efficiency.

2. Mapping Business Processes

Document the process stages, parties involved, systems used, documents produced, and decision-making points.

3. Identifying Risks

Identify risks that could prevent objectives from being achieved, including risks of error, fraud, non-compliance, system failure, and operational disruption.

4. Assess the Risk Level

Assess each risk based on the likelihood of it occurring and the magnitude of the impact it could cause.

5. Designing Control Activities

Determine appropriate controls to reduce the risk to an acceptable level.

Each control should have:

  • Name and purpose of control.
  • Risks handled.
  • Person responsible.
  • Frequency of implementation.
  • Type of control.
  • Proof of implementation.
  • Testing method.

6. Develop Policies and SOPs

Control needs to be outlined in policies and SOPs so that it can be understood and implemented consistently.

7. Communicate and Train

Employees must understand the purpose of control, their individual responsibilities, and the consequences if procedures are not followed.

8. Testing Control Effectiveness

Testing is done to determine whether the control:

  • Is appropriately designed.
  • Is actually performed.
  • Is performed by the authorized person.
  • Has sufficient evidence.
  • Actually reduces the risk.

9. Fixing Weaknesses

Each weakness needs to have a recommendation, a person responsible for action, a time target, and a monitoring mechanism.

10. Conduct Continuous Evaluation

Controls must be updated when there are changes in processes, organizational structure, regulations, technology, or risk profiles.

Simple Control Matrix Example

Companies can use a risk and control matrix to link objectives, risks, and controls.

Risk | Control | Responsible Person | Frequency | Evidence
Fictitious invoice payments | Three-way matching | Accounts Payable Supervisor | Every transaction | PO, invoice, and proof of receipt
Unauthorized vendor account changes | Verification with the vendor's official contact | Procurement Manager | Every change | Verification form
Bank balance differences | Bank reconciliation | Finance Supervisor | Monthly | Reconciliation document
Former employee access still active | User access review | IT Security | Monthly | User access review report
Missing inventory | Stocktaking | Warehouse Supervisor | Monthly or quarterly | Stocktaking minutes

This type of documentation helps management and auditors understand whether significant risks have adequate controls.

Ineffective Internal Control Indicators

Companies need to be aware of the following signs:

  • The same audit findings keep repeating themselves.
  • Reconciliation is often late.
  • Many transactions lack supporting documentation.
  • System accounts are shared.
  • Approval is done after the transaction takes place.
  • Inventory discrepancies were not investigated.
  • Access rights are not reviewed periodically.
  • Critical data changes have no audit trail.
  • Corrective action exceeded the target time.
  • Management often ignores SOPs.
  • No one is assigned responsibility for a control.
  • Control is only carried out prior to the audit.

Such findings do not necessarily prove fraud, but may indicate that risks have not been adequately managed.

Limitations of Internal Control

Internal controls can reduce risk, but cannot provide absolute assurance.

Some limitations of internal control include:

Human Error

Employees may misunderstand instructions, make recording errors, or make poor decisions.

Collusion

Two or more parties may work together to circumvent controls that have been implemented.

Management Override

Management has the authority to ignore or bypass procedures.

Cost and Benefit Considerations

The cost of implementing controls needs to be commensurate with the level of risk and the value of the assets being protected.

Changing Business Conditions

Previously effective controls may become irrelevant after changes in systems, processes, regulations, or business models.

Dependence on Technology

Configuration errors, system disruptions, or improper access can reduce the effectiveness of automated controls.

Due to these limitations, internal controls need to be monitored and evaluated periodically.

Differences between Internal Control and Internal Audit

Internal control and internal audit are closely related, but they are not the same thing.

Aspect | Internal Control | Internal Audit
Definition | Processes and activities to manage risk | Independent assurance and consulting activity
Responsible party | Management and all personnel | Internal audit function
Implementation | Part of daily activities | Carried out according to the audit plan
Purpose | Reduce risks and help achieve objectives | Assess and improve control effectiveness
Role | Operating the controls | Evaluating the design and operation of controls
Independence | Responsibility of the process owner | Must be objective and independent of the activity being audited

Management should not cede ownership of control to internal auditors. Internal auditors may make recommendations, but implementing and maintaining controls remains management's responsibility.

The Role of Technology in Internal Control Evaluation

The more complex the organization, the more difficult it is to test and monitor controls using only separate documents, spreadsheets, or email communications.

Technology can help internal audit teams in:

  • Compiling risk assessments.
  • Linking processes, risks, and controls.
  • Storing audit programs and working papers.
  • Documenting inspection evidence.
  • Recording findings and recommendations.
  • Communicating with auditees.
  • Monitoring corrective actions.
  • Compiling audit reports.
  • Viewing audit progress centrally.

The use of applications does not replace management's responsibilities or the auditor's professional judgment. However, an integrated system can improve documentation consistency, information traceability, and follow-up monitoring.

Manage Internal Control Evaluation with Audithink

Internal controls need to be evaluated regularly to keep them aligned with changes in the company's risks and business processes.

Audithink helps internal audit teams manage the audit process in a more structured manner, starting from risk assessment, audit planning, program preparation, documentation of audit results, discussion of recommendations, to monitoring auditee follow-up.

With an integrated process, companies can monitor audit findings, ensure recommendations are acted upon, and obtain better information to strengthen internal controls.

Schedule an Audithink demo to find out how internal audit applications can help improve the efficiency and traceability of your company's audit processes.

Conclusion

Internal control is a process designed to provide reasonable assurance that an organization's operational, reporting, and compliance objectives are achieved.

An effective control system needs to include the five COSO components, namely the control environment, risk assessment, control activities, information and communication, and monitoring.

However, control is more than just a set of SOPs. Controls must be implemented, documented, tested, and adjusted as risks evolve.

Through adequate controls and regular internal audit evaluations, companies can reduce the risk of errors, fraud, non-compliance, and operational losses.
