The Characteristics of Effective Internal Control

Internal controls are the security policies, procedures and technology that businesses and governments use to help prevent employee theft and financial error. A lack of internal controls can eat away at your profits and your reputation. In some cases, it may leave you and your business in legal trouble as well.


Internal controls protect your company against fraud, theft and error. The common characteristics of effective internal controls include safeguarding your assets, reducing loss and keeping your financial reports accurate.

What Are Internal Controls?

Internal controls can include using passwords to access financial information, requiring key cards to enter particular offices or having warehouse employees check that every shipment contains all the goods it should. One characteristic of internal controls is that they all share common purposes:

  • They safeguard your assets from fraud, theft and error. If assets go missing, effective internal controls help identify the reason and the individual responsible.
  • They ensure your financial reporting is accurate. If someone with purchasing authority uses fake inventory purchases to line their own pocket, your assets would be significantly less than your accounting and financial statements tell you.
  • They keep you in compliance with legal requirements for accurate reporting, tax payments and debt payment obligations. 
  • They make your business more efficient by reducing losses. 

What Controls Can Tell You

To meet your legal and financial obligations, you need accurate information. Another characteristic of internal controls is that they give you certainty about your bookkeeping:

  • Did transactions occur when the records say they did? Accidentally recording a March payment for April makes March's finances look better and April's worse than they were.
  • Do the assets on your books exist?
  • Are the listings of your assets and liabilities accurate?
  • Are your records complete? If there are unrecorded costs or liabilities, that's going to distort the financial picture.
  • Is everything classified and reported in the proper accounts, according to accepted accounting practices? 

Internal Control Frameworks

Another characteristic of effective internal controls is that they don't exist in isolation. Your controls work together in an overall framework designed to minimize risk. A good control framework will have several characteristics:

  • A favorable control environment. This typically comes from the top down: If controls produce good results, it's because upper management throws its support behind taking the issue seriously.
  • There's an ongoing risk assessment. Organizations change, creating new risks over time. Setting up internal controls and never revisiting them means the framework eventually falls apart. A good framework regularly reassesses risk.
  • The organization has designed, implemented and maintained effective controls.
  • The organization maintains effective information-sharing and communication about controls and risks.
  • Someone in charge monitors how effective the controls are in practice. The monitoring is ongoing.  

Segregation of Duties

Dividing up responsibilities is a classic low-tech internal control method. Suppose you have one employee who can request, authorize, verify and record purchases. That makes it easy to falsify an inventory purchase, record it in the accounting journal and pocket the money or the inventory.

The American Institute of Certified Public Accountants compares it to the country's defense: If a single person with no oversight can launch a nuclear missile on their own decision, that's a poor chain of command.

Good internal controls separate key duties to ensure oversight:

  • The person who draws up a report shouldn't be the one who vets its logic and its facts; and
  • The person who writes the checks shouldn't be the one approving the purchase.  

Internal Controls and IT

In some ways, internal control characteristics in a computerized environment are the same as they are in real life. Segregation of duties applies whether your company cuts someone a physical check or sends the payment over the internet via PayPal. However, your IT environment requires some internal controls that businesses a century ago didn't have to worry about. These include:

  • Firewalls and patching serve the same purpose as alarm systems and safes in the physical environment. You need to keep them updated and tested regularly to see if they're effective.
  • Access to important information should be tightly controlled. Nobody should be able to read your employees' medical files or the results of disciplinary hearings unless there's a business need for that person to see it.
  • Staff needs to pick passwords that won't be obvious. Computer users often use obvious passwords, despite years of warnings against this.
  • Administrative rights and access to operating systems, sometimes called the root level, have to be tightly controlled. Anyone who has access to this level can wreak serious havoc.

Benefits and Risk

Even if it were possible to create a completely secure environment, the effort might be prohibitively expensive. The most practical option is usually "reasonable assurance," where you are confident your accounting is accurate and that internal theft and fraud are unlikely.

When looking at methods of internal control, weigh the benefits, the costs and the risks of not imposing the controls. The cost of segregating duties is low, and the consequences of not doing so are potentially dire. The cost of installing a retina scanner to identify those entering your storage area is high, so a more cost-effective approach might be a better bet.

The calculus is different for different businesses because they have different levels of risk tolerance. A billion-dollar multinational might decide a 50% chance of losing $1,000 isn't worth bothering about. For a small start-up, that might be serious money.

Why Controls Fail

As with a lot of business policies, some organizations talk the talk but don't walk the walk. Company policy says they're committed to a robust internal control framework, but in practice, things fall apart.

Like a healthy framework, ineffective control systems share some common characteristics:

  • Management isn't committed to the framework. Discussions of internal controls get postponed and there's no connection between control policies and everyday work.
  • Developing the framework is an end in itself, with little concern for whether it actually works.
  • Controls are overly complicated and impractical to use.
  • Risk assessment is perfunctory. Management has no real interest in identifying or dealing with vulnerabilities.
  • It's unclear what the role of risk management is in the organization. It's unclear who's accountable for controlling and reducing risk.
  • Instead of an across-the-board level of reasonable assurance, the assurance is strong in some areas, then very weak with other risks. This is a particular problem with risks that emerge after the controls are initially set up.
  • Risk assessment is based mostly on the management team's confidence that they have things in hand. 
  • The corporate culture doesn't align with the framework. An emphasis on getting things done fast or bending the rules doesn't encourage employees to take the time and effort to follow the controls. 
  • The system has changed, but nobody's updated the control framework.
  • The staff doesn't follow procedure, but nobody's monitoring and catching the problems. 

Audit and Assessment

One way to ensure internal controls are effective is to have someone conduct a security audit. You can do this internally or bring in an outsider. Task them with answering some key questions:

  • Have the control policies been implemented?
  • Does your staff follow the policies? They may be ignoring them to get their jobs done faster, or they may be unaware that the internal control policies exist.
  • Are problems dealt with promptly?
  • Are there regular reviews and updates when your organization changes?