How to Create Effective Internal Controls

Internal controls can help your organization achieve its objectives, stay compliant with federal and state requirements and avoid fraud. They provide accountability and oversight throughout the year, increasing the chances that an audit doesn’t uncover any problems.

But not all internal controls are created equal.

James Moore CPA Ken Kurdziel discusses ways to ensure your organization implements effective and cost-efficient internal controls. Ken is a key member of the James Moore Higher Education Services Team and a noted thought leader in the industry.

Three steps to creating effective internal controls are:

  • understanding the purpose of controls
  • knowing the five components of a good control system
  • and building a work environment in which controls are respected and seen as positive for both an organization and its employees.

What is the purpose of internal controls?

“The primary purpose of internal controls is to help safeguard an organization and facilitate the accomplishment of its financial, strategic and operational objectives,” said Ken. “An effective control system provides reasonable, but not absolute, assurance of the safeguarding of assets, the reliability of financial information and compliance with laws and regulations.”

Internal controls should be basic and consistent throughout your organization, and employees who manage them should have clearly defined responsibilities. Control systems should provide management with an appropriate balance between the risk of a certain business practice and the level of control required to ensure business objectives are met.

In other words, they shouldn’t be so complex that they get in the way of achieving your organizational mission. According to Ken, “The cost of a control should not exceed the benefit derived from it.”

In higher education institutions, internal controls often focus on staying in compliance with the laws, rules and regulations associated with federal and private grants. CPA firms also tend to frame internal controls in terms of those that promote accurate financial reporting and compliance, consistent with their objectives as auditors.

What is the COSO framework?

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, is a global collective of accounting organizations. COSO has created a framework for what internal controls are and what they entail.

COSO identifies five key components of internal control. For an internal control to be effective, it’s important that all of these components are present in the control system.

  • Control environment: This is the organization’s operating environment.
  • Risk assessment: This refers to the risks associated with reaching an organization’s goals and objectives.
  • Control activities: These are internal policies and procedures. They are often the practices that come to mind when we think of internal controls. An example is the segregation of duties.
  • Information and communications: Information is used by management to support the functioning of other components of internal control. Communication is the continual process of sharing that information throughout the organization.
  • Monitoring activities: Examples include budgets and oversight from the board of directors and audit committees.

Why is control environment important?

Control environment is the atmosphere in which people conduct their activities and carry out their control responsibilities. (This is often called the control consciousness of the organization.) While control environment can seem intangible, it’s essential to effective internal control.

Management is responsible for setting a tone of technical competence and ethical commitment from the top. It’s within management’s power to create an atmosphere in which internal controls are seen positively and are respected. Controls are good for both employees and an organization because they help promote the achievement of the organization’s mission.

An organization’s control environment is strongly influenced by the extent to which employees recognize that they will be held accountable.

How to avoid mistakes: Understand the fraud triangle

While internal controls are not a failsafe against fraud, they are a stopgap. Knowing the factors that increase the risks of fraud can help your organization minimize its vulnerability to fraudulent behavior.

The first step to protecting your organization against internal fraud is to understand the fraud triangle. The risk of fraud increases with three components: incentives, pressure and opportunities.

Fraud doesn’t always begin with an overt motive to misappropriate assets. Sometimes goals and objectives that were established with good intent can inadvertently create an incentive to commit fraud – for example, rewarding employees for achieving a certain benchmark in sales.

Pressure from outside entities on financial performance can also make the idea of committing fraud by overstating revenue or understating a receivables allowance more attractive.

Finally, examine whether there are gaps in your controls that present opportunities for someone to practice fraud. Are duties segregated? Do your employees have an amount of access and authority that is appropriate for their role and responsibilities? Is there oversight?

Analyzing your control system with the fraud triangle in mind can help you pinpoint weaknesses in your internal controls.

Industry Example: Collegiate Athletics Ticket Office Fraud

A notable example of fraud occurred in 2010 with a prominent university’s athletic ticket office. What began as smalltime sales of unused tickets reserved for donors eventually escalated into a $3 million fraud scheme.

“This was a case where the control environment broke down,” said Ken. “It started off a little innocently with taking some unused complementary donor tickets and selling them to a broker friend. And then it escalated from that.”

Over the course of five years, athletic department employees (including the person who oversaw the ticket office) stole and sold nearly 20,000 tickets to basketball and football games, either personally or through brokers for kickbacks. The scandal concluded with charges against the employees and high-level resignations in the athletics department.

This example highlights the importance of being aware of the fraud triangle. The internal control system broke down because of a lax control environment created by management, rationalization and opportunity created by unused tickets, and employees’ easy access to those tickets.

In the wake of the scandal, the university’s athletic department overhauled its internal control system to help prevent fraud at each of these steps. It’s a lesson any institution or organization can — and should — take to heart.


All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.