How Internal Controls Help Your Organization Assess Risk and Avoid Mistakes

Internal controls provide accountability and oversight within your organization and form a first line of defense against fraud. The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, outlines five key components of effective internal control.

  • Control environment
  • Risk assessment
  • Control activities
  • Information systems and communication
  • Monitoring activities

James Moore CPA Ken Kurdziel discusses how to use the latter four components to help your organization accomplish its financial, strategic and academic objectives. (Click here to get the basics on the control environment.) Ken is a key member of the James Moore Higher Education Services Team and a noted thought leader in the industry.

Risk Assessment: Know Your Weaknesses

A risk assessment can help reveal vulnerabilities in your current processes. To carry out an effective risk assessment, first determine your organization’s goals and objectives. This information will help you identify risks as you perform your analysis.

“It’s important to consider reputational risk, as well as compliance, operational, financial and strategic risks,” Ken said. “A good risk assessment focuses on the most vulnerable areas and the most significant risks throughout the organization.”

 Control Activities: The Workhorses of Internal Control

Control activities are actions—supported by policies and procedures—that manage or reduce risks when carried out properly and timely. They are the practices that often come to people’s minds when they think of internal controls.

Control activities can be preventative and/or detective when it comes to fraud. While preventative controls are regarded as a stronger line of defense, both categories are important to helping an internal control system be effective.

Some types of control activities include:

  • Approvals, authorizations, passwords, authentication (preventative)
  • Reconciliation (detective)
  • Security of assets (preventative and detective)
  • Segregation of duties (preventative)
  • IT controls (preventative and detective)
  • Physical inventories (detective)

Information and Communication: Sharing Across Your Organization

Information about an organization’s plans, control environment, risks, control activities and performance must be communicated up, down and across an organization.

Information and communication should be reliable, relevant and understandable. It should come from internal and external sources and shared with those who need it in a timely manner.

“This goes back to the idea of setting the right tone at the top – the idea that controls are important, that controls are followed and that they are there for a good reason,” Ken said. “You have to make sure that people understand what the control policies and procedures are and why they matter.”

Monitoring: Making Sure Your Controls Work

Monitoring helps determine whether your internal control is adequately designed, properly executed and effective. This can be done by using self-assessments, peer reviews and/or internal audits on a regular basis. Examples include budgets and oversight from the board of directors and audit committees.

Internal control is effective if management has reasonable assurance that:

  • They understand the extent to which the operational objectives are being achieved;
  • Its published financial statements are being prepared reliably; and,
  • Your organization is complying with applicable laws and regulations.

Monitoring examines your internal control processes at one or two points in time. Ongoing monitoring, as well as separate evaluations, should be performed to ensure the internal control system is operating effectively.

“It’s not necessary to look at every single piece of information to determine that controls are functioning. Focus on the higher risk areas.” Ken said.

Also keep in mind that external auditors cannot be a part of your organization’s internal control. Doing so could compromise the thoroughness of an internal control assessment and may indicate an auditor’s lack of independence. Internal audits, however, are a key part of monitoring internal control, especially in higher education institutions.

 Case Study: University Electronics Fraud

In a notable failure of internal control, a high-level employee of a prominent Ivy League school stole and resold $40 million worth of computers and electronic hardware over a period of 10 years.

The employee perpetrated the fraud by using her ability to make and authorize department purchases up to $10,000 without oversight. She bought and instructed others to buy equipment with university funds and shipped the majority of these goods directly to a resale store in another state. She was ultimately caught when someone submitted an anonymous tip and she was seen putting purchases into her own car.

“It’s hard to fathom how $40 million could go missing. There had to be breakdowns in monitoring controls for this to happen,” Ken said. “Clearly, if a risk assessment was carried out, it did not adequately look at the risk associated with misappropriation of assets. Tagging equipment, keeping an inventory, dual signatures on purchases – there are a number of controls that could have been put in place to help prevent this kind of fraud.”

The university has worked to identify and correct gaps in its internal financial controls in the wake of the incident.

It’s worth remembering that the risk of fraud increases with three components: incentives, pressure and opportunities. These form what’s known as the fraud triangle, and it’s a reminder that fraud doesn’t always begin with an obvious motive. Analyzing your control system with the fraud triangle in mind can help you find weaknesses in your internal controls.


All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.