Key Controls: Recognizing the Must-Haves in Your Internal Control Processes

Internal controls can help your organization achieve its objectives and prevent errors, omissions and fraud. Some internal controls, however, are more essential than others.

James Moore CPA Ken Kurdziel explains how to protect your organization by identifying risks and implementing key controls in your corporate governance. Ken is a key member of the James Moore Higher Education Services Team and a noted thought leader in the industry.

Characterizing Key Controls

Key controls are the primary procedures on which your organization relies to mitigate risk and prevent fraud. They are the first and most indispensable line of defense. Key controls often cover multiple risks or support the execution of a process. They are usually part of high-level analytical controls.

“If a key control fails, it’s unlikely that secondary types of controls will be able to detect or deflect the problem,” Ken said. “It may be the only control that covers a certain risk of material misstatement.”

As an example, imagine a budget development process managed by a finance committee that includes the organization’s board treasurer and two other board members. After the committee prepares a draft budget, the members submit it to the entire board of trustees to review and approve at their annual meeting.

In this example, the key control is the board’s review and approval. The board ensures that the budget is correct and complete and is the stopgap that can prevent the organization from adopting a faulty budget.

Non-key controls, in contrast, are secondary or backup controls. While they are important, failure of a non-key control doesn’t necessarily result in the failure of an entire process.

“Even if a non-key control potentially fails, that key control should provide some level of assurance that controls are in place and working, and that you can still detect errors or fraud,” Ken said.

Documenting Controls

Documenting your controls provides vital guidance to those involved in implementing and monitoring them. Clearly list your internal control processes and describe how controls work, who is responsible for certain tasks and how reviews and approvals should be carried out. Flow charts and diagrams can help.

Make sure your team knows where and how to access internal control documentation and understands it.

“Clear and detailed documentation goes a long way to making sure everyone is knowledgeable about the process,” Ken said. “Documentation can also emphasize the importance of internal controls.”

How to Manage Risks in Corporate Governance

Managing risks in corporate governance requires overarching controls. These risks involve your organization’s highest levels of leadership. As you plan and design internal controls, here are four key areas to keep in mind:

Management override of controls: Certain people in your organization may have access to many systems and multiple levels of approval authority. A risk is that one or more of these individuals could try to override your controls.

Segregation of duties is one effective way to minimize this risk. “Having various people involved in a process enables them to be a check on one another and prevent someone from overriding the controls,” Ken said.

Conflicts of interest: Individuals on your board or in management positions should identify and report any of their potential conflicts of interests. Otherwise, these can leave your organization vulnerable to fraud and collusion. Have board members sign a statement annually attesting to and disclosing any conflicts of interest.

Journal entries: Make sure the person who prepares journal entries is not the same person who reviews and approves them. The reviewer should check the entry’s support, verify that amounts are correct and ensure they have posted to the right accounts. Implement controls over recurring entries and completeness of entries as well.

Financial statements and notes: Have someone with a good understanding of the organization and financial statements look at disclosures to make sure they are understandable and accurate. A checklist can help ensure a thorough review of your draft disclosures. Remember, an external auditor cannot function as a control—even if they assist in the preparation of statements and notes.

 “It’s really management’s responsibility to oversee the preparation of those notes to make sure that nothing is missing and that the notes are clear,” Ken said. “At the end of the day, they really are your entity’s financial statements, and you want to make sure you understand them and that the wording is correct.”


All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.