
Auditing Best Practice

Implementing an Effective Internal Controls System

by Andrew Chambers

Executive Summary

  • Effective internal control gives reasonable assurance, though not a guarantee, that all business objectives will be achieved. It extends well beyond the aim of ensuring that financial reports are reliable: it includes the efficient achievement of operational objectives and ensuring that laws, regulations, policies, and contractual obligations are complied with.

  • There is growing appreciation that effective internal control does not evolve naturally. It requires concerted effort on an ongoing basis.

  • Often initially stimulated by the requirements of the Sarbanes–Oxley Act (2002), many more businesses are now systematically documenting, testing, evaluating, and improving their internal control processes. We show how to do this.

  • In a large organization this more rigorous focus on internal control is likely to encourage greater standardization of similar processes in use in different parts of the organization.

  • More effective internal control does not necessarily cost more. Aside from reducing costly risks of avoidable losses and business failures, it is often no more costly to organize business activities in ways that optimize control.

  • Better internal controls may enable a business to engage safely in more profitable activities that would be too risky for a competitor without those controls.

In some jurisdictions law or regulation may require effective systems of internal control, with serious penalties for irresponsible failure. The Sarbanes–Oxley Act (2002) requires CEOs and CFOs of companies with listings in the United States to certify their assessment of the effectiveness of internal control over reported disclosures (s302) and financial reporting (s404), with penalties of up to $1 million and ten years imprisonment for unjustified certification, or up to $5 million and 20 years imprisonment for wilful breach of the requirements (s906). The Public Companies Accounting Oversight Board’s Auditing Standard No. 5 (2007) requires the company’s external auditors themselves to assess the effectiveness of their client’s system of internal control over financial reporting, in order to meet the audit requirements of s404 of the Sarbanes–Oxley Act.

Japan and Canada have laws broadly similar to the Sarbanes–Oxley Act. Although not reinforced by the risk of criminal sanctions, provision C.2.1 of the United Kingdom’s Combined Code on Corporate Governance (2008) requires that the board of a company listed on the main market of the London Stock Exchange should, at least annually, conduct a review of the effectiveness of the group’s system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational, and compliance controls, and risk management systems. In addition, the UK Financial Services Authority’s Disclosure and Transparency Rule DTR 7.2.5 R requires companies to describe the main features of the internal control and risk management systems in relation to the financial reporting process (see Schedule C).


What “Effective” Means

Although similar requirements exist in many countries, the principal driver for implementing an effective internal controls system should be the enlightened self-interest of the company.

Effective internal control is intended to give reasonable assurance of the achievement of corporate objectives at all levels. An internal control framework should be used for the design and evaluation of an internal control system. The COSO framework is the most widely applied of three published frameworks.1 COSO (the Committee of Sponsoring Organizations of the Treadway Commission) defines internal control as follows:

“Internal control is broadly defined as a process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  1. Effectiveness and efficiency of operations.

  2. Reliability of financial reporting.

  3. Compliance with applicable laws and regulations.”

Other definitions of internal control categorize the objectives of internal control differently, but fundamentally, effective internal control gives reasonable assurance that all of management’s objectives will be achieved. For instance, the King Report2 defines internal control as follows:

“The board should make use of generally recognized risk management and internal control models and frameworks in order to maintain a sound system of risk management and internal control to provide a reasonable assurance regarding the achievement of organizational objectives with respect to:

  1. Effectiveness and efficiency of operations;

  2. Safeguarding of the company’s assets (including information);

  3. Compliance with applicable laws, regulations and supervisory requirements;

  4. Supporting business sustainability under normal as well as adverse operating conditions;

  5. Reliability of reporting;

  6. Behaving responsibly towards all stakeholders.”

Before a conclusion can be reached that internal control is effective, both results and processes must be considered. For the former, the test is whether there have been any known outcomes attributable to significant breakdowns in internal control. Absence of these does not lead automatically to the conclusion that internal control is effective: it is possible that there may have been breakdowns of internal control yet to be discovered; it is also possible that serious weaknesses exist within the system of internal control that have not yet been exploited. So the second test must also be applied, which is to assess the quality of the control processes or “components.”


Design Characteristics of an Effective Internal Controls System

The COSO internal control framework recognizes five essential components of any effective internal control system:

  • The control environment: Values and culture; tone at the top; policies, organizational structure.

  • Information and communication: Reliability, timeliness, clarity, usefulness.

  • Risk assessment: Identification, measurement, and responses to threats.

  • Control activities: Procedures followed for a control purpose.

  • Monitoring: Review of internal control arrangements.

A common failing in designing and evaluating a system of internal control is to focus almost exclusively on control activities, vitally important though they are, overlooking that the other components are also essential. The Securities and Exchange Commission’s rule for management’s implementation of s404 of the Sarbanes–Oxley Act requires that a recognized internal control framework is applied. Usually it is the COSO framework that is used, and that framework treats all five of these as essential components of an effective system of internal control.

General hallmarks of an effective system of internal control include that controls:

  • are designed to meet objectives which are clear;

  • have regard to competitive issues;

  • enable and ensure that performance is measured;

  • result in unsatisfactory performance being rectified;

  • ensure that activities are completed in a timely way;

  • are cost effective;

  • are placed as early in the process as is practical, so that thereafter there is control;3

  • are “preventative” rather than merely “permissive”;

  • have no more movements or steps than are necessary.

Control activities can be categorized as follows:

Preventive controls: To limit the possibility of an undesirable outcome being realized. The more important it is that an undesirable outcome should not arise, the more important it becomes to implement appropriate preventive controls. Examples are when no one person has authority to act without the consent of another, or limitation of action to authorized persons (such as only those suitably trained and authorized being permitted to handle media enquiries).

Corrective controls: To correct undesirable outcomes that have been realized. Examples are the design of contract terms to allow recovery of overpayment, or contingency planning for business continuity/recovery after events which the business could not avoid.

Directive controls: To ensure that a particular outcome is achieved or an undesirable event is avoided. Examples are a requirement that protective clothing be worn, or that staff be trained with required skills before working unsupervised.

Detective controls: To identify undesirable outcomes “after the event.” Examples are stock or asset checks which detect unauthorized removals, or post-implementation reviews to learn lessons.

Performance controls: To orientate and motivate the organization’s people to focus on the achievement of targets that are appropriate for the achievement of objectives. Examples are despatching all orders on day of receipt of order, or allowing that less than 2% of production should fail quality control checks.


Assessing Internal Control Effectiveness

A widely followed approach to assessing and improving internal control effectiveness has been developed that comprises these steps (see case study 1):

  1. Determine the documentation to be used, such as process maps (flowcharts), control registers, and process narratives.

  2. Identify the objectives to be achieved.

  3. Determine the processes that are key to the achievement of objectives.

  4. Learn about each key process, documenting it in narrative, spreadsheet, and/or flowchart form.

  5. Within a key process, identify and document the key controls.

  6. Judge the potential of each key control to be effective, if followed as intended. Modify the control approach if necessary.

  7. Design and document tests to be conducted to assess compliance with each control.

  8. Conduct these tests.

  9. Interpret the results of these tests. Where necessary, ensure better compliance or modify the control approach if satisfactory compliance is judged impractical.

  10. Interpret the control significance of unwanted outcomes that have occurred.

  11. Consider the adequacy of the control environment, information and communication, risk assessment, control activities, and monitoring.

  12. Conclude on the effectiveness of internal control at the process level.


Testing Internal Controls

The extent of testing is a compromise between the need for thoroughness and the testing resources available, and will vary according to the criticality of the controls that are being relied upon, the potential for the controls to be circumvented, and the results of initial testing. For controls designed to operate at intervals (such as at week, month, or year ends), initial sample sizes may be as in Table 1. For controls that apply to individual transactions Table 2 may be appropriate, which can also be used for interval controls that are used in multiple locations or on multiple occasions.

Table 1. Sample sizes to be used if the control operates at the frequencies shown

Frequency of control | Sample size
Many times a day | 25

Table 2. Sample sizes for transaction controls

Population size | Sample size
Above 300 | 25 max


Ongoing Maintenance of an Internal Controls System

Changing business requirements will result in modified business processes and the risk that controls within those processes may be abandoned or made less effective. Each modified business process that is key to the achievement of a business objective should be reassessed, applying steps 3 to 6 (above), prior to releasing the new or modified business process for operational use.

For established processes, performance criteria should be established to monitor the quality of performance and the extent to which controls fail.


Case Study 1

A multinational company took the requirement to comply with s404 of the Sarbanes–Oxley Act as an opportunity to assess the effectiveness of its internal control generally, not just internal controls over financial reporting.

First, the accounting processes that could lead to financial misstatements were identified. Second, mission critical operational processes were identified where there were significant risks of not achieving business objectives and/or risks of misstatement. These accounting and operational processes were documented in process maps (flowcharts), using distinctive symbols to denote what were considered to be key s404 controls, other key financial controls and key operational controls. These controls were described in a spreadsheet-based control register, supplemented where necessary by further process narrative. From this understanding of each process, deficiencies in control procedures were identified and corrected. Using predetermined, documented test scripts, each key control within a process was then tested for compliance prior to drawing a conclusion about internal control effectiveness of the process.

Initially this work was done by the internal audit function, before being transferred to become an ongoing responsibility of management, working to an annual cycle.


Case Study 2

To be useful, process narrative on internal control must be specific enough to indicate whether control is effective. In the three examples below, only the third is adequate. The reader of the first and second examples will be unclear as to whether it is merely the narrative that is inadequate, or whether internal control itself is inadequate.

Control Documentation Poor

A report on duplicate invoices is produced before payments are made. It is looked at and approved by someone who plays no other part in the order processing and invoicing procedures.

Control Documentation Average

Each day, before the payments processing run, the senior creditors clerk (SCC) investigates a report on possible duplicate invoices. The SCC signs and dates this report when the check has been completed, and sends the report to James Smith for second review and final approval. James signs and dates the report to indicate completion of his review and approval of the SCC’s investigation.

Neither James nor the SCC has access to the purchase order or invoice processing SAP modules or the manual parts of those subsystems.

Control Documentation Good

Daily, before the IT-based processing of payments, the SCC personally prints out a possible duplicate payments report from the payables module in SAP (SAP report code 9VDFZ3). This report may indicate five possible types of duplicate (refer to details in the process narrative).

The SCC investigates the possible duplicate invoices as indicated in the report by checking the accuracy of invoice data captured in the SAP accounts payable module against original invoices, making sure that each invoice is valid by reference to source documentation such as purchase orders as necessary.

The SCC has no responsibility for other elements of this system, not having any involvement in, or other access to, the processing of purchase orders or invoices—these access rights are blocked to the SCC by the accounts payable module.

When the SCC has completed the investigation, he signs and dates the possible duplicate payments report to indicate that the investigation has been completed. His manager then reviews the possible duplicate payments report, together with the relevant, supporting evidence and comments from SCC’s investigation. If the manager is satisfied by the investigation and supporting evidence, he signs and dates the possible duplicate payments report to indicate approval of the SCC’s investigation.
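The detective control in the “good” narrative above, as an added example that is not code from the page, from SAP, or from the company described: a possible-duplicate-payments report run over constructed invoice data, followed by the segregation-of-duties and four-eyes checks that the narrative relies on at sign-off. The page says the real report flags five types of possible duplicate but does not list them, so the two matching rules here, the invoice-number normalisation, and all names and values are assumptions of this example.

```python
"""Possible-duplicate-payments report and sign-off checks.

Added example. The matching rules are assumptions (the page does not list the
five duplicate types the real report uses); the invoice data is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    doc_id: str        # accounts-payable document reference (constructed)
    vendor: str        # vendor account
    invoice_no: str    # supplier's own invoice number, as keyed in
    amount: float
    inv_date: date
    entered_by: str    # user who captured the invoice in the payables module


# Constructed sample data, not taken from the page.
INVOICES = [
    Invoice("AP-1001", "V100", "INV-7781", 1250.00, date(2009, 3, 2), "alice"),
    Invoice("AP-1002", "V100", "INV-7781", 1250.00, date(2009, 3, 2), "bob"),    # keyed twice
    Invoice("AP-1003", "V200", "INV-0042", 980.50, date(2009, 3, 3), "alice"),
    Invoice("AP-1004", "V200", "INV-42", 980.50, date(2009, 3, 3), "carol"),     # number keyed differently
    Invoice("AP-1005", "V300", "INV-5000", 400.00, date(2009, 3, 4), "bob"),
    Invoice("AP-1006", "V300", "INV-5001", 400.00, date(2009, 3, 4), "bob"),     # same vendor/amount/date
    Invoice("AP-1007", "V400", "INV-9", 75.00, date(2009, 3, 5), "alice"),
]


def normalise_invoice_no(invoice_no):
    """Drop punctuation, upper-case, and strip leading zeros from each digit run,
    so that 'INV-0042' and 'INV-42' compare equal. Assumed rule, not SAP's."""
    core = "".join(ch for ch in invoice_no.upper() if ch.isalnum())
    return re.sub(r"(?<!\d)0+(?=\d)", "", core)


# Each rule maps an invoice to a key; invoices sharing a key are possible duplicates.
RULES = {
    "same vendor and invoice number": lambda i: (i.vendor, normalise_invoice_no(i.invoice_no)),
    "same vendor, amount and date": lambda i: (i.vendor, round(i.amount, 2), i.inv_date),
}


def possible_duplicates(invoices):
    """Return {sorted tuple of doc_ids: set of rule names that matched them}."""
    findings = defaultdict(set)
    for name, key in RULES.items():
        groups = defaultdict(list)
        for inv in invoices:
            groups[key(inv)].append(inv.doc_id)
        for docs in groups.values():
            if len(docs) > 1:
                findings[tuple(sorted(docs))].add(name)
    return dict(findings)


def sign_off_allowed(signer, flagged_doc_ids, invoices, already_signed_by=()):
    """Segregation of duties and four-eyes check before a signature is accepted.

    The signer must not have captured any of the flagged invoices (the narrative
    blocks the SCC from invoice processing), and the second reviewer must be a
    different person from the first.
    """
    by_id = {i.doc_id: i for i in invoices}
    if any(by_id[d].entered_by == signer for d in flagged_doc_ids):
        return False
    if signer in already_signed_by:
        return False
    return True


if __name__ == "__main__":
    report = possible_duplicates(INVOICES)
    for docs, reasons in sorted(report.items()):
        print(", ".join(docs), "->", "; ".join(sorted(reasons)))
    flagged = [d for docs in report for d in docs]
    print("alice may sign:", sign_off_allowed("alice", flagged, INVOICES))
    print("dave may sign:", sign_off_allowed("dave", flagged, INVOICES))
```

The report itself is only the detective half of the control; the sign-off check is what gives the narrative its assurance value, because it encodes in the system the restriction that the narrative states in words (the investigator has no invoice-processing role, and the approver is a different person).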


Making It Happen

The approach to follow:

  1. Adopt and understand a recognized internal control framework.

  2. Engage the board, management, and other personnel in the ownership of internal control.

  3. Identify the mission critical business processes.

  4. Consider standardizing processes across the business.

  5. Document those processes, highlighting the key controls.

  6. Consider the effectiveness of the key controls and improve where necessary.

  7. Design tests to confirm satisfactory compliance with key controls, and take remedial action as required.

  8. In addition to control activities, consider whether the other essential components of an effective system of internal control are sound—for example, the control environment, information and communication, risk assessment and monitoring.

  9. Draw overall conclusions.

  10. Use the results from this process as a continuous improvement tool to improve the internal control system.

1 Other recognized internal control frameworks are the Canadian “CoCo” framework, and the United Kingdom’s Turnbull framework.

2 King Report on Corporate Governance for South Africa (March 2002), “King II,” Institute of Directors in Southern Africa. “King III” is to be published in 2009.

3 For instance, incoming cash should be controlled at the point and time of entry into the business.

Further reading


  • American Institute of Certified Public Accountants (AICPA). Internal Control over Financial Reporting: Guidance for Smaller Public Companies. Institute of Internal Auditors (IIA) Research Foundation, 2006. Order from:
  • Chambers, Andrew. Tolley’s Internal Auditor’s Handbook. 2nd ed. London: LexisNexis Butterworths, 2009. See especially chapter 6.
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control—Integrated Framework. 2 vols, 1992. Order from:
  • COSO. Guidance on Monitoring Internal Control Systems. To be published in 2009. See exposure/review link at: