top of page
  • Ali Hasany

How to ensure effective internal control by following these 10 steps?

Updated: Mar 2

Is your organization well protected against errors and fraud?

Effective Internal Control
Effective Internal Control

Internal control is a central element in reducing the risk of error or fraud.

However, it is not always easy for an organization to discover its way around recommendations such as those suggested by COSO.


Follow 10 essential steps to ensure effective internal control.

1- Define scope


To determine this scope of activity, three key questions must be asked:

1. What locations and subsidiaries are in question?

2. Which business activities (procedures) are in question?

3. What categories of risks can internal control help to mitigate?

The following are some possible risk categories:

  • Financial: dangers that could result in a company's financial loss.

  • Accounting: possible account abnormalities, inaccurate accounting data, etc.

  • Compliance: risks are those that might cause the organization to not comply with rules or legal requirements.

  • Operational: risk that could make it difficult for the business to achieve its goals.

  • Health: dangers that could harm employees' physical or mental well-being.

  • Information security: threats to the confidentiality, integrity and availability of data.

  • Reputation: risks that can affect organization reputation.

  • Environment: Risks that could have an impact on the environment (air, water, soil, space)

2- Identify business activities

Business Activities
Business Activities

Once the scope of action has been defined, it is vital to list the business activities (or processes) carried out by the organization as well as the risks connected with them. Simply addressing the inquiry, "What do we do in the organization?

It is necessary to define operations with an acceptable level of detail that is uniform across sectors.

The three sentences that follow, for instance, refer to the same process yet do not offer the same amount of detail:

• “We do accounting”

• “We pay supplier invoices”

• “We enter accounting data”

3- Identify risks


Therefore, in this step, the inquiry "What are the risks connected to the categories of risks selected? must be asked for each company activity.

For example, What are the associated financial, operational, or financial reporting risks, related to "Payment of Supplier Invoices" process?

An infinite inventory of potential risks can be created by identifying risks. Even if there are numerous potential risks, caution must be taken to stay as near to reality as possible.

One solution is to start with issues that the business or its industry has already faced.

For instance, if your organization has previously made errors involving duplicate payments, you are aware that this is a risk that you will need to protect yourself.

4- Identify controls


In the context of internal control, the word “control” covers all the measures used to manage risk: control action, procedure, regulations, control software, other protection measures, etc.

Generally, organization already has internal controls and efficient methods to control certain risks based on its prior experiences and understanding of its industry. It's critical to recognize them. Often, 90% of controls already exist but not formally documented.

In front of each risk, it is therefore sufficient to identify the mitigation measures.

In addition, "controls on controls" should also be added. For example, consider the quarterly verification and analysis of "vendor bank account numbers".

5- Assess risk


Not every risk is the same, and not every company is subject to risk in the same way. The risks must then be evaluated in light of the company's reality in order to determine whether the mitigation measures are adequate and whether more controls are required.

Even though this step is optional and may appear time-consuming, determining "criticality" enables risks to be ranked in order of priority. This "criticality" considers both the impact of a risk and its probability to occur.

5 x 5 Risk Heat Map
5 x 5 Risk Heat Map - Image Source - Balbix (

For instance, errors are quite likely to occur when paying vendor invoices, although this risk has only a moderate effect on the company's ability to survive. In contrast, if no controls are implemented, the risk of fraud for a government or banking institution would be significant and also quite probable. The risk will therefore be serious, with a maximum score of 90, indicating a top priority.

6- Manage risk


Let's consider the example of paying vendor invoices. The process of paying invoices is prone to human error and fraud, making it a risky activity. To mitigate these risks, here are four possible strategies:

  • Avoid: Eliminate the risk of errors or fraud by stopping payment by cash or check, and instead use electronic payment methods.

  • Reduce: Implement a control system to check the accuracy of invoice details and payment amounts before making payments.

  • Transfer or share: Consider purchasing insurance coverage to protect against financial losses resulting from fraud or errors in payment processing.

  • Accept: Acknowledge that errors or fraud may occur occasionally, and develop a plan to quickly identify and address any issues that arise.

If the existing controls are not sufficient according to the company’s “risk appetite”, additional controls must be put in place and “further risk mitigation exercises ” must be initiated.

7- Identify mitigation measures


Making a choice is more important than producing mounds of useless paperwork that will end up on a shelf. The goal is to determine which risk mitigation strategies need to be documented in order to lower the risks.

So, detailing control activities, processes, procedures, and regulations, etc., is necessary.

For example, when numerous departments collaborate, it is vital to discuss the cross-functional process to enhance departmental cooperation and lower risks brought on by poor coordination.

Documenting a mitigating measure should allow you to:

  • Reduce errors

  • Clarify the roles and responsibilities of employees.

  • Ensure all controls are operated consistently.

  • In case collaborator is not present, make sure the activity continues.

The documentation must be modified. An explanation video, a basic checklist, or a comprehensive set of guidelines are all acceptable. Finding the appropriate form that will bring value through its clarity is crucial.

8- Identify key controls and its monitoring


Selecting the controls that are worth inspecting is crucial. Through this monitoring, controls are "done and done right."

It might be a good idea to set up a monitoring on this point, for instance, if you have a monthly control set up to verify computer access.

In order to reduce the threats to information security, this may need the business to conduct an annual control to ensure that "computer access control" is being carried out correctly.

Too many controls undermine control. Avoid defining too many essential controls because this will make deploying controls more expensive than it will be beneficial.

9- Educate and Communicate staff


Employee buy-in is necessary for internal control to materialize as an effective risk management instrument.

Do not forget to communicate with everyone about it and provide them with the necessary training.

While it is crucial to show how valuable internal controls are in regard to legal requirements, it is even more crucial to show employees how internal controls will provide them peace of mind, reduce errors, and prevent omissions.

10- Continuous Monitoring

Continuous Monitoring
Continuous Monitoring

Finally, even though your internal control system is currently functional, it is crucial to understand that it will change and advance through time. It is not a singular, isolated incident that is fixed forever.

It is vital to do the following in order for it to always be helpful and effective:

  • Reassess the risks once a year;

  • Ensure compliance with new laws;

  • Maintain current policies and procedures.

  • Monitor the proper execution of controls.

  • Monitor risk mitigation exercises.

  • Track incidents that occur and treating them as a source of improvement.

Obviously, changes and adaptations must be followed up with updated polices and clear and effective communication.

These steps will ensure smooth implementation of internal control and will allow you to fully benefit from an efficient internal control system tailored to your organisation, satisfaction of your management and employees.

Thanks for reading...

22 views0 comments
bottom of page