What are Effective Internal Controls?

Everyone in the work place has a role in making sure that internal controls are working. It is up to mangers to set them up and check that they are working but unless all employees are aware of their responsibilities in the process, the internal control system will not function completely. Internal controls help to ensure that we are doing the right job in the right way to achieve effective, efficient operations in the work place in compliance with laws and regulations. Here is a five-step process to follow when developing and implementing effective internal controls in an organization:

Step 1: Establish an Appropriate Control Environment

The core of any organization is its people – their individual attributes, including integrity, ethical values and competence – and the environment in which they operate. They are the engine that drives the organization and the foundation on which everything rests. Effectively controlled organizations set a positive "tone at the top" and strive to:

  • Train staff to understand and use appropriate management controls in all areas.
  • Provide structure and process for implementing these controls.

Step 2: Assess Risk

Management must be aware of and deal with the risks the organization faces. It must set objectives, integrated with other activities so that the organization is operating in concert. Management must also establish mechanisms to identify, analyze and manage the related risks.

  • Identify Potential Problems
  • Review goals and objectives.
  • Determine potential problem areas, for example, areas that receive complaints or have had problems in the past.
  • Areas that have undergone recent changes in staff or structure.
  • Complex activities.
  • Determine severity of risks by asking both, Where do we face the greatest possible harm? What types of losses are most likely to occur?
  • A moderate loss that is likely to occur presents as much danger as a more serious loss that is less likely to occur.
  • Use this evaluation to prioritize your efforts.

Identify and Analyze Cycles

  • A cycle is a group of interrelated processes used to initiate and perform an activity. Event cycles can be programmatic or financial. Programs usually contain several event cycles. For example, a human services program might include the following five cycles: outreach, eligibility determination, record keeping, service delivery, and monitoring.
  • The eligibility determination cycle might include interview, application form, verification, approval or denial, supervisory review, and initiate services or mail denial explanation.
  • Determine cycles of likely problem areas.
  • Prepare a written narrative or flow chart explaining how the cycle is supposed to be handled by describing each activity or transaction within the cycle.
  • Describe in the narrative: Who is performing each step? What is involved in the step? Any resulting documentation, for example, reports.
  • Review the information available in policy and procedure manuals. Also, use written materials such as organizational charts, job descriptions, reviews, checklists, department records, and reports.
  • Supplement written sources through conversations with and observations of appropriate staff.
  • Finally, "walk through" the process to be sure every item is understood.

Step 3: Implement Control Activities

Control policies and procedures must be established and executed to help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the organization’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

  • Review each cycle to determine whether existing controls are sufficient to avoid potential problems.
  • Identify any outside policies or procedures in place to offset potential risks.
  • If controls do not exist or appear ineffective, establish new controls.
  • Identify any controls that are excessive or unnecessary and modify or eliminate them.
  • Remember that a good control environment is the first step toward establishing effective controls.

Step 4: Communicate Information

Control activities are surrounded by information and communication systems. These systems enable the organization’s people to capture and exchange the information needed to conduct, manage and control its operations.

  • Obtain external and internal information, and provide management with necessary reports on the organization’s performance relative to established objectives.
  • Provide information to the right people in sufficient detail and on time to enable them to carry out their responsibilities efficiently and effectively.
  • Develop or revise information systems based on a strategic plan, linked to the organization’s overall strategy, and responsive to achieving the entity-wide and activity-level objectives.
  • Demonstrate support for developing necessary information systems by committing adequate human and financial resources.

Step 5: Monitor

The entire process must be monitored, and modifications made as necessary. This way, the system can react dynamically, changing as conditions warrant. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.

  • Schedule monitoring on a regular basis.
  • Test controls at least annually to determine whether they continue to be adequate and are still functioning as intended.
  • Use program monitors, auditors and reviewers as a resource in monitoring controls.
  • Select a sample. Review all documentation. Visit outside sites, if appropriate. Supplement sample with special tests of sensitive items and problem areas.
  • Always follow up to insure that any identified problems are corrected.

Steps to be Effective

The internal control process has five components:

  1. Internal Control Environment
  2. Risk Assessment
  3. Internal Control Activities
  4. Information and Communication
  5. Monitoring

Internal Control Environment

Internal controls are likely to function well if management believes that those controls are important and communicates that view to employees at all levels. If management views controls as unrelated to achieving its objectives, or even worse, as an obstacle, this attitude will also be communicated. Despite policies to the contrary, employees will then view internal controls as "red tape" to be "cut through" to get the job done. An effective internal control environment:

  • Sets the tone of an organization influencing the control consciousness of its people
  • Is an intangible factor that is the foundation for all other components of internal control, providing discipline and structure
  • Describes "organizational culture"
  • Includes a commitment to hire, train, and retain qualified staff
  • Encompasses both technical competence and ethical commitment

Risk Assessment

A risk is anything that endangers the achievement of an objective. Always ask: What can go wrong? What assets do we need to protect?

  • Risk assessment is the process used to identify, analyze, and manage the potential risks that could hinder or prevent an agency from achieving its objectives.
  • Risk increases during a time of change, for example, turnover in personnel, rapid growth, or establishment of new services.
  • Other potential high risk factors include complex programs or activities, cash receipts, direct third party beneficiaries, and prior problems.

Internal Control Activities

Organizations establish policies and procedures so that identified risks do not prevent the organization from reaching its objectives.

  • Clearly identified activities minimize risk and enhance effectiveness.
  • Internal control activities are nothing more than the policies, procedures, and organizational structure of an entity.
  • Controls can be either preventive, for example, requiring supervisory approval, or detective, for example, reconciling reports.
  • Avoid excessive controls, which are as harmful as excessive risk and result in increased Bureaucracy and reduced productivity.

Information and Communication

To be useful, information must be reliable and it must be communicated to those who need it. For example, supervisors must communicate duties and responsibilities to the employees that report to them and employees must be able to alert management to potential problems.

  • Information must be communicated both within the organization and to those outside, for example, vendors, recipients, and other constituents
  • Communication must be ongoing both within and between various levels and activities of the organization.


After implementing internal controls, organizations must monitor their effectiveness periodically to ensure that controls continue to be adequate and continue to function properly. Management must also revisit previously identified problems to ensure that they are corrected.