Internal Financial Controls: Identifying Risks and Protecting Your Business

The five main internal controls and how businesses can effectively reduce risks.

Over my career, I’ve had countless conversations with business owners and managers, and one recurring challenge stands out: internal controls. They don’t usually say internal controls; they talk about issues around the controls.

So, what are internal controls? They are the processes and systems that protect a company’s assets from theft, misuse, or mistakes while ensuring all expenditures are properly authorized. They safeguard the company’s operations and its resources. Below is a list of the five most common controls with examples of control failures.

1. Control Environment

The control environment sets the tone for an organization—it’s the foundation of a company’s internal control system and reflects its commitment to ethical practices.

One example is management override.

·       A purchasing manager has a $500 authorization limit but needs to buy a $2,500 item. Rather than requesting authorization for the purchase, they split it into five $500 purchase orders to avoid oversight.

2. Risk Assessment

Assessing risk is the process of finding and evaluating both internal and external risks to the business. This process not only highlights vulnerabilities but also prioritizes mitigation strategies to address them.

One example is email fraud such as phishing or other fraud attempts.

·       A scammer emails the accounts payable clerk, claiming to be an existing vendor and asking to change the bank account used for paying the vendor. The email looks legitimate, and the clerk changes the information. The mistake often isn’t discovered until the vendor complains about not being paid.

3. Control Activities

Control activities refer to the policies and procedures designed to mitigate risks and ensure internal controls are implemented effectively.

One example is to have one person record vendor bills, a second person prepare the payment, and a third authorize release of the payment (not always possible in smaller companies).

·       For example, an accounting clerk receives the invoices from vendors, enters them in the computer, and releases the payments. This creates a risk that they could defraud the company with little chance of being discovered.

4. Information and Communication

A strong internal control system relies on effective information flow and clear communication. Employees must fully understand their responsibilities, and management must be kept informed of potential issues and risks.

·       Failure to communicate information about internal controls can lead to managers and employees misspending company money.

5. Monitoring

Monitoring is the final, but equally critical, part of an effective internal control system. It involves regular evaluations to ensure that controls stay relevant and effective as business environments evolve.

Internal controls are not static—they require continuous oversight and updates to address new challenges and remain effective. Businesses that prioritize monitoring are better equipped to respond to emerging risks and maintain operational efficiency.

·       Risks change with time and internal controls need to be updated on a regular basis.

Despite their critical importance, internal controls often become a source of frustration, especially when employees and managers fail to follow them consistently. Let’s explore the five components of the COSO internal controls framework (which connects the business’s internal controls to its business processes) and how they can be applied to strengthen your business.


Patrick Hone

Patrick Hone is an accomplished Chief Financial Officer with extensive experience in accounting, financial management, and strategic leadership. Holding an MBA in Management from Royal Roads University, he has a strong track record in change management, corporate strategy, financial and management accounting, and regulatory compliance. Patrick has successfully led teams across diverse industries and has worked with international companies operating in the USA, Australia, Europe, and South America. His expertise in leadership, governance, and team building makes him a valuable asset in navigating complex financial landscapes and driving organizational success.

https://www.arbubutusmc.com