In this quick guide, we take a look at the different types of internal controls within organisations.
Definition of internal controls
Internal controls are the mechanisms, policies, and processes implemented by an organisation to ensure its financial stability and integrity, promote accountability and protect it from financial, strategic and reputational risk.
In addition to complying with laws and regulations and preventing fraud, internal controls can help organisations improve their operational efficiency and sustainability.
According to the Turnbull Report 1999, the purpose of any control system should be:
“To provide reasonable assurance that the organisation can meet its objectives”.
The Association of Chartered Certified Accountants (ACCA) identifies the following 5 key objectives of internal controls:
Efficient conduct of business – Controls should be in place to ensure the smooth and frictionless operation of an organisation, avoid operational losses and maximise profitability.
Safeguarding assets – Having a comprehensive system of internal controls can help prevent financial fraud, errors, and misconduct.
Preventing and detecting fraud and other unlawful acts – Internal controls can minimise the risk of fraud and other unlawful activities.
Completeness and accuracy of financial records – A failure to keep an effective internal control process and system can lead to inaccurate financial data and records.
Timely preparation of financial statements – The lack of internal controls can affect and delay the fulfilment of key business regulatory requirements like end-of-year accounts and financial reporting.
What are the different types of internal controls?
Generally, there are 3 core types of internal controls: preventative, detective, and corrective. They can be handled either manually or by IT systems. Some of the most common control activities include authorisation, documentation, reconciliation, security, and separation of duties.
Preventative controls aim to prevent any fraud or misconduct from occurring and usually involve practices like systematic documentation, authorisation and separation of duties. Some of the most common examples of preventative controls include authorisation of payments and expenses, or limiting individual access to inventory, cash and other tangible assets.
Detective controls are backup practices and policies that aim to identify events or items that have been missed by the first line of defence. Reconciliations and external audit are among the best examples of detective controls.
Corrective controls are activities and measures taken to rectify any issues that have already occurred and been detected, and to prevent them from happening again. An example of a corrective control is deploying a new policy to destroy unnecessary data, to prevent attackers from stealing it.
Manual vs. IT Controls
In terms of execution, controls can be managed either manually or by IT. Manual controls are entirely managed by individuals, whilst IT controls involve implementing an integrated automated system or application. An example of a manual control is when an authorised employee signs off a document or approves a payment. IT controls, on the other hand, usually form a complex system or application including automated processes like policy management, logical access, change management, and physical security.
Why are internal controls important?
Internal controls are important for any organisation as they help it meet its objectives, whilst remaining compliant with its regulatory, financial and operational obligations.
Internal controls can also help mitigate any internal and external risks, prevent fraud and improve the overall operational efficiency and sustainability of an organisation.