BoardAndFraud

Internal Controls – A Process to Help Ensure Internal Controls are Designed Consistently and Appropriately

Developed by: Jonathan T. Marks


The concept of internal control appeared as a practice in the USA at the beginning of the 20th century, whereas in the economic literature it began to be extensively addressed only after the ’50s.

The internal control concept originated in 1949 from the American Institute of Certified Public Accountants (AICPA), with a plan to coordinate organizations’ activities to increase effectiveness in organizational operations (Lakis & Giriunas 2012). Internal controls denote the rules or standards by which the objectives of an organization are attained. Through compliance with the set procedures, the organization ensures that employees implement these standards in an optimistic manner to accomplish the business objectives and maximize the competency of the organization (Flair 2017).

Hightower (2009) refers to internal controls as operational procedures and processes to establish efficiency and effectiveness of operations within an organization’s procedures and compliance with applicable laws. Providing an auditor’s view, Mihaela and Iulian (2012) explain that internal controls and procedures form part of an organization’s control system and mention that internal control is not only for accounting purposes but also a system through which people interact with one another. Mihaela and Iulian (2012) stress the importance of an effective leadership plan for the long-term achievement of effective internal controls.

I have realized that many don’t understand what internal controls are or what they are supposed to do. For example, recently, a twenty-year professional told me that internal control starts with a strong set of policies and procedures. That’s incorrect. Internal control starts with a strong control environment based on a clear understanding of the business process objectives. Here are some other inaccuracies –

It’s no secret that the regulators continue to scrutinize compliance. There are many deferred prosecution, non-prosecution, and enforcement releases that hammer companies for poor internal controls. The regulators don’t seem to realize that companies need a methodology to have properly designed internal controls that everyone follows consistently, without exception. Many are treating the symptom and not the ROOT CAUSE!

Definition of Internal Control

An “internal control” is an action or a process of interlocking activities designed to support the policies and procedures detailing the specific preventive, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or the objective(s).

This, along with CHECKS AND BALANCES that could include continuous monitoring, continuous auditing, and training, reasonably assures:

Enemies of Internal Controls

Control Design Steps


Fraud, including financial reporting, misappropriation of assets, bribery
Poor or inappropriate accounting
Business interruption
Loss or destruction of assets
Incorrect management decisions
Statutory sanctions
Excessive or high costs

A variety of actions make up a process.  All may have a role in achieving the final result, but only a few are truly critical to the outcome; that is, their absence would make it difficult, if not impossible, to achieve the desired result.  These critical actions are referred to as key or critical controls.  This step focuses on identifying and documenting the key controls in a process.






There are undoubtedly many other categories and examples of controls, all of which are necessary to achieve the desired result.  Control models (e.g., COSO, COCO, COBIT) have been developed to focus on the roles controls play in a business environment.  For further information, readers should consult these control frameworks as well as introductory auditing books.

Also, controls can be –


Proactive management actions and controls include prevention but go beyond it. Proactive management actions and controls should encourage desirable conditions, events, or outcomes and prevent undesirable errors or irregularities.


Detective management actions and controls determine progress toward objectives and identify the actual or potential occurrence of desirable and undesirable conduct, conditions, and events. These controls are the most common type of mitigating or compensating controls.


Responsive management actions and controls do more than correct errors. They help the organization recover from undesirable conduct, events, and conditions; fix identified weaknesses; execute necessary discipline; recognize and reinforce desirable conduct and deter future undesired conduct or conditions.

Lastly, when designing a control, always consider the EcoSystem and your objective(s)!

Copyright 2021 Jonathan T. Marks


We hope you find this information useful. I don’t believe guidance like this exists anywhere, and that is why I embarked on developing something useful.

Thoughts and comments are always welcome and appreciated!


Jonathan T. Marks, CPA, CFF, CFE

Special thanks to Rob Mainardi for your input.

Additional Information



In every organization, there are established targets and goals which the executive team designs and documents to direct each business unit team to complete their associated responsibilities for the company to achieve the set targets. To ensure these goals are reached, every business unit must set process and performance objectives for their own teams and have the corresponding controls in place to provide an environment for success and, more importantly, consistency of the work product.

The key to not only achieving these established goals but also generating maximum team performance in the supporting business units is to create a robust control environment. Successful control environments are built on a foundation of internal controls designed to support the business process policies and procedures. The internal controls will ensure the achievement of the business objectives consistently while providing the business teams with a structure, direction, and requirements to complete their daily process activities.

Control Identification

In an effort to develop a robust control environment, there must be a process to evaluate the existence and effectiveness of the controls which are currently in place over each business process. The evaluation of controls, or control assessment, always begins with the business objective(s). The business objective is defined as the purpose or the reason the process was established in the first place. Why was this process created, and what must the process generate consistently to ensure the outcome is correct, timely, and in compliance with any internal/external rules or regulations? While this “objective” approach may seem simple, it is surprising how many individuals, and even teams, have difficulty defining their own process objectives. In any control assessment, the business objective(s) must be clearly identified and defined before any attempt to determine the effectiveness of the corresponding business process.

After identifying, defining, and confirming the business process objective(s), the next step is to document each process step from the beginning to the end of the business process being reviewed. This documented flow allows for a clear and detailed examination of the current controls to determine if they alone will generate the intended outcome. Remember that every process will generate an outcome, but it may not always be the intended one. The individual controls will be dissected to determine if they are sufficient to produce the intended outcome most effectively and efficiently. The only method to validate the existence of proper controls is to select a sample of transactions and follow the current established controls through the process to the outcome and determine how effective the process was at producing the result. If sample transactions produce the intended outcome, then the associated controls can be labeled effective. An additional consideration, other than producing the correct outcome, is to verify that the controls are implemented in such a manner that allows for the process team to navigate the requirements easily. Just because the controls produced the intended outcome does not necessarily mean the process controls are well designed and effective.

Control Assessment

The process to assess the effectiveness of established controls is a five-step evaluation to determine if the current controls are properly (1) designed; (2) developed; (3) implemented; (4) executed; and (5) reported. Each one of these five evaluations has specific requirements to ensure the control not only works effectively but also is linked directly to the achievement of the confirmed process objective. Our assessment breaks down each control into its core components to verify and validate it was designed with consideration of objective achievement in the most efficient manner through the development, implementation, and execution of each step. The fifth element of the control assessment is often overlooked but is just as critical as the previous four. A success factor in every effective control is that there is regular internal reporting and confirmation that the control is doing the job it was designed to do. All processes in all industries should have built-in reporting for their established controls.


This control assessment process, using the business objective(s) as the foundation, has been validated as the most effective method to confirm that the controls in place are not only focused on delivering the intended outcome of the business objective but also provide the roadmap and validation points for the business process team to be successful consistently.

I look forward to discussing the control assessment evaluation process to provide continual improvement in your operations.
