A List of Internal Controls

This is the second in a series of blogs on Internal Control, and this one specifically asks: is there a list of internal controls, and why would you want such a list?

Why Lists are a Good Idea

Starting with the second part of the question, a list is the metaphoric toolbox.  By having a comprehensive enumeration of controls, an organization can say that Control X achieves the control objective at the best relative cost in circumstance Y.  In other words, it allows process craftsmen (and women) to construct a system that both safeguards organizational resources and enables the organization to achieve its objectives.  The controls in the list are mapped into the following categories:

  • Governance & Oversight Controls: establishing the organizational values and structures to monitor, motivate and manage the control environment.
  • Preventive controls:  prevents an entity from failing to achieve an objective or address a risk [1, 10.04].
  • Detective controls: discovers when an entity is not achieving an objective or addressing a risk before the entity’s operation has concluded [1, 10.04].
  • Corrective Actions: the oversight body or management oversees the prompt remediation of deficiencies of a control by communicating and delegating authority to the appropriate level of the organizational structure [1].
  • Hard versus Soft Controls.
    • A hard control is tangible, often physical (even in a digital sort of way), generally easier to understand.  Structure, reconciliations, policies, etc. are all examples of a hard control.
    • A soft control is intangible, more informal and often a cultural or social norm.  When present it is more effective than a hard control, but when corrupted it may result in actions that are harder to detect.  Trust, culture, integrity and competence are examples [2].

A Comprehensive (‘ish) List of Controls

The following provides a handy cheat sheet of controls organized by the above categories.  I have tried to list the overall control and not derivations thereof unless the derivation is of particular interest.  Thus, for example, reconciliation is listed as a control (preventive and detective) which in theory includes the accounting control of 3-way matching before paying an Accounts Payable invoice.  Because 3-way matching is such a profound and important control it is included in addition to reconciliation.

Check back periodically to this blog (or future article) as I suspect that I will be adding controls to the list for a few years (decades?) to come.  My list of controls is as follows:

#  | Control                                                              | Type                   | Notes
1  | Demonstrated commitment to integrity and ethical values              | Governance             | COSO 1
2  | Board Independence                                                   | Governance             | COSO 2
3  | Establish structures, reporting lines, authorities and responsibilities | Governance          | COSO 3
4  | Commitment to a Competent Workforce                                  | Governance             | COSO 4
5  | Hold People Accountable                                              | Governance             | COSO 5
6  | Specify Objectives                                                   | Governance             | COSO 6
7  | Selects and develops general controls over technology                | Governance             | COSO 11
8  | Manage, Monitor, Review, Revise and Retire Controls                  | Governance             | COSO 0 (added here)
9  | Authorization Limits                                                 | Governance, Preventive |
10 | Review and approval                                                  | Governance             |
11 | Manage or Eliminate Related Party Transactions                       | Governance             |
12 | Manage Significant Asset, Project or Operational Change              | Governance             |
13 | Reconciliations                                                      | Preventive, Detective  |
14 | Segregation of duties                                                | Governance             |
15 | Digital Security over Assets                                         | Governance, Preventive |
16 | Standardized Documentation                                           | Governance, Preventive |
17 | Master Data Record Management                                        | Governance, Preventive |
18 | Competitive processes for purchases, contracts and hiring staff      | Preventive             |
19 | Confidentiality Agreement for Staff and Contractors                  | Preventive             |
20 | Physical Audits                                                      | Detective              |
21 | Implement Whistle Blower Protection and Processes                    | Detective              |
22 | Management of Financial Statement Estimates                          | Detective              |
23 | Physical Security over Assets                                        | Preventive             |

COSO Principle Based Controls

The 17 principles and their Points of Focus from the COSO Integrated Framework (see the previous blog) provide an excellent list of governance controls for organizations, although some are too broad to be readily converted into a control.  The 8 principles highlighted below are particularly control focused (the eighth, Principle 0, is my own addition).

  • Demonstrated commitment to integrity and ethical values.
    • Description: (COSO Principle 1) The oversight body and management should demonstrate a commitment to integrity and ethical values.
      • A soft control which can be indirectly measured.
    • Cost to Implement: Low cash cost, high integrity and moral costs.
    • Consequence if Lacking: Subordinate levels may not feel compelled to take internal control serious.
    • Examples: Mission and Value statements, ethical behaviour on the part of the board, codes of conduct.
  • Board Independence.
    • Description: (COSO Principle 2) The board of directors, or equivalent, demonstrates independence from management and exercises oversight of the development and performance of internal control.
      • A hard control which can be directly measured.
    • Cost to Implement: Low cash cost, higher costs for coordination and control; risk of an ill-informed or subversive board member causing harm to the organization.
    • Consequence if Lacking: Organizational group think and poor independent thought.
    • Examples: Major shareholders, non-employee rule, trade union membership on the board.
  • Establish structures, reporting lines, authorities and responsibilities.
    • Description: (COSO Principle 3) Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
      • A hard control which can be directly measured.
    • Cost to Implement: Moderate, this HR function can be time-consuming to develop and more challenging to maintain.  May not be reflective of more team based or informal organizations.
    • Consequence if Lacking: Individuals do not understand their own accountability or their reporting relationship within the chain of command.
    • Examples: Organization charts, job descriptions, designated supervisors.
  • Commitment to a Competent Workforce.
    • Description: (COSO Principle 4) The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
      • A soft control that can be indirectly measured.
    • Cost to Implement: Moderate particularly for semi-skilled, skilled and rare skills and resources.
    • Consequence if Lacking: Organizational culture eats strategy for lunch.
    • Examples: Full life-cycle hiring and employee management.  Suitable compensation, benefits, work environment, culture, leadership, etc.
  • Hold People Accountable.
    • Description: (COSO Principle 5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
      • A soft control that can be indirectly measured.
    • Cost to Implement: Low to Moderate, requires good articulation of accountability and responsibility; requires structures to manage accountability.
    • Consequence if Lacking: No one is attributed the benefits of achieving an objective or the consequences of failing to achieve it.
    • Examples: Job descriptions, tasks management, performance measurement systems for staff/contractors.
  • Specify Objectives.
    • Description: (COSO Principle 6) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
      • A hard control which can be directly measured.
    • Cost to Implement: Low, requires good planning, communication, ability to translate vision into action and flexibility to manage tactics while achieving objectives.
    • Consequence if Lacking: The organization is adrift without a clear over-riding purpose or vision.
    • Examples: Mission and vision statements, budgets (annual, rolling, etc.), business plans, quarterly objectives.
    • Top-level reviews of actual performance. Management tracks major entity achievements and compares these to the plans, goals, budgets and objectives set by the entity.  Reviews may be done at an organizational, functional or activity level.
  • Selects and develops general controls over technology
    • Description: (COSO Principle 11) The organization selects and develops general control activities over technology to support the achievement of objectives.  Actions include determining the dependency between the use of technology in business processes and technology general controls, technology infrastructure control activities, security management process control activities, and technology acquisition, development, and maintenance process control activities.
      • A hard control which can be directly measured.
    • Cost to Implement: Moderate, IT governance can be a frustrating and challenging activity particularly if the organization lacks management discipline and many portions of the organization are used to ‘on-demand’ IT service.
    • Consequence if Lacking: resources are squandered, creation of duplicate systems or the loss of interoperability due to differing standards.
    • Examples: COBIT, ITIL, Technology Business Management.
  • Manage, Monitor, Review, Revise and Retire Controls
    • Description: (COSO Principle 0) One additional principle has been added, Principle 0.  This principle is that the organization has the means to review, revise and retire controls that are no longer relevant.
      • A hard control which can be directly measured.
    • Cost to Implement: Low but requires management discipline to allocate the time, talent and treasure to accomplish.
    • Consequence if Lacking: Zombie controls that no longer have a purpose, are deadwood or worse cause harm.
    • Examples: Central to this principle is a governance process; ideally each control sunsets or expires by default unless management actively intervenes to renew it.

Detailed Control Descriptions

  • Authorization Limits.
    • Description:  Reasonable assurance that all transactions are within the limits set by policy or that exceptions to policy have been granted by the appropriate officials.
      • A hard control which can be directly measured.
    • Cost to Implement: Low
    • Consequence if Lacking: Those who do not have delegated authority may approve transactions; the rogue trader exceeding position limits is the classic example.
    • Examples: Delegation of authority and signing limits.
  • Review and approval.
    • Description: Transactions have been reviewed for accuracy, authorization limits and completeness by appropriate personnel.
      • A hard control which can be directly measured.
    • Cost to Implement: Moderate mostly because of the manual nature of the control, low if automated. Inspection is one of the most expensive forms of quality control.
    • Consequence if Lacking: Errors, whether new, unusual or common, are made and go uncaught.
    • Examples: Signing and review by a supervisor, inspection on a production line. Verification, automated inspection, sampling.
  • Manage or Eliminate Related Party Transactions.
    • Description: A transaction between non-arms-length parties, for example a board member who is also engaged as a consultant.  Require that a written conflict of interest and code of ethics policy is in place and that it is updated annually.  Require that related party transactions be disclosed and approved by the Board.
      • A hard control which can be directly measured.
    • Cost to Implement: Low, requires a clear policy and then implementation and compliance against it.
    • Consequence if Lacking: Beyond the unlikely risk of collusion or fraud, the biggest consequence is a perception which is unfair (and introduces risk) to both the organization and the individuals involved.
    • Examples: Discourage the hiring of relatives and business transactions with Board members and employees.
  • Manage Significant Asset, Project or Operational Change
    • Description: Control significant changes to an asset, project or an operational process through a change process.  Ideally the process balances the cost of compliance with the risk of not making a timely change.
      • A hard control which can be directly measured.
    • Cost to Implement: Low but requires management discipline to implement and sustain.
    • Consequence if Lacking: Unapproved, malevolent or ill-informed changes are made which may damage an asset, cost resources or reduce future interoperability.
    • Examples: Change control board for large projects.
  • Reconciliation.
    • Description: Verifying the accuracy of records through the periodic comparison of source documents to data recorded in accounting information systems.
      • A hard control which can be directly measured.
    • Cost to Implement: Moderate mostly because of the manual nature of the control, low if automated.
    • Consequence if Lacking: Loss of a reliable source of truth for the true value.
    • Examples: Accounting working papers, cash-outs for sales, inventory counts.
    • Trial Balances.  Using a double-entry accounting system adds reliability by ensuring that the books are always balanced. Even so, it is still possible for errors to bring a double-entry system out of balance at any given time. Calculating daily or weekly trial balances can provide regular insight into the state of the system, allowing you to discover and investigate discrepancies as early as possible. [3]
    • Periodic Reconciliations. Occasional accounting reconciliations can ensure that balances in your accounting system match up with balances in accounts held by other entities, including banks, suppliers and credit customers. Differences between these types of complementary accounts can reveal errors or discrepancies in your own accounts, or the errors may originate with the other entities. [3]
    • Invoice Matching: Prior to payment, matching a supplier invoice to the purchase order/contract (two-way) or to the purchase order/contract as well as the receiving document (three-way), so that the organization only pays for what it ordered, at the agreed price, and actually received.
  • Segregation of duties.
    • Description: Splitting responsibility for functions across two or more people to reduce the chance of collusion or error.   [adapted from 3]
      • A hard control which can be directly measured.
    • Cost to Implement: Low to moderate.  For small businesses with only a few accounting employees, sharing responsibilities between two or more people or requiring critical tasks to be reviewed by co-workers can serve the same purpose.
    • Consequence if Lacking: A single employee can both commit and conceal a fraudulent act; the further duties are separated, the less chance any single employee has of doing so.
    • Examples: Bookkeeping, deposits, reporting and auditing are done by separate individuals or departments.
    • Dual Signature of Payments: Signatories should be trustworthy, patient and thorough enough to review documents properly, and available so that payments are not held up.  It is advisable to have 3 or 4 possible signatories known to the bank, i.e. some spares in case the main signatories are not available.  It is common to have ‘A list’ and ‘B list’ signatories, where the A list are principal signatories who must sign first (usually staff), and the B list may only sign second (often Board members).  Signatories should be regularly reviewed and the list updated when people leave the organisation.
  • Digital Security over Assets
    • Description: Controlling access to different parts of an asset (e.g. an accounting system) can keep unauthorized users out of the system while providing a way to audit the usage of the system to identify the source of errors or discrepancies. Robust access tracking can also serve to deter attempts at fraudulent access in the first place [adapted from 3].
      • A hard control which can be directly measured.
    • Cost to Implement: Moderate, likely is an integral part of a purchased system, ongoing costs to maintain and sustain, significant staff turnover may also increase costs and risks.
    • Consequence if Lacking: Ability to access assets or information without detection or a record.
    • Examples: Passwords, lockouts and electronic access logs.
  • Physical Security over Assets.
    • Description: Assurance that assets are safeguarded and protected from loss or damage due to accident, natural disaster, negligence or intentional acts of fraud, theft or abuse.
      • A hard control which can be directly measured.
    • Cost to Implement: Moderate, cost of plant, equipment, firewalls, etc.
    • Consequence if Lacking: Theft or damage to assets.
    • Examples: fences, access cards, tool/inventory cages, replacing workers with robots in warehouses, locked transportation containers, policies for attractive (easily stolen or resold) assets.
  • Standardized Documentation.
    • Description: Using standard document formats can make it easier to review past records when searching for the source of a discrepancy in the system.  It also reduces error by giving staff guidance on how to manage a process or system. [adapted from 3]
      • A hard control which can be directly measured.
    • Cost to Implement: Moderate to high depending upon the complexity, diversity and disbursement of the systems and people doing the work.
    • Consequence if Lacking: A lack of standardization can cause items to be overlooked or misinterpreted in such a review.
    • Examples: Standardizing documents used for financial transactions, such as invoices, internal materials requests, inventory receipts and travel expense reports, can help to maintain consistency in record keeping over time.
    • Checklists: A pilot preparing for take off or an emergency room physician both use checklists.  This is to ensure that nothing is missed and that the person does not make an error because of tunnel vision.  At the same time, competence is necessary for the rare occasions when leaving the checklist is necessary.
  • Master Data Record Management.
    • Description: Control over the ability to change master record information.  The control includes need, analysis, testing, implementation and evaluation phases.  This is a variation of control over systems and assets.
      • A hard control which can be directly measured.
    • Cost to Implement: Low although requires management discipline to ensure consistency.
    • Consequence if Lacking: master records may become corrupt, sub-optimal and impact reporting and analysis.
    • Examples: Chart of accounts, bank account details, user access, cheque or invoice numbering.
    • Vendor Bank Account Management.  This is a traditional fraud in which the bank details are switched from the legitimate vendor to an account managed by the fraudster.  More difficult with electronic funds transfer and mature bank systems; nevertheless the scam can still happen: MacEwan University loses $11.8 million to scammers in phishing attack.  A change to a vendor’s bank details should be verified out of band (by calling the vendor at a previously known number, not one supplied in the change request) before any payment goes to the new account.
  • Competitive processes for purchases, contracts and hiring staff
    • Description: Require a fair, open and transparent process for any selection of a product or service for which there is a long-term or material ongoing obligation on the part of the organization.
      • A hard control which can be directly measured.
    • Cost to Implement: Low to moderate although such processes add time and complexity which may seem like useless bureaucracy for those used to a more informal (cowboy) process.
    • Consequence if Lacking: Saddling the organization with an obligation that it may not want, or that is sub-optimal relative to what the marketplace can provide.
    • Examples: Procurement, selection of staff.
  • Confidentiality Agreement for Staff and Contractors
    • Description: A legal document that individuals sign that requires them to keep all company and customer data confidential.
      • A hard control which can be directly measured.
    • Cost to Implement: Low, although the enforceability of such an agreement may be challenged if it is not clearly and comprehensively drafted.
    • Consequence if Lacking: Information leakage by staff or contractors, with no contractual recourse; the purpose of the agreement is to prevent such leakage.
    • Examples: A healthcare employee signing such an agreement before being given access to a health system.
  • Physical Audits.
    • Description: Comparison of the physical existence of an asset as compared to its recorded numbers in a system.  Used to detect and therefore estimate theft, spoilage and the quality of the recording system.
      • A hard control which can be directly measured.
    • Cost to Implement: Moderate, physical inventories are expensive to conduct and are themselves fraught with potential error.
    • Consequence if Lacking: Well-hidden discrepancies in account balances go undetected; physical counting reveals them by bypassing electronic records altogether.
    • Examples: Physical audits include hand-counting cash and any physical assets tracked in the accounting system, such as inventory, materials and tools. Counting cash in sales outlets can be done daily or even several times per day. Larger projects, such as hand counting inventory, should be performed less frequently, perhaps on an annual or quarterly basis.
  • Implement Whistle Blower Protection and Processes.
    • Description: The ability of staff, contractors, customers or members of the public to expose any kind of information or activity that is deemed illegal, unethical or incorrect within an organization, whether private or public, without having to face harsh or unreasonable consequences.
      • A hard control which can be directly measured.
    • Cost to Implement: Moderate, this requires at a minimum a policy and process of designating a 3rd party to receive the communication.  Unfortunately this may result in malicious reporting as well which an organization will need to sort through so as to determine what is a legitimate concern, a vendetta or points in between.
    • Consequence if Lacking: Individuals do not report, and problems grow until the result is catastrophic.
    • Examples: legislation, open door policies, hotlines, town hall meetings.
  • Management of Financial Statement Estimates
    • Description: The process by which management develops assertions and estimates for financial statements [adapted from 4; para 25 and appendixes].
      • A hard control which can be directly measured.
    • Cost to Implement: Low but requires systematic tracking of expertise.
    • Consequence if Lacking: Higher audit costs or a qualified audit opinion.
    • Examples: Materiality Log.
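Several of the controls above (three-way invoice matching, authorization limits, dual signature, segregation of duties and the vendor bank account check under master data management) are mechanical enough to run as a pre-payment check.  The following is an added example written for this post, not code from any accounting package; the record layouts, the 2% price tolerance, the $10,000 dual-signature threshold and the 30-day bank-change window are all assumptions, and the purchase orders, receipts, invoices and signing limits are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


# Record layouts are assumptions for the example, not any particular system's schema.
@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class Receipt:
    po_id: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    vendor_id: str
    qty: int
    unit_price: Decimal
    requested_by: str          # person who requested payment


@dataclass(frozen=True)
class VendorChange:
    vendor_id: str
    field_name: str            # e.g. "bank_account"
    changed_by: str
    changed_on: date


# Policy parameters (assumed values for illustration)
PRICE_TOLERANCE = Decimal("0.02")        # accept up to 2% unit-price variance against the PO
DUAL_SIGN_THRESHOLD = Decimal("10000")   # payments at or above this need two signatories
BANK_CHANGE_WINDOW = timedelta(days=30)  # flag vendor bank changes this recent


def three_way_match(inv, po, receipts):
    """Compare the invoice to the purchase order and receiving documents; return exceptions."""
    findings = []
    if po is None:
        return [f"{inv.invoice_id}: no purchase order {inv.po_id} on file"]
    if inv.vendor_id != po.vendor_id:
        findings.append("vendor on invoice differs from vendor on purchase order")
    if inv.qty > po.qty:
        findings.append(f"invoiced quantity {inv.qty} exceeds ordered quantity {po.qty}")
    received = sum(r.qty_received for r in receipts if r.po_id == inv.po_id)
    if inv.qty > received:
        findings.append(f"invoiced quantity {inv.qty} exceeds received quantity {received}")
    if abs(inv.unit_price - po.unit_price) > po.unit_price * PRICE_TOLERANCE:
        findings.append(f"unit price {inv.unit_price} outside tolerance of PO price {po.unit_price}")
    return findings


def check_payment(inv, approvers, pos, receipts, vendor_changes, signing_limits, today):
    """Run the preventive checks for one payment; an empty list means it may be released."""
    findings = three_way_match(inv, pos.get(inv.po_id), receipts)
    amount = inv.qty * inv.unit_price
    # Authorization limits: every signatory must hold a delegated limit covering the amount.
    for a in approvers:
        limit = signing_limits.get(a, Decimal(0))
        if amount > limit:
            findings.append(f"{a}: signing limit {limit} is below payment amount {amount}")
    # Dual signature above the threshold.
    if amount >= DUAL_SIGN_THRESHOLD and len(set(approvers)) < 2:
        findings.append(f"dual signature required for {amount}, only {len(set(approvers))} signatory")
    # Segregation of duties: the requester may not approve their own payment.
    if inv.requested_by in approvers:
        findings.append(f"segregation of duties: requester {inv.requested_by} approved own payment")
    # Master data: a recent bank account change must be verified out of band, and must not
    # have been made by anyone who is a party to this payment.
    parties = set(approvers) | {inv.requested_by}
    for ch in vendor_changes:
        if (ch.vendor_id == inv.vendor_id and ch.field_name == "bank_account"
                and today - ch.changed_on <= BANK_CHANGE_WINDOW):
            findings.append(f"vendor {ch.vendor_id} bank account changed on {ch.changed_on} "
                            f"by {ch.changed_by}; confirm with vendor out of band before paying")
            if ch.changed_by in parties:
                findings.append(f"segregation of duties: {ch.changed_by} changed the vendor "
                                f"bank account and is a party to this payment")
    return findings


def run_example():
    """Constructed sample data: one clean invoice and one that trips several controls."""
    today = date(2024, 3, 15)
    pos = {
        "PO-100": PurchaseOrder("PO-100", "V1", 10, Decimal("500.00")),
        "PO-200": PurchaseOrder("PO-200", "V2", 4, Decimal("3000.00")),
    }
    receipts = [Receipt("PO-100", 10), Receipt("PO-200", 3)]
    vendor_changes = [VendorChange("V2", "bank_account", "carol", date(2024, 3, 10))]
    signing_limits = {"bob": Decimal("20000"), "carol": Decimal("5000"), "dave": Decimal("50000")}
    invoices = {
        Invoice("INV-1", "PO-100", "V1", 10, Decimal("505.00"), "alice"): ["bob"],
        Invoice("INV-2", "PO-200", "V2", 4, Decimal("3000.00"), "carol"): ["carol"],
    }
    return {inv.invoice_id: check_payment(inv, appr, pos, receipts, vendor_changes,
                                          signing_limits, today)
            for inv, appr in invoices.items()}


if __name__ == "__main__":
    for invoice_id, findings in run_example().items():
        print(invoice_id, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

INV-1 passes every check (a 1% price variance is inside tolerance).  INV-2 is the MacEwan pattern in miniature: the person who changed the vendor’s bank account is the same person who requested and approved the payment, the quantity exceeds what was received, and the single approver is both over her signing limit and short of the second signature.  Each of those is a separate finding so that the reviewer can see which control fired rather than a single pass/fail.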
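The Digital Security over Assets control names passwords, lockouts and electronic access logs as its examples; the log is only a control if someone (or something) reads it.  Below is an added example, not code from this post or from any product, of a detective review over an authentication and record-edit log: it enforces the lockout rule, flags a login that succeeded after the account should have been locked (a sign the lockout is not actually enforced at the system), and cross-checks every actor against the user-access master record so that activity by a terminated or unknown account surfaces.  The log format, the five-failures-in-ten-minutes lockout rule, the user list and the log lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for the example: "<ISO timestamp> <user> <event> <source ip>".
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL|RECORD_EDIT) (\S+)$")

# Lockout policy (assumed values): 5 failures within 10 minutes locks the account.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=10)

# The user-access master record: accounts that are supposed to exist and be active.
ACTIVE_USERS = {"alice", "bob", "carol"}

# Constructed sample log: a password-guessing run against "mallory" that then succeeds,
# an ordinary mistyped password by bob, a record edit by an account nobody provisioned,
# and one line the parser cannot read.
SAMPLE_LOG = """\
2024-03-15T08:00:01 alice LOGIN_OK 10.0.0.5
2024-03-15T08:01:10 mallory LOGIN_FAIL 203.0.113.9
2024-03-15T08:01:15 mallory LOGIN_FAIL 203.0.113.9
2024-03-15T08:01:21 mallory LOGIN_FAIL 203.0.113.9
2024-03-15T08:01:30 mallory LOGIN_FAIL 203.0.113.9
2024-03-15T08:01:44 mallory LOGIN_FAIL 203.0.113.9
2024-03-15T08:01:59 mallory LOGIN_FAIL 203.0.113.9
2024-03-15T08:02:30 mallory LOGIN_OK 203.0.113.9
2024-03-15T08:10:00 bob LOGIN_FAIL 10.0.0.7
2024-03-15T08:10:20 bob LOGIN_OK 10.0.0.7
2024-03-15T09:15:02 eve RECORD_EDIT 10.0.0.9
this line is not in the expected format
"""


def review_access_log(text, active_users):
    """Replay the log, applying the lockout rule and the user-access master record.

    Returns {"locked": set of accounts the policy locked, "findings": list of messages}.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    locked = set()
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            # A log the reviewer cannot parse is itself a finding, never silently skipped.
            findings.append(f"line {lineno}: unparsable entry {line!r}")
            continue
        stamp, user, event, ip = m.groups()
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            findings.append(f"line {lineno}: bad timestamp {stamp!r}")
            continue

        if event == "LOGIN_FAIL":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > FAILURE_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= MAX_FAILURES and user not in locked:
                locked.add(user)
                findings.append(f"{stamp} lockout: {user} after {len(q)} failures from {ip}")
        elif event == "LOGIN_OK":
            if user in locked:
                findings.append(f"{stamp} {user} logged in from {ip} while locked out; "
                                f"lockout is not being enforced")
            if user not in active_users:
                findings.append(f"{stamp} login by account not in user-access master: {user}")
            failures[user].clear()
        elif event == "RECORD_EDIT":
            if user not in active_users:
                findings.append(f"{stamp} record edit by account not in user-access master: {user}")
    return {"locked": locked, "findings": findings}


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, ACTIVE_USERS)["findings"]:
        print(f)
```

The point of the replay is that the control is two-sided: the lockout is preventive, but the review is what tells you the lockout actually held (mallory should never have been able to log in at 08:02:30) and that the list of who may use the system agrees with who actually did.  A successful login or edit by an account absent from the user-access master record is exactly the master data problem described above, seen from the log side.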
  1. GAO (US), Standards for Internal Control in the Federal Government. https://www.gao.gov/assets/670/665712.pdf
  2. Are Soft Controls Better Than Hard Controls? www.internalauditor.me/article/are-soft-controls-better-than-hard-controls/
  3. What Are the Seven Internal Control Procedures in Accounting? The Houston Chronicle.
  4. Canadian Auditing Standards.
  5. Internal control examples. https://www.humentum.org/free-resources/guide/internal-control-examples
  6. State of Washington Administrative & Accounting Manual, Chapter 20. https://www.ofm.wa.gov/sites/default/files/public/legacy/policy/ch20.pdf
  7. Top Ten Internal Controls to Prevent and Detect Fraud! https://www.omh.ny.gov/omhweb/resources/internal_control_top_ten.html
  8. University of Washington, Internal Controls. https://finance.uw.edu/fr/internal-controls
  9. ACCA, Technical articles: Internal controls. https://www.accaglobal.com/ca/en/student/exam-support-resources/fundamentals-exams-study-resources/f1/technical-articles/internal-controls.html
