Shot of a group of young business professionals having a meeting in boardroom

Article

Navigating the basics of internal controls

May 22, 2024 · Authored by Mumta Taneja, Katlyn Andrews

Whether you are diving into the world of internal controls for the first time or you’re a seasoned professional seeking a refresher, understanding the basics of internal controls is crucial in maintaining integrity and compliance within your organization. 

Learn more by tuning into our on-demand webinar to hear directly from Baker Tilly’s risk advisory specialists as they explain the essential components of internal controls, define its role in risk management and compliance and discuss how to establish robust processes to safeguard an organization’s operations. 

Play video

What is risk?

First understanding risk is critical to understanding internal controls. Risk can be defined in a few different ways:

The possibility of an event occurring that will impact the achievement of an organization’s mission and objectives
Possible events that could cause harm or loss
The possibility of an undesirable action taking place

Simply stated, risk is what can go wrong (or, alternatively, what needs to go right)?

Risk is typically measured in terms of potential impact to an organization and the likelihood that an adverse event will occur. Once risks are identified and ranked, organizations can then identify and implement controls to address these risks, beginning with those that are both highly likely to occur and would have a significant impact on the organization.

What is internal control?

Internal control is a process designed to manage risk and provide reasonable assurance that the organization will achieve its operational, reporting and compliance objectives. Internal controls are defined broadly to allow flexibility in its application and can be broadly applied to organizations of different size, industry and geography.

Five components of internal control

The Committee of Sponsoring Organizations (COSO) is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. In 2013, it issued the current version of its Internal Control – Integrated Framework, the most widely used internal control framework for U.S.-based companies.

Mumta Taneja

Director

Related sections

Next up

PCI compliance in higher education: determining the security of sensitive payment card information

Discover more

Risk	Control description	Type of control
Cardholder makes purchases that are not in compliance with the procurement card policy and/or do not have a business purpose.	A procurement card policy exists, clearly outlines the appropriate and inappropriate use of the procurement card and is easily accessible to all cardholders and approvers.	Preventive
	A cardholder’s transactions are reviewed for reasonableness of purchase and allocation by an approver with visibility into the cardholder’s work and an understanding of the policy.	Detective
	If card misuse is observed, the procurement card administrator will issue a warning to the cardholder. If subsequent instances of misuse are observed, the procurement card administrator may suspend or cancel the card.	Corrective

Navigating the basics of internal controls

What is risk?

What is internal control?

Five components of internal control

Mumta Taneja

Related sections

PCI compliance in higher education: determining the security of sensitive payment card information

Types of control activities

Documenting risks and controls

Example of a simple RCM

Five key takeaways

Ready to get started on your risk management journey?