Internal Control Systems
Internal controls are the policies, procedures, and processes an organization uses to safeguard its assets, produce reliable financial reports, and comply with laws and regulations. Understanding these controls matters because they form the backbone of trustworthy financial information, and auditors evaluate them before ever looking at the numbers themselves.
Elements of Internal Control Systems
The COSO framework identifies five interrelated components of internal control. Think of them as layers that build on each other.
Control Environment sets the foundation for everything else. It's the overall tone and culture of the organization.
- Tone at the top refers to how management demonstrates its commitment to integrity and ethical behavior. A written code of conduct is one example, but what leadership actually does matters more than what's written down.
- The board of directors (often through an audit committee) provides oversight to make sure controls are working and management is held accountable.
Risk Assessment is the process of identifying and analyzing threats that could prevent the organization from achieving its objectives.
- Risks can relate to financial reporting (misstatements, fraud), operations (inefficiency, asset loss), or compliance (violating laws or regulations).
- Once risks are identified, management decides how to respond: accept, avoid, reduce, or share each risk based on the organization's risk tolerance.
Control Activities are the specific policies and procedures that address the risks identified above.
- Segregation of duties ensures no single person controls all parts of a transaction (more on this below).
- Physical controls protect assets through locks, safes, security cameras, and restricted access areas.
- Information processing controls ensure data accuracy and completeness through techniques like input validation, automated checks, and account reconciliations.
Information and Communication ensures that relevant, quality information flows to the right people at the right time.
- Internally, this includes employee handbooks, training programs, and clear communication of policies and responsibilities.
- Externally, it includes financial statements and disclosures that inform stakeholders about the organization's control environment.
Monitoring evaluates whether internal controls continue to function effectively over time.
- Ongoing evaluations are built into daily operations, such as supervisory reviews and automated exception reports.
- Separate evaluations happen periodically through internal audits or external audits conducted by independent parties.
- When deficiencies are found, they get reported to management and the board so corrective action (remediation plans) can happen quickly.
Separation of Duties for Fraud Prevention
Separation of duties is one of the most important control activities. The core idea: no single employee should handle all three of these functions for the same transaction:
- Authorization — approving the transaction (e.g., signing a purchase order or approving an expense report)
- Recording — entering the transaction into the accounting records (journal entries, ledgers)
- Custody — having physical access to the related asset (cash, inventory, checks)
When these duties are split among different people, fraud becomes much harder to pull off. A person who handles cash but can't alter the accounting records would need to collude with someone else to steal and cover it up. That requirement for collusion is exactly what makes separation of duties effective.
Beyond fraud prevention, splitting duties also catches honest mistakes. When multiple people touch a transaction, errors are more likely to surface during reconciliations and reviews.
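The three-function rule above can be checked mechanically against an event log. This is an added illustration, not part of the original notes: the event records, person names and transaction ids are constructed. It flags any person who performs two or more of the functions on one transaction (the cash-plus-records combination the example above warns about) and also computes how many people would have to collude to control a transaction end to end, which is the property the text says makes the control effective.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample log: one row per (transaction, person, function).
EVENTS = [
    ("PO-1001", "alice", "authorize"),
    ("PO-1001", "bob",   "record"),
    ("PO-1001", "carol", "custody"),    # fully segregated
    ("PO-1002", "dave",  "authorize"),
    ("PO-1002", "dave",  "record"),     # dave approves and books it himself
    ("PO-1002", "erin",  "custody"),
    ("PO-1003", "frank", "authorize"),
    ("PO-1003", "frank", "record"),
    ("PO-1003", "frank", "custody"),    # one person controls the whole transaction
]

FUNCTIONS = {"authorize", "record", "custody"}   # the three duties named in the text


def functions_by_person(events, txn_id):
    """Map each person to the set of duties they performed on txn_id."""
    people = defaultdict(set)
    for txn, person, function in events:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} on {txn}")
        if txn == txn_id:
            people[person].add(function)
    return people


def sod_violations(events):
    """Return {txn_id: {person: [duties]}} for every person holding two or
    more of the three duties on the same transaction."""
    violations = {}
    for txn_id in sorted({txn for txn, _, _ in events}):
        people = functions_by_person(events, txn_id)
        conflicts = {p: sorted(f) for p, f in people.items() if len(f) >= 2}
        if conflicts:
            violations[txn_id] = conflicts
    return violations


def minimum_colluders(events, txn_id):
    """Smallest number of distinct people whose cooperation covers all three
    duties on txn_id. 1 means no collusion is needed; None means the log does
    not show all three duties being performed at all."""
    people = functions_by_person(events, txn_id)
    for size in range(1, len(people) + 1):
        for group in combinations(people, size):
            if set().union(*(people[p] for p in group)) == FUNCTIONS:
                return size
    return None
```

A transaction whose minimum-colluder count is 1 is the case the control exists to prevent; a count of 3 means the duties are fully separated.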

Documentation for Error Reduction
Proper documentation means maintaining complete, accurate records that trace every transaction from start to finish.
Source documents are the original evidence that a transaction occurred. These include invoices, receipts, contracts, and purchase orders. Accounting records then summarize and classify those transactions in journals, ledgers, and ultimately the financial statements.
Together, these records create an audit trail, which is the path an auditor (or manager) can follow to verify any reported number. Two key techniques rely on this trail:
- Vouching — starting with a recorded amount and tracing it back to the source document to confirm it actually happened
- Tracing — starting with a source document and following it forward into the records to confirm it was captured
Documentation also supports review and approval processes through signatures and timestamps, making it clear who authorized what and when. When inconsistencies or discrepancies appear during reconciliations or variance analysis, good documentation makes it possible to investigate and resolve them. It also provides critical evidence if disputes or legal proceedings arise.
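Vouching and tracing are the same audit trail walked in opposite directions, and each direction finds a different kind of problem. The following is an added example, not part of the original notes: the invoices, journal entries and amounts are constructed (amounts in whole cents to avoid floating-point comparison). It also goes one step past the two techniques in the text by checking for a document that was recorded twice, which neither direction catches on its own.

```python
from collections import Counter

# Constructed sample. Source documents: invoice reference -> amount in cents.
SOURCE_DOCS = {"INV-501": 120000, "INV-502": 35000, "INV-503": 98000}

# Constructed ledger: (journal entry, supporting document reference, amount).
LEDGER = [
    ("JE-1", "INV-501", 120000),
    ("JE-2", "INV-502", 53000),    # digits transposed when keyed in
    ("JE-3", "INV-999", 40000),    # no source document behind this entry
    ("JE-4", "INV-501", 120000),   # the same invoice booked a second time
]


def vouch(ledger, source_docs):
    """Vouching: start from each recorded entry and look for the document that
    supports it. Returns entries with no matching document or a different
    amount, i.e. amounts the records claim that did not happen as recorded."""
    return [entry for entry, doc, amount in ledger
            if source_docs.get(doc) != amount]


def trace(source_docs, ledger):
    """Tracing: start from each source document and look for it in the records.
    Returns documents that were never captured, or captured with the wrong
    amount, i.e. real transactions the records miss or misstate."""
    recorded = {doc: amount for _, doc, amount in ledger}
    return [doc for doc, amount in source_docs.items()
            if recorded.get(doc) != amount]


def duplicate_postings(ledger):
    """Documents referenced by more than one ledger entry. Each such entry
    vouches cleanly to a genuine document, so only a count across the whole
    ledger reveals the double posting."""
    counts = Counter(doc for _, doc, _ in ledger)
    return sorted(doc for doc, n in counts.items() if n > 1)
```

Note that JE-4 passes vouching and INV-501 passes tracing; the duplicate is only visible when the ledger is examined as a whole, which is why reconciliations complement document-level checks.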
Internal Control Challenges for Not-for-Profit Organizations

Internal Controls: Nonprofits vs. For-Profits
Nonprofits face several challenges that for-profit organizations typically don't, making internal controls harder to implement even though they're just as necessary.
Limited resources create real constraints. With smaller staffs, it's difficult to properly segregate duties because employees often wear multiple hats. Budget limitations may also mean relying on manual processes or outdated systems instead of investing in technology and training.
Reliance on volunteers introduces additional risk. Volunteers may lack formal training in areas like data entry or cash handling, leading to errors. High turnover and irregular schedules make it harder to maintain continuity, accountability, and consistent oversight. Background checks and supervision become especially important here.
Absence of a profit motive can shift organizational focus. Nonprofits naturally prioritize mission achievement and program outcomes, which can cause internal controls and financial efficiency to take a back seat.
Unique revenue sources add complexity. Donations and grants often come with specific restrictions on how funds can be used and when they must be spent. Managing multiple funding sources while ensuring compliance with each grant agreement or donor's intent requires specialized tracking and reporting systems.
Higher public scrutiny raises the stakes. Donors, regulators, and the public expect nonprofits to demonstrate responsible stewardship of resources. Robust financial reporting and disclosure practices, such as IRS Form 990 filings and published annual reports, are essential for maintaining that trust.
Governance and Risk Management in Organizations
Strong governance structures provide the oversight needed for internal controls to work.
- The board of directors sets strategic direction and monitors organizational performance. Specialized committees, such as audit committees and risk committees, focus on specific areas of governance and control.
- Risk management processes help organizations systematically identify, assess, and respond to threats. An enterprise risk management (ERM) framework provides a structured, organization-wide approach rather than addressing risks in silos.
- Compliance with laws, regulations, and industry standards protects organizational integrity. This requires clear policies and procedures, regular employee training, and ongoing monitoring to embed a culture of compliance throughout the organization.