Most finance functions already have an internal control system. The problem is rarely that the control activities don't exist ‒ it's that they are no longer aligned with current risks and prioritised according to the materiality of those risks, and that they often lose operational efficiency when day-to-day pressures mount. In this article, you can read about what truly determines whether your control system is protecting you, and what it takes to embed it in the organisation.
The annual report process is over, and it produced a few eye-opening moments. Errors emerged that had not been recognised as risks. The question is not whether the auditor noticed them. The question is whether management has the full picture of which risks remain uncovered ‒ and whether the internal control system is functioning as intended.
The answer to that is usually neither yes nor no.
You have control activities across many areas, but not necessarily in the most critical ones, and the activities you do have may not always be performed consistently enough to make a real difference.
This is the picture we frequently encounter when we review internal control systems or work in an interim role ‒ whether at controller or management level. That position gives a precise view of which control weaknesses have real consequences, and which resources are being spent on activities with no operational impact.
And that is precisely what makes strengthening internal controls worth addressing ‒ not as a project that aims to fix everything at once, but as a structured approach to reinforcing the areas where it delivers the most value.
When the internal control system doesn't keep up
The most widespread misconception is that internal control activities are primarily an audit matter ‒ something maintained in order to pass an audit. This is a misconception that does considerable damage, because it reduces the system to a compliance tool and thereby shifts responsibility for risk management away from management ‒ despite the fact that ensuring the company's internal controls is a formal management responsibility.
The result is control activities that are design-effective ‒ correctly designed and based on a sound understanding of risk ‒ but lack operating effectiveness, because they are not performed as intended in practice.
Yet both design effectiveness and operating effectiveness must be present for there to be effective risk coverage.
The control owner performs the activity because it appears on a list, not because they engage with the risk that the activity is intended to mitigate.
This rarely comes to light, because control activities are not systematically documented and therefore cannot be verified, and because the monitoring component is effectively absent. There is no negative feedback loop: management is unable to assess whether risk management is functioning as implemented, because no reporting is done on control status.
The business evolves – the control system rarely keeps pace
When internal control systems gradually lose their relevance, the cause is almost always the same: the business changes, but the risk assessment and the associated control activities do not change at the same pace. New risks emerge, others disappear, and the relative materiality of current risks shifts. This is driven by changes in activities, organisational structure, the system landscape or the regulatory environment ‒ and rarely by a lack of competence, but rather by resource constraints and informal update processes.
We frequently see companies maintaining redundant control activities, because the risk assessment has not been regularly revisited. Conversely, new and material risks remain uncovered ‒ not because anyone has neglected their work, but because no one has had time for the systematic review.
Signs that your control system is drifting from active practice to a formal exercise
There are typically five signs that an internal control system is becoming a formal exercise rather than active practice:
- Control activities are performed, but no one reviews the output.
- Documentation is only updated in the weeks leading up to an audit.
- Control owners can explain the procedure, but not the purpose.
- Exceptions are logged but do not trigger follow-up.
- And the clearest sign: no one raises questions when a control activity has not been performed, indicating that monitoring activities are effectively absent and that no one feels a sense of ownership.
The consequences: False assurance, inadequate risk coverage and the opportunity for fraud
A control system that fails to keep pace with the business creates false assurance, and the effect is inadequate risk coverage and the misallocation of resources on immaterial risks.
An example of what this can look like in practice:
A company discovered, in the course of a structured review of its internal control system, that a systematic error in master data meant it had been invoicing on an incorrect basis for years.
The external audit had not identified the issue, which is not surprising – auditors work within a materiality threshold designed for external reporting and perform their work on a sample basis, meaning that the absence of auditor comments is no guarantee that control weaknesses do not exist.
By redesigning the control activities in the master data and invoicing process – with clear ownership, a preventive system control and a periodic reconciliation – the risk was covered on a going-forward basis.
The benefit was not compliance. It was operational efficiency and a reliable invoicing basis.
Undetected control weaknesses increase the risk of fraud
The fraud risk dimension is another benefit of a living internal control setup that is easily overlooked. Experience from forensic and fraud cases shows that most cases, with the benefit of hindsight, were enabled by obvious control weaknesses – not because anyone had neglected their work, but because the control design had not systematically addressed who could do what without being detected.
The connection is underestimated, because fraud is often perceived as a matter of personal integrity – something you manage by hiring the right people. But that premise does not hold. Even employees of high integrity can, under certain personal circumstances, be driven to commit fraud if the opportunity is present.
Control activities must therefore be designed on the basis that opportunities for material irregularities are limited – regardless of who holds the role. The foundation is the same: segregation of duties, access management and control activities that are actually performed.
An internal control system that works in practice
But what characterises the control systems that actually maintain operational efficiency over time?
1. Control activities are aligned with the current risk assessment
The starting point is always an up-to-date risk assessment, rather than one that reflects the business as it looked when the control system was last reviewed. A structured risk assessment identifies the processes and activities with the greatest risk exposure and forms the basis for prioritising which control activities are truly key controls and which are redundant.
This provides a prioritised picture that is far more action-oriented than a status overview – and it is the prerequisite for a resource-efficient approach, where effort is concentrated on the 20% of control activities that address 80% of the risk.
2. There is a balance between preventive and detective control activities
A well-functioning control system is balanced between preventive and detective control activities. Preventive activities – approval workflows, access management and segregation of duties – reduce the likelihood of errors and irregularities occurring. Detective activities – reconciliations, analytical reviews and exception reports – identify deviations after they have occurred.
Many control systems are disproportionately heavy on detective activities, because they are easier to document. But detective control activities are only effective if the subsequent monitoring activities ensure that deviations are consistently followed up. If that is not the case, operating effectiveness is not truly present – regardless of whether the design is correct.
The choice between preventive and detective control activities depends on the nature, timing and consequence of the risk. For certain risks, prevention is the only real solution: a billing risk that materialises as incorrect customer prices cannot be remediated after the fact without the customer relationship or the bottom line already having been damaged.
For other risks, the choice depends on a resource trade-off. Automated control activities are more reliable, but require a risk landscape where it is possible for the automation to (mechanically) determine whether something is right or wrong. They can also be disproportionately expensive to design if the risk is infrequent. This is a standard business case consideration that should be explicitly factored into the control design.
Automation significantly strengthens both dimensions, because system-supported control activities are more reliable than manual ones, as they do not depend on human consistency. Segregation of duties should likewise be system-supported, because if it is not, it is easy to circumvent – deliberately or inadvertently.
3. Ownership and RACI as an operational foundation
A control activity without a defined owner is not a control activity – it is an intention.
Unclear ownership is the most common reason why internal control systems erode. Not because anyone actively opts out of them, but because no one feels a personal sense of responsibility when other tasks take priority.
A clear RACI structure, embedded in processes and onboarding programmes, is the foundation that makes the control system resilient to staff turnover, reorganisations and reallocation of responsibilities. It is also the prerequisite for monitoring activities to function – someone must know that it is their responsibility to act when a control activity has not been performed or is not functioning as intended.
4. The control environment: Tone sets the framework
In COSO terms, the control environment – management's tone, governance and the organisation's risk awareness – is the foundation for all other components. This is reflected directly in practice: if management never asks about control status, neither will employees.
What management most often gets wrong is delegating full responsibility to the finance department or even an internal audit function (for the few companies that are either legally required to have one or have chosen to establish one voluntarily) – thereby signalling that the internal control system is a technical matter. It is not. It is a management matter – and the organisation reads precisely what priority it is assigned. A control environment that is not supported by the right tone from management will consistently lose operational effectiveness over time – regardless of how well-documented the control activities are.
Five signs that your control system has real operational efficiency
- Control owners can explain the purpose – not just the procedure. They know which risk the activity addresses, and what should happen if the control identifies a deviation.
- Deviations trigger action – and the monitoring activities are genuine: deviations are recorded, escalated and closed systematically.
- The risk assessment is living – it is reviewed on an ongoing basis, and control activities are adjusted in line with changes in the business, organisation and system landscape. Outdated activities are removed.
- Management asks questions and actively supports the control environment from the top: management requests status updates, takes control weaknesses seriously and treats the internal control system as a management tool.
- No control activity is performed pro forma – every element can be justified by a specific and current risk from the risk assessment.
From control system to control culture
A well-functioning internal control system is not primarily a compliance tool. It is a business instrument.
It provides a more reliable basis for decision-making, reduces error correction and ensures operational efficiency in processes. In addition, it reduces vulnerability to control weaknesses, fraud, staff turnover and organisational changes.
When a control activity fails ‒ and it will happen in any organisation at some point ‒ it is not a failure. It is information about precisely where a control weakness exists.
Organisations that treat control failures as learning opportunities and systematically close weaknesses continuously build a stronger system, while organisations that record control failures without following up on them see the pattern repeat itself.
This brings us to the difference that, in practice, determines whether an internal control system holds ‒ the difference between having control activities and having a control culture. Control activities are a matter of documentation and processes; control culture is a matter of what happens when no one is watching ‒ whether the control environment is embedded deeply enough in the organisation for activities to be performed because employees understand their purpose, and not simply because the audit is coming up in three months.
That is not built by implementing a framework. It is built by making the internal control system visible in everyday operations, by discussing deviations, by acting on control weaknesses and by management consistently supporting the right tone ‒ not just once a year.
Key takeaways
- The most common challenge is not a lack of competence. It is that the risk assessment and control activities are not kept up to date with current and material risks.
- Many control systems have design effectiveness but lack operating effectiveness ‒ and it is that distinction which determines whether the system genuinely protects the business.
- The balance between preventive and detective control activities must reflect the risk assessment, and the monitoring activities must ensure that deviations are consistently followed up.
- The control environment ‒ management's tone and the organisation's risk awareness ‒ is the foundation. Without it, the components above do not support one another as intended.
- The difference between a control system and a control culture is what happens when no one is watching.
Looking for guidance?
We work with internal control systems every day, and we consistently see the value that a targeted – and often limited – effort can create. Our experience from hundreds of finance functions means we can quickly build a clear picture of where your control system holds up and where it doesn't, giving you a concrete starting point for making an informed decision. Feel free to get in touch with us here. No commitment required.