Most failures inside an organisation are not dramatic. A payment goes to the wrong account because one person could both create a supplier and approve a transfer to it. A figure in the board pack is wrong because nobody reconciled it. Internal controls are the unglamorous machinery that catches these things before they become headlines, and audit is the practice of checking that the machinery is real, not just written down.
The quick version
- An internal control is any deliberate process, rule or check that gives reasonable assurance you'll meet your objectives: accurate reporting, reliable operations and compliance with the rules.
- Controls come in two flavours: preventive (stop the bad thing happening: approvals, segregation of duties) and detective (catch it afterwards: reconciliations, exception reports). You need both.
- Audit is independent checking. Internal audit reports to the board and tests whether controls work; external audit gives outsiders assurance over the financial statements.
- The trap is treating controls as a paperwork exercise. A control that exists on a policy page but nobody runs is worse than none: it creates false comfort.
The idea in depth: the five things every control system needs
The reference point almost every framework, regulator and auditor builds on is the COSO Internal Control–Integrated Framework, first published in 1992 and substantially refreshed in 2013 by the Committee of Sponsoring Organizations. Its central claim is that internal control is not a single thing you buy but a system of five components that have to be present and working together: the control environment (the tone, ethics and accountability set from the top), risk assessment (knowing what could go wrong), control activities (the approvals, reconciliations and segregation that actually do the work), information and communication (the right people getting the right facts), and monitoring (checking the controls themselves still function). The 2013 update broke these into 17 supporting principles so an organisation can evidence each one (COSO, Internal Control–Integrated Framework, 2013).
```mermaid
flowchart TD
    A(["Control environment<br/>tone, ethics, accountability"]) --> B(["Risk assessment<br/>what could go wrong?"])
    B --> C(["Control activities<br/>approvals, reconciliations, SoD"])
    C --> D(["Information & communication<br/>right facts, right people"])
    D --> E(["Monitoring<br/>do the controls still work?"])
    E -.->|"feeds back"| A
```
The most useful idea in that list is the first one. Auditors learned long ago that the slickest control activities collapse if the control environment is rotten: if leaders cut corners, override approvals, or punish the person who raises a flag. So the move is to start at the top, not the spreadsheet: before you design a single new approval step, ask whether your own behaviour makes the existing ones meaningful. A CEO who routinely demands an "exception just this once" has already disabled the control, whatever the policy says.
This isn't an abstract worry. In the Association of Certified Fraud Examiners' Occupational Fraud 2024: Report to the Nations, a study of 1,921 real fraud cases across 138 countries, a lack of internal controls was the primary weakness in 32% of cases, and an override of existing controls accounted for a further 19%. Together, those two failures sit behind more than half of all the cases studied. The lesson is blunt: most fraud isn't sophisticated. It walks through a door someone left open, or that a senior person propped open.
Who owns what: the three lines
The second hard part is ownership. Controls fail in a predictable way: everyone assumes someone else is watching. The cleanest answer is the Three Lines Model, updated in 2020 by the Institute of Internal Auditors (it was previously the "three lines of defence"; the IIA dropped "defence" to stop people treating risk as purely something to fend off). It separates three jobs that should never be done by the same people: the first line, operational management who own the risk and run the day-to-day controls; the second line, risk and compliance functions that set policy and challenge the first line; and the third line, internal audit, which reports independently to the board and provides objective assurance that the first two are actually working (IIA, The Three Lines Model, 2020).
```mermaid
flowchart TD
    G(["Governing body / board<br/>accountable to stakeholders"]) --> M(["Management"])
    M --> L1(["First line<br/>own & run the controls"])
    M --> L2(["Second line<br/>risk & compliance: set policy, challenge"])
    G --> L3(["Third line, internal audit<br/>independent assurance"])
    L3 -.->|"assures"| L1
    L3 -.->|"assures"| L2
```
The practical move here is about independence, and it is cheap to get wrong. The moment internal audit reports to the finance director whose numbers it is meant to test, its assurance is theatre. So even in a small company that can't afford a dedicated audit team, the principle holds: whoever checks the controls should not be the person who runs them, and should be able to reach the board without going through the people they're reviewing. Separate the doing from the checking, and put a clear line between the checker and the top.
A control that lives on a policy page but nobody runs is worse than no control: it manufactures comfort while leaving the door open.
An honest limitation. Controls and audit are not free, and more is not always better. The clearest cautionary case is Sarbanes-Oxley Section 404, the US law passed after Enron and WorldCom that requires public-company management to assess, and external auditors to attest to, the effectiveness of internal control over financial reporting (Sarbanes-Oxley Act of 2002, §404). It demonstrably improved reporting reliability, and it also became a byword for cost. A 2025 review by the US Government Accountability Office found compliance costs fall far more heavily, proportionally, on smaller companies than larger ones (GAO-25-107500, 2025). The point isn't that controls are bad; it's that controls have a cost, and a sensible system is risk-based: heavy assurance where the risk is real, a light touch where it isn't. COSO itself only promises "reasonable", not absolute, assurance. Piling controls onto low-risk processes buys you bureaucracy, not safety.
A worked example
Take a 40-person services firm, call it Harbourline, that has grown faster than its back office. (Illustrative figures and scenario throughout; this is a teaching example, not a real company.) One office manager sets up new suppliers, enters invoices, and runs the weekly payment batch. Nobody doubts her honesty, and that's exactly the problem: the control gap doesn't depend on her being dishonest, only on her being able to make a mistake, or being targeted by a phishing email asking to "update" a supplier's bank details.
Run it through the frameworks above. On COSO, this is a missing control activity, specifically segregation of duties, the principle that the person who can create a payee shouldn't also be the person who releases the payment. On the Three Lines, the firm has a first line (the office manager) but no independent check at all. The fix costs nothing but discipline: a second person, say the finance lead, approves any new or changed supplier bank detail before a payment can go to it (a preventive control), and the firm reconciles the payment run against approved invoices each month (a detective control that catches anything the first step missed).
```mermaid
flowchart LR
    A(["Office manager sets up<br/>supplier + bank details"]) --> B{"Second person<br/>approves the change?"}
    B -->|"No, single point of failure"| X(["Risk: misdirected payment,<br/>fraud, error"])
    B -->|"Yes, segregation of duties"| C(["Payment released"])
    C --> D(["Monthly reconciliation<br/>vs approved invoices"])
    D -->|"detective control"| E(["Exceptions investigated"])
```
Notice what made the difference: not a policy document, but a change to who can do what, and a routine check that someone actually owns. That is internal control in miniature: design the step so the bad outcome is harder to reach, then verify the step is being run. Everything in COSO and the Three Lines is a scaled-up version of this small move.
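As an added example (not part of the original article), the Harbourline fix written out as a small maker-checker model: the preventive gate refuses to let the person who set up a supplier approve it, and refuses to pay that supplier until a second person has signed off; the detective reconciliation then lists any payment with no approved invoice behind it. The supplier name, invoice numbers, amounts and the "office_manager" / "finance_lead" roles are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""

@dataclass
class Supplier:
    bank_account: str
    created_by: str                 # the "maker"
    approved_by: str | None = None  # the "checker"; None until independently approved

@dataclass
class Ledger:
    suppliers: dict = field(default_factory=dict)
    approved_invoices: set = field(default_factory=set)  # (supplier, invoice_no, amount)
    payments: list = field(default_factory=list)          # (supplier, invoice_no, amount)

    def set_supplier_bank_details(self, who, name, bank_account):
        # Any new or changed bank detail resets approval, so a phished "update" cannot reuse an old one.
        self.suppliers[name] = Supplier(bank_account, created_by=who)

    def approve_supplier(self, who, name):
        s = self.suppliers[name]
        if who == s.created_by:  # preventive control: segregation of duties
            raise ControlViolation(f"{who} cannot approve a supplier they set up")
        s.approved_by = who

    def release_payment(self, name, invoice_no, amount):
        if self.suppliers[name].approved_by is None:  # preventive: no approval, no payment
            raise ControlViolation(f"bank details for {name} not independently approved")
        self.payments.append((name, invoice_no, amount))

    def reconcile(self):
        """Detective control: list payments with no matching approved invoice."""
        return [p for p in self.payments if p not in self.approved_invoices]

def harbourline_scenario():
    # Constructed walk-through of the worked example; returns (blocked actions, reconciliation exceptions).
    ledger, blocked = Ledger(), []
    ledger.set_supplier_bank_details("office_manager", "Acme Ltd", "GB00-CONSTRUCTED-1")
    ledger.approved_invoices.add(("Acme Ltd", "INV-1001", 4200.00))
    for attempt in (lambda: ledger.approve_supplier("office_manager", "Acme Ltd"),
                    lambda: ledger.release_payment("Acme Ltd", "INV-1001", 4200.00)):
        try:
            attempt()
        except ControlViolation as e:
            blocked.append(str(e))
    ledger.approve_supplier("finance_lead", "Acme Ltd")     # second person signs off
    ledger.release_payment("Acme Ltd", "INV-1001", 4200.00)  # now permitted
    ledger.release_payment("Acme Ltd", "INV-1002", 950.00)   # no approved invoice behind it
    return blocked, ledger.reconcile()
```

The two blocked attempts are the preventive control doing its job; the single reconciliation exception is the detective control catching a payment the gate could not know was wrong.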
Frequently asked questions
What's the difference between internal and external audit?
Internal audit is part of your organisation (or hired by it) and reports to the board or audit committee; its job is to test whether your controls and processes work across everything (operations, compliance, risk), not just finance. External audit is independent of you and exists mainly to give shareholders and regulators assurance that the financial statements are fairly stated. They overlap on financial controls but answer to different people for different reasons.
What does "segregation of duties" actually mean?
It means no single person controls a whole risky process end to end. The classic rule: whoever can authorise a transaction shouldn't also record it or hold the related assets. The person preparing the cheque shouldn't sign it; the person signing it shouldn't reconcile the bank account. It is the single most powerful preventive control, because it forces collusion rather than a lone slip or a lone bad actor, and in small teams where full separation is impossible, a compensating control (like a manager review) stands in for it.
We're small, do we really need formal controls?
You need the right controls, not a corporate manual. Smaller organisations are actually more exposed to certain frauds precisely because duties can't be fully separated, so the move is to be deliberate about the few processes that can hurt you most (money out, access to systems, the integrity of your reported numbers) and put a simple second-person check on each. Start with risk, not with a framework you copied from a listed company.
Aren't controls just bureaucracy that slows everyone down?
Bad ones are. The discipline is to make controls proportionate to risk: heavy assurance on the things that can sink you, a light touch on the things that can't. A control that adds a day of friction to a low-risk task is a tax with no benefit. The Sarbanes-Oxley experience is a standing reminder that control activity, ungoverned, drifts toward cost, so review your controls periodically and retire the ones that no longer earn their keep.
What's the relationship between controls and risk management?
Controls are how risk management gets done in practice. You identify and assess risks, decide which ones to treat, and then controls are one of the main ways you treat them. That's why the components fit together: risk assessment tells you where controls are needed, and audit tells you whether they're working. A control with no risk behind it is just a habit.
Related in the Toolkit
Controls don't exist in isolation; they sit downstream of how much risk your organisation has decided to accept (enterprise risk management & risk appetite), and they only point at the right places once you've done the work of identifying and assessing the risks themselves.
- Enterprise risk management & risk appetite: sets how much risk you'll accept, which decides how heavy your controls should be.
- Risk identification & assessment (likelihood x impact): tells you where controls are actually needed, so you don't over-control low-risk work.
- Risk registers & mitigation strategies: the place each control is logged against the risk it treats.
- Operational, financial, strategic & reputational risk: the categories of risk that different controls are designed to catch.
- Quantitative risk & scenario / stress testing: how you test whether your controls hold up under pressure, not just on paper.
- Board roles, committees & responsibilities: the audit committee is where internal audit's independent line actually lands.
- Employment law basics: controls around hiring, access and conduct intersect with what the law requires.
- Insurance & risk transfer: what you do with the residual risk that controls can't fully remove.
Where to go next
- COSO, Internal Control–Integrated Framework guidance, the source for the five components and 17 principles every other framework leans on; the canonical reference.
- The IIA, The Three Lines Model (2020, PDF), the short, readable official document on who owns risk, controls and assurance, and why independence matters.
- ACFE, Occupational Fraud 2024: Report to the Nations, hard evidence on how missing and overridden controls drive real fraud losses; sobering and specific.
- "The hidden power of auditing", Stanislas Zuin, TEDxGeneva (YouTube), a short, accessible talk on why independent checking matters and what auditing is really for.