Steps to be Effective

The internal control process has five components:

    1. Internal Control Environment
    2. Risk Assessment
    3. Internal Control Activities
    4. Information and Communication
    5. Monitoring

Internal Control Environment

Internal controls are likely to function well if management believes that those controls are important and communicates that view to employees at all levels. If management views controls as unrelated to achieving its objectives, or even worse, as an obstacle, this attitude will also be communicated. Despite policies to the contrary, employees will then view internal controls as "red tape" to be "cut through" to get the job done. An effective internal control environment:

  • Sets the tone of an organization influencing the control consciousness of its people
  • Is an intangible factor that is the foundation for all other components of internal control, providing discipline and structure
  • Describes "organizational culture"
  • Includes a commitment to hire, train, and retain qualified staff
  • Encompasses both technical competence and ethical commitment

Risk Assessment

A risk is anything that endangers the achievement of an objective. Always ask: What can go wrong? What assets do we need to protect?

  • Risk assessment is the process used to identify, analyze, and manage the potential risks that could hinder or prevent an agency from achieving its objectives.
  • Risk increases during a time of change, for example, turnover in personnel, rapid growth, or establishment of new services.
  • Other potential high risk factors include complex programs or activities, cash receipts, direct third party beneficiaries, and prior problems.

Internal Control Activities

Organizations establish policies and procedures so that identified risks do not prevent the organization from reaching its objectives.

  • Clearly identified activities minimize risk and enhance effectiveness.
  • Internal control activities are nothing more than the policies, procedures, and organizational structure of an entity.
  • Controls can be either preventive, for example, requiring supervisory approval, or detective, for example, reconciling reports.
  • Avoid excessive controls, which are as harmful as excessive risk and result in increased Bureaucracy and reduced productivity.

Information and Communication

To be useful, information must be reliable and it must be communicated to those who need it. For example, supervisors must communicate duties and responsibilities to the employees that report to them and employees must be able to alert management to potential problems.

  • Information must be communicated both within the organization and to those outside, for example, vendors, recipients, and other constituents
  • Communication must be ongoing both within and between various levels and activities of the organization.


After implementing internal controls, organizations must monitor their effectiveness periodically to ensure that controls continue to be adequate and continue to function properly. Management must also revisit previously identified problems to ensure that they are corrected.