An organization’s internal controls are designed to safeguard assets by lowering risks. Compliance with internal controls plays an essential role in confirming that company goals are met, leading to the success and sustainability of the organization.
Ensuring that these controls remain effective matters because they validate the integrity of financial and accounting information, promote accountability, and help prevent fraud.
While costs are associated with establishing and running an effective internal controls risk management program, the cost of not managing risks can be much higher.
Capital One made headlines in 2019 when weaknesses in its risk assessment and control processes around its cloud environment contributed to a data breach exposing the records of more than 100 million customers; in 2020 the Office of the Comptroller of the Currency fined the bank $80 million on top of the substantial losses the breach itself caused. While not all risk management weaknesses make headlines, they can lead to operational inefficiencies, inaccurate financial reporting and litigation.
Internal Controls Risk Management Standards
In response to a series of corporate bankruptcies and accounting scandals in 2001 and 2002, including those of Enron and WorldCom, Congress enacted the Sarbanes-Oxley Act of 2002, or SOX, which requires public companies to establish and maintain adequate internal controls over financial reporting and disclosure.
To promote consistency across corporations subject to SOX, many organizations build their internal controls risk management procedures on the internal control framework published by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. First issued in 1992, the framework helps organizations assess and enhance their internal controls. COSO significantly updated it in 2013 and issued supplemental guidance in 2023. The framework has five components, commonly called pillars:
Control Environment
The first critical pillar of the COSO framework, the control environment, establishes that the culture and values of the organization are set by top management. Often referred to as “tone at the top,” the control environment influences how organizational goals are defined, how risks are identified and managed, and how controls are designed and implemented.
Risk Assessment
The second pillar of the COSO framework emphasizes the need for periodic and ongoing risk assessments. The first step in assessing risk is identifying the internal and external risks to the organization. Risks can come from many places, such as technology that is not properly implemented, employee misconduct or operational weaknesses. Risk identification should be tied to objectives that span the organization: strategy, operations, reporting and compliance. As risks are identified, the next step is to rate each one's likelihood and impact, which lets senior leadership understand the severity of each risk and prioritize remediation efforts.
Control Activities
Once risks are identified and assessed, policies, procedures and practices should be established to prevent, detect and correct the events or outcomes through which a risk would be realized. Preventive activities include segregation of duties, physical control of assets and authorization procedures. Detective activities include audits, exception reporting and reconciliation of discrepancies. Corrective activities focus on identifying the root cause of an issue and stopping it from recurring, for example by implementing a new policy or procedure, providing training, or changing the control activities themselves.
Information and Communication
This next pillar of the COSO framework ensures that the proper communication is in place, facilitating decision-making and collaboration and promoting transparency throughout the organization. Information and communication principles include:
- Utilizing accurate and timely information and data to make informed decisions to manage risks effectively
- Communicating relevant information, including objectives, activities and responsibilities, for all internal control activities
- Communicating with external parties when necessary, including investors, regulators and customers
Increasingly, companies are broadly disclosing cyberattacks and data breaches to build trust and to meet legal and regulatory requirements.
Monitoring Activities
The last pillar, monitoring activities, is meant to evaluate the performance of the internal controls so senior leadership can identify areas to improve and understand what corrective actions to take to ensure that controls continue to be effective. Monitoring activities can include self-assessments, performance metrics analysis and internal audits.
Any deficiencies that are found should be part of your communication plan, ensuring that senior leadership is properly notified.
Internal Controls Risk Management Templates
Consider leveraging these templates to help your organization manage risks and strengthen internal controls.
Risk Management Plan
A central part of mitigating risk is maintaining a robust risk management plan, which provides the framework for identifying, assessing and responding to risk. Because risk management is an iterative process, the severity of known risks changes over time and new risks emerge. A robust plan therefore also assigns owners to track the projects and other efforts that mitigate each risk, so that progress is monitored rather than assumed.
Although the outline may vary, consider including the following sections:
- Purpose of the plan
- Roles and responsibilities
- Risk identification
- Risk analysis
- Risk response
- Risk monitoring and reporting
- Budgeting and approval
Risk Assessment Matrix
A risk assessment matrix, also called a likelihood and impact risk matrix, is an internal controls risk management tool that visually depicts the potential risks that could affect your organization.
Because risks arise from several areas, including financial, operational, strategic and external, it is difficult to prioritize them effectively without seeing them together in a single view. The risk assessment matrix provides that view by plotting every risk on one chart, color-coded by severity: red for the most severe risks (high likelihood and high impact), yellow for moderate risks, and green for low-severity risks.
Each risk is placed on two axes, one for likelihood of occurrence and one for potential impact. Define the scale for each axis and the thresholds that move a risk into a higher band, for example treating any risk with a greater than 75% chance of occurring, or any risk above a set monetary loss, as high severity regardless of where it would otherwise fall.
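The following is an added example, not part of the original article or of the KnowledgeLeader templates: a small Python implementation of the likelihood and impact matrix described above. It scores constructed sample risks on assumed 1 to 5 scales, bands them red, yellow or green with assumed cut-offs, applies the two override rules the text mentions (quantified probability above 75%, or expected loss above a monetary threshold) and then produces the single prioritized view and the grid itself. All scales, thresholds and sample risks are assumptions an organization would replace with its own.

```python
"""Likelihood/impact risk matrix: score, band and rank constructed sample risks.

Added illustration; not part of the original article or the COSO/KnowledgeLeader
templates. The 1-5 scales, band thresholds and override rules are assumptions an
organization would set for itself in its risk management plan.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed ordinal scales (1 = lowest). Organizations define their own anchors.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed band cut-offs on the 1-25 product score, plus two absolute overrides:
# a quantified chance above 75% or an expected loss at or above a monetary
# limit forces the top band no matter what the ordinal score says.
RED_MIN, YELLOW_MIN = 15, 8
PROBABILITY_OVERRIDE = 0.75
LOSS_OVERRIDE = 1_000_000  # assumed currency threshold


@dataclass(frozen=True)
class Risk:
    name: str
    category: str                          # financial, operational, strategic, external
    likelihood: int                        # 1-5
    impact: int                            # 1-5
    probability: Optional[float] = None    # quantified chance of occurrence, if estimated
    expected_loss: Optional[float] = None  # quantified loss, if estimated

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")


def score(risk: Risk) -> int:
    """Ordinal severity: likelihood times impact, 1..25."""
    return risk.likelihood * risk.impact


def band(risk: Risk) -> str:
    """Colour band after applying the absolute overrides, then the score cut-offs."""
    if risk.probability is not None and risk.probability > PROBABILITY_OVERRIDE:
        return "red"
    if risk.expected_loss is not None and risk.expected_loss >= LOSS_OVERRIDE:
        return "red"
    s = score(risk)
    if s >= RED_MIN:
        return "red"
    if s >= YELLOW_MIN:
        return "yellow"
    return "green"


BAND_ORDER = {"red": 0, "yellow": 1, "green": 2}


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest band first, then highest score, then name for a stable order."""
    return sorted(risks, key=lambda r: (BAND_ORDER[band(r)], -score(r), r.name))


def matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by (likelihood, impact) cell: the single-view grid."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.name)
    return cells


def render(risks: List[Risk]) -> str:
    """Plain-text grid, highest likelihood on the top row, impact across."""
    cells = matrix(risks)
    rows = ["likelihood (down) / impact (across) | " + " | ".join(str(i) for i in IMPACT)]
    for lk in sorted(LIKELIHOOD, reverse=True):
        row = [f"{lk} {LIKELIHOOD[lk]:<15}"]
        for im in IMPACT:
            names = cells.get((lk, im), [])
            row.append("; ".join(names) if names else "-")
        rows.append(" | ".join(row))
    return "\n".join(rows)


# Constructed sample register: illustrative entries, not real findings.
SAMPLE_RISKS = [
    Risk("Unreviewed manual journal entries", "financial", 3, 4),
    Risk("Stale admin access after role change", "operational", 4, 4),
    Risk("Key vendor single point of failure", "external", 2, 5, expected_loss=2_500_000),
    Risk("Phishing of finance staff", "operational", 3, 3, probability=0.8),
    Risk("Office printer outage", "operational", 4, 1),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{band(r):6} {score(r):2}  {r.category:<12} {r.name}")
    print(render(SAMPLE_RISKS))
```

Note how the two override rules change the ranking: the vendor risk scores only 10 and the phishing risk only 9 on the ordinal scales, yet both land in the red band because of the quantified loss and probability attached to them. Keeping the overrides explicit in the plan avoids the common failure where a quantified high-loss risk is buried by coarse ordinal scoring.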
Internal Controls Assessment
An internal controls assessment, or questionnaire, helps departments across the organization evaluate the strengths and weaknesses of their existing activities and controls. Because it gives a structured approach to evaluating internal controls, auditors often use the same tool.
Although the format and questions asked may vary, consider leveraging the COSO framework as your guide to check for COSO compliance within your organization. Consider validating the following:
- Control Environment
  - Reporting lines, authorities and responsibilities are clear.
  - Competent employees are developed and retained.
  - Independent oversight is provided.
- Risk Assessment
  - Clear objectives are established.
  - Risks are tied to meeting objectives or goals.
  - Changes to people, processes and technology are assessed.
- Control Activities
  - Technology controls are tested.
  - Policy and procedural controls are checked.
  - Manual controls are checked.
- Information and Communication
  - The organization leverages correct and timely data and information.
  - The organization utilizes methods of internal and external communication.
- Monitoring
  - Evaluations are conducted.
  - Deficiencies are evaluated and outcomes are communicated.
Internal Controls Risk Management Best Practices
To ensure that your organization continuously has strong internal controls and effective risk management practices in place, consider the following best practices.
Publish clear and consistent risk management policies.
Clear, actionable policies state which risks may affect the organization, how each will be mitigated, and how mitigation will be monitored.
When developing policies, ask yourself several questions:
- Are roles and responsibilities clearly defined?
- Are procedures in place that define how all risks are to be mitigated?
- Are policy documents regularly reviewed and updated?
- Are policies communicated to all employees?
Engage stakeholders.
Continuously involve every required stakeholder, not just decision-makers: employees, clients and shareholders all have a view of the organization's risks. Encourage involvement by asking stakeholders which risks they see and how they believe those risks can be mitigated.
Although these people play different roles, gathering perspectives from different parts of the business only strengthens your risk management processes.
Create a strong risk culture.
A risk culture is a set of values, attitudes and beliefs that drive risk awareness and risk management throughout an organization. All strong risk cultures start at the top with the board and senior management directly communicating with employees, setting the tone for the organization.
Those at the top must also provide strategic direction and oversight. Establishing a steering committee can serve this function, as this committee can also play a key role in directing high-level activities and approving funding for projects that mitigate risks.
In addition to providing strategic direction, those at the top should ensure that communication is clear and that all employees are properly trained.
Ensure communication.
Awareness of organizational risks and of the plans to mitigate them is built only through formal communication with everyone in the organization. Explain how employees can help mitigate risks even when their day-to-day activities pose no obvious organizational risk, and teach all employees how to identify, assess, mitigate and monitor any new risks they encounter.
Lastly, consider sharing with all employees the same presentations that are reviewed with senior-level management or materials that are shared with the steering committee for full transparency.
Learn more about internal controls risk management by exploring these related resources on KnowledgeLeader: