Basics of Internal Controls

Understanding Internal Controls

Definition and Objectives of Internal Controls

The Internal Control Integrated Framework published by The Committee of Sponsoring Organizations (COSO) is the recognized standard for establishing internal controls. COSO defines internal control as:

“a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of Financial Reporting
  • Compliance with applicable laws and regulations”

The first objective deals with the entity’s achievement of basic business objectives. The second refers to the reliability of financial information (both internal and external) that is used by decision makers. The third deals with complying with laws, regulations, and policies.

Five Components of Internal Controls

Under the COSO model, a system of internal controls is a process made up of five interrelated components. All five apply to organizations of any size or type, although organizations may apply them in different ways. Each component is aimed at achieving one or more of the objectives listed above. The five components are:

Control Environment

The control environment is the “tone” of the organization and is the foundation for all other controls. Some of the factors that affect the control environment are the integrity, ethical values, morale, and competence of the entity’s employees; style of management; organizational structure; clear assignment of authorities, duties and responsibilities; the industry and business environment in which the organization operates; economic and regulatory events; and the attentiveness of governing bodies. One of the largest factors influencing the control environment in an organization is the “tone at the top”. This is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior.

Risk Assessment

All organizations, and all levels within an organization, face a myriad of operating risks. Risks affect the organization’s ability to survive, compete successfully, maintain financial strength and a positive public image, and maintain the quality of its services and products. This component, therefore, deals with the organization’s ability to set clear operating goals and objectives, identify risks that could impede achievement of those objectives, and mitigate exposure to those risks to acceptable levels.

Control Activities

These are the policies and procedures put in place to ensure that management’s directives are carried out. This is the component most people have in mind when they think of “internal controls”. Examples of control activities include reviews of performance and exception reports, approvals and authorizations of transactions, proper segregation of duties, physical safeguards, maintaining proper documentation to support financial transactions, reconciliations, IT access and security controls, and information system controls (logs, check totals, etc.). Control activities should be established so as to mitigate identified risks and to achieve one of the three objectives under the COSO framework.

Information and Communication

This component concerns the way in which information is communicated throughout the organization. Communication is essential for achieving all three of the objectives outlined in the COSO framework.

Monitoring

All internal control systems and processes change over time. Some controls continue to evolve. Others may lose effectiveness because they are no longer performed, are not consistently applied, or are applied incorrectly. This may be the result of inadequate training, staff turnover, lack of management response and attention to violations of control, time or resource constraints, or any number of other reasons. Because of this, controls must be monitored. Monitoring is typically done in two ways: on an ongoing basis and on a separate, periodic basis. Ongoing monitoring takes place during regular operations. Separate monitoring is typically performed by auditors, peer reviewers, or through self-assessments.

Who is Responsible for Internal Controls?

All University employees are responsible for internal controls. At the highest level, the State Board of Education and the State Controller have established controls that all Idaho universities must adhere to. University Administrators have established controls that are specific to the operations of Boise State University; these controls are more general in nature and are designed to apply to all units of the University. Unit Managers (Deans, Directors, Department Chairs, Business Managers, etc.) are responsible for establishing controls within their areas that are specific to the operations of their unit, and for ensuring that State and University controls are adhered to. Finally, all employees are responsible for adhering to established controls. Employees are also responsible for identifying ways to improve overall controls in their areas.

Although internal control and internal audit are closely related, they are distinct from each other. Internal control is the systems, policies, procedures, and processes put in place by University management. Internal audit provides an objective, independent review of unit activities, internal controls, and University information systems to help the University evaluate and monitor the adequacy and effectiveness of internal controls.

Tone at the Top

What is the “Tone at the Top”?

“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees of the University. If the tone set by management upholds honesty, integrity and ethics, employees are more likely to uphold those same values.

Lead By Example:

Setting the proper tone starts with managers at all levels leading by example and with integrity. Leaders should demonstrate through their own actions their commitment to honesty, ethical strength, reliability, and fairness. Management cannot act without these qualities and expect others in the University to behave differently.

Communicating and Promoting Ethics and Values:

Management must clearly communicate its ethics and values throughout the area it manages. These values can be communicated formally, through written codes of conduct and policies, staff meetings, memos, etc., or informally during day-to-day operations.

Another step management must take is to create a path for employees who witness unethical behavior to report it. Employees are responsible for reporting such activity to management and should feel safe from retaliation. Managers should make their employees aware of the University Compliance Office and the Reporting Hotline.

Reward Integrity:

Management within the University should recognize employees who demonstrate honesty and integrity. Doing so will help communicate management’s commitment to this behavior and will encourage others to act in the same fashion. This will promote integrity within the University and have a positive influence on others.