Daniel Cullinane CPA

275 7th Ave, 7th floor, New York, NY 10001

Chelsea / Lower Manhattan

p 848-250-9587

dcullinanecpa@yahoo.com

Internal Control Systems

The professional risk management, internal audit and GRC community has given rise to the conception and publication of several systems of internal control, sometimes called internal control frameworks. Such publications are written guidelines and best practices. Their implementation is done in a largely manual manner by staff or professional service providers. They do not, however, include or specify any particular software tools.

Among the internal control systems that have been published are: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Integrated Framework, Control Objectives for Information and Related Technology (COBIT), The Turnbull Guidance and Criteria of Control Board Guidance on Control (CoCo). These do not specify a qualitative or quantitative indication of how the organization’s internal performance affects its objectives, and the organizations that choose to adopt them adapt them to fit their own constraints and understanding.

Importance of an Internal Control System

A system of internal control is an important mechanism of correct and responsible management in all kinds of organization. In a small organization, it can lend itself to manual executive control alone, but the more complex the organization and the more employees and processes it has, the more the system needs to contain functionality that can help the management ensure internal controls are in place and working as intended.

The result of such functionality will be increased chances that processes and procedures are operating as intended and risk is being kept at tolerable levels. Accountability and compliance with regulations follow this state of affairs, as do increased sustainability potential of the organization and a healthier working environment. 

Key benefits of the internal control system include:

Treatment of risk
Achieving higher standards
Compliance with laws and regulations
Improved communication and procedures

Key Elements of an Internal Control System

To make internal control work as a system and to achieve the organization's objectives, we need a number of key components that interact in a way that advances those objectives.

Control Objectives

Any internal control system will command a cost in resources, and to justify this cost there is a need for a higher objective, the achievement of which is advanced by the system. Such control objectives are varied in nature and will invariably be specific to each organization. Example control objectives include compliance with regulations, adherence to standards and improving quality. In some systems, reduction of risk might comprise a control objective in itself, while in others risks may exist as a separate layer.

Examples of control objectives

Protect against financial loss following disaster
Prevent fraudulent activity by employees
Maintain high password security
Ensure DR capability

Internal Controls

Internal controls are distinctly different from internal control. Internal controls are the trees of the internal control system while internal control is the forest. The internal control system achieves internal control in the organization by putting in place internal controls. Internal controls are mechanisms, rules, safeguards and processes whose purpose is to positively influence activity in the organization in such a way as to advance the control objectives and reduce risks to those objectives.

Internal controls are meant to help control various aspects of the organization's activity and provide reasonable assurance that this activity is in accordance with its control objectives. They add a degree of automatic management which otherwise would have to be done by managers manually. Internal controls can dictate modes of operation, affect behavior, enforce best practices and more.

Examples of internal controls

Buy sufficient insurance cover
Check out references for new employees
Restrict times of working on the financial systems
Force password changes every 6 months
Do backups every day

Control Monitoring

In order that the internal control system may be evaluated, it must be monitored in some way. This monitoring will need to address 2 primary questions:

Are the internal controls that were put in place actually being implemented?
Are they effective as mechanisms to achieve control objectives?

Are the internal controls being implemented?

This can expose a familiar failing in many risk management and internal control management systems. Resources are invested in identifying risks and control objectives and in formulating controls to mitigate or treat the risks. However, after verifying that the appropriate controls have been put in place, all too frequently a system of continuous control monitoring is not maintained and well-intended controls are not actively upheld. This state of affairs is dangerous to the organization because risks that are considered as having been mitigated as a result of the controls in place might remain with an intolerably high probability or severity.

What is required therefore is control monitoring activity, whereby spot checks are made of the controls that should be in place. The findings of the observations will indicate the 'state of health' of the organization's internal controls.

It follows that an effective means of executing these spot checks would require some form of scheduling so the monitoring tasks can be planned and reminders issued in good time to those who will carry them out.

Is the control effective?

This is perhaps more difficult to answer but can be assisted by implementing a related monitoring task whose purpose is to evaluate, either objectively or subjectively, any change that has taken place due to the control being in place. This too needs a control plan or schedule.

Both types of monitoring task referred to in the above 2 questions must involve an observation and the recording of the resulting findings. The integrity of the internal control system could be compromised at this point due to the subjectiveness of the observation and the conclusions reached in assessing the findings. A structured approach is one way to address this and maintain high integrity and consistency across different control auditors.

One such structured approach might typically contain the following elements:

A clear and understandable description of the required observation.
A predefined set of possible findings.
A predefined assessment of the effect each possible finding will have on the control objective.

The Internal Control System and Procedure Performance Monitoring

A powerful additional benefit becomes possible when an effective and comprehensive system of internal control is put into place: procedure performance monitoring. This is a measure of how well various resources in the organization are following required policies and procedures.

Resources can be human-based like departments and employees or object-based like buildings, forms and equipment.

Examples of monitoring performance

How well safety procedures are being followed in a department.
The degree by which data security mechanisms are being implemented in the organization.
Worker participation in mandatory training activities.
The conformity of purchase orders to company policy.

Internal Control System Summary

An internal control system of any kind is a tool that provides management with an enhanced level of management control and insight into how their organization is working. It gets the organization working according to the values and quality laid down by management. Furthermore, it is a way of implementing best working practices, responsibility and accountability, and of making these values an integral part of the corporate culture.

However, as a manual process based on written procedure, documents and spreadsheets, it is time consuming and inefficient. In comparison, an internal control system implemented in software adds structure and automation to an otherwise theory-based concept. It adds the processes that faith and good intentions alone will be hard-pressed to meet and therefore a computerized internal control system is an important and even essential tool in getting the organization's system of internal control working in an optimal way. Objective Controls is such a system.

Objective Controls as an Internal Control System

Objective Controls is an internal control system implemented in software. It brings together objectives, risks and internal controls into the context of a management tool that will implement internal control, manage and treat risks and help the organization achieve its objectives. For more information, see Internal Controls Software.




Internal controls go beyond safeguarding an organization from financial loss. They can also assist in maintaining reliable financial reporting and maximizing effective operations.

The best way to protect and ensure that your organization is operating efficiently is to have an internal control review performed on your operation. The goal is twofold:

1. To protect and safeguard your company from being victimized

2. To improve your processes to obtain greater efficiencies and become more effective at each level of the organization.

An internal control review can highlight weaknesses in the internal control structure or expose processes that could be strengthened to maximize efficiency. Detailed recommendations to mitigate risk or strengthen areas of weakness will be included in our report.

If you suspect fraud within your organization or need help safeguarding it, please call us.

Cullinane has performed internal control reviews at Johnson & Johnson Baby Products, Bell Laboratories, AEP Industries, Cosmetic Essence, etc.