Skip to Content

Are your internal controls up to par? Seven questions leaders must ask

May 23, 2023 Article 3 min read
Authors:
Jack Kristan Eric Conforti

Internal controls are critical to safeguarding the assets of any organization — and to overall performance. Without controls, you’re less likely to detect errors, fraud, and other common risks. Here’s how to ensure your internal controls are effective.

A group of business colleagues sitting at a long table discussing internal controls.

As much as we all would like to think that our businesses won’t experience financial reporting errors, cybersecurity breaches, embezzlement, or any number of other potentially catastrophic events, the reality is that they can — and do.

Not only are we seeing such events occur with greater frequency, we’re also seeing them occur with greater velocity. One minute, things are fine; the next minute, a server has been hacked — and, without access to necessary data, business comes to a halt. Whether the catastrophic event is a high-velocity cyberattack or an embezzlement that occurs over a decade, the problem often comes down to the same thing: a failure of internal controls.

It can be tempting to deprioritize reviewing internal controls in favor of projects that seem more urgent or have a clear ROI, but consider this: stronger internal controls open you up to growth. A finely tuned, stable internal control environment helps you better understand, and potentially leverage, emerging threats and allows you to more quickly identify and act on opportunities that would be a good fit for your business.

A finely tuned, stable internal control environment helps you better understand, and potentially leverage, emerging threats.

Ask your team these questions to start strengthening your internal controls. 

Questions to ask about your internal controls 

It’s never too early or late to start the conversation about strengthening or establishing internal controls. Begin by asking your accounting and finance team these questions:

  1. How, specifically, are we addressing the risks our organization faces, including cybersecurity, fraud, and financial reporting errors? What internal controls do we have in place? In more than 50% of fraud cases we see, the organization simply didn’t have a control in place to address the risk. 
  2. How recently have our internal controls and related policies and procedures been updated? Having an existing policy is good, but does it align with the way your business operates today?
  3. What controls do we have in place around accounting accuracy? There should be processes in place for monitoring write-offs, reconciling accounts, disbursing cash, and making journal entries. Do you have a designated financial review committee? Are you ensuring proper segregation of duties?
  4. What about our controls for engaging with vendors, service providers, and prospective clients — does our organization have consistent review practices in place that reflect our current operations? Practices that involve direct contact (i.e., phone calls) with known individuals at your vendors’ and clients’ organizations can often prevent issues related to cyber frauds.
  5. Do we have an effective, reliable process for gathering and analyzing data? It’s important to have the technology and processes to collect and export the data you need to perform analytics, or even perform a more robust continuous monitoring program.
  6. If our business is internationally active: Does our organization have strong controls in place to ensure we meet the provisions of the Foreign Corrupt Practices Act (FCPA)? In light of the Yates Memorandum in 2015, the U.S. Department of Justice stepped up enforcement and actions against organizations that violate FCPA. It’s important to ensure your foreign operations are well-versed in what is acceptable and what’s not.
  7. How are we training our staff? Are our employees aware of the risks our organization faces and how to detect or prevent them? As examples, have staff been trained on how to identify a suspicious phishing email or a fraudulent request from a so-called vendor to reroute wire transfer payments to a new bank account?

The answers to these questions will help you identify areas of weakness that could benefit from new or stronger controls.

High-performing organizations

Unfortunately, it’s not uncommon for business leaders to consider controls a hindrance, a drag on efficiency and hasty decision-making. This mindset represents a missed opportunity. A strong structure of checks and balances enables operational excellence. Businesses with good internal controls become more systematized and reliable. What’s more, an informed approach to strengthening your internal controls can help create a foundation to spur growth, innovation, and profitability.

An informed approach to strengthening your internal controls can help create a foundation to spur growth, innovation, and profitability.

Bottom line: Strong controls demonstrate that your organization has carefully thought through all of its activities and processes. And, as a result, internal controls guide you to make better business decisions that align with what you’re trying to accomplish.


Healthy business risk starts with proper segregation of duties. 

Related Thinking

Two business professionals in casual clothing using a handheld tablet device together while standing.
June 18, 2024

Cybersecurity essentials for franchises: Prevent, respond, comply

Article 7 min read
Person holding telescope
May 28, 2024

How to spot a fraudster: Red flags that suggest occupational fraud

Article 4 min read
Two forensic accountants standing in a modern office and discussing how to identify and report fraud.
April 12, 2024

Don’t be a victim: How to empower your employees to identify and report fraud

Article 4 min read