Section 1 - Fundamental Concepts of Internal Control

Definition of Internal Control

OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (see fig. 2). These objectives and related risks can be broadly classified into one or more of the following three categories:

  • Operations - Effectiveness and efficiency of operations
  • Reporting - Reliability of reporting for internal and external use
  • Compliance - Compliance with applicable laws and regulations

Figure 2: Achieving Objectives through Internal Control

OV1.02 These are distinct but overlapping categories. A particular objective can fall under more than one category, can address different needs, and may be the direct responsibility of different individuals.

OV1.03 Internal control comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the entity. Internal control serves as the first line of defense in safeguarding assets. In short, internal control helps managers achieve desired results through effective stewardship of public resources.

Definition of an Internal Control System

OV1.04 An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved.

OV1.05 Internal control is not one event, but a series of actions that occur throughout an entity’s operations. Internal control is recognized as an integral part of the operational processes management uses to guide its operations rather than as a separate system within an entity. In this sense, internal control is built into the entity as a part of the organizational structure to help managers achieve the entity’s objectives on an ongoing basis.

OV1.06 People are what make internal control work. Management is responsible for an effective internal control system. As part of this responsibility, management sets the entity’s objectives, implements controls, and evaluates the internal control system. However, personnel throughout an entity play important roles in implementing and operating an effective internal control system.

OV1.07 An effective internal control system increases the likelihood that an entity will achieve its objectives. However, no matter how well designed, implemented, or operated, an internal control system cannot provide absolute assurance that all of an organization’s objectives will be met. Factors outside the control or influence of management can affect the entity’s ability to achieve all of its objectives. For example, a natural disaster can affect an organization’s ability to achieve its objectives. Therefore, once in place, effective internal control provides reasonable, not absolute, assurance that an organization will achieve its objectives.

  1. COSO Framework
  2. Green Book PDF
  3. GAO Green Book Site