Internal Controls Management

Effective internal controls begin with comprehensive risk assessment that identifies, analyzes, and prioritizes risks across all business processes. Our risk assessment services examine financial reporting risks, operational risks, compliance risks, and strategic risks that could impact your business. We evaluate your control environment—the attitudes, abilities, and awareness of management and employees regarding internal control—to understand the foundation on which controls are built.

We identify inherent risks (risks existing before considering controls) such as cash misappropriation, inventory theft, fraudulent financial reporting, or unauthorized purchases. Control risk assessment evaluates whether existing controls can effectively prevent or detect material misstatements. Residual risk represents the risk remaining after controls—this is what management must accept or mitigate through additional controls. Our risk assessment prioritizes control improvements based on significance, focusing resources on high-risk areas that could have material impact on financial statements or operations.

We also evaluate industry-specific risks. Construction companies face risks related to project cost overruns, subcontractor billing, and change orders. Technology companies have revenue recognition risks, intellectual property risks, and cybersecurity risks. Retail businesses face inventory shrinkage, cash handling, and point-of-sale fraud risks. Healthcare providers encounter billing compliance risks, privacy risks, and regulatory risks. Our industry expertise ensures we identify and address the risks most relevant to your business. Risk assessment is not a one-time exercise—we help businesses establish ongoing risk monitoring processes that identify emerging risks as the business and environment change.

We develop control frameworks using the COSO Internal Control—Integrated Framework, the globally recognized standard for internal control design and evaluation. In Canada, we incorporate Criteria of Control Board (COCO) guidance, which provides principles-based criteria particularly relevant to Canadian businesses. Our framework addresses the five integrated components of internal control: Control Environment (sets the tone for the organization, influencing control consciousness), Risk Assessment (the process of identifying and analyzing risks), Control Activities (the policies and procedures that help ensure management directives are carried out), Information and Communication (systems that support the internal control system), and Monitoring (processes that assess the quality of internal control performance over time).

Control implementation involves designing specific control activities for each significant risk. Preventive controls aim to prevent errors or fraud before they occur (authorization requirements, segregation of duties, system edit checks). Detective controls identify errors or fraud that have already occurred (reconciliations, reviews, analytics, exception reports). Corrective controls remedy problems identified by detective controls (adjustment procedures, process improvements). We design cost-effective combinations of control types that provide appropriate protection without excessive bureaucracy.

Implementation includes process documentation through flowcharts and narratives that show how controls fit into business processes. We establish control responsibilities—specifying who performs each control, how frequently, and what documentation is required. Training ensures employees understand control responsibilities and the reasons behind them. We implement controls in ways that support rather than hinder operations—well-designed controls should streamline processes by reducing errors and rework while providing protection. Our implementation approach balances thoroughness with pragmatism, implementing controls appropriate to your business size and complexity.

Every business requires controls across core financial and operational processes. Revenue cycle controls begin with customer credit approval and sales order authorization. Shipping documentation should match sales orders, and billing should verify that goods or services were provided before invoicing. Accounts receivable controls include reconciliation of subsidiary ledgers to the general ledger, aging review, and collection follow-up. Our revenue cycle controls ensure complete, accurate revenue recording and timely cash collection.

Expenditure cycle controls include purchase order approval, vendor setup and verification procedures, three-way matching comparing purchase orders, receiving reports, and invoices before payment, and payment authorization based on approval limits. We implement segregation of duties ensuring no single person controls purchasing, receiving, and payment. Our controls also address employee expense reimbursement through verification policies, approval requirements, and spending limits.

Cash management controls include segregation of duties between cash handling and record-keeping, regular bank reconciliations performed by someone who doesn't handle cash or authorize payments, access controls to bank accounts (dual signatures for larger amounts, secure access to online banking), and physical cash controls including safes, cash registers with audit trails, and regular cash counts. Payroll controls include segregation between HR (hiring, pay rates, terminations) and finance (payroll processing, distribution), timekeeping approval procedures, and payroll distribution review.

Occupational fraud costs organizations an average of 5% of revenue annually, yet many frauds could be prevented with basic internal controls. Our fraud prevention focus addresses the three elements of the fraud triangle—opportunity, motivation, and rationalization—primarily by reducing opportunity. Segregation of duties remains the most effective fraud prevention control, ensuring no single person controls all aspects of a transaction. For example, the person who approves payables shouldn't be able to print checks or reconcile bank accounts. The person who can create vendors shouldn't be able to approve payments to those vendors.

Authorization controls establish approval authority for transactions based on amount, type, and role. Physical controls restrict access to assets, inventory, cash, and sensitive information. Document controls require supporting documentation for all transactions, with verification that documentation is authentic, accurate, and appropriate. Reconciliation controls compare records to independent sources—bank statements to accounting records, physical inventory counts to perpetual records, customer confirmations to accounts receivable—identifying discrepancies that may indicate fraud.

Review controls include management review of financial reports looking for unusual items, variance analysis comparing actual to budget or prior periods, and exception reports highlighting transactions outside normal parameters. We implement fraud detection analytics that flag suspicious patterns—round dollar amounts, payments just below approval thresholds, weekend or holiday transactions, vendors with similar addresses to employees. Information technology controls include password protection, access logs showing who accessed systems and what they did, and restrictions on what users can do based on their roles. Our fraud prevention approach combines strong controls with ethical culture development, emphasizing tone at the top, codes of conduct, and whistleblower mechanisms.

Internal controls deteriorate over time if not monitored—processes change, employees leave, new risks emerge, and controls that were once adequate may become insufficient. Our control monitoring services include ongoing monitoring built into regular business processes and separate evaluations through periodic internal audit activities. Ongoing monitoring includes management review processes, regular reconciliations, variance analysis, and exception reporting that provide continuous feedback on control effectiveness.

We implement Key Control Indicators (KCIs) that measure control effectiveness quantitatively—journal entry error rates, reconciliation completion timeliness, exception report volumes, override rates for automated controls, control testing failure rates. These metrics provide early warning of control deterioration. We establish control self-assessment processes where business process owners periodically evaluate their controls, answer control questionnaires, and certify control effectiveness. This distributes control responsibility across the organization while maintaining oversight.

Periodic separate evaluations include internal audit reviews that test control design and operating effectiveness, follow up on previously identified control issues, and assess new or changed processes. Our monitoring approach scales to business size and complexity—smaller businesses may need annual control reviews, while larger enterprises require continuous monitoring programs with automated testing and analytics. We help businesses establish remediation processes that address control deficiencies promptly, tracking corrective actions to completion. Continuous improvement ensures controls evolve as the business changes, maintaining appropriate protection as new risks emerge.