
Internal Controls: Audit Process

Internal controls are the policies, procedures and checks that a company puts in place to protect its assets, produce reliable financial statements and comply with laws and regulations. When an auditor evaluates your internal controls, they’re assessing whether those systems actually work – not just whether they exist on paper.

Strong internal controls reduce the risk of errors and fraud in your financial reporting. Weak ones increase it. Your auditor’s assessment of your internal control environment directly affects how much testing they do, what they focus on, and ultimately how much your audit costs.

What are the 5 internal controls in auditing?

The COSO framework, which UK auditors widely reference, identifies five components of an effective internal control system:

1. Control environment

The foundation. This is the tone set by management and the board – their attitude towards governance, ethics and accountability. A company where the directors take financial reporting seriously will have a stronger control environment than one where compliance is treated as a box-ticking exercise. The auditor assesses the control environment through discussions with management, review of governance structures, and observation of how the business operates day-to-day.

2. Risk assessment

How the company identifies and responds to risks that could affect its financial statements. This includes risks from new regulations, changes in the business model, new IT systems, staff turnover in the finance team, and market conditions. Companies that formally assess their risks and adjust their controls accordingly tend to have fewer audit issues.

3. Control activities

The specific procedures that enforce management’s directives. These are the controls your auditor will actually test. Common control activities include:

  • Authorisation controls. Requiring approval before transactions are processed – purchase orders signed off by a budget holder, payments authorised by a director.
  • Reconciliation controls. Regular comparison of internal records against external sources – bank reconciliations, supplier statement reconciliations, stock counts.
  • Segregation of duties. Separating incompatible functions so no single person can initiate, approve and record a transaction. The classic example: the person who raises purchase orders shouldn’t also approve them or pay them.
  • Physical controls. Safeguarding assets through restricted access, security systems, inventory counts and asset registers.
  • IT controls. Access management, password policies, change management procedures for accounting systems, and automated controls built into software.

4. Information and communication

How financial information flows through the organisation. The accounting system needs to capture all transactions completely and accurately, and management needs timely access to financial data for decision-making. The auditor looks at whether the information systems produce reliable financial reports and whether staff understand their roles in the control process.

5. Monitoring activities

How the company checks that its controls are working. This might include internal audit functions, management review of exception reports, or periodic self-assessments. Without monitoring, controls deteriorate over time as staff find workarounds or circumstances change.

How auditors test internal controls

Under ISA (UK) 315, the auditor must obtain an understanding of the entity’s internal controls as part of identifying and assessing the risks of material misstatement. But understanding controls isn’t the same as relying on them.

Understanding vs reliance

The auditor always obtains an understanding of the control environment and of the controls relevant to the audit. Detailed testing of controls (with a corresponding reduction in other testing) is only carried out when one of the following applies:

  • The auditor plans to rely on the controls to reduce the extent of substantive testing, or
  • Substantive procedures alone cannot provide sufficient appropriate audit evidence, for example where transactions are processed almost entirely within an automated system and little documentation exists outside it

and, in either case, only if the controls appear well designed and likely to operate effectively. There is no point testing a badly designed control: it cannot be relied on whatever the sample shows.

For many smaller companies, the auditor takes a fully substantive approach – meaning they test the numbers directly without relying on controls. This is common where segregation of duties is limited due to the size of the finance team.

Testing procedures

When the auditor does test controls, they use a combination of:

  • Inquiry. Asking staff how controls operate in practice
  • Observation. Watching the control being performed
  • Inspection. Examining evidence that the control operated – signatures, system logs, reconciliation files
  • Re-performance. The auditor performs the control themselves to confirm it produces the right result

Common internal control weaknesses

These are the issues we see most frequently when auditing UK companies:

  • No segregation of duties in the finance team. In companies with two or three accounts staff, one person often handles the entire purchase-to-payment cycle. The auditor can’t rely on controls in this situation and will perform more detailed substantive testing.
  • Passwords shared or unchanged. System access controls only work if each user has a unique login, credentials are changed when staff leave or a password may have been exposed, and access rights are reviewed regularly. A shared login destroys the audit trail: if the system shows that “finance” approved a payment, the auditor cannot tell who actually approved it, so the approval cannot be inspected as evidence that the control operated.
  • Bank reconciliations not reviewed. Preparing a bank reconciliation is one control. Having someone else review it is another. Many companies do the first but skip the second.
  • No formal approval process for journal entries. Manual journals are a key focus for fraud testing under ISA (UK) 240. If anyone in the finance team can post a journal without review, the auditor will spend significant time testing them.
  • Outdated or undocumented policies. A procurement policy that was written five years ago and sits in a drawer isn’t an effective control. Controls need to reflect current processes and be understood by the people who operate them.

Internal controls for different company sizes

Small companies (under 50 employees)

Full segregation of duties is often impractical. Compensating controls become important: director review of bank statements, surprise checks on petty cash, owner-manager oversight of major transactions. The auditor understands these limitations but still expects to see some form of oversight.

Medium companies (50-250 employees)

At this size, there’s no excuse for missing basic controls. The finance team should be large enough for proper segregation of duties. The auditor expects documented policies, regular reconciliations, formal authorisation limits, and management review of financial reports.

Larger companies

Companies with an internal audit function and an audit committee should have a mature control environment. The external auditor will co-ordinate with the internal audit team under ISA (UK) 610 and may rely on some of their work. The audit committee provides independent oversight of financial reporting and the effectiveness of internal controls.

How to strengthen your internal controls before an audit

  • Map your key processes. Document how transactions flow from initiation to recording. Identify where controls exist and where there are gaps.
  • Address last year’s findings. If the auditor flagged control weaknesses last year and you haven’t fixed them, expect the same findings again – plus questions about why nothing changed.
  • Test your own controls. Don’t wait for the auditor. Pick a sample of purchase orders, journals or payroll entries and check that controls operated as intended.
  • Train your team. Controls only work if the people operating them understand what they’re doing and why. A quick refresher before the audit starts can prevent common errors.
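One way to carry out the “test your own controls” step above, and to put the segregation-of-duties, authorisation, journal-review and shared-login points from earlier in this article into a repeatable check, is a short script run over an export from the accounting system. The following is an added example written for this page, not code from the article or from Audit Group. The records, user names, the shared login “finance” and the approval limits are all constructed sample data, and the field names (`raised_by`, `approved_by`, `paid_by`, `reviewed_by`) are assumptions about what such an export might contain.

```python
"""Self-test of control activities over a sample of finance-system records.

Added example for this article; all data below is constructed. Field names,
user names, the shared login and the approval limits are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Logins that cannot be attributed to one named individual (assumed).
SHARED_LOGINS = {"finance"}
# Authorisation limits per approver in GBP (assumed figures).
APPROVAL_LIMITS = {"bob": 10_000.0, "carol": float("inf")}


@dataclass(frozen=True)
class PurchaseOrder:
    ref: str
    amount: float
    raised_by: str
    approved_by: Optional[str]
    paid_by: Optional[str]


@dataclass(frozen=True)
class ReviewedItem:
    """A manual journal or a bank reconciliation: one person prepares, another reviews."""
    ref: str
    prepared_by: str
    reviewed_by: Optional[str]


@dataclass(frozen=True)
class Finding:
    ref: str
    control: str
    detail: str


def check_purchase_order(po: PurchaseOrder) -> list:
    findings = []
    steps = {"raise": po.raised_by, "approve": po.approved_by, "pay": po.paid_by}

    # Segregation of duties: no one person may perform two of raise/approve/pay.
    by_user = {}
    for step, user in steps.items():
        if user:
            by_user.setdefault(user, []).append(step)
    for user, done in by_user.items():
        if len(done) > 1:
            findings.append(Finding(po.ref, "segregation_of_duties",
                                    f"{user} performed {'+'.join(done)}"))

    # Authorisation: an approval must exist, from a budget holder, within their limit.
    if po.approved_by is None:
        findings.append(Finding(po.ref, "authorisation", "no approval recorded"))
    else:
        limit = APPROVAL_LIMITS.get(po.approved_by)
        if limit is None:
            findings.append(Finding(po.ref, "authorisation",
                                    f"{po.approved_by} is not an authorised approver"))
        elif po.amount > limit:
            findings.append(Finding(po.ref, "authorisation",
                                    f"{po.approved_by} exceeded limit on {po.amount:.2f}"))

    # Audit trail: a shared login cannot evidence who performed the step.
    for step, user in steps.items():
        if user in SHARED_LOGINS:
            findings.append(Finding(po.ref, "shared_login", f"'{user}' used to {step}"))
    return findings


def check_reviewed_item(item: ReviewedItem, control: str) -> list:
    """Journals and bank recs need an independent reviewer, not self-review."""
    if item.reviewed_by is None:
        return [Finding(item.ref, control, "not reviewed")]
    if item.reviewed_by == item.prepared_by:
        return [Finding(item.ref, control, f"{item.prepared_by} reviewed own work")]
    return []


def run_control_checks(pos, journals, bank_recs) -> list:
    findings = []
    for po in pos:
        findings.extend(check_purchase_order(po))
    for j in journals:
        findings.extend(check_reviewed_item(j, "journal_approval"))
    for r in bank_recs:
        findings.extend(check_reviewed_item(r, "bank_rec_review"))
    return findings


def sample_data():
    """Constructed sample records: one clean PO, then one per weakness discussed."""
    pos = [
        PurchaseOrder("PO-001", 4_200.0, "alice", "bob", "carol"),      # clean
        PurchaseOrder("PO-002", 1_500.0, "alice", "alice", "alice"),    # whole cycle by one person
        PurchaseOrder("PO-003", 25_000.0, "alice", "bob", "bob"),       # approve+pay, over limit
        PurchaseOrder("PO-004", 800.0, "finance", "carol", "alice"),    # shared login raised it
        PurchaseOrder("PO-005", 300.0, "alice", None, "carol"),         # paid without approval
    ]
    journals = [
        ReviewedItem("JNL-01", "alice", "bob"),    # clean
        ReviewedItem("JNL-02", "alice", None),     # posted without review
        ReviewedItem("JNL-03", "bob", "bob"),      # self-reviewed
    ]
    bank_recs = [
        ReviewedItem("BANKREC-2024-01", "alice", "bob"),   # clean
        ReviewedItem("BANKREC-2024-02", "alice", None),    # prepared but never reviewed
    ]
    return pos, journals, bank_recs


if __name__ == "__main__":
    for f in run_control_checks(*sample_data()):
        print(f"{f.ref:16} {f.control:22} {f.detail}")
```

Run against a real export, the interesting output is not the list of exceptions itself but the pattern: a single person appearing on every step of the purchase cycle is a structural segregation-of-duties gap that the auditor will treat as a reason not to rely on controls at all, whereas an isolated unreviewed journal is an operating failure of a control that otherwise exists.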


How Audit Group can help

We assess your internal controls as part of every statutory audit and provide practical recommendations for improvement. Our management letter highlights the specific control weaknesses we’ve found and suggests cost-effective solutions that work for your size of business. Request a proposal to discuss your audit requirements.
