
Understanding internal controls: Definition, types and examples

Internal controls are a process that helps ensure a company’s system is secure, reliable and compliant with relevant regulations. Though controls like requiring a username and password or putting purchasing limits on company credit cards may seem simple, the stakes are high.
One-third of all fraud committed in 2020 resulted from weaknesses in internal controls. The SEC also takes internal controls seriously, having monitored and charged organizations that don’t resolve internal control failures.
This article will help you strengthen your system and remain in compliance by explaining:
- What internal controls are
- Why internal controls are important
- The three types of internal controls
- Examples of internal controls in an organization
- Key internal control frameworks
- Adapting internal controls to new regulatory landscapes
- Internal controls in smaller businesses
- Recent control failures
- Best practices for managing internal controls
- Emerging technologies streamlining internal control workflows
- Additional resources on implementing and maintaining controls
What are internal controls?
Internal controls are essential for businesses to ensure that their systems are secure. Controls have different components and are usually rooted in an organization’s systems. Employees may engage with a control structure daily — like inputting credentials to unlock a point of sale — without realizing they are following an intentional security protocol.
But whether employees know it or not, these controls prevent breaches, fight back against fraud and ensure that only authorized users can access sensitive systems and information.
What is the purpose of internal controls?
The primary purpose of internal controls is to secure a business’s information and assets. An internal controls system minimizes risk and promotes compliance as a business pursues its objectives.
They’re also a critical form of documentation to assure the board and other key stakeholders that:
- The company’s information is reliable and credible
- The organization complies with relevant laws and regulations
- The company’s assets are secure from fraud or breach
- The company put resources to good use
- Operations and programs are functioning as intended
Why are internal controls important?
Internal controls are important because they protect an organization’s systems, data and assets. As significant as security is, the importance of strong internal controls is even further-reaching than that.
An effective framework for internal controls can help organizations:
- Implement processes: When internal controls are in place, employees know the processes and procedures they should follow. This strengthens the company because employees understand their expectations and can securely engage with systems and data.
- Reduce fraud: A key tenet of internal controls is segregating duties, meaning the person undertaking an action isn’t also the person approving it. For example, an employee purchasing new laptops for the sales department shouldn’t be the same employee who approves the purchase order. This ensures that all actions are meaningful and necessary and reduces fraud.
- Improve financial reporting: Financial statements can be difficult to produce if the organization’s transactions aren’t regularly available. Having controls around how and when employees should report transactions paves the way for more accurate financial statements, enabling leadership to make more informed decisions involving the company’s finances.
- Identify errors: Mistakes happen. It’s all too easy to transpose digits or enter a figure on the wrong line. The purpose of internal controls like automation is to help organizations catch and fix those errors before they cause costly reputational damage.
3 types of internal controls
There are many different internal controls, but they typically fall into three different categories. All organizations should aim to have controls that align with these internal control types:
- Preventative controls: This control group encompasses any internal control that prevents risky actions from occurring, such as application controls.
- Corrective controls: These are the controls that come into play after the system detects an issue or error.
- Detective controls: Also called mitigating controls, these are the actions and processes that sound the alert if an error occurs. These controls are an important way to stop breaches before they lead to more costly damage.
Examples of internal controls
Every organization may need slightly different internal controls to ensure the security of its systems and data. However, some internal controls are fairly common regardless of the organization and industry.
Some common examples of internal controls are:
Transaction authorization: A preventative control
Most organizations have employees who will make purchases on the organization’s behalf. A common preventative control for this situation is to have a process for authorizing that transaction.
For example, a technology company has recently hired three new website developers. The website development manager needs to purchase a laptop and monitor for each developer. To do that, they’ll have to follow several controls. The process might look like this:
- The manager submits a purchase order to the accounting department
- The accounting department approves the purchase order
- The manager uses the purchase order to buy the approved equipment
- The manager gives a receipt to the accounting department
Reconciliation: A detective control
In the above scenario, the organization likely has multiple departments making various monthly purchases.
At the end of the month, an accountant or accounting department should reconcile all those transactions — an important internal control to detect transactions that are either fraudulent or do not comply with business policies or industry regulations.
A reconciliation internal control might require the accounting team to:
- Issue approvals for certain transactions
- Collect receipts, expense reports or both for all spending
- Check transactions against those receipts
- Report to senior leadership if any transactions don’t match receipts
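The purchase-order workflow and the month-end reconciliation steps above, together with the segregation-of-duties rule from the "Reduce fraud" point earlier, as one added worked example. This is illustrative code written for this article, not Diligent's software or any organisation's real process: the approver list, the department names, the purchase orders, card charges and receipts are all constructed, and the 0.5-cent amount tolerance is an assumption.

```python
"""Added example: a preventative control (purchase-order authorisation that
enforces segregation of duties) followed by a detective control (month-end
reconciliation of card charges against approved orders and receipts).
All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AMOUNT_TOLERANCE = 0.005  # assumed: treat sub-cent float differences as equal


@dataclass
class PurchaseOrder:
    po_id: str
    submitted_by: str
    department: str
    amount: float
    approved_by: Optional[str] = None


class ControlViolation(Exception):
    """Raised when a preventative control blocks an action."""


class PurchasingControls:
    """Preventative control: orders need an approver who is not the submitter."""

    def __init__(self, approvers: List[str]):
        self.approvers = set(approvers)          # hypothetical accounting approvers
        self.orders: Dict[str, PurchaseOrder] = {}

    def submit(self, po: PurchaseOrder) -> PurchaseOrder:
        if po.po_id in self.orders:
            raise ControlViolation(f"duplicate purchase order {po.po_id}")
        self.orders[po.po_id] = po
        return po

    def approve(self, po_id: str, approver: str) -> PurchaseOrder:
        po = self.orders[po_id]
        if approver not in self.approvers:
            raise ControlViolation(f"{approver} is not an authorised approver")
        if approver == po.submitted_by:
            # Segregation of duties: the requester may never approve their own spend.
            raise ControlViolation(f"{approver} cannot approve their own order {po_id}")
        po.approved_by = approver
        return po


def reconcile(controls: PurchasingControls, transactions: List[dict],
              receipts: List[dict]) -> List[Tuple[str, str]]:
    """Detective control: compare each card charge with its order and receipt.

    Returns (tx_id, finding) pairs for senior leadership to review."""
    findings: List[Tuple[str, str]] = []
    receipts_by_po = {r["po_id"]: r for r in receipts}
    for tx in transactions:
        po = controls.orders.get(tx["po_id"])
        if po is None:
            findings.append((tx["tx_id"], "no purchase order on file"))
            continue
        if po.approved_by is None:
            findings.append((tx["tx_id"], "purchase order never approved"))
        if tx["amount"] - po.amount > AMOUNT_TOLERANCE:
            findings.append((tx["tx_id"],
                             f"charged {tx['amount']:.2f} exceeds approved {po.amount:.2f}"))
        receipt = receipts_by_po.get(tx["po_id"])
        if receipt is None:
            findings.append((tx["tx_id"], "no receipt submitted"))
        elif abs(receipt["amount"] - tx["amount"]) > AMOUNT_TOLERANCE:
            findings.append((tx["tx_id"],
                             f"receipt {receipt['amount']:.2f} != charged {tx['amount']:.2f}"))
    return findings


def run_month_end() -> List[Tuple[str, str]]:
    """Drive the constructed scenario end to end and return the findings."""
    ctl = PurchasingControls(approvers=["accounting.lee"])
    for po_id, amount in [("PO-1001", 4200.00), ("PO-1002", 1500.00),
                          ("PO-1003", 800.00), ("PO-1004", 300.00)]:
        ctl.submit(PurchaseOrder(po_id, "web.manager", "Web Development", amount))
    try:
        ctl.approve("PO-1002", "web.manager")   # blocked: self-approval
    except ControlViolation:
        pass                                     # PO-1002 stays unapproved
    for po_id in ("PO-1001", "PO-1003", "PO-1004"):
        ctl.approve(po_id, "accounting.lee")
    transactions = [  # constructed card-statement lines
        {"tx_id": "TX-1", "po_id": "PO-1001", "amount": 4200.00},
        {"tx_id": "TX-2", "po_id": "PO-1002", "amount": 1500.00},
        {"tx_id": "TX-3", "po_id": "PO-9999", "amount": 129.99},
        {"tx_id": "TX-4", "po_id": "PO-1003", "amount": 950.00},
        {"tx_id": "TX-5", "po_id": "PO-1004", "amount": 300.00},
    ]
    receipts = [  # constructed receipts handed to accounting
        {"po_id": "PO-1001", "amount": 4200.00},
        {"po_id": "PO-1002", "amount": 1500.00},
        {"po_id": "PO-1003", "amount": 950.00},
        {"po_id": "PO-1004", "amount": 250.00},
    ]
    return reconcile(ctl, transactions, receipts)


if __name__ == "__main__":
    for tx_id, finding in run_month_end():
        print(f"{tx_id}: {finding}")
```

Only TX-1 passes cleanly: the unapproved order, the charge with no order, the overspend against an approved amount and the receipt that does not match the charge are each reported, which is exactly the split between "prevent" and "detect" the article describes.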
Internal controls frameworks
Beyond the controls themselves is a robust internal controls framework. Implementing one is essential to reducing risk, maintaining regulatory compliance and strengthening operational efficiency. Below are six widely recognized internal control and governance frameworks that help businesses safeguard assets, ensure data integrity and meet compliance obligations:
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Controls Framework
The COSO Internal Control-Integrated Framework is one of the most commonly used frameworks for designing, implementing and evaluating internal controls. COSO helps organizations achieve objectives across three categories: operations, reporting, and compliance. It’s particularly critical for companies required to comply with the Sarbanes-Oxley Act (SOX).
Control Objectives for Information and Related Technologies (COBIT)
Developed by ISACA, COBIT is a comprehensive IT governance and management framework that helps organizations align their IT strategy with business goals. It’s especially useful in auditing IT systems, managing risks and ensuring control over data and technology processes.
International Organization for Standardization (ISO)
The ISO family of standards includes several standards relevant to internal controls and compliance. Key examples include ISO 27001 for information security management systems (ISMS) and ISO 9001 for quality management. These globally recognized standards help businesses manage operational risks, demonstrate due diligence, and ensure regulatory compliance across industries.
National Institute of Standards and Technology (NIST)
NIST provides trusted guidance for cybersecurity, privacy and risk management, especially for organizations in the public sector or working with U.S. federal agencies. The NIST Cybersecurity Framework (CSF) and NIST SP 800-53 are key resources for implementing technical controls, protecting critical infrastructure and complying with federal regulations.
Center for Internet Security (CIS) Controls
The CIS Controls are a set of prioritized cybersecurity best practices designed to help organizations reduce their exposure to common cyber threats. Especially useful for small to mid-sized businesses, CIS offers a practical, implementable roadmap for strengthening internal controls over digital assets and IT systems.
Payment Card Industry Data Security Standard (PCI DSS)
Required for all organizations that process, store or transmit credit card data, PCI DSS sets technical and operational requirements for securing payment card data. This framework is critical for protecting customer information, reducing the risk of data breaches and maintaining trust in e-commerce and retail operations.
Adapting internal controls to new regulatory landscapes
Global organizations must continuously evolve their internal control frameworks to stay compliant and resilient. Recent developments across key regulatory environments reveal a clear trend: increasing board accountability, greater transparency and integration of non-financial controls.
- Sarbanes-Oxley Act (SOX) in the U.S.: The SOX Act continues to evolve. A recent U.S. Supreme Court decision expanded whistleblower protections by lowering the burden of proof, making it easier for employees to raise concerns without retaliation. Meanwhile, the SEC has introduced new rules requiring public companies to disclose material cybersecurity incidents within four business days. These changes underscore a broader trend: organizations must now integrate cybersecurity and ESG-related controls directly into their internal control over financial reporting (ICFR) frameworks to remain SOX compliant.
- UK Corporate Governance Code: This regulation has also undergone significant reform. Provision 29, taking effect for financial years beginning on or after January 1, 2026, will require boards to issue a formal declaration of the effectiveness of material internal controls, covering not just financial but also operational, compliance and reporting risks. These go beyond typical annual attestations, placing renewed focus on board-level accountability. Additionally, a new outcomes-based reporting principle requires companies to explain how board decisions support long-term strategy and stakeholder value, shifting the emphasis toward strategic narrative reporting.
- Japan’s J-SOX: An adaptation of SOX, this framework continues to prioritize ICFR while also embedding broader IT and operational controls. Unlike its U.S. counterpart, J-SOX places greater emphasis on group-level governance, which means multinational organizations with Japanese subsidiaries must harmonize their internal control systems across geographies. J-SOX control assessments also tend to be more entity-level and risk-based.
- Other jurisdictions: Many regulators are increasingly expecting companies to embed risk management and internal controls into their culture. For example, European Union directives are pushing for tighter oversight of sustainability reporting, while countries like Singapore and Canada are revisiting internal audit mandates in light of cybersecurity and data privacy concerns.
What these changes mean for multinational enterprises
For organizations operating across borders, adapting to new internal control requirements is no longer optional. Businesses must ensure that control frameworks are both locally responsive and globally aligned, supported by robust governance, real-time risk monitoring and integrated reporting mechanisms. This includes mapping controls to overlapping standards like SOX, the UK Code and J-SOX; investing in governance, risk and compliance (GRC) technology; and ensuring that board members and executives are equipped to certify control effectiveness across regions.
By proactively aligning with global standards, organizations can reduce regulatory risk, build stakeholder trust and position themselves for long-term, sustainable growth.
Internal controls in small and mid-sized businesses (SMBs)
Internal controls can be complex, but they’re nonetheless an essential tool for SMBs to prevent fraud and errors and build operational resilience, financial accuracy and investor confidence. While large corporations often have full compliance departments, SMBs must take a lean but strategic approach to internal control implementation.
Even without a large team, SMBs can establish meaningful controls like:
- Segregation of duties: Avoiding situations where one person handles a transaction from start to finish.
- Authorization controls: Requiring managerial approval for key transactions.
- Account reconciliations: Performing regular checks to ensure books match bank statements.
- IT and access controls: Limiting system access based on role or responsibility.
- Inventory and asset tracking: Monitoring physical and digital assets for discrepancies.
Technology can also make internal control implementation easier and more scalable, particularly right-sized GRC tools tailored for small businesses.
Recent control failures
Several high-profile enforcement actions in recent years highlight the importance of robust internal controls. Each of these cases underscores how control failures of all kinds can lead to significant financial and reputational consequences.
- An enterprise in the online gambling industry: In 2024, the UK’s Financial Conduct Authority (FCA) fined this company £582,120 for serious breaches of anti-money laundering (AML) and social responsibility rules. The regulator found that they failed to properly assess customer risk, implement effective transaction monitoring or intervene when users exhibited signs of problem gambling, highlighting gaps in both financial controls and customer protection frameworks.
- An enterprise in the printing and publishing industry: The SEC charged this company over $2.1 million after a 2021 cybersecurity attack exposed sensitive nonpublic information about the company’s clients. The investigation revealed that they lacked effective disclosure controls and procedures to manage cybersecurity risk, including failing to escalate security incidents to senior leadership in a timely manner. The case underscores the increasing scrutiny on internal controls related to information security and incident reporting.
- A firm in the financial services industry: Following the company’s collapse, the UK’s Financial Reporting Council (FRC) sanctioned audit firms that failed to detect material misstatements and irregularities during their audits. The firms were found to have conducted insufficient testing of internal controls and relied too heavily on management assurances — failures that contributed to one of the UK’s most significant retail investor scandals.
- An enterprise in the reinsurance industry: The Prudential Regulation Authority fined this company nearly £1.8 million for systemic governance failures, including a lack of board oversight, weak internal control functions and inaccurate regulatory reporting. These issues reflected a breakdown in the insurer’s overall risk management framework and highlighted the importance of aligning internal controls with regulatory expectations.
- An enterprise in the financial brokerage industry: The FCA fined this company £1,087,300 for submitting over 920,000 incorrect transaction reports, close to 100% of the transactions the firm handled over a five-year period. The firm lacked adequate systems to ensure the completeness and accuracy of its transaction reporting, a core requirement under the European Market Infrastructure Regulation (EMIR) and MiFID II. The case illustrates how long-term control weaknesses in data governance can accumulate into serious compliance breaches.
Best practices for managing internal controls
Effective internal control management is critical for sidestepping failures like those outlined above. Whether your organization is scaling quickly or operating across multiple jurisdictions, the following best practices will help you design, implement and monitor strong internal control systems.
- Establish a risk-based control framework: Not all risks are equal. Use a risk assessment process to identify your organization’s most critical vulnerabilities — financial misstatements, fraud, cybersecurity threats or compliance failures — and align controls to those risks. Frameworks like COSO or NIST can guide this process.
- Define clear roles and responsibilities: Effective internal controls rely on the segregation of duties and clarity regarding who owns each process. Assign roles for control design, execution, monitoring and remediation. Ensure executive leadership and audit committees are involved in oversight.
- Automate where possible: Use technology to reduce manual errors, increase consistency and improve efficiency. Examples include automated approval workflows, system-enforced access controls and reconciliation and exception alerts. This is especially important in areas like financial reporting, procurement and cybersecurity.
- Document policies and procedures thoroughly: Well-documented internal control policies serve as both a training tool and a compliance requirement. Ensure that control activities, review cycles, escalation steps and audit trails are clearly written and accessible.
- Conduct regular control testing and monitoring: Controls are only effective if they’re consistently applied. Conduct periodic internal audits or control testing to verify design effectiveness, confirm operating effectiveness or identify gaps or process deviations. Use real-time dashboards where possible for continuous monitoring.
- Train employees and reinforce ethical culture: Internal controls are most effective when supported by an organizational culture of integrity. Provide ongoing training on control procedures, ethical conduct, fraud awareness and reporting mechanisms.
- Use technology to scale and strengthen controls: Modern technology solutions like Diligent Internal Controls Management enable real-time monitoring, centralized documentation and improved audit readiness. These tools are especially valuable for multi-entity organizations and remote teams managing distributed control environments.
Emerging technologies in internal controls
As internal control environments grow more complex, best practices alone aren’t enough. Emerging technologies have begun to reshape how organizations monitor risk, ensure compliance and respond in real time. These tools not only enhance control effectiveness but also free up teams for more strategic work.
- Automation: Process automation continues to streamline repetitive control activities like reconciliations, approvals and access provisioning. From reducing manual errors to accelerating audit readiness, automation is now foundational to modern control systems. Read our full blog on internal control automation to learn more.
- AI-driven monitoring: Artificial intelligence is now enabling continuous control monitoring by analyzing large volumes of transactions in real time to detect anomalies, fraud indicators or control failures. AI-powered tools can flag suspicious activity, enforce thresholds and even suggest control improvements based on historical patterns.
- Data analytics: Advanced analytics help organizations move from reactive to proactive control management. By aggregating and analyzing data from across business functions, internal audit teams can identify control gaps earlier, uncover hidden risk trends, prioritize high-impact remediation and visualize control performance.
- Integration with broader GRC platforms: Internal controls are no longer siloed. Rather, they’re increasingly pivotal to enterprise-wide GRC platforms. Integrating the two improves visibility, centralizes control documentation and connects compliance efforts across IT, finance, operations and legal functions.
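The continuous-monitoring and analytics ideas in the list above (enforcing thresholds, analysing whole datasets rather than samples, and flagging anomalies against historical patterns), as an added worked example. This is illustrative code written for this article, not Diligent's or ACL's software: the ledger export, employee names, vendors, the $1,000 single-purchase limit and the robust z-score cutoff of 3.5 are all constructed or assumed. It goes slightly beyond the text by also grouping same-day charges to one vendor, a standard audit analytic for charges that individually stay under a limit.

```python
"""Added example: continuous control monitoring over a constructed ledger.
Three detective checks run over every transaction (not a sample):
  1. a hard purchasing-limit threshold,
  2. same-day charges to one vendor that each sit under the limit but sum above it,
  3. charges that are statistical outliers against the employee's own history."""
import statistics
from collections import defaultdict
from typing import List, Tuple

SINGLE_PURCHASE_LIMIT = 1000.00  # assumed card limit from a purchasing policy

# Constructed one-month ledger export; none of these people or vendors are real.
SAMPLE_LEDGER = [
    {"tx_id": "TX-A1", "employee": "a.patel", "vendor": "StationeryCo", "date": "2024-03-01", "amount": 120.00},
    {"tx_id": "TX-A2", "employee": "a.patel", "vendor": "CourierOne", "date": "2024-03-04", "amount": 95.00},
    {"tx_id": "TX-A3", "employee": "a.patel", "vendor": "StationeryCo", "date": "2024-03-08", "amount": 130.00},
    {"tx_id": "TX-A4", "employee": "a.patel", "vendor": "CafeSupply", "date": "2024-03-11", "amount": 110.00},
    {"tx_id": "TX-A5", "employee": "a.patel", "vendor": "CourierOne", "date": "2024-03-15", "amount": 105.00},
    {"tx_id": "TX-A6", "employee": "a.patel", "vendor": "StationeryCo", "date": "2024-03-19", "amount": 98.00},
    {"tx_id": "TX-A7", "employee": "a.patel", "vendor": "GadgetHub", "date": "2024-03-22", "amount": 640.00},
    {"tx_id": "TX-J1", "employee": "j.kim", "vendor": "TechMart", "date": "2024-03-12", "amount": 980.00},
    {"tx_id": "TX-J2", "employee": "j.kim", "vendor": "TechMart", "date": "2024-03-12", "amount": 990.00},
    {"tx_id": "TX-J3", "employee": "j.kim", "vendor": "TechMart", "date": "2024-03-12", "amount": 975.00},
    {"tx_id": "TX-J4", "employee": "j.kim", "vendor": "CloudHost", "date": "2024-03-20", "amount": 1200.00},
]

Alert = Tuple[str, Tuple[str, ...], str]  # (reason code, transaction ids, detail)


def robust_zscores(amounts: List[float]) -> List[float]:
    """Median/MAD z-scores: the outliers we hunt for barely move the baseline."""
    median = statistics.median(amounts)
    deviations = [abs(a - median) for a in amounts]
    scale = statistics.median(deviations)
    if scale == 0:  # most values identical; fall back to the mean deviation
        scale = statistics.mean(deviations) or 1.0
    return [0.6745 * (a - median) / scale for a in amounts]


def monitor(ledger: List[dict], limit: float = SINGLE_PURCHASE_LIMIT,
            z_threshold: float = 3.5, min_history: int = 5) -> List[Alert]:
    alerts: List[Alert] = []
    by_employee = defaultdict(list)
    by_group = defaultdict(list)  # (employee, vendor, day) -> charges

    for tx in ledger:
        if tx["amount"] > limit:  # check 1: system-enforced threshold
            alerts.append(("over_limit", (tx["tx_id"],),
                           f"{tx['amount']:.2f} exceeds limit {limit:.2f}"))
        by_employee[tx["employee"]].append(tx)
        by_group[(tx["employee"], tx["vendor"], tx["date"])].append(tx)

    for (employee, vendor, day), txs in by_group.items():  # check 2
        total = sum(t["amount"] for t in txs)
        if len(txs) > 1 and all(t["amount"] <= limit for t in txs) and total > limit:
            alerts.append(("split_purchase", tuple(t["tx_id"] for t in txs),
                           f"{employee}: {total:.2f} to {vendor} on {day} in {len(txs)} charges"))

    for employee, txs in by_employee.items():  # check 3
        if len(txs) < min_history:  # too little history for a meaningful baseline
            continue
        for t, z in zip(txs, robust_zscores([t["amount"] for t in txs])):
            if z > z_threshold:
                alerts.append(("anomaly", (t["tx_id"],),
                               f"{employee}: robust z-score {z:.1f} against own history"))
    return alerts


if __name__ == "__main__":
    for code, tx_ids, detail in monitor(SAMPLE_LEDGER):
        print(f"[{code}] {', '.join(tx_ids)}: {detail}")
```

On the constructed data the limit check catches TX-J4, the grouping check surfaces the three TechMart charges as one event, and the per-employee baseline flags TX-A7 even though it is well under the limit. j.kim has too few charges for a baseline, which is why `min_history` exists: a threshold alone would have missed two of the three findings.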
Why Diligent Internal Controls Management and ACL Analytics are, together, the key to strengthening modern internal controls
Technology can force organizations into a corner, having to choose between strong governance and deep analytics. With Diligent, you can have both. Diligent Internal Controls Management brings breadth to your internal control oversight and compliance, while ACL Analytics is the ideal companion for in-depth risk coverage and continuous improvement.
These tools, together, go both broad and deep, bringing you an internal controls function that doesn’t just check boxes but actually mitigates risk, enables proactive decision-making and drives measurable business value.
Internal Controls Management systematizes your controls from end to end through:
- Streamlined documentation and workflows: Centralize all control activities, consistently assigning, tracking and escalating tasks all within a single platform.
- Task automation: Eliminate manual steps in control testing, reporting and approval processes and win back time for more strategic compliance and audit activities.
- Regulatory compliance support: Align your controls with key frameworks like COSO, SOX and UK SOX, with built-in features for attestations, ownership and audit trails.
While your internal control processes run seamlessly, ACL Analytics takes a closer look at:
- Controls monitoring: Automate control testing across entire datasets — not just samples — strengthening both detective and preventative controls.
- Advanced data analytics: Quickly identify exceptions, anomalies or patterns that indicate control weaknesses or emerging risks.
- Controls coverage: Diligent’s ACL tool cuts audit/controls reporting time by 20-30% while achieving 100% controls coverage. This can lead to over $1.3 million in productivity gains and reduced audit/control risk.
Ready for seamless, strategic internal controls workflows? Discover Diligent Internal Controls Management and ACL Analytics — and request a demo today.
FAQs
What are internal controls in accounting?
Internal controls in accounting are the processes, policies and procedures designed to protect a company’s financial information, ensure the accuracy of accounting records and comply with laws and regulations. These controls help prevent fraud, detect errors and maintain the integrity of financial statements. Examples include reconciling bank accounts, counting cash, restricting access to accounting systems and requiring multiple approvals for large payments. By implementing strong internal controls, companies reduce the risk of misstatements, financial loss and non-compliance with standards such as Generally Accepted Accounting Principles (GAAP) or International Financial Reporting Standards (IFRS).
What are some internal controls for inventory?
Internal controls for inventory are measures that ensure stock is accurately recorded, safeguarded against theft or damage and managed efficiently. Common examples include:
- Physical counts: Performing regular cycle counts or annual physical inventories to reconcile with accounting records.
- Segregation of duties: Assigning different people to ordering, receiving, and recording inventory to prevent fraud.
- Inventory management systems: Using barcodes, RFID tags and real-time tracking software.
- Access restrictions: Limiting warehouse or storage access to authorized personnel only.
- Reorder thresholds: Setting automated alerts to prevent stockouts or overstocking.
Which type of company is required to maintain internal accounting controls according to the FCPA?
Under the Foreign Corrupt Practices Act (FCPA), publicly traded companies in the United States — including foreign companies listed on U.S. stock exchanges — are required to maintain internal accounting controls. These controls must provide reasonable assurance that transactions are executed with proper authorization, assets are safeguarded, and financial records accurately reflect the company’s activities. The goal is to prevent bribery, corruption and fraudulent financial reporting. Even privately held companies doing business internationally may adopt similar controls to reduce legal and reputational risks.
Who has final responsibility for internal controls?
The board of directors has ultimate responsibility for ensuring effective internal controls, but operational responsibility is shared with senior management. Management, particularly the CEO and CFO, is responsible for designing, implementing and monitoring the system of controls. The board, often through the audit committee, oversees this process to ensure compliance with laws, regulations and ethical standards. External auditors and internal audit teams play a supporting role by evaluating the controls’ effectiveness, but accountability ultimately rests with leadership.
What is a significant deficiency in internal control?
A significant deficiency in internal control is a flaw or weakness that, while not as severe as a “material weakness,” is important enough to be reported to a company’s audit committee and management. It indicates that there is a reasonable possibility that a company’s internal controls may fail to prevent or detect errors or fraud in financial reporting. For example, a lack of segregation of duties in payroll processing could allow an employee to both enter and approve payroll changes, creating a risk of unauthorized payments. Identifying and correcting significant deficiencies promptly is essential to maintaining reliable financial reporting.
What is the concept behind the separation of duties in establishing internal controls?
Separation of duties (also called segregation of duties) is the internal control principle that no single individual should control all aspects of a financial transaction. The idea is to divide responsibilities so that one person’s work serves as a check on another’s. For example, in accounts payable, one employee might approve vendor invoices, another might process the payments and a third might reconcile the bank account. This reduces the risk of errors, fraud and misappropriation of assets. In modern systems, technology can enforce the separation of duties by restricting user permissions.
Why is an external audit included among internal controls?
An external audit is considered part of an organization’s internal control framework because it provides an independent, third-party assessment of the company’s financial statements and internal control effectiveness. External auditors review accounting records, test control processes and verify that financial reports comply with applicable standards such as GAAP or IFRS. Their findings help management and the board identify weaknesses, ensure compliance with regulations like the Sarbanes-Oxley Act (SOX) and improve transparency for investors and stakeholders. While internal controls are primarily an internal responsibility, external audits enhance credibility and accountability.