By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Internal controls are policies, procedures, and systems designed to ensure accuracy, efficiency, and compliance in an organization’s operations. Businesses use them to prevent fraud, reduce errors, and safeguard assets—whether financial, physical, or digital.
You’d implement internal controls to protect revenue, meet regulatory requirements (e.g., SOX, GDPR), and improve decision-making by ensuring reliable data.
Without internal controls, businesses face: - Financial losses (fraud, theft, or accounting errors).- Legal penalties (non-compliance with laws like Sarbanes-Oxley).- Operational chaos (inefficient processes, duplicate work, or security breaches).- Reputation damage (loss of customer trust due to mismanagement).
Strong internal controls reduce risk, improve accountability, and streamline workflows—critical for startups scaling or enterprises maintaining trust.
The Committee of Sponsoring Organizations (COSO) defines internal controls via five pillars:
Key insight: Preventive controls are cheaper long-term; detective controls are a safety net.
No single person should control all aspects of a critical process. Split responsibilities to reduce fraud risk.
Red flag: If one employee handles authorization, custody, and recording of assets, fraud risk skyrockets.
Define who can do what and how much they can approve.
Pro tip: Use role-based access control (RBAC) in software to automate this.
Regularly compare records to spot discrepancies.
Internal controls are not a single tool but a layered system integrated into workflows. Here’s how they fit together:
Simple Diagram (Text-Based):
[Business Process] → [Risk] → [Control] → [Tool/Procedure] → [Monitoring] Example: Payroll → Ghost employees → Segregation of duties → HR enters data, Finance pays → Quarterly audits
Scenario: A 10-person e-commerce store wants to prevent expense fraud.
Goal: Enforce manager approval for expenses over $100.
plaintext =IF(AND(B2 > 100, ISBLANK(C2)), "NEEDS APPROVAL", "")
javascript function checkApprovals() { const sheet = SpreadsheetApp.getActiveSpreadsheet().getSheetByName("Expenses"); const data = sheet.getDataRange().getValues(); data.forEach((row, i) => { if (row[1] > 100 && !row[2]) { // Amount > 100 and no approval MailApp.sendEmail("[email protected]", "Expense Needs Approval", `Expense of $${row[1]} by ${row[0]} requires approval.`); } }); }
Prioritize controls for: - Cash handling (e.g., petty cash, bank reconciliations).- Payroll (e.g., ghost employees, overtime fraud).- Inventory (e.g., theft, spoilage).
Problem: A clothing store loses 5% of inventory to employee theft.Controls Implemented:- Preventive: Require manager approval for all voided sales.- Detective: Weekly inventory counts; cameras in stockrooms.- Segregation: Cashiers can’t access inventory storage.Outcome: Theft drops to 1%.
Problem: Employees submit fake receipts for "software subscriptions." Controls Implemented:- Preventive: Expensify enforces receipt uploads and flags duplicates.- Detective: Finance audits 10% of expenses monthly.- Approval: Manager must approve all expenses > $50.Outcome: Fraudulent submissions drop by 90%.
Problem: A factory discovers "ghost employees" on payroll.Controls Implemented:- Segregation: HR adds employees, Finance processes payroll, Manager approves timesheets.- Detective: Quarterly audits compare payroll to HR records.- Preventive: Direct deposit only (no cash payments).Outcome: Ghost employees eliminated.
A company lets the same employee approve invoices, write checks, and reconcile bank statements. Which internal control principle is violated?
A) Risk assessment B) Segregation of duties C) Control environment D) Monitoring
Correct Answer: B) Segregation of dutiesExplanation: Segregation of duties splits critical tasks to reduce fraud risk. Here, one person controls authorization, custody, and recording—a major red flag.Why the Distractors Are Tempting:- A) Risk assessment is about identifying risks, not splitting roles.- C) Control environment is about leadership’s tone, not task assignments.- D) Monitoring is about reviewing controls, not designing them.
A retail store wants to prevent employee theft of cash. Which control is most effective?
A) Installing security cameras B) Requiring two employees to count cash at shift changes C) Conducting surprise audits D) Training employees on ethics
Correct Answer: B) Requiring two employees to count cash at shift changesExplanation: This is a preventive control that stops theft by ensuring no single employee handles cash alone. Cameras and audits are detective, and training is soft (less reliable).Why the Distractors Are Tempting:- A) Cameras deter theft but don’t physically prevent it.- C) Audits catch theft after it happens.- D) Training is important but not a direct control.
A company’s monthly bank reconciliation reveals a $5,000 discrepancy. What should the accounting team do first?
A) Assume it’s a timing difference and ignore it B) Investigate the discrepancy immediately C) Adjust the books to match the bank statement D) Report it to the police
Correct Answer: B) Investigate the discrepancy immediatelyExplanation: Reconciliations are detective controls—the goal is to find and fix errors or fraud. Ignoring or adjusting books without investigation defeats the purpose.Why the Distractors Are Tempting:- A) Timing differences (e.g., pending transactions) are common, but $5,000 is too large to ignore.- C) Adjusting books without investigation could hide fraud.- D) Reporting to police is premature—first, verify if it’s an error.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.