Email Adam Email
Jul 15, 2016

Internal Control – How Sweet It Is

Sponsored Content provided by Adam Shay - Director of VCFO Services, Red Bike Advisors

This Insights was contributed by Richard Pasquantonio, CPA/CFF, CFE, CDFA (N.C. License Number 33577), an associate at Adam Shay CPA, PLLC.
Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
Now this part of the article is going to get a little technical, but if you bear with me, there is a real-world example that follows.
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control. 
COSO defines internal controls with more of an emphasis on management. COSO states that, “Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
COSO defines four components that make up its framework and emphasize the measures, the direction and quality of information, and communication that flows between the components:

  • Control Environment is the tone at the top.
  • Risk Assessment is an ongoing evaluation by management as an organization changes and becomes more complex.
  • Control Activities are the actions supported by policies to address known risks.
  • Monitoring is a process that assesses the quality of the system's performance over time.
What does this mean and more importantly, how do I use internal controls as a tool for running my business as it grows in revenue and complexity?
First, some basic tenets of internal controls need to be established. Fundamentally, internal controls are designed to mitigate risk in five basic areas of a business:
  • Strategic risk can prevent an organization from accomplishing its objectives or goals.
  • Financial risk can result in a negative financial impact to the organization (fraud, waste and abuse).
  • Regulatory/Compliance risk can expose the organization to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.
  • Reputational risk can expose the organization to negative publicity.
  • Operational risk can prevent the organization from operating in the most effective and efficient manner or be disruptive to other operations.
The following conditions that increase these risks outline a basic framework for implementing effective controls:
  • Lack of segregation of duties
  • Too much trust
    - Approval of documents without review
    - Lack of verification of transactions after they have been entered in the system
    - Lack of reconciliations
  • No follow-up when things appear “questionable” or “not reasonable”
  • Lack of control over cash
  • Lack of control over purchasing
  • Lack of knowledge of policies and procedures
Once you have defined the organization’s risk profile, then you can implement the control activities to specifically address those risks. There are different control activities in your internal control toolbox:
  • Directive - Corporate policy, spending limits, IT configurations
  • Preventive - Training, permissions, passwords, oversight procedures
  • Detective - Reconciliations, review of payroll reports
  • Corrective - Changing IT access when roles change
  • Recovery - Creating and maintaining system backups
There are also automated controls used in an IT system which is beyond the scope of this article.
Let's try a real world example. 
The weekend: Father's Day. As is our custom, I was positioned behind my Char-Griller Super Pro 29-inch Barrel Charcoal Grill complete with side fire box offset smoker. I may have had a local craft beer, wrapped up in a Cucalorus 21 Freaker. This day was good.
My son, Luciano, age 1, had just lain down for a nap while my wife, Michele, and 3-year-old daughter, Violet, are at the picnic table setting up for an intense game of Candy Land. Violet asked me if I was going to play with her and mommy. I responded affirmatively, but stated that I would need some help since I was cooking dinner. Violet quickly volunteered to help. Michele, without solicitation, weighs in, “I will watch her.”
My daughter Violet is a determined child. She hasn't been with the organization a long time. My experience has been that without close supervision, she really can't be trusted. Michele, on the other hand, is my partner in all of this. She got in on the ground floor and has been equally responsible for building this great enterprise, our family. That being said, after 15 years of board game shenanigans (Read: my wife cheats at Yahtzee), my confidence in her as it relates to this matter may be misplaced.
Candy Land is a simple racing game that requires no reading and minimal counting skills. There is no strategy involved; players are never required to make choices, just follow directions.  You pick a card. It contains a color or a shape, and you move your game piece to the corresponding space on the game's board. It is basically double entry accounting; a CPA’s dream come true.
As I was seasoning the grill, I was charged with placing a system of checks and balances to safeguard my chances of reaching King Candy at the Candy Castle. I needed desperately to establish some internal controls.
My first step was to establish a directive control. I read the directions to the game aloud so that we all understood the rules.
Second, I needed a good preventive control. I gave Violet the responsibility of selecting my card, but I put Michele in charge of moving my game piece around the board. This should be an adequate segregation of duties providing me a limited degree of assurance that I will receive my turn and have my piece moved fairly.
But what about collusion? A package of fruit snacks would put Violet at odds with her ethics.
The answer: a strong detective control. I asked that each player retain the cards from each round of play and keep their respective stacks in front of them. This control allowed me to determine if I was given an equal number of turns. It also allowed me to double check if I was given adequate credit in the form of moves around the game board as well as the capability of determining the other players’ accuracy.
Fortunately, there was no need for any corrective controls.
Unfortunately, there were no recovery controls ... so when Luciano woke up and Michele went inside to get him, the game and all the pieces were pushed aside and replaced with Play-Doh.
I hope that this article gave you a better understanding of how internal controls work to protect your business and that you enjoyed a fun application of the COSO framework.
Richard Pasquantonio, CPA/CFF, CFE, CDFA (N.C. License Number 33577), is an associate at Adam Shay CPA, PLLC. He focuses on forensic accounting, fraud prevention and detection, and tax controversy resolution. He is also an AICPA CFF Champion. The purpose of the CFF Champion program is to inform the professional community about the vital role of forensic accounting professionals, the knowledge required to become a CFF, and the benefits of the CFF credential. For more information, visit or email him at [email protected]. Pasquantonio can also be reached by phone at (910) 256-3456.
Adam Shay, CPA (N.C. License Number 35961), MBA, is managing partner of Adam Shay CPA, PLLC. He focuses on minimizing taxes and improving the financial results of entrepreneurs, and is actively involved in supporting the Wilmington entrepreneurial and startup community. For more information, visit or email him at [email protected]. He can also be reached by phone at (910) 256-3456.

Other Posts from Adam Shay

Redbikeadvisors block[55]
Ico insights



Unlocking Potential: The Power of Business Peer Groups

John Monahan - Vistage
2022052 75 142344351

Bridging Futures: The Case for Toll Funding in Wilmington’s Cape Fear Memorial Bridge Revamp

Natalie English - Wilmington Chamber of Commerce
Untitleddesign2 9202334730

New Scotts Hill Medical Center to be a One-Stop Destination for Many Health Care Needs

Novant Health - New Hanover Regional Medical Center Novant Health

Trending News

Wilmington Startup Gains Endorsement Through Spokesperson, Potential Investors

Audrey Elsberry - Feb 26, 2024

Rezoning Proposed For Carolina Beach Land, Including Seawitch Site

Emma Dill - Feb 26, 2024

Sullivan Promoted To Marketing Director At Thomas Construction

Staff Reports - Feb 27, 2024

Sikes Honored As Top Franchisee

Staff Reports - Feb 27, 2024

Wilmington's Venture Capital Spending Declines Sharply In 2023

Audrey Elsberry - Feb 27, 2024

In The Current Issue

MADE: IKA Works Inc. Equips Labs

IKA Works Inc. manufactures products used by universities, biotech companies and more....

Trouble Brewing: How A Social Media Post Bubbled Over For A Wilmington Brewery

Social media can influence which local breweries are favored among patrons and restaurants. This dynamic played out recently with an online...

Locals Cook Up Kitchen Concepts

Local chefs and restaurant industry owners are setting up shared kitchens, some with an entrepreneurial drive....

Book On Business

The 2024 WilmingtonBiz: Book on Business is an annual publication showcasing the Wilmington region as a center of business.

Order Your Copy Today!



2023 Power Breakfast: Major Developments