This page introduces the concept of control. It explains some of the terms and points to a wider range of resources to help your research. This includes documents published by the Institute in relation to control and internal audit assurance.
Often we forget to ask ourselves the purpose of control. Instead, we just take it for granted that control is something that exists and is good. People talk about control objectives, implying that the purpose of control is to achieve those objectives. In the UK and Ireland, however, we tend to see control as deriving its purpose and value from the management of risk. Controls are there if there is a risk to be managed and there is no point having a control if there is no risk to manage. This view is compatible with the Turnbull guidance (see below).
Control is a broad concept that means different things to different people. The IIA definition explains it in concise terms as “Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.” (Page 41, Glossary to the booklet: Definition of Internal Auditing, Code of Ethics, International Standards for the Professional Practice of Internal Auditing.)
The control environment refers to the way the board and senior management set the tone of the organisation. It is part of the culture of the organisation, influencing how risk is viewed and the control consciousness of the people. It is an expression of the ‘way things are done’. Every organisation operates differently, which is revealed through organisational ethics, values, structure, reporting lines, authority, rules and the documentation of policy.
The IIA definition of control processes is “the policies, procedures and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process”.
These are the daily routines, checks and balances that make the organisation function. It is not possible to describe them all, but here are two alternative ways of categorising controls with some examples.
To learn about the nature of control and the format of control reports, see the two Professional Briefing Notes (PBNs) the Institute has published: PBN 06 Internal Control and PBN 08 Reporting on Internal Control.
There are control models and guidance that can help management understand the interrelationship between governance, risk management and control. They can also be used as a reference point to review and refine the control environment of the organisation. There is no right or wrong approach to looking at control; it is more a case of developing a control environment that suits your organisation. Control is a means to an end, not an end in itself.
COSO explains there are a number of components that need to work together within a control framework to help the organisation achieve its objectives.
An organisation where all the components are working well and are embedded is more likely to achieve its objectives and have a strong and sustainable future.
It is therefore relevant to all managers from executive director downwards, as well as risk managers and internal auditors.
Internal audit’s responsibility in respect of control is set out in the International Standards. Performance Standard 2130 says “The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.” The purpose of internal audit’s evaluation of control is to provide the board and management with assurance on the adequacy and effectiveness of control so that they have an understanding of how the organisation is managing its risk and how likely it is to achieve its objectives.
Further detail on the focus of this assurance and the practical approach to evaluating control processes can be found in the 2130 Control series of the Performance Standards and the 2130 Practice Advisories.
In April 2011 IIA Global published a practice guide entitled 'Auditing the Control Environment'. It provides a comprehensive description of how the control environment is structured and offers practical considerations for an internal audit. All practice guides are available in the Practice Guides section of our website.
Control resources are available within our Resource Library. By choosing ‘internal control’ from the list of principal keywords you can obtain IIA guidance, consultation responses and magazine articles related to control. If you feel we can make useful additions to this page, please contact our Technical Manager, Chris.Baker@iia.org.uk.