March 30, 2026 28 min read

The essential guide to internal audit and controls

Kim Pham

Key Takeaway: Internal controls are the day-to-day system that mitigates risk; internal audit is the independent function that evaluates whether that system works. The 2024 IIA Global Standards, PCAOB AS 1105 amendments (effective FY2025+), and COSO's February 2026 GenAI guidance have expanded what auditors must test. KPMG benchmarks show SOX costs up 44% to $2.3M as automation slipped to 17%.

Internal controls are everyone's job — and that is both the strength and the weakness of any control environment. Every employee plays a role in safeguarding assets, ensuring complete and accurate records, complying with laws and regulations, and helping the business meet its objectives by managing risk. Senior management and the internal audit function own the responsibility to set that tone and provide independent, objective assurance over the design and effectiveness of controls.

What are internal controls?

An organization's internal controls are the policies, procedures, and processes designed to safeguard assets and minimize risk — including the risk of fraud, corruption, waste, and abuse. Internal control compliance provides reasonable assurance that company objectives are met efficiently and effectively. Internal controls are the process designed to accomplish a goal; compliance is the successful execution of that control.

An internal control audit is the process of reviewing and evaluating an organization's internal control systems to confirm they are functioning effectively to prevent fraud, errors, and noncompliance.

A good example is password protection. The controls might require a password and enforce complexity rules (character minimums, session length, timeout on failed attempts). Compliance is configuring applications to meet those rules and ensuring they cannot be adjusted without proper approval and justification.

Internal controls provide a framework for accountability, integrity, and transparency. The most widely recognized framework is published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a private-sector organization dedicated to governance and internal controls guidance.

The 5 components of internal control and their limitations

The five main components of an internal control system under the COSO Internal Control — Integrated Framework are:

  1. Control environment: Sets the tone at the top and includes the policies, procedures, standards, processes, and ethical values established by senior management and the board.
  2. Risk assessment: Every organization has business objectives, related risks that can prevent meeting them, and controls in place to mitigate those risks. A risk assessment determines the impact and likelihood of those risks and shapes which controls are needed to reach an acceptable level of residual risk.
  3. Control activities: The specific actions management takes to enact the policies and procedures set in the control environment. For example, a policy may grant system access on a least-privilege basis; the control activity is assigning access by role and requiring periodic manager review.
  4. Information and communication: Controls only work if employees know how and when to perform them and what to do if an issue is identified. This component ensures relevant information flows through the organization and to external stakeholders on time.
  5. Monitoring: Ongoing assessment of the design and effectiveness of internal controls. Monitoring is performed by management, compliance functions, and internal auditors to provide assurance that controls are operating effectively.

While a sound program based on the COSO framework mitigates risk, three internal control limitations apply to every environment: collusion, human error, and unexpected issues.

Limitation 1: Collusion

Segregation of duties is a baseline component of any successful internal control program because it prevents a single employee from completing a process end-to-end. Collusion occurs when individuals work together to circumvent segregation-of-duties controls and commit fraud. It is not always possible to fully segregate duties, which can increase the opportunity for collusion.

Auditors need a solid understanding of all financially significant processes, including how control responsibilities shift with new hires, transfers, and terminations, so monitoring controls remain effective. A material misstatement caused by fraud can leave a lasting mark on a company's brand and reputation.

Limitation 2: Human error

The effectiveness of any control program is bounded by the fact that people are not perfect. Examples of human error that can impact internal controls include innocent mistakes due to fatigue or distraction, misunderstood instructions, and decisions made with limited information.

Common mitigations include automating controls where possible and implementing integrated technology that gives stakeholders greater visibility into audit, risk, and compliance activities to support better decisions. According to 2025 SOX benchmarks, automated controls now represent only 17% of total controls — down from 21% in FY2022 — even as in-scope systems have grown 135%, underscoring the urgent need to reverse this trend.

Limitation 3: Unexpected issues

Unexpected issues capture the unforeseen circumstances that can impact a business — no organization can anticipate every risk while simultaneously implementing controls against it. Some practitioners argue that a strong internal controls program not only mitigates risk but also allows an organization to use risk knowledge as a competitive advantage and take on more risk where appropriate.

Organizations that implement connected risk technology to perform dynamic risk assessments and monitor risk in real time are better positioned to identify and address unexpected issues before they escalate. This is particularly relevant as AI adoption accelerates — COSO released dedicated COSO GenAI guidance in February 2026 adapting its five-component framework specifically to address generative AI risks, giving internal auditors a structured methodology for an entirely new class of unexpected control failures.

What are the types of internal controls?

While there are inherent limitations to any control program, implementing the right mix of control types helps the company meet its objectives while minimizing undesirable events. The two primary types of internal controls are preventive and detective, and many frameworks expand the taxonomy to four by adding directive and corrective controls.

Preventive controls reduce the need to detect mistakes after the fact, but detective controls are still needed to catch issues that slip through before they become significant.

Preventive internal controls

Preventive controls are designed to stop errors or adverse events from happening in the first place. They can be manual or automated, though automated controls reduce human error and streamline testing through benchmarking. Examples include system access controls (including segregation of duties), invoice approvals above a threshold, background checks for new hires, and physical security like laptop locks and alarms.

Detective internal controls

Detective controls focus on identifying issues or irregularities after the fact and should operate alongside preventive controls to surface problems before they become significant. Examples include physical inventory counts, account reconciliations, and tying out financial statements to supporting documents.

A mix of preventive and detective controls is essential to mitigate risk and prevent issues from compounding.

Directive and corrective controls

Some frameworks expand the taxonomy beyond preventive and detective to four categories:

  1. Directive controls — policies, training, standards, and codes of conduct that encourage desired behavior. Directive controls are generally considered the weakest form of standalone control.
  2. Preventive controls — stop errors or fraud before they occur (segregation of duties, access restrictions, approval thresholds).
  3. Detective controls — identify issues after the fact (reconciliations, inventory counts, exception reports).
  4. Corrective controls — restore the organization to its intended state after a detective control identifies an issue. Examples include data backup restoration, disaster recovery and business continuity plan execution, patches and hotfixes, incident response procedures, journal entry corrections, financial restatements, and disciplinary action for policy violations. Test corrective controls as rigorously as the others — for example, periodically validate that backup restoration actually works rather than assuming the backup job completed.
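The last item above makes the point that a corrective control such as backup restoration has to be tested, not assumed. The following is an added example, not code from the original article or from Optro: a self-contained restore drill that backs up a constructed directory, restores it into a scratch location, and compares every restored file's SHA-256 against a manifest written at backup time. The file names and the manifest format are assumptions for the example; the `tamper` flag simulates a corrupted restore so the drill's failure path is exercised too.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its content hash."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source_dir, archive_path):
    """Write a .tar.gz of source_dir plus a JSON manifest of expected hashes."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    manifest_path = str(archive_path) + ".manifest.json"
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest_path


def extract(archive_path, restore_dir):
    """Restore into a scratch directory, using the safe 'data' filter where available."""
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(str(restore_dir), **kwargs)


def verify_restore(restore_dir, expected):
    """Compare the restored tree with the manifest; any difference fails the drill."""
    actual = build_manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    mismatched = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {
        "ok": not (missing or unexpected or mismatched),
        "missing": missing,
        "unexpected": unexpected,
        "mismatched": mismatched,
    }


def run_restore_drill(tamper=False):
    """End-to-end drill on constructed files; tamper=True corrupts the restore."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "source")
        src.mkdir()
        # Constructed sample data standing in for a real system's files.
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "config").mkdir()
        (src / "config" / "app.ini").write_text("[db]\nhost=example\n")

        archive = Path(work, "backup.tar.gz")
        manifest_path = take_backup(src, archive)

        restore = Path(work, "restore")
        restore.mkdir()
        extract(archive, restore)
        if tamper:
            # Simulate a truncated file after restore so the check has to catch it.
            (restore / "ledger.csv").write_text("id,amount\n1,100\n")

        with open(manifest_path) as f:
            expected = json.load(f)
        return verify_restore(restore, expected)


if __name__ == "__main__":
    print("clean restore:", run_restore_drill())
    print("corrupted restore:", run_restore_drill(tamper=True))
```

The evidence an auditor wants from a drill like this is the `verify_restore` result retained with the run date, not just the backup job's exit status; the manifest written at backup time is what turns "the job completed" into "the data came back intact".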

IT general controls (ITGC)

ITGC governs the IT environment that financial and operational applications rely on, which means a weakness in any ITGC domain can undermine the reliability of automated application controls and the electronic evidence those systems produce. The four ITGC domains are:

  1. Access controls — provisioning, deprovisioning, periodic access reviews, and segregation of duties in applications and infrastructure.
  2. Change management — controls over how code, configuration, and infrastructure changes are requested, tested, approved, and migrated to production.
  3. Data backup and recovery — backup design, execution, monitoring, and periodic restoration testing.
  4. Security management — security configuration, vulnerability management, monitoring, and incident response.
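Two of the controls discussed above, segregation of duties (under Limitation 1) and periodic access reviews with timely deprovisioning (access controls, item 1 here), are usually tested by running a rule set over an entitlement export. The following is an added example, not code from the original article or from Optro: it takes a constructed entitlement list and HR roster, reports SoD conflicts against an assumed rule set, flags terminated and orphaned accounts, and builds a per-manager certification packet. The entitlement names, the rule pairs, and the roster fields are all assumptions for the example.

```python
import datetime as dt

# Constructed sample data (hypothetical): entitlements exported from an ERP or IAM
# system, and an HR roster keyed by user id. Field names are assumptions.
ENTITLEMENTS = [
    ("alice", "AP_VENDOR_MAINTAIN"),
    ("alice", "AP_INVOICE_ENTRY"),
    ("bob", "AP_INVOICE_ENTRY"),
    ("bob", "AP_PAYMENT_RELEASE"),
    ("carol", "GL_JOURNAL_POST"),
    ("carol", "GL_JOURNAL_APPROVE"),
    ("dave", "AP_PAYMENT_RELEASE"),
    ("erin", "GL_JOURNAL_POST"),
]

HR_ROSTER = {
    "alice": {"status": "active", "manager": "frank", "termination_date": None},
    "bob": {"status": "active", "manager": "frank", "termination_date": None},
    "carol": {"status": "active", "manager": "grace", "termination_date": None},
    "dave": {"status": "terminated", "manager": "frank",
             "termination_date": dt.date(2026, 1, 31)},
    # "erin" holds access but has no HR record at all: an orphaned account.
}

# Assumed SoD rule set: entitlement pairs one person must not hold together.
SOD_RULES = {
    ("AP_VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"): "create a vendor and enter invoices to it",
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"): "enter an invoice and release its payment",
    ("GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"): "post and approve own journals",
}

AS_OF = dt.date(2026, 3, 30)  # review date for the constructed run


def entitlements_by_user(entitlements):
    by_user = {}
    for user, ent in entitlements:
        by_user.setdefault(user, set()).add(ent)
    return by_user


def sod_conflicts(entitlements, rules=SOD_RULES):
    """Return (user, entitlement_a, entitlement_b, description) for each violation."""
    findings = []
    for user, ents in sorted(entitlements_by_user(entitlements).items()):
        for (a, b), desc in rules.items():
            if a in ents and b in ents:
                findings.append((user, a, b, desc))
    return findings


def access_review_exceptions(entitlements, roster, as_of):
    """Flag accounts that should have been deprovisioned or have no HR owner."""
    findings = []
    for user in sorted(entitlements_by_user(entitlements)):
        rec = roster.get(user)
        if rec is None:
            findings.append((user, "orphaned: no HR record"))
        elif rec["status"] == "terminated":
            days = (as_of - rec["termination_date"]).days
            findings.append((user, f"terminated {days} days ago, access still active"))
    return findings


def review_packet(entitlements, roster):
    """Group active users' entitlements by manager for periodic certification."""
    packet = {}
    for user, ents in entitlements_by_user(entitlements).items():
        rec = roster.get(user)
        if rec and rec["status"] == "active":
            packet.setdefault(rec["manager"], {})[user] = sorted(ents)
    return packet


if __name__ == "__main__":
    for f in sod_conflicts(ENTITLEMENTS):
        print("SOD:", f)
    for f in access_review_exceptions(ENTITLEMENTS, HR_ROSTER, AS_OF):
        print("ACCESS:", f)
    for mgr, users in review_packet(ENTITLEMENTS, HR_ROSTER).items():
        print("CERTIFY", mgr, users)
```

A rule-based check like this is the preventive and detective baseline the article describes; it cannot see collusion between two users who each hold only one side of a conflicting pair, which is why the text pairs it with monitoring of financially significant processes rather than treating it as sufficient on its own.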

The PCAOB's amended AS 1105, effective for fiscal years beginning on or after December 15, 2025, requires auditors to explicitly evaluate the reliability of external electronic information used in technology-assisted analysis — raising the stakes on ITGC testing.

Internal audit vs. internal control: function vs. system

It is almost impossible to talk about internal audit without mentioning internal controls, since both are needed for an effective risk management strategy.

Put simply, internal audit is a function, while internal control is a system. Internal controls are the ongoing policies, procedures, and activities management designs and operates every day to mitigate risk and achieve objectives. Internal audit is the independent and objective assurance function (as defined in the IIA Global Standards, which reorganized professional practice into 15 guiding principles across five domains effective 2024) that periodically evaluates whether the control system is well-designed and operating effectively, then reports findings to executive leadership and the audit committee.

While management is responsible for identifying risks and implementing controls to mitigate them, internal audit evaluates whether those controls are designed and operating effectively. Auditing internal control procedures reduces errors and fraud, improves the accuracy of financial reporting, increases operational efficiency, and strengthens a company's reputation and credibility.

Internal audit teams help organizations assess controls by evaluating the risk identification process, advising on control design and implementation, performing control testing, and conducting operational audits, compliance audits, and fraud investigations.

What are internal control objectives in auditing?

A control objective is the reason a control exists, typically written as a statement of how a particular risk will be managed. Control objectives from the COSO Internal Control — Integrated Framework fall into three categories: operational, reporting, and compliance.

Operational objectives

Operational objectives center on improving business operations. Examples include performance reviews, physical safeguards of assets, training and coaching, review and approval processes, and segregation of duties.

Reporting objectives

Reporting objectives relate to trustworthy and timely reporting, including compliance with AS 2201 standards for internal control over financial reporting. Examples include spending authorization, reviews and approvals, verification, budget reconciliations, and password protections.

Compliance objectives

Compliance objectives cover adherence to state and federal laws and industry regulatory requirements. Examples include data verification, training, and regular review of and adherence to policies and procedures manuals.

How do auditors test internal controls?

Determining which controls to test depends on the size and complexity of the organization, the nature of the business, and a risk assessment that identifies in-scope business units, processes, and applications. Controls associated with in-scope processes are then risk-ranked, which drives the extent of testing.

Testing internal controls involves procedures to evaluate the design and the operating effectiveness of a control in preventing or detecting material misstatements. The audit team documents procedures and results, including any deficiencies or weaknesses, and confirms timely remediation. Importantly, PCAOB AS 1105 — effective for fiscal years beginning on or after December 15, 2025 — now requires auditors to specifically evaluate the reliability of external information provided in electronic form, adding a new documentation requirement for technology-assisted audit evidence. Results are shared with management, executive leadership, and other stakeholders on a periodic basis.

The 5 stages of an internal control audit

An internal control audit typically follows five stages:

  1. Planning and scoping — defining objectives, in-scope business units, processes, and applications.
  2. Risk assessment and understanding of internal controls — identifying inherent risks and mapping controls to those risks.
  3. Control design evaluation — assessing whether the control, if operating as described, would mitigate the risk (walkthroughs, inquiry, and inspection of one transaction).
  4. Control testing — performing inquiry, observation, inspection, and reperformance over a sample of transactions to confirm operating effectiveness across the period.
  5. Reporting and remediation — documenting deficiencies, communicating findings to management and the audit committee, and tracking remediation to closure.

Design effectiveness vs. operating effectiveness

Design effectiveness asks: if the control operated as described, would it prevent or detect a material misstatement? Testing typically involves walkthroughs, inquiry, and inspection of a single transaction. Operating effectiveness asks: did the control actually function as designed throughout the period? Testing requires a sample of transactions across the period using inquiry, observation, inspection, and reperformance. A control can be well-designed but operate ineffectively — for example, a documented management review that is signed off without real scrutiny — which usually drives a control deficiency or significant deficiency depending on magnitude and likelihood of misstatement.
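The operating-effectiveness test described above (a sample spread across the period, reperformed against the control's stated attributes) is easy to show in code. The following is an added example, not code from the original article or from Optro: a constructed population of manual journal entries subject to an assumed control ("every manual journal is approved by someone other than the preparer before posting"), a quarter-stratified sampler so the sample covers the whole period, and a reperformance routine that records an exception for each failed attribute. The sign-off-speed attribute is a judgemental indicator of the "signed off without real scrutiny" failure the text mentions, and its 120-second threshold is an assumption for the example.

```python
import datetime as dt
import random
from dataclasses import dataclass
from typing import Optional

# Assumed judgemental threshold: an approval recorded this soon after submission is
# flagged for follow-up as a possible rubber stamp, not concluded on automatically.
MIN_REVIEW_SECONDS = 120


@dataclass
class Journal:
    je_id: str
    preparer: str
    reviewer: Optional[str]
    submitted_at: dt.datetime
    approved_at: Optional[dt.datetime]
    posted_at: dt.datetime


def _d(month, day, hour, minute, second=0):
    return dt.datetime(2025, month, day, hour, minute, second)


# Constructed population for FY2025 (hypothetical); each row is one manual journal.
JOURNALS = [
    Journal("JE-1001", "alice", "frank", _d(1, 15, 10, 0), _d(1, 15, 10, 35), _d(1, 15, 11, 0)),
    Journal("JE-1002", "bob", "bob", _d(2, 20, 9, 0), _d(2, 20, 9, 20), _d(2, 20, 9, 45)),
    Journal("JE-1003", "alice", "frank", _d(4, 10, 9, 0), _d(4, 10, 9, 0, 40), _d(4, 10, 9, 30)),
    Journal("JE-1004", "carol", "grace", _d(5, 28, 14, 0), _d(5, 28, 16, 0), _d(5, 28, 15, 0)),
    Journal("JE-1005", "alice", None, _d(7, 8, 11, 0), None, _d(7, 8, 11, 30)),
    Journal("JE-1006", "carol", "grace", _d(8, 30, 13, 0), _d(8, 30, 13, 50), _d(8, 30, 14, 0)),
    Journal("JE-1007", "bob", "frank", _d(10, 3, 8, 30), _d(10, 3, 9, 10), _d(10, 3, 9, 15)),
    Journal("JE-1008", "alice", "grace", _d(12, 19, 15, 0), _d(12, 19, 15, 40), _d(12, 19, 16, 0)),
]


def quarter(d):
    return (d.month - 1) // 3 + 1


def select_sample(population, per_quarter=2, seed=2025):
    """Pick items from every quarter so the sample spans the period, reproducibly."""
    rng = random.Random(seed)
    by_quarter = {}
    for j in population:
        by_quarter.setdefault(quarter(j.posted_at), []).append(j)
    sample = []
    for q in sorted(by_quarter):
        items = by_quarter[q]
        sample.extend(rng.sample(items, min(per_quarter, len(items))))
    return sample


def evaluate_review_control(sample):
    """Reperform the control on each sampled item; return (je_id, exception) pairs."""
    exceptions = []
    for j in sorted(sample, key=lambda j: j.je_id):
        if j.reviewer is None or j.approved_at is None:
            exceptions.append((j.je_id, "no review evidence"))
            continue
        if j.reviewer == j.preparer:
            exceptions.append((j.je_id, "self-review"))
        if j.approved_at > j.posted_at:
            exceptions.append((j.je_id, "posted before approval"))
        if (j.approved_at - j.submitted_at).total_seconds() < MIN_REVIEW_SECONDS:
            exceptions.append((j.je_id, "sign-off too fast to evidence real review"))
    return exceptions


if __name__ == "__main__":
    sample = select_sample(JOURNALS)
    for je_id, reason in evaluate_review_control(sample):
        print(je_id, reason)
```

Each exception maps to a different way the same well-designed control can fail in operation: no evidence at all, the wrong person reviewing, the sequence being inverted, or a sign-off that could not have involved scrutiny. Deciding whether the resulting exception rate is a deficiency or a significant deficiency remains the auditor's judgement on magnitude and likelihood, as the text says.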

How internal controls shape the audit strategy

One reason auditors place such weight on evaluating internal controls is that the findings directly influence the nature, timing, and extent of audit procedures. When controls are well-designed and operating effectively — control risk is "low" — auditors can place reliance on those controls, reducing the scope of direct substantive testing and producing a more efficient audit.

If controls are weak, inconsistent, or nonexistent — control risk is "high" — auditors cannot rely on them. The audit shifts to a fully substantive approach, requiring more extensive testing of transactions and balances to obtain sufficient assurance. This produces the evidence required but at a higher cost in time, effort, and resources. Reliance decisions should also factor in PCAOB AS 1105's amendments, which require explicit evaluation of the reliability of external electronic information used in technology-assisted analysis.

How 2024–2026 standards changes are reshaping control assessments

Standard-setters have overhauled the frameworks that drive control assessments. Internal audit functions need to perform a gap assessment against each of the following before their next external quality review:

  • IIA Global Internal Audit Standards (January 9, 2024) reorganized professional practice into 15 guiding principles across five domains, replacing the previous International Professional Practices Framework. IA functions must update their charters, quality assurance and improvement programs (QAIPs), and methodology documentation accordingly.
  • PCAOB AS 1105 amendments (effective for FYs beginning on or after December 15, 2025) require explicit evaluation of the reliability of external electronic information used in technology-assisted analysis.
  • COSO's Achieving Effective Internal Control Over Generative AI (February 2026) adapts the five COSO components and 17 principles to GenAI-specific risks like hallucination, data leakage, model drift, and unauthorized use. With nearly 40% of CAEs planning GenAI investments in the IA function itself, auditors must govern the same tools they are deploying. Consider auditing AI management systems against ISO/IEC 42001:2023.
  • NIST Cybersecurity Framework 2.0 (early 2024) added a new Govern function alongside Identify, Protect, Detect, Respond, and Recover, and introduced enhanced mapping to NIST SP 800-53 controls. Refresh cybersecurity control testing matrices against the CSF-to-SP 800-53 crosswalk.
  • SEC climate disclosure rules (adopted 2024) require large accelerated filers to build ICFR-grade controls over Scope 1 and Scope 2 emissions data (subject to limited assurance) and over disclosure of capitalized costs and losses from severe weather events. EU-domiciled or operating entities also face CSRD reporting for the 2024 financial year.

The automation gap: why SOX costs are rising

The KPMG 2025 SOX Survey reveals a striking disconnect between budget and efficiency. Automated controls dropped from 21% of total controls in FY22 to 17% in FY24, even as average SOX program cost rose 44% (from $1.6M to $2.3M) and total hours grew 32%. The driver is scope expansion: in-scope systems jumped 135%, from 17 to 40 on average, outpacing organizations' ability to design automated controls in the new environments.

The practical takeaway: scope growth from cloud migrations, ERP modernizations, and AI tooling is creating manual-control debt. KPMG also found that 90% of organizations cannot quantify fee savings from external auditor reliance, suggesting the automation ROI case is being left on the table. Target a minimum of 30% automation by the end of FY2026 to offset rising costs from expanding in-scope systems.

Stay on top of internal audit controls with Optro

An effective internal controls program is mission-critical for long-term business success. Companies that invest in their controls program manage risk, protect assets, maintain compliance, and strengthen stakeholder trust. A controls management system further streamlines the process by centralizing risk and control information, automating workflows and testing, and providing tools for collaboration and dynamic reporting.

Frequently asked questions

What is the difference between internal audit and internal control?

Internal audit is a function; internal control is a system. Internal controls are the ongoing policies, procedures, and activities management designs and operates every day to mitigate risk. Internal audit is the independent assurance function that periodically evaluates whether the control system is well-designed and operating effectively, then reports findings to executive leadership and the audit committee.

What are the 4 types of internal controls?

The four types are directive, preventive, detective, and corrective. Directive controls (policies, training, standards) encourage desired behavior. Preventive controls (segregation of duties, access restrictions, approval thresholds) stop errors before they occur. Detective controls (reconciliations, inventory counts, exception reports) identify issues after the fact. Corrective controls (backups, disaster recovery, patches, financial restatements) remediate issues once detected. A mature environment uses all four together — directive is the weakest standalone form, preventive the strongest.

What are the 4 domains of ITGC?

The four IT general controls domains are access controls, change management, data backup and recovery, and security management. These controls govern the IT environment that financial and operational applications rely on, meaning a weakness in any domain can undermine the reliability of automated application controls and the electronic evidence produced by those systems. PCAOB AS 1105 amendments effective FY2025+ raise the stakes on ITGC testing for technology-assisted analysis.

What are the 5 stages of an internal control audit?

An internal control audit typically follows five stages: (1) planning and scoping, (2) risk assessment and understanding of internal controls, (3) control design evaluation, (4) control testing using inquiry, observation, inspection, and reperformance, and (5) reporting and remediation. The depth of stages three and four is driven by control risk — low control risk permits reliance and reduced substantive testing; high control risk forces a fully substantive approach.

How should internal controls address generative AI risks?

Use COSO's February 2026 publication Achieving Effective Internal Control Over Generative AI, which adapts the five COSO components and 17 principles to GenAI-specific risks like hallucination, data leakage, model drift, and unauthorized use. Establish a formal GenAI risk register, implement model governance and data-quality controls, and consider auditing AI management systems against ISO/IEC 42001:2023. With nearly 40% of CAEs planning GenAI investments in the IA function itself, auditors must govern the same tools they are deploying.

Why has the percentage of automated controls declined despite rising SOX budgets?

Automated controls dropped from 21% in FY22 to 17% in FY24, even as average SOX program cost rose 44% (from $1.6M to $2.3M) and total hours grew 32%. The driver is scope expansion: in-scope systems jumped 135%, from 17 to 40 on average, outpacing organizations' ability to design automated controls in the new environments. KPMG also found 90% of organizations cannot quantify fee savings from external auditor reliance, leaving automation ROI on the table.

What's the difference between control design effectiveness and operating effectiveness?

Design effectiveness asks: if the control operated as described, would it prevent or detect a material misstatement? Testing typically involves walkthroughs, inquiry, and inspection of one transaction. Operating effectiveness asks: did the control actually function as designed throughout the reporting period? Testing requires a sample of transactions using inquiry, observation, inspection, and reperformance. A well-designed control that operates ineffectively typically drives a control deficiency or significant deficiency.

About the authors

Kim Pham, CIA, is a Market Advisor, SOX & Compliance at Optro, with 10 years of experience in external and internal audit. She started her career at Deloitte & Touche LLP and continued to grow her experience in internal audit, focusing on SOX compliance and operational audits at Quiksilver, the California State University Chancellor's Office, and CKE Restaurants.
