10.3 Internal controls, deterrence & corporate governance

Key Takeaways

  • The COSO Internal Control — Integrated Framework (2013) has five components: control environment, risk assessment, control activities, information & communication, and monitoring.
  • Segregation of duties splits authorization, custody, recording, and reconciliation so no one person can both commit and conceal fraud.
  • Preventive controls stop fraud before it occurs; detective controls (reconciliations, surprise audits) catch it afterward — a balanced program uses both.
  • The control environment and "tone at the top" are the foundation; management override of controls is the classic way strong systems are defeated.
  • Corporate governance places oversight with the board and an independent audit committee, which supervises internal/external audit and the whistleblower hotline.
Last updated: July 2026

Internal Control: The Backbone of Deterrence

Internal control is the system of policies and procedures that provides reasonable assurance an organization will achieve its objectives. It is the primary mechanism through which fraud is deterred and detected. The globally accepted model is the COSO Internal Control — Integrated Framework (originally 1992, updated 2013), published by the Committee of Sponsoring Organizations of the Treadway Commission. Regulators, auditors, and fraud examiners use COSO as the benchmark for judging whether controls are adequate.

The Three Objectives and Five Components

COSO organizes control around three categories of objectives: operations (efficiency and effectiveness), reporting (reliable financial and non-financial reporting), and compliance (adherence to laws and regulations). Supporting these are five integrated components, detailed further by 17 underlying principles:

  • Control environment: integrity, ethical values, governance, structure, competence — the "tone at the top". Fraud relevance: sets the foundation; a weak tone enables fraud.
  • Risk assessment: identifying and analyzing risks to objectives, including fraud risk (Principle 8). Fraud relevance: the 2013 update explicitly requires considering fraud potential.
  • Control activities: approvals, authorizations, reconciliations, and segregation of duties. Fraud relevance: the concrete actions that prevent and detect fraud.
  • Information & communication: relevant, quality information flowing up, down, and across — including hotlines. Fraud relevance: enables reporting and escalation of concerns.
  • Monitoring activities: ongoing and separate evaluations of whether controls function. Fraud relevance: catches control breakdowns before they are exploited.

The Control Environment and Tone at the Top

The control environment is the foundation on which every other component rests. It reflects the integrity, ethical values, and competence of the organization's people and, above all, the "tone at the top." When senior management models ethical behavior, enforces the code of conduct, and refuses to override controls for convenience, employees follow suit. When leaders cut corners, no amount of downstream control activity compensates — management override of controls is the classic way strong systems are defeated. Because tone is set by leadership, a weak control environment is treated as a pervasive, entity-level deficiency.

Preventive vs. Detective Controls

Control activities are commonly classified by when they act:

  • Preventive controls stop errors or fraud before they occur. Examples: segregation of duties, approval and authorization requirements, physical safeguards (locks, passwords), pre-employment background checks, and mandatory vacations.
  • Detective controls identify errors or fraud after they occur so they can be corrected. Examples: reconciliations, independent reviews, surprise audits, exception reports, and data analytics.
  • Corrective controls remediate identified problems — recovering losses, disciplining offenders, and redesigning the failed control.

A balanced program uses both. Prevention is preferred because it avoids loss, but no preventive control is perfect, so detective controls provide the safety net — and their visibility raises the perception of detection, which itself deters.

Segregation of Duties

Segregation (separation) of duties is the single most important control activity for fraud prevention. The principle is that no one person should control all key phases of a transaction. The four functions that should be split among different people are:

  • Authorization — approving the transaction;
  • Custody — physical control of the asset (cash, inventory, checks);
  • Recording — entering the transaction in the books; and
  • Reconciliation/verification — independently confirming records against reality.

When one person can both authorize a payment and record it, or hold cash and reconcile the account, that person can commit and conceal fraud without detection. Where a small organization cannot fully separate duties, compensating controls — increased management review, mandatory vacations, and job rotation — help fill the gap.
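The segregation-of-duties rule above can be checked mechanically during an access review. The following is an added example, not part of this section: it builds an access list (constructed data, modelled on the accounts-payable clerk in the quiz below) and flags every employee who holds two or more of the four incompatible functions in the same transaction cycle, marking a conflict "mitigated" only where a compensating control is on file.

```python
from collections import defaultdict
from itertools import combinations

# The four incompatible functions named in this section.
FUNCTIONS = ("authorization", "custody", "recording", "reconciliation")

# Constructed access list for the example: (employee, transaction cycle, function held).
# The AP clerk mirrors the quiz scenario: approves invoices, cuts checks, reconciles.
ASSIGNMENTS = [
    ("ap_clerk",   "accounts_payable", "authorization"),
    ("ap_clerk",   "accounts_payable", "custody"),
    ("ap_clerk",   "accounts_payable", "reconciliation"),
    ("controller", "accounts_payable", "recording"),
    ("cashier",    "cash_receipts",    "custody"),
    ("cashier",    "cash_receipts",    "recording"),
    ("bookkeeper", "cash_receipts",    "reconciliation"),
]

# Compensating controls documented per (employee, cycle), as the section suggests
# for small organizations that cannot fully separate duties (constructed).
COMPENSATING = {
    ("cashier", "cash_receipts"): ["monthly management review of deposit log",
                                   "mandatory vacation"],
}


def find_sod_conflicts(assignments, compensating=None):
    """Return one finding per employee/cycle holding two or more incompatible
    functions, with every clashing pair and whether a compensating control exists."""
    compensating = compensating or {}
    held = defaultdict(set)
    for who, cycle, func in assignments:
        if func not in FUNCTIONS:
            raise ValueError(f"unknown function {func!r}")
        held[(who, cycle)].add(func)
    findings = []
    for (who, cycle), funcs in sorted(held.items()):
        if len(funcs) < 2:
            continue  # a single function per cycle is not a conflict
        ordered = [f for f in FUNCTIONS if f in funcs]
        findings.append({
            "employee": who,
            "cycle": cycle,
            "functions": ordered,
            "pairs": [f"{a}+{b}" for a, b in combinations(ordered, 2)],
            "status": "mitigated" if (who, cycle) in compensating else "open",
            "compensating_controls": list(compensating.get((who, cycle), [])),
        })
    return findings


def open_conflicts(findings):
    """Conflicts with no compensating control: candidates for redesign or remediation."""
    return [f for f in findings if f["status"] == "open"]
```

Running `find_sod_conflicts(ASSIGNMENTS, COMPENSATING)` reports the AP clerk as an open conflict across all three function pairs and the cashier as a mitigated custody+recording conflict.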

Reasonable Assurance and Inherent Limitations

An important exam point is that internal control provides only reasonable assurance, never absolute assurance, that objectives will be met. Even a well-designed system has inherent limitations: collusion between two or more people can defeat segregation of duties; management override can bypass any control; human error and faulty judgment cause breakdowns; and controls are constrained by cost-benefit trade-offs, so an organization will not spend more on a control than the risk it addresses. Fraud examiners keep these limits in mind — the existence of a control does not prove it operated effectively. This is also why monitoring, independent oversight, and a strong ethical culture matter: they compensate for the gaps that no single control activity can close and raise the odds that a breakdown is caught quickly.

Corporate Governance

Corporate governance is the system by which organizations are directed and controlled, and it sits above internal control. The board of directors is responsible for oversight, and much of the anti-fraud work is delegated to the audit committee, ideally composed of independent, financially literate directors. The audit committee oversees financial reporting, hires and evaluates the external auditors, supervises the internal audit function (which should report functionally to the committee to preserve independence), and administers the whistleblower/hotline process required by the Sarbanes-Oxley Act. Effective governance ensures that management — the group most able to override controls — is itself subject to independent scrutiny. When the board is passive or dominated by management, oversight collapses and fraud risk rises sharply. Strong governance, an ethical tone at the top, and well-designed COSO-based controls together form the deterrence system that a fraud examiner evaluates.

Test Your Knowledge

Which of the following is NOT one of the five components of the COSO Internal Control — Integrated Framework?

Test Your Knowledge

An accounts-payable clerk can approve invoices, cut the checks, and reconcile the bank statement. Which control principle is most clearly violated?

Test Your Knowledge

A surprise audit is best classified as which type of control?
