An organization's operating procedures, processes and mechanisms are the backbone of its risk management system. These procedures, often known as internal controls, ensure that employees abide by top management's recommendations, industry practices and regulatory guidelines when performing their tasks. An internal auditor tests controls to ensure they are adequate and effective.

Internal Control Defined

An internal control is a set of instructions and procedures that top management puts into place to prevent operational losses resulting from employee error, neglect or fraud. For example, a control in the accounts receivable and billing department of a department store may instruct employees on how to handle cash payments. An internal control also helps senior management prevent losses due to technological malfunction. For instance, the store's senior supervisor can instruct sales associates on how to handle credit and debit card transactions in case of computer systems breakdown.

Control Adequacy

An internal auditor tests two aspects of a control—adequacy and effectiveness. A control is adequate if it clearly details procedures and steps that an employee must follow to perform tasks. To illustrate, a control may instruct a shipping clerk on how to record goods stored at the warehouse and sign the bill of lading. An adequate control also explains procedures for decision making and problem reporting. The shipping control could, for instance, require the clerk to notify a manager if goods received are worth more than $10,000.

Control Effectiveness

A control is effective if it provides appropriate solutions to internal control problems. For example, the accounts receivable department's manager at a small retail store believes an employee may be stealing cash because sales revenue amounts do not match cash received. He can establish a procedure requiring customer checks to be sent to a new address and asking three employees in different departments to record cash payments. The new control is effective if the manager notes that cash balances now match sales amounts.


An internal auditor may test various controls, depending on the audit objective, the company size and industry. An auditor may test procedures in financial reporting mechanisms to ensure that financial statements are accurate and complete, and conform to generally accepted accounting principles (GAAP). Operational control testing helps an auditor evaluate control adequacy and effectiveness at the the segment level. An auditor also could test information technology (IT) systems to prevent losses resulting from IT malfunction.

Testing Significance

Internal control testing is a significant practice because it helps a company's top leadership prevent operational losses resulting from error or system breakdowns. Testing also helps a department head ensure that employees abide by internal rules, laws and regulations when performing their duties. An auditor typically applies generally accepted auditing standards (GAAS) when testing internal controls and rates them as "high," "medium" and "low" based on loss expectations.