The internal controls you put in place help ensure that employees carry out the work according to company policies and procedures. Control strengths include simplicity, wide acceptance and effectiveness in making sure the company achieves its objectives. Weaknesses may manifest themselves as inconsistent application, frequent discrepancies and a lack of acceptance by employees. Your assessment of internal company controls has to look for such weaknesses and make corresponding changes using the strong controls as a model.
An assessment of internal control effectiveness has to evaluate the required separation of duties. A controlled task having several elements must be executed by several different employees. For example, paying a bill involves approving the spending, issuing the check and keeping a record of the transaction. The task of paying the bill has a strong control if three employees are responsible for the three elements, but a weak control if one employee handles the work and reports on it. You can assess the strength of critical controls by checking for the separation of duties.
Internal controls are strong if management receives reports from different areas of activity and can compare key variables. For example, if you get regular reports from manufacturing that include quantity of items shipped, and from sales with total sales figures, total sales over a period of time have to equal total items shipped. If you receive employee expense reports with gas charged to company credit cards, and reports of company payments, the total amount paid for gas has to equal the total reported by employees. Weak controls are those where variables from reports can't be compared.
A consistent structure of authorizations is an element of strong controls. When responsible employees sign off on each stage of a procedure, you can track problems to find out where the problem originated. For example, a new product may require an authorization to proceed with a design, several approvals during the design process, an authorization to send it to manufacturing and an authorization to ship it. If the product has frequent failures in one of the design elements, you can trace the responsibility back through the authorizations and fix the problem to prevent a repetition. A weak system of controls doesn't allow you to trace responsibility.
Access controls, both physical and digital, form an important part of your internal company controls. An assessment has to identify which areas of your facilities, such as data centers and warehouses, must have restricted physical access. You can then evaluate how strong your controls are by looking at the physical barriers to access and the records of who accessed the controlled facilities. Your assessment can apply a similar procedure for digital access, identifying which networked computers and servers should have restricted access and the effectiveness of the controls. A strong control limits access to authorized personnel and records who gained access and the time and date. A weak control doesn't control access and doesn't record the information reliably.