Internal controls are safeguards a company institutes to protect assets, resources and financial information. Most companies have internal controls at the particular organizational levels, starting at the top of the company and working down through the processes, transactions and applications. The evaluation of internal controls is a common focus of audits--it is the first step of the audit. Audits go through each organizational level to evaluate the effectiveness of controls and determine whether material weaknesses exist.

Defining Internal Controls

Defining internal controls is the first phase of the evaluation process. While auditors and accountants have a general idea about the purpose of internal controls, they must review how their client defines internal controls. This definition helps auditors to plan the audit scope and determine which areas will need evaluation. For example, the cash management function tends to be a critical area for internal control evaluation, since companies must have cash flow to run operations.

Team Selection

Public accounting firms are the primary sources for conducting client audits. Creating the right project team is essential when evaluating internal controls. Auditors and accountants often have a background in business. An auditor familiar with the retail industry is typically better prepared to conduct a retail audit than someone with a background in manufacturing. Assigning the proper individuals to an audit helps create a proper evaluation process.

Entity Level

Auditors typically start at the entity level and review procedures that focus on the company’s overall operations. The organizational structure, ethical values, behavior of executives and corporate governance are the focus of entity-level audits. Faulty entity-level internal controls can indicate owners, directors or executives have the ability to abuse the organization.

Process, Transaction and Application Level

The audit will evaluate internal controls at the process, transaction and application level. Processes include the accounts receivable, accounts payable and general ledger functions. Transactions involve the exchange of cash or goods. Applications can relate to the use of software programs.


The final evaluation phase is the determination of controls effectiveness and recommendations for improvements. Auditors discover if controls prevent employees from compromising business processes. Recommendations can help companies decide how to adjust or alter internal controls to better protect financial or business operations. Auditors may request a follow-up audit to review the effectiveness of recommended improvements.