Skip to main content

Question and Answers about Internal Control

Internal Control

The organization and method established by the Company to ensure that activities are carried out effectively, economically, and efficiently in accordance with the Company’s objectives, determined policies, and legislation, assets, and resources are protected, accounting records are kept accurately and completely, and financial and management information is produced in a timely and reliable manner. It refers to the set of financial and other controls covering the process and internal audit.

Automatic Controls

They are computer-aided controls placed within the system.

Principle of Separation of Duties

It is the sharing of the duties of approving, implementing, recording, and controlling activities and financial decisions and transactions among the personnel to reduce the risks of errors, omissions, inaccuracies, irregularities, and corruption.

To implement this principle, the duties of approving, implementing, recording, and controlling each activity, financial decision, or transaction should be assigned to different people.

What is Coso?

COSO: Committee of Sponsoring Organizations of the Treadway Commission – It consists of the initials of the Committee of Sponsoring Organizations Supporting the Treadway Commission.

Treadway Commission

The National Commission to Combat Fraudulent Financial Reporting was established after the US Watergate Scandal that emerged in the mid-1970s and the enactment of the Foreign Corrupt Practices Act in 1977, the main subject of which was internal control. It was established upon the call of this commission to prevent fraudulent reporting.

COSO founding date

It was founded in 1985 by the American Institute of Certified Public Accountants, the American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors, and the Institute of Management Accountants.


Frameworks Published by Coso

COSO (The Committee of Sponsoring Organizations of the Treadway Commission) There are two frameworks initially published:

The Internal Control-Integrated Framework, one of which was published in 1992, was revised in 2013.

The other one is “Enterprise Risk Management-Integrated Framework,” published in 2004.yes” say(Enterprise Risk Management – ​​Integrated Framework). It was republished in 2017 under the name Corporate Internal Control Framework Aligned with Strategy and Performance.


Basic Principles of Internal Control

Internal control activities are carried out within the framework of management responsibility.

Risky areas are primarily taken into account in internal control activities and regulations.

Responsibility for internal control covers all officials involved in the transaction process.

Internal control covers all financial and non-financial transactions.

The internal control system is evaluated at least once a year and determines the measures to be taken.

Internal control regulations and practices are based on corporate governance principles such as compliance with legislation, transparency, accountability, economy, and effectiveness.


Benefits of Effective Internal Control

It gives greater confidence to management, the board of directors, and other stakeholders in achieving goals,

Helping companies institutionalize offers the ability to meet certain conditions required to access capital markets.

It gives confidence to external investors in providing capital.

It provides reliable reporting supporting management and the board’s decision-making on product pricing, capital investment, and resource allocation.

Provides increased efficiency in functions and processes;

The opportunity to protect assets is provided.

It provides a basis for decisions that are highly dependent on the individual and require significant judgment.

It creates consistent mechanisms for the success and reliability of operations.

Provides the ability to accurately communicate business performance to business partners and customers to help maintain relationships.

Internal Control Risk Management Relationship

The internal control system is the basis of the risk management system.

The internal control system supports the management against the risks inherent in business activities in controlling and managing these risks. This support is the first step in risk management.

Businesses determine their goals, then internal (natural) risks that will prevent achieving them.

In general, the primary purpose of the risk management system is to eliminate internal (natural) risks through measures to be taken.

If there are still some risks despite the control measures, these are called residual risks.


Internal Control Internal Audit Relationship

Internal control provides reasonable assurance as a tool built into processes and workflows, influenced by people, and used to achieve the objectives of the business. In this respect, internal control is the responsibility of the business management.

Internal Audit activity is needed to evaluate the effectiveness and appropriateness of Internal Control. Therefore, internal control and internal audit should be considered two different but complementary concepts.

While the existence of an internal control system constitutes one of the foundations of an organization’s institutionalization, the internal controls’ appropriateness and quality are valued by the Internal Audit activity.


Internal Control and Independent Audit Relationship

The Independent Auditor must understand the internal control system of the business. The Independent Auditor uses the information obtained about the internal control system in the processes of identifying possible types of material misstatement, reviewing the factors affecting the risk of material misstatement, and designing the timing, scope, and structure of additional independent audit techniques.

There is an inverse relationship between the internal control system and Audit risk. As the effectiveness of the internal control system increases, audit risk decreases, and as the effectiveness of the internal control system decreases, audit risk rises.

If an effective internal control system exists, the auditor can narrow the scope and work with a smaller sample size. In this case, it will naturally reduce the resources that need to be allocated to auditing.


COSO Internal Control Components and Principles

  • control environment

  • Principle 1: Ethical Values ​​and Integrity
  • Principle 2: Oversight Responsibility of the Board
  • Principle 3: Establishing Structure Authority and Responsibilities
  • Principle 4: Commitment to Competence
  • Principle 5: Accountability


  • Risk assessment

  • Principle 6: Setting Appropriate Goals
  • Principle 7: Identifying and Analyzing Risks
  • Principle 8: Assessing the Risk of Fraud
  • Principle 9: Identify and Analyze Significant Changes


  • Control activities

  • Principle 10: Selecting and Developing Control Actions
  • Principle 11: Selecting and Developing General Controls to Apply to Technology
  • Principle 12: Implementation through Policies and Procedures


  • information contact

  • Principle 13: Using Relevant Information
  • Principle 14: Communicating Within the Organization
  • Principle 15: Communicating with External Parties


  • Tracing

  • Principle 16: Conduct Continuous and/or Separate Evaluations
  • Principle 17: Assessing and reporting deficiencies
  • Classification of Control Actions

  • router,
  • Inhibitor,
  • detecting
  • Corrective
  • Alternative



  • IPPF (International Professional Practice Framework) – Standards, Practice Recommendations, Practice Guides)
  • Public Internal Audit Guide (Public Internal Audit Coordination Board Ankara September 2013)
  • İSMMMO-Practical Information for Internal Audit in SMEs 2013
  • Teolupus Internal Audit Guide Studies

Bu gönderi şu adreste de mevcuttur: Türkçe