Maintaining effective internal controls in your organization requires discipline and consistency. When done well, the resulting control environment supports informed decision-making, financial integrity, and overall operational resilience. For teams already fluent in the basics of internal controls, such as internal auditors, risk managers, control assurance teams, and SOX practitioners, this article provides a more in-depth exploration of the practical application of the tools we use to design and assess controls. We’ll discuss best practices for selecting a control framework, building an internal risk and control matrix, and properly using an internal control checklist. The article also includes real-world internal control examples across finance and operations, sample internal control checklists for control owners, and a guide for strengthening controls as the organization matures.
Improving control design and execution with frameworks, matrices, and checklists
Choosing an internal control framework
Many internal control professionals gravitate toward a specific internal control framework based on their department's perspective. Internal auditors tend to follow COSO, IT control teams may focus on the NIST Cybersecurity Framework (CSF), and enterprise risk management (ERM) teams, particularly those supporting U.S. federal information systems, may refer to the NIST Risk Management Framework (RMF).
When choosing a framework, there are a few steps each of these teams can follow to ensure they select the right one for building effective internal controls.
- Consider the risks in your organization. Every organization has different needs based on its industry, size, maturity, and location in the world. A small tech startup in California faces a variety of different risks than a mature manufacturing company in France. The control framework should address your risks appropriately.
- Think about your regulatory compliance. Your choice of framework can affect regulatory compliance when a regulator or external auditor expects you to rely on a particular one. For example, SOX practitioners generally follow COSO, since it is the commonly accepted framework for internal control over financial reporting.
- Review contractual obligations. In some industries, contractual obligations drive the decision. For example, many healthcare companies require their partners to maintain a HITRUST certification and, as a result, those partners adopt HITRUST as their framework.
- Understand the operational burden. Some control frameworks are tiered so that you can implement the level of control your organization can handle operationally. The CIS Critical Security Controls (18 controls) are one example of an IT control framework with three distinct Implementation Groups, chosen based on “the risk profile and resources an enterprise has available to them to implement the CIS Controls.” That flexibility lets the organization implement the controls that fit it now with a clear line of sight to future maturity.
The key to using a framework successfully is to remember that it is a standard that can be adapted to fit your needs. No one framework is perfect, but they can be an extremely useful guide.
Internal controls examples in finance, operations, and IT
Once you have selected your framework, the next step is often building an internal risk and control matrix. The matrix shows the connection between the organization’s objectives, risks your organization faces, and the controls you have in place to mitigate those risks. Some teams will also include the evidence they intend to review to validate that the control is effective.
Below are several matrices that illustrate internal control examples embedded within a risk and control matrix. These examples highlight how the control should address the risk while not being so specific that the control owner has no room for flexibility in the control performance. The matrix also highlights that a single risk may need multiple effective internal controls to be appropriately mitigated.
Internal controls examples: Order-to-cash (O2C)
| Risk | Control(s) | Supporting documentation |
|---|---|---|
| Pricing and revenue recognition risk. | System-enforced price lists and deal desk approval for non-standard terms. Automated revenue-recognition engine configured to policy. | Workflow logs showing approver, timestamp, and deviation rationale; configuration export and revenue-recognition ruleset; sample contracts traced to revenue schedules. |
| Credit risk and write-offs. | Pre-shipment credit limit check with auto-hold for exceeded limits. Segregation between accounts receivable (AR) posting and write-off approval. | System hold reports, exception queue, and approvals; monthly AR aging with documented collection actions. |
| Sales cutoff risk. | Period close freeze; three-way matching of order, shipment, and invoice dates. Late entries require controller approval. | Close checklist; late journal entry (JE) log; sample of shipments near period end traced to invoices. |
Internal controls examples: Procure-to-pay (P2P)
| Risk | Control(s) | Supporting documentation |
|---|---|---|
| Unauthorized vendor creation. | Vendor master changes require dual approval and independent supplier verification. Access to vendor maintenance is restricted. | Workflow approvals, change logs, call-back or domain verification evidence, and role assignments. |
| Duplicate or fraudulent payments. | System duplicate detection on vendor name, bank account, and invoice number/amount/date. Payment run review by someone without posting rights. | Duplicate report with investigated exceptions; payment proposal sign-off. |
| Three-way match and tolerance. | Automated three-way match (purchase order (PO), receipt, invoice) with tolerances. Variances escalate to the buyer/controller. | PO/receipt/invoice match logs; variance resolution notes. |
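To make the duplicate-detection and three-way-match controls in the P2P matrix concrete, here is an added example in Python, written for this article rather than taken from TeamMate or any vendor product. The invoice records, the purchase order, the field names (`vendor`, `iban`, `invoice_no`) and the tolerances are constructed assumptions. The analytic produces candidates, not verdicts: the bank-account rule deliberately also picks up a legitimate recurring charge (INV-4), which is why the matrix calls for a duplicate report with investigated exceptions rather than automatic rejection.

```python
"""Added example (not TeamMate's code): duplicate-payment analytics and an
automated three-way match with tolerances over constructed sample data."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample invoices. INV-1 and INV-2 are the same bill keyed twice with
# cosmetic differences; INV-4 is a genuine recurring charge from the same vendor.
INVOICES = [
    {"id": "INV-1", "vendor": "Acme Supply Co.", "iban": "GB29NWBK60161331926819",
     "invoice_no": "A-0041", "amount": 12500.00, "date": date(2024, 3, 4)},
    {"id": "INV-2", "vendor": "ACME SUPPLY CO", "iban": "GB29 NWBK 6016 1331 9268 19",
     "invoice_no": "A0041", "amount": 12500.00, "date": date(2024, 3, 4)},
    {"id": "INV-3", "vendor": "Northwind Parts", "iban": "DE89370400440532013000",
     "invoice_no": "7781", "amount": 860.50, "date": date(2024, 3, 9)},
    {"id": "INV-4", "vendor": "Acme Supply Co.", "iban": "GB29NWBK60161331926819",
     "invoice_no": "A-0042", "amount": 12500.00, "date": date(2024, 4, 2)},
]


def norm_name(s):
    """Vendor name: lower-case, punctuation and common legal suffixes removed."""
    s = re.sub(r"[^a-z0-9 ]", "", s.lower())
    return re.sub(r"\b(co|inc|ltd|llc|corp)\b", "", s).strip()


def norm_account(s):
    """Bank account: whitespace removed, upper-case (IBANs are often keyed with spaces)."""
    return re.sub(r"\s+", "", s).upper()


def norm_invoice_no(s):
    """Invoice number: alphanumerics only, leading zeros dropped."""
    return re.sub(r"[^A-Z0-9]", "", s.upper()).lstrip("0")


def find_duplicate_candidates(invoices):
    """Return candidate duplicate groups per matching rule. Each rule mirrors a
    field combination from the control text; a group with more than one invoice
    is a hit for the AP team to investigate and clear."""
    rules = {
        "vendor+amount+date": lambda i: (norm_name(i["vendor"]), round(i["amount"], 2), i["date"]),
        "account+amount": lambda i: (norm_account(i["iban"]), round(i["amount"], 2)),
        "vendor+invoice_no": lambda i: (norm_name(i["vendor"]), norm_invoice_no(i["invoice_no"])),
    }
    hits = {}
    for rule, key in rules.items():
        groups = defaultdict(list)
        for inv in invoices:
            groups[key(inv)].append(inv["id"])
        hits[rule] = sorted(ids for ids in groups.values() if len(ids) > 1)
    return hits


def three_way_match(po, receipt, invoice, qty_tol=0, price_tol_pct=2.0, amount_tol_abs=100.0):
    """Compare PO, goods receipt and invoice. Returns (matched, variances).
    Quantities must agree within qty_tol units, the invoiced unit price must be
    within price_tol_pct of the PO price, and the invoice total must be within
    amount_tol_abs of (received qty x PO price). Tolerances are assumptions."""
    variances = []
    if abs(receipt["qty"] - po["qty"]) > qty_tol:
        variances.append(f"receipt qty {receipt['qty']} vs PO qty {po['qty']}")
    if abs(invoice["qty"] - receipt["qty"]) > qty_tol:
        variances.append(f"invoice qty {invoice['qty']} vs receipt qty {receipt['qty']}")
    price_diff_pct = abs(invoice["unit_price"] - po["unit_price"]) / po["unit_price"] * 100
    if price_diff_pct > price_tol_pct:
        variances.append(f"unit price variance {price_diff_pct:.1f}% exceeds {price_tol_pct}%")
    expected = receipt["qty"] * po["unit_price"]
    if abs(invoice["amount"] - expected) > amount_tol_abs:
        variances.append(f"invoice amount {invoice['amount']:.2f} vs expected {expected:.2f}")
    return (not variances, variances)


# Constructed PO / receipt / invoice for the match (same goods, two scenarios).
PO = {"qty": 100, "unit_price": 50.00}
INVOICE = {"qty": 100, "unit_price": 50.50, "amount": 5050.00}
RECEIPT_FULL = {"qty": 100}    # everything delivered: within tolerance
RECEIPT_SHORT = {"qty": 95}    # short delivery: escalate to buyer/controller

if __name__ == "__main__":
    for rule, groups in find_duplicate_candidates(INVOICES).items():
        print(rule, groups)
    print(three_way_match(PO, RECEIPT_FULL, INVOICE))
    print(three_way_match(PO, RECEIPT_SHORT, INVOICE))
```

The normalizers are the part that matters: without them the two Acme entries never collide, which is the usual reason a "system duplicate check" on raw fields misses real duplicates. Each hit still needs a documented disposition, which is the evidence the matrix asks for.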
Internal controls examples: Record-to-report (R2R)
| Risk | Control(s) | Supporting documentation |
|---|---|---|
| Manual journal entry risk. | Segregation of JE preparation and approval. Templates require an explanation and support. System blocks postings outside open periods. | JE workflow history; attached source documents; monthly JE exception review. |
| Account reconciliation and roll-forwards. | Standardized reconciliations with defined frequency and materiality thresholds. Automated feeds to subledgers. Escalation for aged unreconciled items. | Reconciliation packs with preparer/reviewer sign-off, aging schedules, and an audit trail of reconciling items. |
| Key estimates and reserves. | Formal policy for revenue reserves, bad debt, warranty, and contingencies. Quarterly, audit-committee-visible controls over models, assumptions, and sensitivity. | Model version control; management memos; reviewer notes on model validation and back-testing. |
Internal controls examples: IT general controls (ITGCs)
| Risk | Control(s) | Supporting documentation |
|---|---|---|
| Access management. | Role-based access. Periodic user access reviews (UAR) for in-scope systems. Immediate de-provisioning upon termination. Multi-factor authentication (MFA) for privileged accounts. | UAR sign-offs, termination tickets, IAM logs, segregation of duties (SoD) rule set, and exceptions. |
| Change management. | Segregation between developers and deployers. Ticketed changes with test evidence. Approvals before production deployment. Emergency change review. | Change tickets with test results, deployment logs, and post-implementation reviews. |
| Computer operations. | Backup and restore tests. Job monitoring with alerts. Incident management with root-cause analysis and corrective actions. | Restore test results, incident postmortems, and monitoring dashboards. |
Just like working with a framework, building an effective internal control matrix should incorporate your organization’s specific needs. While you can find static libraries for risks and controls, you should always update these to reflect your environment.
Appropriate use of internal controls checklists
For control owners and operators, internal controls checklists are a critical tool for consistency. Often they are expected to run the same report with the same parameters, generate a list of users, capture specific screenshots, and do so for multiple controls at once. They rely on checklists to complete these tasks completely and accurately. In practice, control owners may keep both high-level and detailed checklists to track monthly, quarterly, and annual control activities. Below are several internal control checklist examples.
Monthly internal controls checklist example (high-level)
| Task | Completed by | Completed on (date) |
|---|---|---|
| Review bank reconciliations, AR aging, and AP aging; investigate and clear aged items. | | |
| Review manual journal entries posted late or with unusual characteristics; ensure approvals and support. | | |
| Review vendor and customer change reports; verify independent call-backs for master data changes. | | |
| Run duplicate payment and duplicate vendor analytics; resolve hits. | | |
| Confirm terminated user de-provisioning for the month; spot-check high-risk applications. | | |
Quarterly internal controls checklist example (detailed for access controls)
| Task | Completed by | Completed on (date) |
|---|---|---|
| Validate the user extraction query before execution. | | |
| Record evidence of the successful execution of the query. | | |
| Export to CSV format for review. | | |
| Confirm the completeness and accuracy of the export. | | |
| Confirm the export includes detailed permissions for review. | | |
| Identify the reviewer for each application user. | | |
| Send the list to the appropriate managers for review. | | |
| Confirm any revocation requests from reviewers. | | |
| Perform lookback analysis on revocations as needed. | | |
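The quarterly checklist above, and the monthly "confirm terminated user de-provisioning" task, both come down to reconciling an application user export against HR data. Here is an added example in Python (written for this article, not TeamMate's code) that checks the export for completeness and fingerprints it as evidence, builds per-reviewer packets with permission detail, and performs the terminated-user lookback. The CSV layout, the HR roster, the privileged-role list and the row count the application reported are constructed assumptions; a real export would also carry group memberships and entitlements.

```python
"""Added example (not TeamMate's code): user access review helpers over a
constructed application export and HR roster."""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date

# Constructed application export, as the control owner would pull it.
APP_EXPORT_CSV = """user_id,display_name,role,last_login,status
u100,Alice Ng,finance_admin,2024-03-28,active
u101,Bob Kaur,ap_clerk,2024-03-27,active
u102,Carl Otto,ap_clerk,2024-02-14,active
u103,svc-batch,batch_operator,2024-03-29,active
"""
# Row count the application displayed at extraction time; recorded as evidence.
REPORTED_ROW_COUNT = 4

# Constructed HR roster: reviewer (manager) and termination date, None if current.
# u103 is a service account with no HR record, so it must not be silently dropped.
HR_ROSTER = {
    "u100": {"manager": "m1", "terminated": None},
    "u101": {"manager": "m1", "terminated": None},
    "u102": {"manager": "m2", "terminated": date(2024, 2, 16)},
}
PRIVILEGED_ROLES = {"finance_admin", "batch_operator"}  # assumption for illustration


def parse_export(text):
    """Parse the CSV export and convert last_login to a date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["last_login"] = date.fromisoformat(r["last_login"])
    return rows


def completeness_check(text, reported_count):
    """Completeness: row count equals what the system reported at extraction.
    Accuracy/integrity: a SHA-256 of the file ties the reviewed copy to this exact
    extraction, so a later edit of the CSV would be detectable."""
    rows = parse_export(text)
    return {
        "ok": len(rows) == reported_count,
        "rows": len(rows),
        "sha256": hashlib.sha256(text.encode()).hexdigest(),
    }


def build_review_packets(rows, roster):
    """Group users by reviewer (manager from HR) with the detail a reviewer needs.
    Users without an HR record go to an 'unassigned' queue for an owner to be found."""
    packets = defaultdict(list)
    for r in rows:
        reviewer = roster.get(r["user_id"], {}).get("manager", "unassigned")
        packets[reviewer].append({**r, "privileged": r["role"] in PRIVILEGED_ROLES})
    return dict(packets)


def terminated_lookback(rows, roster, as_of):
    """Flag accounts still active after their HR termination date, how long they
    have been exposed, and whether they were used after termination. This is the
    lookback run once revocations are confirmed, and the monthly de-provisioning check."""
    findings = []
    for r in rows:
        term = roster.get(r["user_id"], {}).get("terminated")
        if term and r["status"] == "active":
            findings.append({
                "user_id": r["user_id"],
                "days_active_after_termination": (as_of - term).days,
                "logged_in_after_termination": r["last_login"] > term,
                "privileged": r["role"] in PRIVILEGED_ROLES,
            })
    return findings


if __name__ == "__main__":
    check = completeness_check(APP_EXPORT_CSV, REPORTED_ROW_COUNT)
    print("export complete:", check["ok"], "sha256:", check["sha256"][:16])
    users = parse_export(APP_EXPORT_CSV)
    for reviewer, packet in build_review_packets(users, HR_ROSTER).items():
        print(reviewer, [u["user_id"] for u in packet])
    for f in terminated_lookback(users, HR_ROSTER, date(2024, 3, 31)):
        print("lookback finding:", f)
```

Two points a reviewer will look for in the evidence: the hash lets the auditor confirm the managers reviewed the same file the control owner extracted, and routing orphaned accounts to an explicit queue prevents service accounts from escaping review simply because no manager is attached to them.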
Annual internal controls checklist example
| Task | Completed by | Completed on (date) |
|---|---|---|
| Update policies and SOPs with effective dates. | | |
| Re-assess SOX scoping and materiality thresholds. | | |
| Perform vendor risk assessments for critical suppliers. | | |
| Validate role-to-permission assignments for access. | | |
| Conduct training for control owners and reviewers. | | |
Components of a mature internal controls environment
An effective internal controls environment matures over time when we use tools like frameworks, matrices, and checklists consistently. At first, we should take care to balance expected results with feasibility for the control owners and operators. If the controls are over-designed or constructed in a way that makes the execution too burdensome, then the owners will lose patience and the process could fail. Implementing the internal controls best practices listed below as a playbook for improvement will help you build a sustainable, mature controls environment.
- Tone at the top and middle. As PwC points out, “Your organization’s decision makers define the [internal control] culture.” Leaders should consistently advocate for effective internal controls, with managers reinforcing this message through their daily actions, such as bringing the controls team into conversations early when processes are likely to change.
- Organizational accountability. Responsibilities should be documented, with control ownership assigned at the role level, not to individuals, with back-up coverage defined. Performance goals should also be linked to control performance.
- Transparency and training. Team members should be educated to understand why the controls exist and receive training on both the policy and the practical steps to execute and evidence the control performance.
- Policies and procedures. Policies should be concise, current, and accessible, with version control and effective dates. Standard operating procedures (SOPs) can include screenshots, decision criteria, and examples of acceptable evidence.
- Monitoring and remediation discipline. Organizations should conduct regular self-assessments, internal audits, and review analytics to surface issues early. Then, any remediation actions are tracked to completion, validated, and shared so other teams can learn from these corrective actions as well.
As these internal controls best practices are applied consistently, we are setting clear expectations with the control owners. Then, we can push for further improvements for more effective internal controls. For example, we might start by developing a manual process for quarterly user access reviews for critical applications. If we introduce automation that improves accuracy and reduces the workload for control owners, we can also expand the scope of the evaluation to include additional applications. While making this change, we would ensure buy-in from management, train the team on the new process, update the procedures, and review the new process for any corrective actions that are needed. In this example, we expand the scope of an existing control while refining its execution, and we follow our playbook for consistent, continuous improvement.
Building a mature control environment
Internal controls best practices include using the tools we have to design better controls, linking our objectives, risks, and controls together, and providing actionable guidance to the business. For professionals who manage internal controls, the differentiator is consistency in control design, gathering evidence, and in how we learn from exceptions. When you align the business objectives with a thoughtfully designed control environment that is attainable by the control owners, and then apply continuous improvement over time, you create a control environment that matures naturally and stands up under scrutiny.