Risk Management Blog | Pirani

Types of internal control in company

Written by Juan Pablo Calle | February 12, 2020

Financial entities should have an effective internal control system in place to correct errors and ensure that objectives are met. Learn the types of controls.

The Basel Committee on Banking Supervision defines internal control as "the set of rules and controls governing the bank's organizational and operational structure, including reporting processes and risk management, compliance and internal audit functions".

This means that the board of directors and management must implement steps to consolidate a risk culture within the company. This internal control environment is aimed at incorporating the values and internal standards for all of the entity's processes.

The internal control system, however, should not be viewed as a simple bureaucratic procedure, but rather as a tool to monitor transactions, manage risks and reduce the possibilities of financial fraud.  

A company's internal control serves as a roadmap to provide the necessary security to help reduce the likelihood of risks occurring.

To this end, organizations must have indicators and records of errors, losses and fraud. Based on this information, risk managers look for the best way to mitigate the impact.

Depending on its source of risk, a company's internal control can be classified into two types: source controls and subsequent controls.

Source controls

These are defined to ensure that the source of risk is kept within risk appetite and tolerance levels. The person responsible for ensuring the implementation of this control is the person who generates the activity that is the source of risk. In these cases, both the risk producer and the supervisor are responsible for keeping the threat under control.

Subsequent controls

These types of controls are implemented after the source of risk has been set in motion. The measures taken aim to prevent future harm, whether coming from reckless or malicious behavior.

Subsequent controls, in turn, are classified as permanent, periodic or optional.

Permanent controls

These are implemented when the source of risk has a high probability of exceeding risk tolerance limits. It is precisely for this reason that control must be permanently maintained.

Periodic controls

If the source of risk does not imply a continuous threat, it is sufficient to maintain periodic controls. The strength of the measures will depend on the characteristics of the risk. The controls are aimed at ensuring that risk levels are kept within the established limits. Otherwise, relevant measures must be taken to ensure that they remain within the specific limits.

Optional controls

These controls are not mandatory. They depend directly on individuals, who are responsible for ensuring that the level of danger does not exceed the permitted limits.

In order to comply with this control, it is essential to supervise management. It must ensure that staff members take the necessary steps to disclose any possible violations and that internal regulations are complied with.

Since the criteria for establishing the internal control system should not be quantitative, the Board of Directors must appoint those responsible for defining methodologies, models and technical value indicators that allow the timely recognition of threats.

These models help to make decisions about how monitoring will be carried out, as well as to define the probability of occurrence.