Most leaders meet financial controls only when something has already gone wrong: a duplicate payment, an invoice nobody approved, a year-end audit that drags on. By then a control is an irritant. Seen earlier, it is the opposite: a quiet, cheap way to make sure the figures you steer by are real, and that money leaves the business only when it should. What follows is the working map for anyone whose job isn't finance: what a control actually is, who checks the checks, and the few questions worth asking.

The quick version

  • A financial control is a rule or step built into a process so that errors and fraud are caught or prevented: an approval limit, a reconciliation, two signatures on a payment.
  • The reference model is COSO, which organises internal control into five components and seventeen principles. You don't need to memorise them; you need to know they exist and roughly what they cover.
  • Assurance is independent checking that the controls actually work. Internal audit checks for the board; external audit gives an opinion to shareholders that the accounts are fairly stated.
  • The cheapest, most universal control is segregation of duties: no single person should be able to start, approve, record and conceal the same transaction.

The idea in depth: what a control is, and the framework behind it

Strip away the jargon and a control is a deliberate piece of friction. Someone wants to pay a supplier; the control says a second person must approve anything over a threshold. Someone records the month's cash; the control says the ledger must be reconciled against the bank statement, line by line, before the books close. Each one trades a little speed for a lot of reliability. The discipline isn't adding friction everywhere; it's adding it at the few points where a mistake or a theft would actually hurt.

The standard way to think about this across a whole organisation is the framework published by the Committee of Sponsoring Organizations of the Treadway Commission, COSO. Its Internal Control – Integrated Framework (originally 1992, updated 2013) defines internal control as a process designed to give reasonable assurance about reliable reporting, effective operations, and compliance with laws. It breaks that into five components (control environment, risk assessment, control activities, information and communication, and monitoring), under which sit seventeen supporting principles. The phrase that matters most is reasonable assurance: COSO is explicit that no system of controls can promise certainty.

For a non-specialist leader, the point is not to learn the seventeen principles. Use the five components instead as a checklist of honest questions about your own area: Do my people know what good conduct looks like (environment)? Have we named what could go wrong (risk assessment)? Are there actual steps that catch it (control activities)? Does the right information reach the right person in time (information)? And does anyone ever check that the steps are still happening (monitoring)? Most control failures are not exotic; they are one of those five quietly missing.

flowchart LR
  A(["Control environment<br/>tone, ethics, accountability"]) --> B(["Risk assessment<br/>what could go wrong?"])
  B --> C(["Control activities<br/>approvals, reconciliations"])
  C --> D(["Information & communication<br/>right data, right person"])
  D --> E(["Monitoring<br/>are the controls still working?"])
  E -.->|"feedback"| A
COSO's five components of internal control, read as questions to ask about any process you own. Leaders Loop

An honest limitation. COSO is a framework, not a recipe. It tells you the categories of a sound control system but not which specific controls your business needs; that is a judgement about your risks. It can also be applied as paperwork: a binder of documented controls that look impressive and are never actually performed. A control that exists on a process map but not in anyone's week is worse than none, because it manufactures false confidence. The framework is a lens for asking better questions, not a substitute for checking that the work is really done.

Why controls exist at all: the fraud triangle

Controls aren't only about honest mistakes; a fair share of the discipline exists because people occasionally steal. The most durable explanation of why they do comes from the criminologist Donald Cressey, whose mid-twentieth-century study of embezzlers produced what is now taught everywhere as the fraud triangle: fraud tends to need three things present at once: pressure (a financial problem the person feels they can't share), opportunity (a weakness in the controls that lets them act), and rationalisation (a story they tell themselves that makes it feel acceptable). The model is widely referenced in auditing standards and remains the standard teaching frame for occupational fraud.

Of the three sides, opportunity is the one to work on, because it is the only side a leader directly controls. You can't manage an employee's debts or their conscience, but you can remove the opening. That is exactly what segregation of duties does, and it is the single most cost-effective control there is. The principle: no one person should be able to initiate a transaction, approve it, record it, and hold the resulting asset. Split those steps across people and most casual fraud simply becomes impossible without a conspiracy, which is far rarer and far easier to detect.

You can't manage someone's debts or their conscience, but you can close the opportunity. That is what a control is for.

The practical version is concrete and free: look at any process where money moves and ask whether the same person does two or more of: request, approve, pay, record. In a small team that overlap is often unavoidable, which is the honest caveat. When you genuinely can't separate the duties, substitute a compensating control: a manager who reviews the bank statement they didn't prepare, or a monthly report a second person eyeballs. The aim isn't a perfect org chart; it's making sure no single set of hands can both do the deed and hide it.

Who checks the checks: assurance, and the three lines

Having controls is one thing; knowing they work is another. That second job is assurance: independent confirmation that the controls are designed well and actually operating. The cleanest way to see how the pieces fit is the Three Lines Model, published in its current form by the Institute of Internal Auditors in July 2020 (a refresh of the older "three lines of defence"). The first line is the managers who own and run the process and its controls day to day. The second line is the risk and compliance functions that set policy and watch over the first. The third line is internal audit, which independently checks both and reports to the board, deliberately kept separate so its judgement isn't compromised by the work it reviews.

flowchart TD
  Board(["Board / audit committee<br/>oversight & accountability"])
  Board --> L1(["First line<br/>managers who own the controls"])
  Board --> L2(["Second line<br/>risk & compliance set policy"])
  Board --> L3(["Third line<br/>internal audit, independent check"])
  L2 -.->|"support & challenge"| L1
  L3 -.->|"assurance to the board"| Board
  Ext(["External audit<br/>opinion to shareholders"]) -.->|"outside the lines"| Board
The IIA's Three Lines Model, with external audit sitting outside it: who does the work, who oversees it, and who independently checks.

Sitting outside those three lines is the one most people mean when they say "the audit": external audit. An external auditor is an independent firm that examines a company's financial statements and issues an opinion, usually that the accounts give a "true and fair view", for the benefit of shareholders and the public, not management. The distinction is worth holding: internal audit serves the board and ranges across operations and controls; external audit serves the owners and focuses narrowly on whether the published numbers can be trusted. An external auditor expresses an opinion; it does not certify perfection, and it explicitly works to a level of reasonable assurance.

For listed companies in the United States, this is not optional. After the Enron and WorldCom collapses, the Sarbanes-Oxley Act of 2002 made executives personally accountable for controls. Section 302 requires the CEO and CFO to personally certify each periodic filing; Section 404 requires management to assess and report on the effectiveness of internal control over financial reporting, with the company's external auditor attesting to it. SOX is why "internal control over financial reporting" became a board-level phrase rather than an accounting footnote. The lesson carries even if you are nowhere near a listed company: treat the audit not as a grade to survive but as free, independent eyes on whether your numbers can be trusted, and actually read what they tell you.

A worked example

Picture a 40-person services firm, call it Harbour & Co. (Illustrative figures and names throughout; this is a teaching example, not a real company.) The office manager, trusted for years, handles supplier invoices end to end: she receives them, sets up the new supplier, approves payment, and runs the bank payment file. No one reviews her work because she has never given anyone reason to. Over eighteen months she creates a fictitious supplier and pays it roughly £2,000 a month, about £36,000, into an account she controls. Nothing stops her, because she is the whole process.

Walk it through the triangle and the model: the opportunity was total, because one person did request, approve, pay and record. There was no segregation of duties and no monitoring. The fix costs almost nothing. Split the duties so that whoever sets up a supplier cannot also approve a payment to it. Add an approval threshold: anything over, say, an illustrative £500 needs a director's sign-off. Have someone who didn't prepare it review the monthly bank statement: a compensating control for a team too small to separate everything. Each step maps to a different COSO component, and each would have closed the opening on its own.

flowchart TD
  A(["One person: receive,<br/>set up, approve, pay, record"]) --> B{"Can the same hands<br/>both do it and hide it?"}
  B -->|"Yes, no separation"| C(["Fraud opportunity open<br/>~£36k over 18 months"])
  B -->|"No, duties split"| D(["Setup ≠ approver,<br/>threshold sign-off, statement review"])
  C --> D
  D --> E(["Opportunity closed<br/>at near-zero cost"])
The same process, before and after segregation of duties: the cheapest control closing the most common opening.

The point of the example isn't the loss; it's how ordinary the gap was. No villainy was needed in the design, just a process that grew up around one trusted person and was never questioned. That is what financial controls quietly prevent, and why a leader who asks "could one person here both do it and hide it?" is doing real risk work, no accounting degree required.
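The three fixes from the Harbour & Co. example (setup must not equal approver, no one person holding two or more of request/approve/pay/record, director sign-off above the threshold) can be run as a detective control over a payment ledger. The script below is an added illustration, not part of the original article or any real company's system; the supplier records, staff names and payments are constructed sample data, and the £500 threshold is the text's illustrative figure.

```python
from dataclasses import dataclass

# Constructed sample data for the Harbour & Co. teaching scenario (not a real company).
SUPPLIER_SET_UP_BY = {"S-001": "alice", "S-002": "bob", "S-009": "carol"}
DIRECTORS = {"dana"}      # people allowed to sign off above the threshold
THRESHOLD = 500.0         # illustrative threshold, as in the text

@dataclass(frozen=True)
class Payment:
    ref: str
    supplier: str
    amount: float
    requested_by: str
    approved_by: str
    paid_by: str
    recorded_by: str

def check_payment(p, set_up_by=SUPPLIER_SET_UP_BY, threshold=THRESHOLD, directors=DIRECTORS):
    """Return a list of control findings for one payment (empty list means clean)."""
    findings = []
    # Control 1: whoever set up the supplier record must not approve payments to it.
    if set_up_by.get(p.supplier) == p.approved_by:
        findings.append(f"SOD: {p.approved_by} set up {p.supplier} and approved payment to it")
    # Control 2: no single person may hold two or more of request / approve / pay / record.
    held = {}
    for role, person in (("request", p.requested_by), ("approve", p.approved_by),
                         ("pay", p.paid_by), ("record", p.recorded_by)):
        held.setdefault(person, []).append(role)
    for person, roles in held.items():
        if len(roles) >= 2:
            findings.append(f"SOD: {person} holds {'+'.join(roles)}")
    # Control 3: payments above the threshold need a director's sign-off.
    if p.amount > threshold and p.approved_by not in directors:
        findings.append(f"THRESHOLD: {p.amount:.2f} > {threshold:.2f} approved by non-director {p.approved_by}")
    return findings

def run_checks(payments):
    """Map payment ref -> findings, for every payment with at least one finding."""
    return {p.ref: f for p in payments if (f := check_payment(p))}

SAMPLE_PAYMENTS = [
    # The text's scenario: one person does everything, for a supplier she created herself.
    Payment("P1", "S-009", 2000.00, "carol", "carol", "carol", "carol"),
    # After the fix: setup (alice) differs from approver (dana, a director); four different hands.
    Payment("P2", "S-001", 1200.00, "alice", "dana", "bob", "evan"),
    # Under the threshold, but approve and pay sit with the same person.
    Payment("P3", "S-002", 300.00, "evan", "frank", "frank", "gina"),
]

if __name__ == "__main__":
    for ref, findings in run_checks(SAMPLE_PAYMENTS).items():
        print(ref, *findings, sep="\n  ")
```

In practice the same checks would be run over the real payment export each month by someone who did not prepare the payments, which is the compensating control the text describes for small teams.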

Frequently asked questions

What's the difference between internal and external audit?

Internal audit works for the organisation's own board, ranges across operations, risk and controls, and aims to improve how the business runs. External audit is an independent firm engaged on behalf of shareholders to give an opinion on whether the published financial statements are fairly stated. Internal audit is continuous and broad; external audit is periodic and focused on the numbers. They are complementary, not interchangeable.

What does "assurance" actually mean?

Assurance is independent confirmation that something can be relied upon. In this context it means a party with no stake in the outcome has examined the controls or the accounts and can vouch, to a stated level of confidence, that they hold up. Note the careful language the profession uses: auditors provide reasonable assurance, not a guarantee. No examination can promise that nothing is wrong, only that nothing material was found.

We're too small for an audit. Do controls still apply?

Yes, and arguably more so, because small teams have the least natural separation of duties and the most concentrated trust. You almost certainly don't need a formal audit function. You do need a handful of basic controls: split who approves payments from who makes them, set an approval threshold, reconcile the bank monthly, and have a second person review what the first one prepared. These cost nothing but attention and remove most of the common openings.

Isn't this just bureaucracy that slows everyone down?

It can become that if controls are added everywhere without thought, the binder-full-of-controls failure. The discipline is proportionality: put friction only where an error or theft would genuinely hurt, and keep the rest of the process fast. A good control is invisible most of the time and decisive on the rare occasion it's needed.

What should a non-finance leader ask for?

Three questions cover most of the ground. First: for any process where money moves, can one person both carry out a transaction and conceal it? Second: when did we last reconcile the key accounts, and who checked? Third: if internal or external audit raised issues, what were they and were they fixed? You don't need to run the controls yourself; you need to know they exist, who owns them, and that someone independent occasionally looks.

Related in the Toolkit

Controls protect the very numbers other tools rely on: the financial statements only mean something if the figures behind them are trustworthy, and a healthy control environment is exactly what an outsider is judging when reading an annual report.
