Internal controls are the policies, procedures, and checks an organisation uses to safeguard assets, prevent errors, and keep records reliable.
Internal controls are the policies, procedures, and checks an organisation builds into its everyday processes to safeguard assets, prevent and catch errors, and keep financial and operational records reliable. A control can be as formal as a documented asset management policy or as small as requiring a second person to approve a purchase - what makes it a control is that it constrains how things can go wrong, rather than relying on everyone being careful.
Preventive, detective, and corrective controls
Controls are usually grouped by when they act:
- Preventive controls stop a problem before it occurs: approval required before money is spent, equipment issued only against a recorded checkout, storerooms locked, system permissions limited by role.
- Detective controls surface problems after the fact: periodic physical counts reconciled against the register, review of audit trails, warranty and invoice checks, exception reports for overdue returns.
- Corrective controls repair the damage and stop the repeat: a formal write-off procedure, a root-cause look at how the laptop went missing, a revised process so the same gap cannot reopen.
The classic design principle underneath all three is segregation of duties - no single person should be able to both commit and conceal an error.
Internal controls over physical and IT assets
Asset controls are where theory gets concrete. The ones that earn their keep: register every item at receipt, before it disappears into a drawer; give shared kit such as conference room equipment a named custodian so “everyone’s responsibility” does not become no one’s; record every handover, because the register is only a control while it matches reality; count a sample periodically rather than trusting the paperwork; and require sign-off plus a data wipe before anything is disposed of. Controls should also be proportionate - per-item custody records for chargers and cables would cost more than the cables, so low-value pooled stock is better controlled by reorder counts than by signatures.
What controls look like in a small team
A five-person company cannot split every process four ways, and does not need to. The workable pattern is compensating controls: keep the preventive basics (approval above a money threshold, a register, recorded handovers), and lean on detection where prevention is impractical - the owner reviews the audit log monthly, counts happen quarterly, and anything unusual gets asked about while memories are fresh. The trap to avoid is the opposite one: copying an enterprise control framework wholesale, finding it unbearable, and abandoning controls entirely.
Internal controls in practice
Controls fail quietly when they live in a policy document and nowhere else, so the durable approach is to embed them in the tools people already use for the work. In AMPthilly, asset requests route through an approval queue and every decision is logged in the audit trail under the named approver, which gives a small team a preventive and a detective control without any extra paperwork. The measure of success is dull by design: fewer surprises at count time, and an audit that consists of pointing at records rather than explaining their absence.
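The detective and preventive checks described above (register reconciled against a physical count, an exception report for overdue returns, and a segregation-of-duties check on the approval log) as an added Python example; this is not AMPthilly's code, and the register, count and approval log are constructed sample data.

```python
# Added example, not AMPthilly code: the asset controls described above run over
# a small constructed register, a constructed count and a constructed approval log.
from datetime import date

# Constructed sample data: the register as the record-keeping control claims it.
REGISTER = [
    {"tag": "LAP-001", "custodian": "alice", "checked_out": date(2024, 1, 10), "due": date(2024, 1, 24)},
    {"tag": "LAP-002", "custodian": "bob", "checked_out": None, "due": None},
    {"tag": "LAP-003", "custodian": "dave", "checked_out": None, "due": None},
    {"tag": "PRJ-001", "custodian": "room-a", "checked_out": None, "due": None},
]
# Constructed result of a quarterly count: what was actually found on the shelves.
COUNTED = {"LAP-002", "PRJ-001", "MON-007"}  # MON-007 was never registered
COUNT_DATE = date(2024, 3, 1)

# Constructed approval log: each request names who asked and who approved.
APPROVALS = [
    {"request": "REQ-1", "requester": "alice", "approver": "carol"},
    {"request": "REQ-2", "requester": "bob", "approver": "bob"},  # self-approved
]


def reconcile(register, counted):
    """Detective control: compare the register with the physical count.
    Returns (missing, unrecorded): tags on the register but not found on the
    shelf and not on loan, and tags found but never registered."""
    registered = {item["tag"] for item in register}
    on_loan = {item["tag"] for item in register if item["checked_out"]}
    missing = sorted(registered - counted - on_loan)
    unrecorded = sorted(counted - registered)
    return missing, unrecorded


def overdue_returns(register, today):
    """Exception report: recorded handovers whose due date has passed."""
    return sorted(item["tag"] for item in register if item["due"] and item["due"] < today)


def self_approvals(approvals):
    """Segregation-of-duties check: nobody may approve their own request."""
    return sorted(a["request"] for a in approvals if a["requester"] == a["approver"])


if __name__ == "__main__":
    print(reconcile(REGISTER, COUNTED))  # (['LAP-003'], ['MON-007'])
    print(overdue_returns(REGISTER, COUNT_DATE))  # ['LAP-001']
    print(self_approvals(APPROVALS))  # ['REQ-2']
```

Each function returns the exceptions rather than printing them, so the same checks can feed a scheduled report or a test suite.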
Related terms
- Segregation of Duties - the design principle that splits a process so no one person controls it end to end
- ISO 27001 Asset Management - the security standard whose Annex A is essentially a catalogue of controls
- Information Asset Register - the record-keeping control for data and information assets
- Data Retention Policy - the control governing how long records are kept and producible
- Asset Management Policy - the document that names who may approve, hold, and record assets