Getting started with internal controls

Kaffe och bok
Written by
Karl Sandström
Reading time
2 min

How do you start your internal control work when there are no structures in place? How do you rekindle a slowed or halted process? To help you and your organisation, we have collected some of our best tips to help you secure the praise of the auditors every time they visit.

Step 1: Develop a simple and clear process

Unfortunately, the internal control work is in many organisations seen as difficult and something ’extra’ that has to be done on top of other work. But, as usual, it is about process and procedures – how we do things.

  • Develop clear steer-documents

Make sure they are concrete and the content accessible. Avoid vagueness and break down complicated processes to detail level.

  • Set clear expectations

Use a planning wheel! It’s an excellent way to break down all the annual activities and make them visible to the business. Clarity and simplicity generates assurance and trust.

  • Be exact in your definitions

Develop a glossary! It will make it easier for the whole organisation to ’talk the same talk’ and ensures that everyone knows the difference between risks, controls, assessment, and action.

  • Generate overview and transparency with a digital tool
    Collecting all the information in one place facilitates cross-functional learning and prevents time and energy going into inventing the same wheels over and over again.

  • Integrate internal control with the business planning
    Make sure everyone works together! To integrate internal controls is a good way to ensure that it’s not seen as a parallel process that is side-lined by ’real’ work.

Step 2: Change management takes a lot of energy

With a clear plan and structure showing where you want to go and how to get there, half the battle is already won.

  • Develop a clear and realistic vision
    ’Where do we want to be with our internal control work in 1, 3, and 5 years?’ If the business has the same understanding of the objectives, it’s easier to bring people along on the journey.

  • Establish the necessity of the change
    If you can’t explain why and how internal controls add value, nor will the business. Find your specific reason!

  • Communicate, communicate, and communicate with your people

No one likes changes, especially if they appear out of the blue. A good rule of thumb is to communicate at least double the volume of what you think is sufficient. This is especially important in relation to new ways of working.

  • Distribute and delegate responsibility!
    Ensure that at least one person centrally and one person at each organisational level is a knowledge leader with a responsibility to drive the work onwards and upwards. Nothing just happens, least of all internal controls.


Step 3: View internal controls as systematic improvement work

A lot of what you are already doing is actually a part of internal controls. As you know, the purpose of internal controls is to manage the most relevant risks related to e.g. compliance and requirements, before they materialise. The internal control process is about creating an overview and establish assurance that there is order in the business, to then be able to build on this foundation.

Many businesses make the mistake of focusing on the evaluation. Don’t forget that the majority of work is in the continuous improvement of the business. Only when this is done is there anything relevant to evaluate.

Step 4. Finally – have a suitable ambition-level

When people are unused to a structured internal control process, it’s important to remember that it is a marathon, not a sprint. Dare to acknowledge that change takes time and that established ways of working don’t change overnight.

Start your work by setting reasonable expectations, for example asking each part of the business to assess their risks and identify only the five most crucial. These five require a risk management plan including mitigation controls, improvement actions, and follow-up. Increase the expectations next year.

And remember: One step forward is better than no step at all!  

Do you want to read more about risk management? Check out our guide “Your guide to understanding risk analysis”. You can download it on the link below.

Download guide