Internal Controls
Internal controls are governance mechanisms that protect institutional integrity. They help ensure that actions are authorized, records are accurate, assets are protected, duties are separated, conflicts are disclosed, decisions are reviewed, errors are corrected, and misconduct is deterred. Internal controls are not bureaucracy. They are the operating safeguards that preserve fiduciary accountability and institutional continuity. Without internal controls, institutions rely on trust alone — a condition that cannot sustain accountability.
Internal controls are the policies, procedures, approvals, records, reviews, and safeguards used to ensure institutional actions are authorized, accurate, compliant, accountable, and protected from misuse.
No institutional control system should operate without identifying:
- control objective (what risk or risk is being addressed);
- responsible party (who is accountable for the control);
- approval requirement (what approvals are required);
- record requirement (what documentation must be maintained);
- review standard (how the control is monitored);
- escalation process (how control failures are reported); and
- correction procedure (how deficiencies are remediated).
If any of these elements is missing, the control is incomplete and may be ineffective.
Internal controls doctrine provides the framework for institutional safeguards. Key elements include:
- Control Environment: The organizational culture, policies, and oversight that set the tone for internal control. The control environment influences whether controls are taken seriously.
- Risk Assessment: Identifying risks that could prevent the institution from achieving its objectives. Controls are designed to mitigate identified risks.
- Control Activities: Specific actions that implement controls: approvals, authorizations, verifications, reconciliations, and physical or digital safeguards.
- Segregation of Duties: No single person should have control over all aspects of a transaction (authorization, custody, recordkeeping, review). Segregation prevents and detects errors or fraud.
- Authorization Limits: Defined spending, approval, and decision limits by role. Transactions exceeding limits require higher-level approval.
- Approval Workflows: Documented sequences of review and approval for material actions. Workflows ensure that multiple eyes review significant decisions.
- Record Controls: Policies for creating, authenticating, retaining, and disposing of records. Record controls protect data integrity and availability.
- Access Controls: Restrictions on who can access systems, records, assets, and sensitive information. Access controls prevent unauthorized use.
- Monitoring: Ongoing review of control effectiveness through oversight, audits, exception reports, and management review.
- Corrective Action: When controls fail or deficiencies are identified, corrective action must be taken, documented, and reviewed.
- Audit Trail: A chronological record of transactions, approvals, access, and changes. Audit trails enable reconstruction of events and detection of irregularities.
- Fiduciary Oversight: Fiduciaries must ensure that internal controls are adequate to protect entrusted property and fulfill fiduciary duties.
- COSO Internal Control — Integrated Framework – The leading framework for designing, implementing, and evaluating internal controls, organized around five components: control environment, risk assessment, control activities, information and communication, and monitoring.
- Generally accepted governance, risk, and compliance principles – Internal controls are foundational to GRC; without controls, governance is unenforceable.
- Generally accepted internal audit and control principles – Auditing standards require evaluation of internal controls as part of audit procedures.
- Uniform Trust Code § 801 – A trustee shall administer the trust in good faith, which requires adequate internal controls over trust administration.
- Uniform Trust Code § 802 – The duty of loyalty requires controls that detect and prevent self-dealing.
- Uniform Trust Code § 810 – A trustee has a duty to keep trust property separate and maintain clear records — a core internal control.
- Uniform Trust Code § 813 – A trustee has a duty to inform and report, which relies on internal controls over information.
- Restatement (Third) of Trusts § 77 – The duty of prudence requires trustees to implement appropriate controls over trust administration.
- Restatement (Third) of Trusts § 83 – A trustee has a duty to furnish information, which requires controls over information accuracy.
These authorities reflect broadly recognized internal control, fiduciary, governance, and recordkeeping principles. Specific application depends on entity type, governing instruments, operational risk, jurisdiction, and competent professional review.
Internal controls apply across all organizational contexts:
- Trust Administration: Separate trust property from personal assets (segregation of assets). Implement account controls (dual approval for large transactions). Establish distribution approvals (defined limits and review). Conduct accounting review (periodic reconciliation).
- Institutional Governance: Define approval workflows (who can approve what). Require conflict disclosures with documented review. Implement access permissions (role-based access to systems and records). Monitor policy compliance through periodic review.
- Administrative Process: Notice controls ensure that notices are properly issued and delivery is documented. Evidence handling requires chain-of-custody controls. Review logs document who reviewed what and when. Corrective action records demonstrate remediation.
- AI Governance: Access controls restrict who can use AI tools. Human review controls ensure outputs are verified. Audit logs preserve records of AI use. Incident reporting captures AI failures or misuse.
Private Individual Capacity: A private person may choose personal controls, but institutional accountability is not automatically created. Personal controls are voluntary.
Representative / Fiduciary Capacity: A fiduciary must use controls sufficient to protect entrusted property and fulfill duties. Failure to implement adequate controls may constitute a breach of the duty of care.
Institutional / Office Capacity: An officeholder must follow controls established by governing instruments, policies, and oversight standards. Controls are mandatory, not optional.
Capacity determines consequence. The same person may operate without formal controls in personal capacity but must follow strict controls in fiduciary or institutional capacity.
- Internal control policy (written control framework).
- Risk assessment (documented risk identification).
- Approval matrix (who can approve what).
- Segregation of duties chart (assigned responsibilities).
- Access control records (who has access to what).
- Authorization records (approvals granted).
- Accounting controls (ledgers, reconciliations, separation of duties).
- Conflict disclosure records (documented disclosures and review).
- Review logs (records of oversight and monitoring).
- Audit trail (chronological record of transactions and approvals).
- Incident reports (control failures or breaches).
- Corrective action records (documented remediation).
- Policy exception records (authorized deviations).
- Signature capacity records (who approved, who acted).
Core rule: If it is not controlled, it is not governed. Internal controls must be documented and enforced.
- No written controls – relying on unwritten practices that cannot be enforced or reviewed.
- Informal approvals – verbal approvals without documentation.
- One person controls everything without review – no segregation of duties, creating fraud risk.
- No segregation of duties – the same person authorizes, processes, and reviews transactions.
- No access controls – anyone can access systems, records, or assets.
- No audit trail – no record of who did what, when, or why.
- No conflict procedure – failing to require or review conflict disclosures.
- No correction process – control failures identified but not remediated.
- Outdated policies – controls not updated to reflect current operations or risks.
- Treating controls as optional – assuming controls can be bypassed without consequence.
KLI teaches internal controls because institutional integrity depends on more than intention. Controls convert duty into procedure, procedure into records, and records into accountability. Structure determines outcome. Organizations that implement internal controls reduce risk of error, fraud, misuse, and non-compliance. Controls are not bureaucracy; they are the operational safeguards that transform governance from aspiration into enforceable discipline.
- Institutional Governance (KLI-KL-GOV-001)
- Institutional Accountability (KLI-KL-GOV-002)
- Governance Records (KLI-KL-GOV-003)
- Authority Delegation (KLI-KL-GOV-004)
- Duty of Care (KLI-KL-FID-005)
- Duty to Account (KLI-KL-FID-004)
- Trust Accounting (KLI-KL-TRUST-009)
- AI Risk Management (KLI-KL-AI-002)