Risk registers describe what could go wrong. Controls are what you actually do about it. A risk without a control is a worry; a control without a risk is overhead. The discipline that connects the two - consistently, across an entire organisation - is the control framework.
In short
An internal control is any process, check, approval or system setting that reduces the likelihood or impact of a risk. A control framework is the structured set of controls - and the principles behind them - that lets you manage risk the same way everywhere.
- Types - preventive (stop it), detective (catch it), corrective (fix it); manual vs automated; key vs non-key.
- Effectiveness - a control must pass two tests: design effectiveness and operating effectiveness.
- Good controls - specific, owned, risk-linked, evidenced, proportionate and testable.
- Frameworks - COSO, COBIT, ISO 27001, NIST give you a shared taxonomy so controls are defined and tested consistently.
What Is an Internal Control?
An internal control is a deliberate action, rule or mechanism that an organisation uses to keep a risk within appetite. Controls take many forms - a segregation of duties, a system that blocks an action, a reconciliation, an approval workflow, a policy, a training requirement, a monitoring report. What they share is intent: each one exists to change the likelihood or the impact of a specific risk.
This is why controls sit at the heart of every risk methodology. In the language of gross, net and residual risk, controls are precisely what moves a risk from its gross (uncontrolled) position to its net (controlled) position. Assess the controls and you can defend the residual number; ignore them and the register is just opinion.
What Is a Control Framework?
A control framework is a structured, principle-based system for organising controls so they are defined, owned and tested consistently across the organisation. Rather than every team inventing its own controls in its own words, a framework provides a shared taxonomy: standard control categories, standard language for design and effectiveness, and a standard way to evidence that a control works.
Most organisations adopt or map to one or more established frameworks rather than starting from scratch. The best-known are:
| Framework | Primary focus | Typically used for |
|---|---|---|
| COSO Internal Control | Financial and enterprise controls | SOX, UK Provision 29, board assurance |
| COBIT | IT governance and management | Technology and data controls |
| ISO 27001 (Annex A) | Information security | InfoSec certification, customer assurance |
| NIST CSF / SP 800-53 | Cybersecurity | US federal, security programmes |
| PCI DSS | Payment card security | Anyone handling card data |
You do not need to boil the ocean. A mid-sized regulated firm might anchor its financial controls to COSO, its security controls to ISO 27001, and stop there. The point of a framework is not the badge - it is the discipline of a consistent, defensible control library.
The Types of Controls
Controls are classified in a few complementary ways. The most important is by purpose - what the control is trying to do in the sequence of an event.
- Preventive controls stop a problem before it happens. Example: a system that will not release a payment without a second authoriser; segregation of duties so no one person can both create and approve a supplier.
- Detective controls identify a problem after it has happened, so it can be dealt with. Example: a monthly bank reconciliation; exception reporting; access-log reviews.
- Corrective controls put things right once a problem is detected. Example: an incident response process; a data-restore procedure; a remediation workflow.
- Directive controls steer behaviour toward the desired outcome. Example: policies, procedures, mandatory training and standards.
- Compensating controls substitute for an ideal control that is not feasible. Example: enhanced monitoring where full segregation of duties is impossible in a small team.
Two further distinctions matter in practice:
- Manual vs automated. Automated controls (system-enforced) are more reliable and cheaper to test than manual ones (a person performing a check), because they operate consistently and leave a log.
- Key vs non-key. Key controls are the ones you rely on most to keep a material risk in check. Testing effort should concentrate here, not spread thinly across hundreds of minor controls.
| Control type | Purpose | Example |
|---|---|---|
| Preventive | Stop it happening | Second-authoriser on payments |
| Detective | Catch it after the fact | Monthly reconciliation |
| Corrective | Fix it once found | Incident response plan |
| Directive | Guide behaviour | Policy and mandatory training |
| Compensating | Substitute for the ideal | Extra monitoring in small teams |
The Anatomy of a Well-Designed Control
Whatever its type, a control is only useful if it is defined well enough to be relied on and tested. A well-designed control has six characteristics:
- Specific - it states exactly what must happen, not a vague aspiration. "All payments over £10,000 require a second authoriser" beats "payments are reviewed".
- Owned - a named person in the first line is accountable for it operating.
- Risk-linked - it maps to a specific risk on the register, so its purpose is unambiguous.
- Evidenced - it produces proof it ran: an approval record, a system log, a signed reconciliation.
- Proportionate - the effort to operate it is justified by the size of the risk. Over-controlling is as damaging as under-controlling.
- Testable - both its design and its operation can be objectively checked.
The "management review" control
The single most common weak control is a line that simply reads "management review" or "regular monitoring". Reviewed by whom? How often? Against what? Evidenced how? Without those answers there is nothing to test, and the control provides comfort without assurance. If you cannot describe the evidence a control produces, you do not yet have a control - you have an intention.
Control Design vs Operating Effectiveness
This is the distinction auditors, regulators and boards care about most - and the one most control libraries blur. Every key control must pass two separate tests:
- Design effectiveness - if this control operated exactly as intended, would it actually mitigate the risk? This is a judgement about the control on paper.
- Operating effectiveness - did the control actually operate as intended, consistently, across the period being assessed? This is a test against evidence.
The two failure modes are different and both are common. A control can be well designed but poorly operated - the second-authoriser rule exists, but under deadline pressure people share logins and skip it. Or a control can be diligently operated but poorly designed - a team performs a monthly review religiously, but the review does not actually address the risk it is attached to.
You need both tests, or you cannot defend the residual risk. A control that passes design but fails operation is a false comfort; a control that passes operation but fails design is wasted effort. When you report a residual risk to the board, you are implicitly claiming both tests pass for the key controls behind it. If you have not checked, you cannot defend the number - which is exactly where most RCSA programmes quietly fail.
How to Design an Effective Control (Step by Step)
- Start from the risk, not the control. Name the risk and whether you are reducing its likelihood or its impact.
- Define the control objective in one testable sentence.
- Choose the control type - preventive/detective/corrective and manual/automated. Prefer preventive-and-automated where you can.
- Assign an owner and a frequency - a named first-line owner and a defined cadence.
- Specify the evidence up front - what proof shows the control operated.
- Test design first, then operation - confirm it would work, then confirm it did.
Worked Example: A Payment Approval Control
Risk: a fraudulent or erroneous large payment is released. Control objective: no payment over £10,000 is released without a second authoriser independent of the person who raised it. Type: preventive, automated (enforced in the payment system). Owner: Head of Finance Operations. Frequency: per-transaction. Evidence: system approval log showing two distinct approvers per qualifying payment.
Design test: confirm the system rule blocks single-approver payments over the threshold. Operating test: sample a month of qualifying payments and confirm every one has two distinct approvers in the log. If both pass, the residual risk of an unauthorised large payment is genuinely low - and you can prove it.
Why Control Frameworks Matter
A consistent control framework is not bureaucracy for its own sake. It delivers four things a pile of ad-hoc controls cannot:
- Board and regulator confidence - evidence that risks are actively managed and tested, not merely logged.
- No gaps or duplication - a taxonomy shows where a risk has no control, and where three controls do the same job.
- A common language - the first line, risk, compliance and audit describe and test controls the same way, aligned to the Three Lines of Defence model.
- Efficient assurance - because controls are defined and evidenced, testing is repeatable rather than a rediscovery exercise every cycle.
A Practical Control Design Checklist
- Every key control maps to a specific risk on the register.
- Each control has a named first-line owner and a defined frequency.
- The control objective is written as one testable sentence.
- The evidence the control produces is specified in advance.
- Design effectiveness and operating effectiveness are assessed separately.
- Key controls are distinguished from non-key, so testing effort is focused.
- Automated controls are preferred where the risk and cost justify it.
How Initia Puts Controls Into Practice
A control framework only works if it lives where the work happens, not in a spreadsheet nobody opens between audits. Initia Risk builds the control library into the platform: controls are linked directly to the risks they mitigate, each has an owner and a cadence, design and operating effectiveness are assessed as distinct tests, and every assessment carries its evidence and an audit trail.
That is what turns a control framework from a static document into a living assurance process - and what lets you defend a residual risk position to the board with evidence rather than assertion. For the assessment process that operationalises all of this, see what an RCSA is and why most fail, and for the scoring layer behind it read gross risk vs net risk vs residual risk. If your controls feed regulatory work, our guide on identifying material internal controls under Provision 29 shows how to prioritise the ones that matter.
For one-line definitions of the terms used here - control, key control, design vs operating effectiveness, RCSA, residual risk - see our GRC and risk management glossary.

