Systems of Control

By R. Lotan, June 3, 2026

Introduction

Having discussed the Anatomy of Risk and Risk Assurance Frameworks in prior write ups – and evoking along the way the tenets of risk management – we will now discuss controls. It follows logically that having identified and understood the risks that stand in the way of achieving its strategic objectives, an organization’s leaders have to – in response – design and orchestrate a system of controls which serves the core purpose of mitigating risk factors and enabling the organization to achieve its strategic objectives.

The concept image chosen for this article (a conductor and his orchestra) is highly relevant to our discussion: controls are best understood and managed as a system – a musical production in this analogy:  

  • The Producer represents the Board of Directors – the invisible architect of the system of governance, who defines the vision & strategy;
  • The Conductor represents the CEO and Senior Management – the visible leaders of execution who translate strategy into action;
  • The Conductor’s Baton represents the instrument of authority and influence entrusted to leadership – to facilitate coordination, enforce direction and build alignment;
  • Sections of the Orchestra – strings, woodwinds, brass, percussion and singer/choir – represent the organizational functions and layers/levels of control, distributed across divisional and operational levels, each with a specific role, confronted with specific risks and implementing controls tailored to those risks;
  • Harmony vs noise represents the ultimate test of the quality of controls – the extent to which controls are effective and aligned, risks are managed and objectives are consistently achieved.

From this setup, two things are immediately apparent:

  1. People are the cornerstone of a control system; from the board, to senior management and process-level leads, each one has a role to play – a part of the control system to animate – to help the organization succeed.
  2. Risk management and control systems are a means to an end, and not an end in themselves. Their effectiveness is to be judged by their effect on outcomes: harmony vs noise, strategic success versus operational chaos.  

This fourth article in our Governance Universe journey is not a recital or summary of established frameworks. No. It is intended to be practical, structured, and action-oriented—providing a template through which corporate leadership can build/assess their systems of control and strengthen coordination, monitoring, and overall control maturity.

Understanding Controls: Concepts and Foundations

Internal Control, Internal Controls, Control, Control Activities… these are terms often used in the GRC lexicon. But just what do they mean? Defining these terms from first principles is essential to ensure that meanings are not conflated and that each term is used appropriately within its context.

Internal Control is a process, effected by an entity’s Board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.[1] This definition positions People (The Board, Senior management and Support personnel) as those responsible for orchestrating controls, and highlights the end-purpose of internal control – the achievement of goals. Interestingly, the word risk is notably absent from this widely accepted COSO definition of internal control—yet, in practice, internal control exists primarily as a response to risk.

Control on its part is specific in nature – related to particular processes in an organization – designed and implemented to prevent, detect or correct deviations from expected outcomes (objectives). I like to think of controls as the foot soldiers of the control system; checkpoints, tasks, firewalls and filters embedded across organizational processes, ensuring that micro failures are prevented, detected and corrected in time so that, collectively, the organization is in a better position to achieve its goals.

The term Internal Controls is aptly used in reference to a set of individual controls within a given organizational process. A set of internal controls serves to ensure that the objectives of that process are achieved. This perspective is particularly useful when scoping processes for monitoring/audit purposes, or assessing the maturity of controls in relation to strategic objectives.

At SG, we prefer using the term Systems of Control. A system of control is a structured arrangement of inputs, processes, control activities, and feedback mechanisms, adapted to the organization and designed to continuously manage risk and enhance performance toward the attainment of strategic objectives. Viewing controls as a system (composed of interrelated subsystems) introduces multiple layers of action that the Board, Senior Management, and support functions can leverage to improve control maturity and optimize performance.

The System of Controls

In summary:

  • A control is a single mechanism;
  • Internal controls refer to a collection of controls within a defined process;
  • Internal control represents the organization-wide control architecture; and
  • A system of control is a structured model that enables management, oversight, optimization, and the continuous enhancement of control maturity across process, divisional, and organizational levels.

Risks & Controls: Two Sides of the Same Coin.

In GRC, one thing never fails—and that is going back to first principles. In exploring controls, the axiom Objective → Risk → Control must always be kept in mind—regardless of whether we operate at the level of oversight, management, operations or assurance. Organizations are built to achieve a purpose—goals often framed in a shared vision, mission statements, and strategic objectives. Standing in the way of these goals are structural, inherent, and systemic challenges—uncertainties—risks. Controls are therefore designed and implemented to mitigate these risk factors and increase the likelihood that the organization succeeds, according to its chosen measures of performance.

A commonly adopted approach to layering risks within an organization is to analyse across entity (organization-wide), divisional (functional), and process (operational) levels. Increasingly, risks are also being analysed and managed at the project level—particularly in organizations where cross-cutting operations and transformation initiatives are delivered through project-based structures. For a more aligned management of risks, it becomes essential that this stratification is extended to objectives and controls, which form part of the Objective → Risk → Control axiom. Objectives can therefore be structured as strategic goals at the entity level, functional performance goals at the divisional level, project delivery milestones at the project level, and transaction-level objectives at the process level.

Within this framework, it is critical that lower-level objectives support the achievement of higher-level objectives, thereby ensuring goal congruence across the organization. In this way, risks are defined in relation to objectives, and controls are designed in response to those risks—progressively translating strategy into execution. In this logic, controls must be matched to the level at which the corresponding risks arise. At the entity level, Board oversight and governance controls address strategic risks. At the divisional level, policies and performance reviews mitigate functional risks. At the project level, steering committees and milestone approvals address execution risks. At the process level, controls such as approvals, access restrictions, and reconciliations are best suited to transactional risks and objectives.

Objectives → Risks → Controls

The Risk and Controls Matrix:

A tool that translates this axiom from pure concept to practice is the Risk and Control Matrix (RCM). In practice, many RCMs are reduced to spreadsheets documenting processes, risks, controls, control owners, and execution frequency. However, when extended to reflect the Objective → Risk → Control logic and provide clarity on the criticality of controls, the RCM evolves beyond documentation into a structured representation of the relationship between strategy, risk exposure, and control mechanisms across organizational levels.

Viewed through this lens, the RCM becomes a central governance tool supporting four core processes:

  • Alignment: ensuring that risks are tied to clearly defined objectives and that controls address real and relevant exposures;
  • Traceability: enabling process-level controls to be connected back to risks and, ultimately, to strategic objectives;
  • Coordination: providing senior management and the Board with a consolidated and coherent view of risks and controls across the organization;
  • Monitoring and Improvement: offering a structured basis for evaluating control effectiveness, assessing internal control maturity, coordinating risk mitigation and performance improvement initiatives.

In Section E we will see how with the right methodology the RCM can serve as the basis for structured process-level and entity-wide maturity assessments.


The Control Environment: Culture is the Foundation of Systems of Control

As stated in the Introduction, people (human beings) are the cornerstone of every system of control. The attitudes and behaviours of people at every level of the organization – from the Board to senior management down to operational leads – create the prevailing culture of that organization. How power and authority are exercised, the quality and depth of Board oversight, and the place of accountability within the organization generally define the governance system in operation.

The COSO Framework positions culture and governance under the canopy of what is popularly known as the Control Environment. The framework describes the control environment as the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.[3] Elsewhere, it states that the control environment has a pervasive impact on the overall system of internal control.[4]

‘The basis for carrying out internal control’ … ‘a pervasive impact on the overall system of internal control’… these are strong statements. In plain terms: however well control activities are designed and executed, if the control environment is dysfunctional the organization will hardly live up to the standard of performance it has set for itself – its strategic objectives. Likewise, if the overall production of the orchestra is off (beginner instrumentalists, poorly calibrated instruments, delayed and inconsistent rehearsals, lack of preparation, no respect for the conductor’s instructions, limited understanding of score sheets, poor lighting and a rowdy audience), the performance will certainly be nothing short of a fiasco.

The Control Environment of an organization is generally reflected by:

  • the history of the organization; its heritage and legacy,
  • what values and belief systems are upheld and adhered to across the organization;
  • what behaviours are deemed dysfunctional or productive, and sanctioned or motivated… on a consistent basis;
  • the place of competence & excellence vs incompetence & mediocrity in the organization; and
  • the priorities demonstrated by leadership (the nebulous tone at the top) and emulated across the organization.

Invariably, discussing the control environment involves asking and answering difficult questions. Culture and governance are often perceived as “soft” topics, discussed in qualitative terms, and their stewardship is rarely approached in a structured and measurable way. Yet, what practical levers can the Board and Senior Management act upon—expediently—to effect meaningful and positive change in the control environment? And how can such actions be monitored and their effectiveness assessed in a disciplined manner? The COSO Framework articulates 10 such levers:

10 COSO Culture levers for action

The Institute of Internal Auditors (IIA) has recently contributed an interesting piece to the culture puzzle: the Topical Requirement on Organizational Behaviour. This guide published in December 2025 provides a structured, evidence-based approach to assessing human behaviour and its influence on governance, risk management and control practices. The Topical Requirement highlights key determinants of organizational behaviour auditors should focus on including: the tone at the top, consequence management, performance incentives, communication and risk-based decision making.  

A strong control environment creates the conditions for effective control, but it does not, by itself, guarantee performance. The true test lies in how well control activities are designed, operated, coordinated, monitored, and continuously improved over time. This brings us to the concept of internal control maturity—the yardstick by which the reliability and effectiveness of a control system can be assessed.

 

The Journey to Internal Control Maturity

To question maturity is to go beyond the broad construct of the control environment and dive deeper into the design, quality, and effectiveness of the system of control. Assessing the maturity of a system of controls ultimately seeks to answer a simple but fundamental question: Does the system of control serve its intended purpose? As established earlier, control systems are a means to an end—not an end in themselves. Their effectiveness is to be judged by their impact on outcomes—on the organization’s ability to consistently achieve its strategic objectives.

Established frameworks provide strong foundations for understanding governance and risk: the IIA’s Quality Assurance and Improvement Program (QAIP) focuses on internal audit quality, the RIMS Risk Maturity Model (RMM) provides structured maturity assessment for risk management, and the COSO 2013 Integrated Framework defines internal control through its components and principles. However, none offers a structured and widely adopted model for assessing internal control maturity across progressive levels.

 

The SG Consultants internal control maturity model

At SG, we have designed a structured approach to assessing internal control maturity, built around three cardinal phases: modelling, evaluation and improvement.

Modelling, Evaluation, Improvement: The Template for Assessing and Improving Internal Control Maturity

  1. Modelling: defining the structure of internal control within the organization by contextualizing its components and determinants, and establishing the maturity thresholds and assessment criteria to be applied. The COSO Framework provides a baseline structure that can be used to define the internal control components. Our model includes defined maturity levels and criteria of assessment.
  2. Evaluation: the systematic assessment, scoring and reporting of the effectiveness of the system of control over time. This is not a one-off exercise, but a coordinated process drawing on multiple sources—process performance indicators, control monitoring results, internal audit outcomes, and external assurance reviews.
  3. Improvement: the targeted and continuous improvement of the system of controls. Evaluation results and actions for improvement can be overlaid on the RCM, transforming it from a mere documentation tool into a central platform for coordination and improvement – providing senior management and the Board with a 360° view of control effectiveness. In a system of controls, improvements can be orchestrated at every stage of the system: inputs, processes, control activities, monitoring and oversight.

Our maturity model is built on a five-level progression that evolves from an initial stage to an optimized state. At the early stages of maturity, controls are often fragmented and applied inconsistently. As maturity increases, controls become more structured, integrated, and increasingly supported by technology. At advanced levels, control systems are continuously monitored and proactively improved.

The maturity of a system of control evolves through progressive stages, defined not only by how controls are designed, but by how effectively they are executed, monitored, and continuously improved in practice.

Control Maturity Levels

Maturity is achieved not by the number of controls in place, but by the consistency, effectiveness, and reliability with which they enable performance and risk management.

 

Guiding principles for assessing control maturity.

In our model, two parameters are used in assessing the maturity of controls: the control design and its operating effectiveness.

Control design: is the control designed to sufficiently and consistently mitigate risk? Control maturity begins with design. Here we assess each control in relation to the following core qualities:[5]

  1. Segregation of Duties: adequate segregation from adjacent duties that allows for non-duplication of effort and curbs fraud,
  2. Documentation: clear and up-to-date documentation in workflows, policies and procedures aligned with current practices,
  3. Resourcing: sufficient and competent human, material and technological resources are present to enable the control to operate and continue to operate in a consistent manner,
  4. Automation: the level to which technology is used to automate the control and reduce the incidence of human error and fraud.

Operating effectiveness: controls are not only expected to be well designed, but also to operate as intended over time. It means looking at whether controls are executed consistently – across all relevant circumstances – and whether they achieve their purpose within the limits of tolerable deviation. We assess operational effectiveness of control through collecting and verifying evidence of:

  1. Consistency: the extent to which the control is executed reliably across all relevant instances, and
  2. Effectiveness: the extent to which the control achieves its intended outcome, within acceptable deviation tolerance levels.

Control Design vs Effectiveness

The control maturity assessment process.

Beyond the metrics used to assess internal control, how can organizations actually go about assessing the maturity of their systems of control? This is a daunting task, one that requires a deep understanding of operations and control, ready access to performance data, and appropriate organizational positioning – at a level that facilitates access and the coordination of different sources of evaluation. In our model, the assessment of control maturity draws on multiple complementary sources:

  1. Performance Analysis: how well is a control performing in relation to associated process KPI(s)? Whilst it is not expected that each control should be tied to a KPI, process performance analyses provide valuable information on the effectiveness of controls. KPI analyses are the baseline criteria for scoring the effectiveness of controls, and can also provide insights into how consistently controls are performing over time.
  2. Control Monitoring Results: what is the outcome of the continuous monitoring of the control? Control monitoring provides relevant insights into the consistency of controls, and is a valuable opportunity to continuously assess the adequacy of control design, especially in situations of extreme instability and uncertainty.
  3. Internal Audit Reviews: what is the most recent independent assessment of the effectiveness of this control? Internal audits make an objective assessment of governance, risk management and compliance over operations. They are a great opportunity to have an objective and independent assessment of the design and operational effectiveness of controls.
  4. External audits and reviews: has there been an independent and external validation of the reliability of controls? External assessments provide much needed clarity when independence and credibility are critical. They also come in handy when related risks are critically high, and the complexity of operations necessitates special competencies outside the potential of internal assurance providers.

In determining what sources to rely on, we base our decision on the complexity of operations, the severity of related risks and the assurance expectations of leadership (the Board and senior management). At minimum, assessments over control maturity should be supported by performance indicators and monitoring activities. Independent (internal and external) assessments provide an additional level of comfort, especially when warranted by critical risks and complex situations. The depth of assessments & assurance used can be integrated into the RCM through a colour grading. Such an illustration allows for nuanced interpretation of results. A high maturity rating supported only by internal monitoring may signal the need for independent validation.
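An added example, not code from the article or from SG Consultants, showing how an RCM structured along the Objective → Risk → Control logic can be held as data rather than as a spreadsheet: it traces a process control up its objective chain, flags controls whose chain never reaches an entity-level objective, rates maturity from the four design qualities and the consistency/effectiveness evidence, and colour-grades the depth of assurance behind that rating so that a high rating backed only by internal monitoring is flagged for independent validation. The 1 to 5 weighting, the colour thresholds and the payables sample data are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENTITY, DIVISIONAL, PROJECT, PROCESS = "entity", "divisional", "project", "process"
DESIGN_QUALITIES = ("segregation_of_duties", "documentation", "resourcing", "automation")
INTERNAL_SOURCES, INDEPENDENT_SOURCES = {"kpi", "monitoring"}, {"internal_audit", "external_review"}

@dataclass
class Objective:
    id: str
    level: str
    statement: str
    supports: Optional[str] = None  # id of the higher-level objective this one serves

@dataclass
class Risk:
    id: str
    objective_id: str  # the objective this risk stands in the way of
    statement: str

@dataclass
class Evidence:
    source: str           # kpi | monitoring | internal_audit | external_review
    consistency: float    # 0..1: share of relevant instances where the control was executed
    effectiveness: float  # 0..1: share of executions that achieved the intended outcome

@dataclass
class Control:
    id: str
    risk_id: str
    description: str
    design: Dict[str, bool]  # which of the four design qualities are met
    evidence: List[Evidence] = field(default_factory=list)

class RCM:
    def __init__(self):
        self.objectives: Dict[str, Objective] = {}
        self.risks: Dict[str, Risk] = {}
        self.controls: Dict[str, Control] = {}

    def add(self, *items):
        for it in items:
            {Objective: self.objectives, Risk: self.risks, Control: self.controls}[type(it)][it.id] = it
        return self

    def trace(self, control_id):  # traceability: objective ids from the control's risk up to entity level
        chain, obj = [], self.objectives.get(self.risks[self.controls[control_id].risk_id].objective_id)
        while obj is not None:
            chain.append(obj.id)
            obj = self.objectives.get(obj.supports) if obj.supports else None
        return chain

    def unaligned_controls(self):  # alignment check: the chain must end at an entity-level objective
        return [cid for cid in self.controls
                if not (chain := self.trace(cid)) or self.objectives[chain[-1]].level != ENTITY]

    def maturity(self, control_id):  # rating 1..5 = design quality x operating effectiveness (assumed weighting)
        c = self.controls[control_id]
        design = sum(c.design.get(q, False) for q in DESIGN_QUALITIES) / len(DESIGN_QUALITIES)
        if not c.evidence:
            return 1  # nothing shows the control operating: initial level at best
        operating = sum(min(e.consistency, e.effectiveness) for e in c.evidence) / len(c.evidence)
        return 1 + round(4 * design * operating)

    def assurance_grade(self, control_id):  # depth of assurance behind the rating, as a colour grade
        sources = {e.source for e in self.controls[control_id].evidence}
        if not INTERNAL_SOURCES <= sources:
            return "red"  # below the minimum of performance indicators plus monitoring
        return "green" if sources & INDEPENDENT_SOURCES else "amber"  # amber = internal evidence only

    def needs_independent_validation(self, control_id, threshold=4):  # high rating, internal evidence only
        return self.maturity(control_id) >= threshold and self.assurance_grade(control_id) == "amber"

def build_sample_rcm():  # constructed sample: a payables control cascading up to an entity objective
    return RCM().add(
        Objective("O-E1", ENTITY, "Deliver reliable financial reporting"),
        Objective("O-D1", DIVISIONAL, "Finance: close the books accurately every month", supports="O-E1"),
        Objective("O-P1", PROCESS, "Payables: only approved invoices are paid", supports="O-D1"),
        Risk("R-P1", "O-P1", "Duplicate or fictitious invoices are paid"),
        Risk("R-P9", "O-MISSING", "Risk whose objective was never documented"),
        Control("C-P1", "R-P1", "Three-way match before payment release",
                design={"segregation_of_duties": True, "documentation": True, "resourcing": True, "automation": False},
                evidence=[Evidence("kpi", 0.95, 0.90), Evidence("monitoring", 0.98, 0.96)]),
        Control("C-P9", "R-P9", "Manual review, no evidence collected", design={}),
    )
```

Running the sample, the three-way match rates 4 on internal evidence alone and is therefore flagged for independent validation, while the control hanging off an undocumented objective shows up as unaligned, at level 1 and graded red.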


The RCM is the foundation of Internal Control maturity assessment.

The Risk and Controls Matrix is really what makes maturity assessments feasible, scalable and coordinated. When properly structured—aligned with the Objective → Risk → Control logic and populated with clearly defined control activities across entity, divisional, and process levels—the RCM provides visibility and traceability and eases coordination. When supported by adequate technology, the RCM goes beyond facilitating the documentation of risks and controls, and can be used to coordinate performance optimization and assurance activities.

The RCM, Central Hub of Internal Control Maturity Assessment

Some caution is necessary:

While organization-wide maturity assessments may appear attractive, they can quickly become superficial and misleading if not grounded in structured analysis. Statements such as: “Our internal control system is currently at level 4.2” are tempting, but should be approached carefully.  A credible maturity assessment must be grounded in a clearly articulated control framework (modelling), reliable performance and monitoring data (first- and second-line assessments), coordinated independent assurance inputs (internal audit, external reviews), and transparency and consistency in the application of assessment methodology (scoring, weighting and criticality assessments).

Ultimately, maturity is not a fancy headline metric, but the result of a disciplined, bottom-up evaluation process. The most reliable assessments begin at the process level and progressively build toward an organization-wide view. It takes time, structure and commitment.

 

Harmony V Noise: The Soothing Melody of Effective Systems of Control

If we are to understand controls as a system, then their ultimate test is not found in policies, matrices, or audit reports—it is found in Performance, which, as previously established, is the most resounding theme across noteworthy definitions of Governance. The question is simple:

“Does the organization’s system of controls produce harmony or noise – success or chaos?”

In an orchestra, each instrument may be technically sound, each musician individually competent, and each section well-rehearsed. Yet without alignment—without coordination in tempo, rhythm, and interpretation—the result is noise. The music exists – instruments are played – but the performance fails. Similarly, in organizations, controls may exist in abundance – everyone seems busy – yet operational failures persist, audit findings recur year after year and decision-making lacks clarity.

In contrast, where objectives are clearly articulated across levels, risks are consistently identified and structured, and controls aligned to those risks, control activities reinforce one another, and performance becomes stable and predictable. When instruments are well calibrated, the best instrumentalists are selected, team cohesion is strong and the overall production environment is well managed, the symphony becomes a delightful experience.

The system of control provides the Board and senior leadership with clear levers through which meaningful improvements in organizational performance can be engineered:

  1. Inputs: a solid risk management framework, a clear and competitive strategy, and competent, well-equipped resources;
  2. Processes: efficient and optimized operations, lean workflows, and well-informed decision-making;
  3. Control Activities: controls that are well designed, consistently implemented, and supported by appropriate technology;
  4. Monitoring and Independent Reviews: continuous monitoring and independent assurance providing structured feedback on performance and control effectiveness; and
  5. Governance and Oversight: a Board that receives timely, relevant, and reliable information to guide decisions and steer improvements across the system.

At the centre of this transformation (from noise to harmony) sits an often-underutilized tool: the Risk and Control Matrix. When poorly structured, the RCM is merely a documentation exercise. But when aligned with the Objective → Risk → Control logic and consistently maintained across entity, divisional and process levels, it becomes the coordination backbone for greater alignment, coordination and maturation of the system of controls. The journey from noise to harmony is not achieved by adding more controls, but by structuring them, aligning them, coordinating their execution, and creating the appropriate environment – a system of control does not operate on its own, but is animated by people. An orchestra with a perfect script, best instruments but no discipline will still produce noise. Likewise, an organization with well-designed controls but a weak control environment will struggle to achieve consistent performance.

Let's Connect!

Organizations seeking to move from fragmented control practices to coherent, performance-driven systems must go beyond documentation and embrace a structured, system-wide approach. Whether it involves consolidating Risk and Control frameworks, strengthening the design and coordination of control activities, or assessing the maturity of controls across process and organizational levels, the journey requires clarity, discipline, and informed guidance.

At SG Consultants, we bring a structured methodology grounded in systems thinking, alignment with leading frameworks, and adaptation to organizational realities, enabling organizations to:

  • structure and consolidate their Risk and Control Matrices (RCMs),
  • design and strengthen systems of control aligned with strategic objectives,
  • conduct process-level, project-based and entity-wide control maturity assessments, and
  • develop targeted roadmaps for continuous improvement and performance optimization.

We welcome the opportunity to support organizations committed to transforming their control environments—from fragmented efforts into coherent systems that deliver clarity, coordination, and sustained performance.

Email: [email protected]
Tel: (+237)670-325-203

___________________________________

[1] COSO (2013), Internal Control—Integrated Framework, Executive Summary, p. 15.

[2] This structured cascade of risk across organizational levels also enables the aggregation of risk severity. Risks assessed at the process and divisional levels can be consolidated to provide a coherent view of exposure at higher levels, including the entity as a whole. This will be explored in more detail in a future article.

[3] COSO (2013), Internal Control—Integrated Framework, Framework & Appendices, p. 26.

[4] COSO (2013), Internal Control—Integrated Framework, Framework & Appendices, p. 45.

[5] At the process level, the entirety of these qualities could be relevant for the assessment of a control’s design. As we rise up the ranks to the entity level, where controls are more directive in nature, the expectations for effective design would be more along the lines of documentation and a segregation of duties that provides clarity and eases oversight.
