The financial and operational health of any firm depends on effective risk management. To provide the kinds of data that support their financial and operational management, businesses rely on ever-complexer systems. Companies expose themselves to considerable financial risks, such as fraud and asset loss, if the system has a defect in its functioning or design. Internal controls are among the most crucial resources available for effective risk management even if some risk is unavoidable.

The American Institute of Certified Public Accountants (AICPA) states that internal controls are intended to offer a reasonable level of assurance regarding the accomplishment of a company's goals in three crucial areas: the accuracy and dependability of financial reporting, the effectiveness and efficiency of operations, and compliance with relevant laws and regulations. When a control does not enable management or staff to prevent, detect, and remedy misstatements in a timely manner, there is a failure in internal control.

An suitable internal control system is the responsibility of management, and the management's annual Internal Controls Report must include an evaluation of the effectiveness of the control structure. However, the company's claim that appropriate internal controls are in place may also need to be attested to by an independent external auditor.