
DOES YOUR BUSINESS HAVE CONTROL?
June 19, 2020
7 SIGNS YOUR SYSTEMS ARE FAILING
By: Ylli Llonçari – Director, Audit Assurance, Baker Tilly Kosovo
One thing I have learned throughout all these years as an auditor is this:
The greatest risk to a business is not competition – it is the absence of internal controls.
Most financial issues in Kosovo businesses do not arise from fraud.
They occur from missing or weak basic controls that no one had the time or the system to notice.
In a world where technology evolves rapidly, processes become more complex, and pressure increases,
internal controls are not a luxury, nor bureaucracy. They are the shield that protects the business.
Internal controls directly influence the reliability of financial reporting, operational efficiency, data security,
and long-term stability. To make these concepts as understandable as possible, I explain them through
practical everyday examples, linking them to the requirements of the ISAs and the COSO framework, the
most widely adopted global standard for internal control systems.
1. WHAT ARE INTERNAL CONTROLS AND WHY ARE THEY ESSENTIAL?
The car analogy – a business without controls
Imagine driving a car without a speedometer, without lights, without brakes.
On the highway, everything may seem perfectly fine… until the moment danger appears. How would you react?
How would you protect yourself?
In business terms: everything looks normal until a mistake surfaces, a fraud incident occurs, a delay
disrupts operations, a document goes missing, or an unauthorized transaction slips through.
Throughout my career, I have seen companies fall into difficulty not because of poor work or weak
processes, but because they lacked warning signals.
Internal controls are those signals. But are we truly clear on the difference between a process and a control?!
2. PROCESS VS. CONTROL – THE MOST COMMON MISUNDERSTANDING IN BUSINESSES
Many businesses assume that having a process automatically means having a control.
In reality, these are two completely different concepts, although neither can function effectively without the other.
The cake analogy
– Think of the steps required to prepare a cake = PROCESS
– Now think of ensuring the cake turns out exactly as intended: accurate measurement of ingredients, monitoring oven temperature, controlling baking time = CONTROLS
The role of control in this scenario is clear: controls prevent errors, detect deviations when they occur, and
enable timely correction without having to “throw away” the entire cake.
The same applies in business:
- A process describes how transactions are initiated, processed, and recorded.
- A control ensures that transactions are prevented from going wrong, that deviations are detected on time, and that errors can be corrected.
Both must exist and both must function properly.
In modern businesses, processes and controls are not isolated components; they form parts of a much
broader internal control architecture.
This is precisely where COSO comes in: the most recognized international framework for designing,
implementing, and evaluating internal control systems.
3. THE COSO FRAMEWORK – THE FOUNDATION OF INTERNAL CONTROLS
COSO is the globally recognized model for designing and operating internal control systems.
It is built on five integrated components:
I. Control Environment
The culture of integrity, management’s ethics, organizational structure, and clear division of responsibilities.
II. Risk Assessment
Identification of financial, operational, technological, and legal risks.
Aligned with the requirements of ISA 315.
III. Control Activities
Authorizations, reconciliations, verifications, segregation of duties, and IT controls.
IV. Information and Communication
Accurate, timely, and relevant information shared across the organization.
V. Monitoring
Ongoing reviews, daily oversight, internal and external audits.
This framework forms the backbone of a strong internal control system, but it is only effective when
controls are properly tested.
4. WHY DO AUDITORS TEST CONTROLS?
In an audit, the risk of material misstatement (RMM) is determined by:
Inherent Risk × Control Risk = RMM (Risk of Material Misstatement)
Remember: RMM represents the risk of material misstatement arising from the client’s environment.
It is not a risk controlled or influenced by the auditor; it is a risk that the auditor identifies, assesses, and
evaluates as part of the audit process.
It is not managed by the auditor, only identified, assessed, and responded to.
If controls are not tested:
- We cannot place reliance on the client’s system
- The risk of material misstatements increases
- More detailed substantive testing becomes necessary
- Audit time and costs increase
- The efficiency of the audit decreases
The umbrella analogy
– The rain = material misstatements in the financial statements.
– The umbrella = internal controls designed to prevent those misstatements.
It is not enough to simply look at the umbrella. We must evaluate whether it actually withstands the rain.
The aim is to test the effectiveness and efficiency of operations and controls, not just to verify that procedures
or controls exist on paper.
Every auditor has encountered statements such as: “We are a small company, so we don’t have controls.”
In reality, every entity has controls—formal or informal.
Small and medium businesses often face these risks:
- One person handling everything → risk of management override
- Weak or missing segregation of duties → risk of fraud or error
- Informal processes → uncontrolled or unreliable data
Even the smallest business needs minimum safeguards, because risk exists regardless of the entity’s size.
5. THE CRITICAL ROLE OF INFORMATION TECHNOLOGY CONTROLS
Today, digitalization is a fundamental component of every company. Most processes and controls are now
technology-driven and provide a reasonable level of assurance.
But do automated processes and controls still require manual intervention or professional judgment?
Absolutely yes.
In 2025, when most processes are system-based, any weakness in IT controls can result in:
- inaccurate postings
- material misstatements
- manipulation or alteration of data
- unreliable financial reporting
IT controls are the foundation of modern internal control systems.
If they fail, every other process is exposed to risk.
6. WHAT DO BUSINESSES GAIN WHEN CONTROLS ARE TESTED?
- A more efficient audit
- Fewer substantive tests
- Greater confidence in internal data
- Clearer identification and assessment of risk
- Compliance with ISA 315 and ISA 330
- More reliable and consistent financial reporting
- Added value for management and shareholders
Audit is not a simple exchange of documents.
It is an analysis, a dialogue, and a thorough evaluation of the systems that keep the business secure and
ensure that financial reporting is presented fairly, accurately, and free from material misstatement.
CONCLUSION
Internal controls are not a formal requirement; they are the foundation of a stable, reliable, and
well-protected business. When processes and controls function together, and when the COSO framework is
implemented with integrity, the business gains clarity, transparency, and long-term stability.
Below are several red flags that indicate your business may have weaknesses in its internal control system:
- One person performs all key functions
- Bank reconciliations are not performed regularly
- Documents are missing or scattered across email chains
- Unrestricted access to software systems
- Approval levels are unclear
- Informal (undocumented) procedures — “we were told to do it this way”
- Override of procedures by individuals with managerial authority
If your business exhibits two or more of these red flags, your control system requires a professional review
without delay.
WHY BAKER TILLY?
Because you need a partner who does not simply audit numbers and financial reports, but the entire control
architecture that produces them.
We offer:
- Advanced expertise in identifying and assessing risks
- Extensive experience in both international and local audits
- Risk and control evaluation aligned with the COSO framework
- A practical, tailored, and integrity-driven approach
Baker Tilly Kosovo – audit with standards, depth, and vision.
We provide assurance where your business needs it most.





