Behavior-Based Internal Control: Designing for Real Human Behavior

Traditional internal control design operates under an ideal assumption: that people will behave rationally, predictably, and ethically—as long as controls are clearly defined. But in the real world, people are not algorithms. We make emotional decisions, take shortcuts, and often act in ways that defy logic.

This article invites a deeper reflection:
Are we designing controls based on how people should behave, or how they actually behave?

Incorporating behavioral insight into internal control design means acknowledging the role of cognitive biases, habits, social dynamics, and hidden motivations in control effectiveness. This perspective is especially useful when strengthening key COSO 2013 principles, including ethics, communication, and control activities.

What Is the Behavioral Approach to Internal Control?

It’s the practice of designing or adjusting controls based on how people behave in practice, not just how they’re expected to behave in theory. This involves analyzing:

  • Cognitive biases (e.g., overconfidence, loss aversion)
  • Social or hierarchical pressure
  • Organizational inertia and habits
  • Decision fatigue or task overload
  • Hidden preferences or rationalizations for errors

Real-World Behavioral Failures in Control Design

Designed Control                       | Actual Behavior                            | Consequence
---------------------------------------+--------------------------------------------+---------------------------------------
Mandatory dual signature for payments  | Automatic signing without review           | Symbolic control, no real check
Annual signed Code of Ethics           | Signed without reading or internalizing    | Formal compliance, unethical behavior
Anonymous whistleblower hotline        | Low usage due to fear or apathy            | Hidden risks, no early warnings
Long inspection checklists             | Filled out routinely without verification  | False positives, unreliable data

Behavior and the COSO Framework

While COSO 2013 doesn’t explicitly mention “organizational behavior,” many of its principles rely on it implicitly. Key examples include:

  • Principle 1: Control environment must reflect ethical values and organizational culture
  • Principle 4: Control responsibilities should be understood and accepted, not just imposed
  • Principle 10: Controls must be tailored to real operating conditions and personnel
  • Principles 16 & 17: Monitoring must consider perceptions, reactions, and actual usage of controls

How to Redesign Controls Using Behavioral Insights

1. Make Controls Visible and Easy to Use
Effective controls should fit naturally into daily work. If they interrupt without clear value, users will bypass or ignore them.

2. Include Clear Incentives and Consequences
People respond better when they understand why a control exists and its impact—both positive and negative.

3. Simplify the Experience
Cognitive overload causes people to skip steps. Use simple formats, automation, and behavioral cues that guide actions.

4. Observe and Interview Users
Before redesigning, understand how people actually use controls. Ask: What helps? What hinders? What do they ignore?

5. Diagnose Common Biases in Your Organization
Is there excessive trust in certain individuals? Is there underreporting of errors? Do people justify policy violations? Adjust your controls to limit these patterns.

Case Study: Behavior-Based Access Control Redesign

Original Situation
The system required monthly renewal of complex passwords. Many users wrote them on sticky notes or reused simple patterns.

Behavioral Redesign
Biometric authentication was introduced, along with short behavioral prompts (“Your access protects critical data”) and after-hours access tracking.

Result
A 70% reduction in repeated passwords and significant improvement in access traceability.

Incorporating This Perspective into Internal Auditing

  • Conduct organizational behavior audits: go beyond documents—observe, interview, analyze
  • In audit reports, include questions such as: Is this control used as intended? Is it understood? Is it helpful?
  • Involve experts in organizational behavior or workplace psychology when redesigning critical controls

Conclusion: From What Should Be to What Actually Is

Internal control is not just a technical structure—it is a social and behavioral construct.
Designing controls that reflect real behavior—not just idealized behavior—is essential to closing the gap between policy and effectiveness.

COSO provides the framework.
Human nature sets the tempo.

Jorge Gutierrez Guillen

Sources

  • COSO Internal Control–Integrated Framework (2013 Edition)
  • Kahneman, D. (2011). Thinking, Fast and Slow
  • Thaler, R. & Sunstein, C. (2008). Nudge: Improving Decisions About Health, Wealth, and Happiness
  • Audittool.org articles on behavioral auditing
  • Reports from the Behavioral Insights Team (UK)

#InternalControl #BehavioralRisk #COSOFramework #AuditInnovation #OrganizationalPsychology
