Internal Controls (ICP): A Practical DIY Guide

Todolo Team | 2026-02-18 | 9 min read
Internal Controls (ICP): A Practical DIY Guide for Modern Operations

This hands-on guide shows how your team can plan, launch, and continuously improve internal controls yourselves. While you can start on paper, you’ll quickly need a digital tool to connect routines to daily work, ensure the right person is notified, collect evidence, and learn from data across multiple locations.

About terminology

In some regions, like Sweden, this is known as an Egenkontrollprogram (EKP). The closest English abbreviations are:

  • SMP (Self-Monitoring Program): Common in environmental, food safety, or health contexts.
  • ICP (Internal Control Program): Used more in organizational or compliance contexts.

In this article, we’ll use “internal controls” (ICP) to emphasize the practical controls you run.

1) Plan your internal controls: scope, risks, and ownership (do this first)

Define the essentials before you touch any tooling:

  • Purpose and scope: which processes, sites, and teams are in scope.
  • Risk register: top risks per process with severity and likelihood.
  • Controls and critical limits: what to check, acceptable ranges, and who owns it.
  • Evidence: what proves completion (photos, temperatures, confirmations, notes).
  • Frequencies: when and how often (daily/weekly/quarterly/yearly).
  • Escalation paths: what happens when a limit is breached, and how the right person is automatically notified for action.
  • Document control: how procedures are approved and versioned to ensure a single source of truth.

Tip: Planning for a digital platform from the start helps you design controls that are dynamic and scalable, not just static checklist items.

2) Configure your Digital Controls Program (what to set up)

To make controls truly operational, you need a system that brings them to life:

  • Templates and libraries: create a core template, then allow for local variants. This ensures consistency at scale.
  • Roles and permissions: ensure tasks and alerts are assigned to the correct person based on their role.
  • Evidence types: configure your system to capture the right data—be it an image, a temperature reading, or a confirmation.
  • Scheduling: automate the assignment of recurring tasks to individuals or roles.

A digital platform is essential for multi-location businesses to ensure every site is running off the same playbook.

3) Run and follow up: turn checks into insight (do this every week)

Execution generates the data you’ll learn from. A connected system allows you to:

  • Ensure Completion Quality: get real-time visibility into whether controls are done on time, with the right evidence attached.
  • Manage Deviations: let a failed control trigger a deviation report. This helps you capture what happened and assign trackable corrective actions.
  • Get a Full Overview: use dashboards to compare missed checks, deviation rates, and resolution times across all your units at a glance.
  • Detect Patterns: spot recurring mistakes—like the same temperature issue on the same shift—before they become systemic problems.
  • Automate Alerts: automatically notify managers when critical limits are breached or when controls are repeatedly missed.

This transforms routine checks into a continuous feedback loop that surfaces patterns early and prevents repeat issues.

Moreover, this data provides value at every level of the organization. Frontline staff see their immediate tasks, managers can track team performance and address incidents, and leadership gets a high-level view of compliance and risk across the entire business, enabling data-driven decisions for continuous improvement.

4) Handling the Unexpected: A Separate Process for Incidents

Your planned controls are for known risks, but what about the unexpected? A freezer breaks down, a customer has an allergic reaction, or a toilet overflows. These are out-of-the-ordinary incidents that fall outside your daily checklists but require immediate, structured action.

A complete system needs its own dedicated process—an "incident module"—for this:

  • Easy Reporting: Any employee should be able to report an incident instantly from their phone, with photos and details.
  • Automatic Escalation: The system should automatically notify the correct person or team—whether it's the on-duty manager, the maintenance department, or regional leadership—based on the incident type and severity.
  • Track to Resolution: The issue needs to be tracked as a formal case from report to resolution, ensuring accountability and that nothing falls through the cracks.

This separates day-to-day deviations from urgent, unplanned events, ensuring both are handled correctly without creating confusion.

5) Improve continuously: simple cadence that compounds

Adopt a lightweight rhythm that your teams can sustain:

  1. Weekly: review overdue controls and open incidents; ensure the right people are actioning them.
  2. Monthly: use analytics to review trends in both deviations and incidents, looking for patterns.
  3. Quarterly: refresh procedures and training based on data-driven findings.
  4. Annually: conduct formal internal audits across locations, supported by a complete, searchable history.

A capable digital platform makes this cadence sustainable by keeping information centralized, execution structured, and insights visible to the right people.

This structured approach also radically simplifies onboarding. New employees don't have to guess what's expected of them; their daily routines and controls are already defined and assigned from day one, ensuring consistency from the start.


Make Your Internal Controls Work—and Keep Getting Better

Use this guide to design and run your internal controls yourselves. If you want a head start with a platform designed for setting up routines, managing incidents, and scaling operations with correct assignments and follow-up, we can help you set it up.

Frequently asked questions about internal control and self-monitoring programs

What is internal control?

Internal control is a structured way of working that helps organisations make sure processes, routines, and workflows behave as intended. The aim is to reduce risk, improve follow-up, and ensure the business operates in line with internal policies, legal requirements, and operational goals.

Internal control is often used in areas such as quality assurance, compliance, finance, safety, work environment, and day-to-day operations.

Why is internal control important for businesses?

Internal control helps companies build clearer processes, reduce operational risk, and clarify ownership across the organisation.

With clear routines and regular follow-up, you can lower the risk of errors, missed checks, weak documentation, and inefficient workflows. It also becomes easier to scale the business and keep teams working consistently across departments and sites.

What is a self-monitoring program?

A self-monitoring program (for example an Egenkontrollprogram / EKP in Swedish contexts) is a documented set of routines, checks, and processes that helps the organisation follow legal requirements, internal policies, and quality standards in daily work.

Self-monitoring is used in many industries—including restaurants, hotels, food, healthcare, industry, and property. The program can include checklists, deviation handling, safety routines, documentation, and follow-up.

What should an internal control system include?

An internal control system should include clear work routines, defined ownership, documentation, follow-up, and processes to identify and manage deviations.

Many organisations also use checklists, digital documentation, incident reporting, and recurring checks to make sure processes work in practice and are followed across the company.

How do you digitise internal control and self-monitoring?

Digitising internal control means bringing checklists, routines, deviations, documentation, and follow-up into one digital system instead of paper, spreadsheets, or scattered tools.

That makes it easier to:

  • follow workflows in real time
  • ensure traceability
  • keep documentation in one place
  • automate reminders and checks
  • and improve follow-up across teams and sites

Many companies now use digital platforms to build more structured, scalable internal control.

What are the most common problems with manual control processes?

Many organisations still run manual controls through paper, email, or scattered spreadsheets. That often leads to weak traceability, unclear accountability, and difficulty verifying that checks actually happen.

Manual processes can also make it harder to prepare for audits, keep documentation consistent, and align routines across teams and locations.

How do checklists and workflows support internal control?

Checklists and standard workflows help ensure important routines and checks are done consistently in daily operations.

Clear tasks, ownership, and documentation reduce the risk of missed checks while making follow-up and quality assurance simpler.

How does internal control work in multi-site companies?

For companies with several sites or business units, internal control helps standardise processes and clarify routines across teams and locations.

With a central digital system, you can bring checklists, documentation, and follow-up together while giving leadership and operations better visibility across the organisation.

What are the most common mistakes when working on internal control?

A common mistake is that internal control stays theoretical and is not embedded in daily work. Many companies document routines without making sure processes are actually used and followed up in practice.

Other frequent issues include:

  • unclear ownership
  • overly complex documentation
  • weak follow-up
  • manual processes
  • and routines that are not updated when the business changes

Effective internal control is not only about documentation—it is about building working operational workflows across the organisation.
