Importance of internal control for proper management of businesses
Sunday, 17 June 2007
Ashraf Pervez
ROLES and Responsibilities: Internal control over financial reporting has always been a major area in the governance of an organisation, and this importance has been magnified in recent years. Internal control serves as the first line of defence in safeguarding assets of the organisations and preventing and detecting error and frauds. In short, internal control, which is synonym of management control, helps managers and board of directors to achieve its desired results through effective stewardships.
Internal control structure is important to an organisation to become successful; however, an effective system is not a guarantee that the organisation will be successful. An effective internal control structure will keep the right people informed about the organisation's progress (or lack of progress) in achieving its objectives, but it cannot turn a poor manager into a good one. Internal control cannot ensure success, or even survival of an entity.
Internal control is not an absolute assurance to management and the board about the organisation's achievement of its objectives. Due to inherent limitations in all internal control systems, it can only provide reasonable assurance. For example, internal control system can break down due so simple error, mistake and fraudulent activities of the concerned staff or management, as well as due to inadvertent faulty judgements that could be made at any level of management. In addition, controls can be circumvented by collusion or by management override. Finally, the design of the internal control system should be operationally effective and efficient backed by the resources required, meaning that there must be a cost-benefit analysis in the design of the system.
According to Combined Code including other guideline and ICAEW guidance for director on internal control the importance of internal control and risk management are as follows-
1. A company's system of internal control can play the most important role in the management of risks that are significant to achieve its business objectives. A sound system of internal control contributes to safeguarding the shareholders' investment and the company's assets.
2. Internal controls facilitate the effectiveness and efficiency of operations, help ensure the reliability of internal and external reporting and assist compliance with the applicable laws and regulations.
3. Effective financial controls, including the maintenance of proper accounting records, are an important element of internal control. They help ensure that the company is not unnecessarily exposed to avoidable financial risks and that financial information used within the business and for publication is reliable. They also contribute to the safeguarding of assets, including the prevention and detection of fraud.
4. A company's objectives, its internal organisation and the environment in which it operates are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. Since profits are, in part, the reward for successful risk taking
Fundamental concepts for internal control: There are three fundamental concepts, which need to be appreciated in order to understand the internal control and its proper implementation:
i. Internal control is a continuous built in process;
ii. Internal control is effected by management of the organisations;
iii. Internal control can provide only reasonable assurance, but not absolute assurances.
Internal control cannot be one-off event. Rather it, is a series of actions and activities that are implemented throughout the operations of an entity on an on-going basis. For, effective implementation internal control must have to be a part of integral part of each system of operation. In other words, internal control is management control- a built-in process of an entity, which is a part of its infrastructure that helps management to run the entity and achieve its objectives on an ongoing basis.
Management and people of the entity that make internal control works properly: Management is responsible for effective implementation of internal control. Management is responsible to set the objectives, put the control mechanism in place to achieve that objectives and monitor and evaluate the control mechanisms. This monitoring and evaluating is the part of a continuous built-in process. Monitoring and evaluation of control activities actually help management to identify whether the control activities are still effective to the changing circumstances or need adjustment to cope with the changed circumstances.
Successful achievement of entity's objectives depends on number of factors. No matter how well the internal control are designed and operated, it cannot provide absolute assurance that entity's objectives will be achieved. For example, human error, judgmental error or acts of collusion to circumvent control can affect meeting objectives. So internal control can provide only a reasonable assurance but not absolute to meet entity's objectives.
In 1992, the Committee of Sponsoring Organisations (COSO) -- The Committee of Sponsoring Organisations consists of the American Institute of CPAs (AICPA), the Institute of Management Accountants (IMA), the Institute of Internal Auditors (IIA), Financial Executives International (FEI), and the American Accounting Association (AAA) -- of the National Commission on Fraudulent Financial Reporting (also known as the Treadway Commission) published a document called Internal Control-Integrated Framework -- The COSO publication Internal Control-Integrated Framework (Product Code Number 990012), may be purchased through the AICPA store at www.cpa2biz.com. The proceeds from the sale of the Framework are used to support the continuing work of COSO -- which defined internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in three categories:
1. Effectiveness and efficiency of operations;
2. Reliability of financial reporting; and
3. Compliance with applicable laws and regulations.
However in 2004 Internal Control Standard Committee in their internal control guideline defined internal control as follows-
Internal control is an integral process that is effected by an entity's management and personnel and is designed to address risks and to provide reasonable assurance that in pursuit of the entity's mission, the following general objectives are being achieved:
l Executing orderly, ethical, economical, efficient and effective operations;
l Fulfilling accountability obligations;
l Complying with applicable laws and regulations;
l Safeguarding resources against loss, misuse and damage.
Whatever the ways we define the internal control, the main theme is that "to eliminate error and fraud" in financial reporting. But error and fraud are not two different things. Both are same, both causes misrepresentation of financial statements. Errors are usually unknown and unintentional whereas fraud is intentional and knowingly misrepresenting the financial statements.
According to several researches error or fraud can occur for following reasons- i.) motivational ii.) opportunistic and iii.) personal characteristic. Although motivational and personal characteristics looks like similar, but they are distinct by nature. Motivational error or fraud is situation and circumstances driven. For example "need for money" can lead a person to commit fraud or fraudulent activity.
Opportunity is the scope and access to the scope that fraud can be perpetrated, for instance lack of proper internal control, control environment, management style and corporate culture. Personal characteristic is the willingness to commit fraud. Personal integrity, ethical value and moral standard can play the role at this stage.
To implement internal control, only opportunity can be minimised. It is very difficult to control the motivation to commit fraud. Similarly personal characteristic is difficult to restrict from perpetrating fraud. However, strong control environment "tone at the top" can have significant effect an proper implementation of strong internal control.
According to COSO (the most accepted internal control framework), internal control have five inter related components-
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication and
5. Monitoring
Similarly, according to Cadbury report internal control depends on the following four components-
1. Control environment
2. Identification of risks, control priorities and objectives
3. Control activities and
4. Monitoring and corrective actions
The above are the only simple elements of internal control. There are also a number of established frameworks for effective internal control. However COSO is the most widely used internal control framework. Frameworks can provide only high-level guideline to implement internal control. In most of the cases, these frameworks need adjustments and customisation based on the industry sector and size and complexity of the organisation. Cost and benefit analysis is also important here.
Other than these internal control guidelines, corporate best practices and in-forced government's authorities rules and regulations can be modified and implemented. The governmental authority, Securities and Exchange Commission, Companies Act etc. can be updated to provide more guideline how to implement effective internal control. Most recent development is this area - is the defining the responsibility of Directors and Management (i.e. Chief Executive Officer or CEO and Chief Financial Officer or CFO).
According to Practical Internal Control Guideline published by KPMG and ICAEW guideline on internal control, responsibilities for maintaining a sound system of internal control are as follows-
1. The board of directors is primarily responsible for the company's system of internal control. They should set appropriate policies and procedures on internal control. They will seek regular assurance that will satisfy them, that the control system is functioning effectively. The board also responsible to ensure that the system of internal control is effective in managing risks that the entity is exposed to.
2. According to KPMG published guidelines, the Board of Directors should consider the following in assessing the effectiveness of existing internal control systems and whether need further modifications.
lThe nature and extent of the risks facing the company;
l The extent and categories of risks which it regards as acceptable for the company to bear;
l The likelihood of the risks concerned materialising;
l The company's ability to reduce the incidence and impact on the business of risks that do materialise; and
l The costs of operating particular controls relative to the benefit thereby obtained in managing the related risks.
3. Board of Directors is primarily responsible that the effective internal control is in place, however, the management is responsible to implement and execute the board's policies on internal control. To execute the board's policies, management and staff can develop operational procedures and routine. It is the responsibility of the CEO and the CFO that the board's philosophy is implemented through the operational procedures.
The CEO will ultimately ensure that the financial statements reflect true and fair view of the company affairs. He will also state that effective internal control is in place and the effectiveness of the control system has been reviewed.
4. All employees and staffs have some responsibility for internal control as part of their accountability for achieving the objectives the entity. They, collectively, should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control and where applicable execute the control activities. This will require an understanding of the company, its objectives, the industries and markets in which it operates, and the risks it faces.
The writer is an ACCA Affiliate and Audit and Internal Control consultant. He can be reached by email
to- [email protected]
ROLES and Responsibilities: Internal control over financial reporting has always been a major area in the governance of an organisation, and this importance has been magnified in recent years. Internal control serves as the first line of defence in safeguarding assets of the organisations and preventing and detecting error and frauds. In short, internal control, which is synonym of management control, helps managers and board of directors to achieve its desired results through effective stewardships.
Internal control structure is important to an organisation to become successful; however, an effective system is not a guarantee that the organisation will be successful. An effective internal control structure will keep the right people informed about the organisation's progress (or lack of progress) in achieving its objectives, but it cannot turn a poor manager into a good one. Internal control cannot ensure success, or even survival of an entity.
Internal control is not an absolute assurance to management and the board about the organisation's achievement of its objectives. Due to inherent limitations in all internal control systems, it can only provide reasonable assurance. For example, internal control system can break down due so simple error, mistake and fraudulent activities of the concerned staff or management, as well as due to inadvertent faulty judgements that could be made at any level of management. In addition, controls can be circumvented by collusion or by management override. Finally, the design of the internal control system should be operationally effective and efficient backed by the resources required, meaning that there must be a cost-benefit analysis in the design of the system.
According to Combined Code including other guideline and ICAEW guidance for director on internal control the importance of internal control and risk management are as follows-
1. A company's system of internal control can play the most important role in the management of risks that are significant to achieve its business objectives. A sound system of internal control contributes to safeguarding the shareholders' investment and the company's assets.
2. Internal controls facilitate the effectiveness and efficiency of operations, help ensure the reliability of internal and external reporting and assist compliance with the applicable laws and regulations.
3. Effective financial controls, including the maintenance of proper accounting records, are an important element of internal control. They help ensure that the company is not unnecessarily exposed to avoidable financial risks and that financial information used within the business and for publication is reliable. They also contribute to the safeguarding of assets, including the prevention and detection of fraud.
4. A company's objectives, its internal organisation and the environment in which it operates are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. Since profits are, in part, the reward for successful risk taking
Fundamental concepts for internal control: There are three fundamental concepts, which need to be appreciated in order to understand the internal control and its proper implementation:
i. Internal control is a continuous built in process;
ii. Internal control is effected by management of the organisations;
iii. Internal control can provide only reasonable assurance, but not absolute assurances.
Internal control cannot be one-off event. Rather it, is a series of actions and activities that are implemented throughout the operations of an entity on an on-going basis. For, effective implementation internal control must have to be a part of integral part of each system of operation. In other words, internal control is management control- a built-in process of an entity, which is a part of its infrastructure that helps management to run the entity and achieve its objectives on an ongoing basis.
Management and people of the entity that make internal control works properly: Management is responsible for effective implementation of internal control. Management is responsible to set the objectives, put the control mechanism in place to achieve that objectives and monitor and evaluate the control mechanisms. This monitoring and evaluating is the part of a continuous built-in process. Monitoring and evaluation of control activities actually help management to identify whether the control activities are still effective to the changing circumstances or need adjustment to cope with the changed circumstances.
Successful achievement of entity's objectives depends on number of factors. No matter how well the internal control are designed and operated, it cannot provide absolute assurance that entity's objectives will be achieved. For example, human error, judgmental error or acts of collusion to circumvent control can affect meeting objectives. So internal control can provide only a reasonable assurance but not absolute to meet entity's objectives.
In 1992, the Committee of Sponsoring Organisations (COSO) -- The Committee of Sponsoring Organisations consists of the American Institute of CPAs (AICPA), the Institute of Management Accountants (IMA), the Institute of Internal Auditors (IIA), Financial Executives International (FEI), and the American Accounting Association (AAA) -- of the National Commission on Fraudulent Financial Reporting (also known as the Treadway Commission) published a document called Internal Control-Integrated Framework -- The COSO publication Internal Control-Integrated Framework (Product Code Number 990012), may be purchased through the AICPA store at www.cpa2biz.com. The proceeds from the sale of the Framework are used to support the continuing work of COSO -- which defined internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in three categories:
1. Effectiveness and efficiency of operations;
2. Reliability of financial reporting; and
3. Compliance with applicable laws and regulations.
However in 2004 Internal Control Standard Committee in their internal control guideline defined internal control as follows-
Internal control is an integral process that is effected by an entity's management and personnel and is designed to address risks and to provide reasonable assurance that in pursuit of the entity's mission, the following general objectives are being achieved:
l Executing orderly, ethical, economical, efficient and effective operations;
l Fulfilling accountability obligations;
l Complying with applicable laws and regulations;
l Safeguarding resources against loss, misuse and damage.
Whatever the ways we define the internal control, the main theme is that "to eliminate error and fraud" in financial reporting. But error and fraud are not two different things. Both are same, both causes misrepresentation of financial statements. Errors are usually unknown and unintentional whereas fraud is intentional and knowingly misrepresenting the financial statements.
According to several researches error or fraud can occur for following reasons- i.) motivational ii.) opportunistic and iii.) personal characteristic. Although motivational and personal characteristics looks like similar, but they are distinct by nature. Motivational error or fraud is situation and circumstances driven. For example "need for money" can lead a person to commit fraud or fraudulent activity.
Opportunity is the scope and access to the scope that fraud can be perpetrated, for instance lack of proper internal control, control environment, management style and corporate culture. Personal characteristic is the willingness to commit fraud. Personal integrity, ethical value and moral standard can play the role at this stage.
To implement internal control, only opportunity can be minimised. It is very difficult to control the motivation to commit fraud. Similarly personal characteristic is difficult to restrict from perpetrating fraud. However, strong control environment "tone at the top" can have significant effect an proper implementation of strong internal control.
According to COSO (the most accepted internal control framework), internal control have five inter related components-
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication and
5. Monitoring
Similarly, according to Cadbury report internal control depends on the following four components-
1. Control environment
2. Identification of risks, control priorities and objectives
3. Control activities and
4. Monitoring and corrective actions
The above are the only simple elements of internal control. There are also a number of established frameworks for effective internal control. However COSO is the most widely used internal control framework. Frameworks can provide only high-level guideline to implement internal control. In most of the cases, these frameworks need adjustments and customisation based on the industry sector and size and complexity of the organisation. Cost and benefit analysis is also important here.
Other than these internal control guidelines, corporate best practices and in-forced government's authorities rules and regulations can be modified and implemented. The governmental authority, Securities and Exchange Commission, Companies Act etc. can be updated to provide more guideline how to implement effective internal control. Most recent development is this area - is the defining the responsibility of Directors and Management (i.e. Chief Executive Officer or CEO and Chief Financial Officer or CFO).
According to Practical Internal Control Guideline published by KPMG and ICAEW guideline on internal control, responsibilities for maintaining a sound system of internal control are as follows-
1. The board of directors is primarily responsible for the company's system of internal control. They should set appropriate policies and procedures on internal control. They will seek regular assurance that will satisfy them, that the control system is functioning effectively. The board also responsible to ensure that the system of internal control is effective in managing risks that the entity is exposed to.
2. According to KPMG published guidelines, the Board of Directors should consider the following in assessing the effectiveness of existing internal control systems and whether need further modifications.
lThe nature and extent of the risks facing the company;
l The extent and categories of risks which it regards as acceptable for the company to bear;
l The likelihood of the risks concerned materialising;
l The company's ability to reduce the incidence and impact on the business of risks that do materialise; and
l The costs of operating particular controls relative to the benefit thereby obtained in managing the related risks.
3. Board of Directors is primarily responsible that the effective internal control is in place, however, the management is responsible to implement and execute the board's policies on internal control. To execute the board's policies, management and staff can develop operational procedures and routine. It is the responsibility of the CEO and the CFO that the board's philosophy is implemented through the operational procedures.
The CEO will ultimately ensure that the financial statements reflect true and fair view of the company affairs. He will also state that effective internal control is in place and the effectiveness of the control system has been reviewed.
4. All employees and staffs have some responsibility for internal control as part of their accountability for achieving the objectives the entity. They, collectively, should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control and where applicable execute the control activities. This will require an understanding of the company, its objectives, the industries and markets in which it operates, and the risks it faces.
The writer is an ACCA Affiliate and Audit and Internal Control consultant. He can be reached by email
to- [email protected]