Internal control
Overview
Internal control is a broad concept and means different things to different people. In 1992, The Committee of Sponsoring Organisation of the Treadway Committee (“COSO”) develops an internal control – integrated framework (“COSO Framework”), which defines internal control as:
“a process designed to provide reasonable assurance regarding the achievement of business objectives.”
Internal control can be regarded as policies and procedures established in an entity, effected by its Board of Directors or those charged with governance, to provide reasonable assurance regarding the achievement of objectives in the following categories:
- reliability of financial reporting
- effectiveness and efficiency of operations
- compliance with applicable laws and regulations.
“Reliability of financial reporting” relates to the preparation of reliable published financial statements, including company level and consolidated financial statements and selected financial data derived from such statements, such as earnings releases, business segment information, etc.
“Effectiveness and efficiency of operations” addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of assets.
“Compliance with applicable laws and regulations” deals with complying with those laws and regulations to which an entity is subject to.
An organisation’s internal controls consist of the policies and procedures in place that provide a reasonable level of assurance that the above objectives are achieved. Not all of the policies and procedures employed by an organisation would be relevant to an independent auditor performing an audit of the financial statements. Certain controls governing the efficiency of operations, while significant to the ultimate success of the organisation would not be considered in an audit.
It is important to understand that the objective of internal controls is to provide reasonable, but not absolute, assurance that an organisation’s control objectives have been met. Success in achieving control objectives can be limited by circumvention, breakdown of external controls, poor management oversight, the ability to override the system, and the high cost of implementing certain controls. Despite the existence of adequate internal controls, the reliability of financial reporting and compliance with laws and regulations are not ensured.
Responsibilities of internal control
Everyone in the organisation has a responsibility in the internal control structure. The COSO designates each party’s role and responsibility as follows:
- Management – the Chief Executive Officer / General Manager is ultimately responsible and should assume “ownership” of the system.
- Audit committee – management is accountable to the audit committee which provides governance, guidance and oversight.
- Internal auditors – internal auditors play an important role in evaluating the effectiveness of control systems and contribute to ongoing effectiveness. The internal audit function also plays a significant monitoring role.
- Other personnel – internal control is, to some degree, the responsibility of everyone in an organisation and therefore should be part of each person’s job description. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. All personnel should be responsible for communicating problems in operations, noncompliance with the code of conduct, policy violations or illegal acts.
Authoritative guidance
Hong Kong Institute of Certified Public Accountants ("HKICPA"): Internal control and risk management - A basic framework
The Stock Exchange of Hong Kong Limited invited HKICPA to issue guidance to help Hong Kong listed companies understand and implement the Code on Corporate Governance Practices requirements relating to internal control and devise their internal control procedures. This guidance is available at www.hkicpa.org.hk under the "Standards & Technical / Corporate Governance" section.
Learn more
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/cn/en/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
