Internal control is a broad concept and means different things to different people. In 1992, The Committee of Sponsoring Organisation of the Treadway Committee (“COSO”) develops an internal control – integrated framework (“COSO Framework”), which defines internal control as:
“a process designed to provide reasonable assurance regarding the achievement of business objectives.”
Internal control can be regarded as policies and procedures established in an entity, effected by its Board of Directors or those charged with governance, to provide reasonable assurance regarding the achievement of objectives in the following categories:
“Reliability of financial reporting” relates to the preparation of reliable published financial statements, including company level and consolidated financial statements and selected financial data derived from such statements, such as earnings releases, business segment information, etc.
“Effectiveness and efficiency of operations” addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of assets.
“Compliance with applicable laws and regulations” deals with complying with those laws and regulations to which an entity is subject to.
An organisation’s internal controls consist of the policies and procedures in place that provide a reasonable level of assurance that the above objectives are achieved. Not all of the policies and procedures employed by an organisation would be relevant to an independent auditor performing an audit of the financial statements. Certain controls governing the efficiency of operations, while significant to the ultimate success of the organisation would not be considered in an audit.
It is important to understand that the objective of internal controls is to provide reasonable, but not absolute, assurance that an organisation’s control objectives have been met. Success in achieving control objectives can be limited by circumvention, breakdown of external controls, poor management oversight, the ability to override the system, and the high cost of implementing certain controls. Despite the existence of adequate internal controls, the reliability of financial reporting and compliance with laws and regulations are not ensured.
Everyone in the organisation has a responsibility in the internal control structure. The COSO designates each party’s role and responsibility as follows:
Hong Kong Institute of Certified Public Accountants ("HKICPA"): Internal control and risk management - A basic framework
The Stock Exchange of Hong Kong Limited invited HKICPA to issue guidance to help Hong Kong listed companies understand and implement the Code on Corporate Governance Practices requirements relating to internal control and devise their internal control procedures. This guidance is available at www.hkicpa.org.hk under the "Standards & Technical / Corporate Governance" section.