Internal Control System: How to Set Up

ABSTRACT

The internal control system is an integral part of the company’s overall operations. Internal control systems play a major role in risk management and the achievement of the company’s goals and objectives. In its implementation, the control system should consider and align with the COSO framework. The implementation of an effective management system should begin with identifying risks and assessing their level of criticality, followed by determining the appropriate response, communicating and implementing the controls, and continuously monitoring them to ensure they remain relevant.

The Institute of Internal Auditors (IIA) defines an internal control system as any action taken by management, the board of directors, and other stakeholders to manage risk and increase the likelihood of achieving established goals and objectives. Management plans, organizes, and directs the implementation of appropriate actions to provide reasonable assurance that objectives and goals will be achieved. In brief, internal control is a process established within an organization to ensure that its systems are secure, reliable, and in compliance with relevant laws and regulations.

The Association of Chartered Certified Accountants (ACCA) explains that the implementation of internal control should help the organization achieve the following objectives:

Efficiency in business operation

Controls must be implemented to ensure that processes flow smoothly and operations are free from disruptions. This will reduce the risk of organizational inefficiencies and threats to value creation.

Safeguarding Assets

Controls should be in place to ensure that assets are deployed for their proper purposes, and are not vulnerable to misuse or theft. A comprehensive approach to this objective should consider all assets, including both tangible and intangible assets.

Preventing and detecting fraud and other unlawful acts

Even small businesses with simple organisation structures may fall victim to these violations, but as organisations increase in size and complexity, the nature of fraudulent practices becomes more diverse, and controls must be capable of addressing these.

Completeness and accuracy of financial records

An organisation cannot produce accurate financial statements if its financial records are unreliable. Systems should be capable of recording transactions so that the nature of business transacted is properly reflected in the financial accounts.

Timely preparation of financial statements

Organisations should be able to fulfil their legal obligations to submit their accounts accurately and on time. They also have a duty to their shareholders to produce meaningful statements. Internal controls may also be applied to management accounting processes, which are necessary for effective strategic planning, decision making and monitoring of organisational performance.

Internal Control implementation

Organizations may implement an established internal control framework, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework, or they may develop their own systems and processes by following these steps:

  1. Assess and Identify the Risks

An effective control can only be developed if the risks that need to be mitigated are clearly identified. An organization needs to look closely at all the activities performed by each function and identify the risks encountered. These should include risks that arise internally, such as mistakes in ordering inventory, as well as external risks, such as suppliers’ late delivery. Once all the risks are gathered, they should be categorized by type, such as financial, operational, or strategic.

  2. Risk Assessment and Response

After the risks are identified, the organization should assess their degree of criticality. This means assessing the likelihood of the risk occurring (how often) and the impact if it occurs (how severe). The organization then needs to decide what to do with each risk based on its degree of criticality. The organization can respond differently to each risk it encounters:

  • Avoid means the risk is eliminated completely by eliminating the process. For example, to avoid the risk of cash receipt theft, the organization can accept only cashless payment from customers and eliminate cash receipts as an acceptable form of payment.
  • Reduce means trying to minimize the occurrence of the risk. For example, set up a control to make sure all sales orders received from customers have been forwarded to the appropriate functions to be executed.
  • Transfer or share means transferring or sharing the risk with a third party, such as transferring the risk of loss from fire by entering into a fire insurance agreement.
  • Accept means acknowledging that certain risks will remain despite the controls implemented. These risks need to be dealt with on a case-by-case basis.

  3. Internal Control Development

The controls should be directly aligned to the risks. The organization needs to make sure every risk identified in the previous steps has a control to mitigate it, starting from the most critical to the least critical. The controls should then be translated into standardized procedures to be implemented within the organization. The procedures should be thorough, yet clear enough to be implemented by the people doing the activities.

  4. Control Communication and Implementation

Internal controls can only achieve their objectives if employees follow them. The top management of the organization needs to communicate the importance of implementing the controls and make clear that the new controls will not merely add to employees’ workload, but that employees will also benefit from following the control procedures, for example through more efficient work processes and a reduced risk of theft within the organization. Developing an internal control, especially in the early phase of implementation, should be adaptive. The organization should consider input from the direct users and discuss it with them to ensure that the procedures will run smoothly while still mitigating the risks the control is intended to address.

  5. Continuous Control Monitoring

The organization’s environment evolves, and so do the risks it faces. Even if an effective internal control has been implemented, management should continuously reassess and evaluate the risks and controls to ensure the controls are still adequate to mitigate emerging risks or to comply with new regulations.

Professional business advisors can serve as a reference, drawing on their experience helping clients create a blueprint for an internal control system. Professional services include the development of standard operating procedures (SOPs) and assistance with their implementation.

Author

  • As the webmaster and author for SW Indonesia, I am dedicated to providing informative and insightful content related to accounting, taxation, and business practices in Indonesia. With a strong background in web management and a deep understanding of the accounting industry, my aim is to deliver valuable knowledge and resources to our audience. From articles on VAT regulations to tips for e-commerce taxation, I strive to help businesses navigate the complexities of the Indonesian tax system. Trust SW Indonesia as your go-to source for reliable and up-to-date information, empowering you to make informed decisions and drive success in your business ventures.
