Effective internal control gives reasonable assurance, though not a guarantee, that all business objectives will be achieved. It extends well beyond the aim of ensuring that financial reports are reliable. It includes the efficient achievement of operational objectives and compliance with laws, regulations, policies, and contractual obligations.
There is growing appreciation that effective internal control does not evolve naturally. It requires concerted effort on an ongoing basis.
Often initially stimulated by the requirements of the Sarbanes–Oxley Act (2002), many more businesses are now systematically documenting, testing, evaluating, and improving their internal control processes. We show how to do this.
In a large organization this more rigorous focus on internal control is likely to encourage greater standardization of similar processes in use in different parts of the organization.
More effective internal control does not necessarily cost more. Aside from reducing costly risks of avoidable losses and business failures, it is often no more costly to organize business activities in ways that optimize control.
Better internal controls may enable a business to engage safely in more profitable activities that would be too risky for a competitor without those controls.
In some jurisdictions law or regulation may require effective systems of internal control, with serious penalties for irresponsible failure. The Sarbanes–Oxley Act (2002) requires CEOs and CFOs of companies with listings in the United States to certify their assessment of the effectiveness of internal control over reported disclosures (s302) and financial reporting (s404), with penalties of up to $1 million and ten years' imprisonment for unjustified certification, or up to $5 million and 20 years' imprisonment for wilful breach of the requirements (s906). The Public Company Accounting Oversight Board’s Auditing Standard No. 5 (2007) requires the company’s external auditors themselves to assess the effectiveness of their client’s system of internal control over financial reporting, in order to meet the audit requirements of s404 of the Sarbanes–Oxley Act.
Japan and Canada have laws broadly similar to the Sarbanes–Oxley Act. Although not reinforced by the risk of criminal sanctions, provision C.2.1 of the United Kingdom’s Combined Code on Corporate Governance (2008) requires that the board of a company listed on the main market of the London Stock Exchange should, at least annually, conduct a review of the effectiveness of the group’s system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational, and compliance controls, and risk management systems. In addition, the UK Financial Services Authority’s Disclosure and Transparency Rule DTR 7.2.5 R requires companies to describe the main features of the internal control and risk management systems in relation to the financial reporting process (see Schedule C).