|
Evaluating and Improving Internal Control in Organizations
The Professional Accountants in Business (PAIB) Committee of the International Federation of Accountants (IFAC) has issued new International Good Practice Guidance (IGPG), Evaluating and Improving Internal Control in Organizations, highlighting areas where the practical application of existing internal control standards and frameworks often fails in many organizations.
This new guidance is important to a professional accountant in business who works with his/her organization to continuously evaluate and improve internal control, and ensure that internal control is an integrated part of the organization’s systems of governance and risk management.
In this guidance, internal control is defined as “an integral part of an organization’s system of governance and ability to manage risk, which is understood, effected, and actively monitored by the governing body, management, and other personnel to take advantage of the opportunities and to counter the threats to achieving the organization’s objectives.” Better integrated internal control can save the organization time and money, and promote the creation and preservation of value.
At the heart of the IGPG are nine key principles for evaluating and improving internal control systems (see Key Principles) complemented by guidance on how to implement them. Questions that the guidance is designed to help answer are:
What should be the scope of internal control?
Who should be responsible for internal control?
How should controls be selected, implemented, and applied?
How can internal control be better ingrained into the DNA of the organization?
How should the organization report on internal control performance?
Evaluating and improving internal control are among the core competencies of many professional accountants in business. Therefore, professional accountants can play a leading role in ensuring that internal control forms an integral part of an organization’s governance system and risk management. With an integrated, organization-wide approach to risk management and internal control, professional accountants in business also encourage the practice that risks be viewed and treated in a more holistic way; that is, with improved internal control.
The guidance concludes with a limited list of relevant resources from IFAC, its member bodies, and other relevant organizations.
Key Principles of Evaluating and Improving Internal Control
The principles below represent good practice for evaluating and improving systems for internal control.
Internal control should be used to support the organization in achieving its objectives by managing its risks, while complying with rules, regulations, and organizational policies.
The organization should therefore make internal control part of risk management and integrate both in its overall governance system. The organization should determine the various roles and responsibilities with respect to internal control, including the governing body, management at all levels, employees, and internal and external assurance providers, as well as coordinate the collaboration among participants.
The governing body and management should foster an organizational culture that motivates members of the organization to act in line with risk management strategy and policies on internal control set by the governing body to achieve the organization’s objectives. The tone and action at the top are critical in this respect.
The governing body and management should link achievement of the organization’s internal control objectives to individual performance objectives. Each person within the organization should be held accountable for the achievement of assigned internal control objectives.
The governing body, management, and other participants in the organization’s governance system should be sufficiently competent to fulfill the internal control responsibilities associated with their roles.
Controls should always be designed, implemented, and applied as a response to specific risks and their causes and consequences.
Management should ensure that regular communication regarding the internal control system, as well as the outcomes, takes place at all levels within the organization to make sure that the internal control principles are fully understood and correctly applied by all.
Both individual controls as well as the internal control system as a whole should be regularly monitored and evaluated. Identification of unacceptably high levels of risk, control failures, or events that are outside the limits for risk taking could be a sign that an individual control or the internal control system is ineffective and needs to be improved.
The governing body, together with management, should periodically report to stakeholders the organization’s risk profile as well as the structure and factual performance of the organization’s internal control system.
Source: International Federation of Accountants
|
