IFAC Issues New Guidance to Help Organizations Improve Internal Control
– Part II


The Professional Accountants in Business (PAIB) Committee of the International Federation of Accountants (IFAC) has issued new International Good Practice Guidance, Evaluating and Improving Internal Control in Organizations, on 28 June 2012. In the last issue, we have gone through the 9 key principles that represent good practice for evaluating and improving internal control systems. Now, let’s focus on the practical guidance on implementing the principles.


What should the scope of internal control be?

Internal control is not only served for compliance but also enables an organization to improve its performance by taking on additional opportunities and challenges in a more controlled way.

Internal control can be most effective when it is integrated with risk management and both are embedded in all the governance processes of an organization; risk management focuses on the identification of threats and opportunities, while controls are designed to effectively counter threats and take advantage of opportunities. Effective integration provides an organization a wider governance system as an integral part of its overall activities and decision-making processes, which helps to achieve its strategic, operational, and other objectives.



Who should be responsible for internal control?

Responsibilities in respect of internal control should not only reside with “owners” of an organization but also with those who have the highest level of authority and power for delegations.

Governing body of an organization is assumed with overall responsibility for its internal control strategy, policies, and system by defining the risk management strategy and approving the risk taking limits as well as the criteria for internal control. At the same time, management is responsible for designing, implementing, maintaining, monitoring, evaluating, and reporting on its internal control system in accordance with the requirements set forth by governing body; while “owners” are held accountable for proper understanding and execution of risk management and internal control within their span of authorities on the basis of internal control plan set and approved by the management.

Last but not least, the roles and responsibilities of risk officers (if any), internal and external assurance services providers cannot be forgotten; they play an important role in the internal control system of an organization by monitoring and evaluating the effectiveness of internal control while being independent and providing re-assurance to the governing body. 



What other internal control responsibilities/ actions should be expected from the governing body and management?

“Tone at the top” and the ethical framework of an organization are essential to an effective internal control system. The governing body and management of an organization should always acknowledge the importance of its internal control system as well as lead by example with respect to good governance, risk management, and internal control.

A code of conduct indicates the desired types of employee behavior and points out the consequence of violating the principles of its code of conduct or ethics. It helps the governing body and management of an organization to provide clear standard to the entire entity regarding acceptable business practice, conflict of interest and expected standards of ethical and moral behavior. In order to better convey the management expectation on above issues, the code of conduct should always be accessible by all employees.


How could management’s genuine attention on internal control objectives be obtained?

Recognizing positive performance on the internal control system of an organization can have a huge impact on strengthening internal control. Achieving organization’s objectives and maintaining effective controls are inextricably linked.

The governing body and management should link achievement of the organization’s internal control objectives to individual performance objectives, as sustainable success is seized by people who create opportunities and properly control their business.



How should those involved in the internal control system live up to their responsibilities?

Effectiveness of internal control system of an organization can be seriously weakened and even jeopardized if there is a lack of proper evaluation.

People assigned with internal control responsibilities should be competent with sufficient knowledge, experience, skills or time to adequately fulfill those responsibilities in order to ensure that the effectiveness of internal control system is well maintained.



How should internal controls be selected, implemented, and applied?

Internal controls of an organization are often implemented without adequate assessment of the external and internal environment, as well as their objectives, activities, processes, or systems that are sources of risk.

Organizations should be aware that various risks can create an aggregated effect of uncertainty on the achievement of their objectives. How a control be designed, implemented, applied and assessed should always get back to the root of the question that what risk or combination of risks that the control is supposed to modify. Appropriate controls should then be put in place to modify risk so that the level becomes acceptable.


How can internal control be better ingrained into the DNA of the organization?

Internal control system does exist in many organizations with written instructions and procedures; however they may not be sufficiently adopted or followed in everyday management or actual operations.

Internal controls can only work effectively when they, together with the risks they are supposed to modify, are clearly understood by those involved. Proper documentation and communication are vital for effective internal control that attention should be paid to the usability and understandability of the various policies, procedures, etc as well as meeting the professional and technical standards.


How should internal control be monitored and evaluated?

Organizations should become aware as soon as possible when a problem occurred with either an individual control or within the internal control system, in order to immediately respond, to prevent further damage or rectify the issue.

An individual control might seem to be effective, but it should also be evaluated in the context of how the overall internal control system is intended to work. Both individual controls and the overall internal control system should be regularly monitored and evaluated in conjunction with each other.

“Control owners” are responsible for the continued suitability and effective operation of the related controls, while independent monitoring and evaluation through internal and external audit should be performed periodically and continuously, as to provide additional, and more objective, assurance on maintaining the effectiveness of the internal control system.



How should the organization report on internal control performance?

The various internal and external stakeholders have a justified interest in the existence and performance of the organization’s risk management and internal control system.

Organizations should transparently report on the structure and performance of their governance, risk management, and internal control system in their various reports to internal and external stakeholders; not only report the existence of their system, but also major risks the organization faces, what controls it has established, how internal control is monitored and evaluated. A better understanding as to how an organization manages risks creates trust and the necessary reassurance to its stakeholders.



If there are any aspects which we may assist, please do not hesitate to contact our partner Mr. Roy Lo at 3583 8048 (roy.lo@shinewing.hk) or our Risk Manager Ms. Gloria So at 3583 8517 (gloria.so@shinewing.hk).


SHINEWING Risk Services Limited