
Evaluating the effectiveness of internal control:

Requirement for annual review of internal control

The board of directors is responsible for the effectiveness of the system of internal control and risk management, and there should be regular reviews of internal control and risk management.

  • The UK Combined Code states that the board of directors should, at least once each year, conduct a review of the effectiveness of the company's system of internal controls.

  • The Singapore Code of Corporate Governance states that the audit committee should ensure that a review of the effectiveness of the company's internal controls is conducted at least annually. It adds that the review can be conducted by either internal accountants or public accountants.

  • The requirements of the Sarbanes-Oxley Act in the US, which are stricter, have been described earlier.

 

When the requirement for a review of the effectiveness of internal control was introduced by the UK Combined Code in 1998, there was uncertainty about what this meant in practice. How should a review of the effectiveness of internal control be conducted?

 

Responsibility for the review of internal control effectiveness

The responsibility for the annual review of the effectiveness of the internal control system should be clearly identified.

  • In Singapore, the audit committee has the responsibility, although the audit committee reports to the board of directors.

  • In the US, management have the responsibility. Management includes the CEO and CFO.

  • In the UK, the Turnbull Report (or Turnbull Guidelines, as they are also called) states that:

       - The board of directors has the responsibility for reviewing the effectiveness of internal control.

       - Management is responsible for monitoring the system of internal control and reporting to the board on this work.

       - The board should decide whether its own review process should be carried out by the board as a whole or by a committee of the board (the audit committee or a risk committee). If the review process is delegated to a committee, the committee must report to the board on its review.

 

The review process:

The Turnbull Report (Turnbull Guidance) provides useful guidance to directors about the process for reviewing effectiveness. The nature of the board's review will depend on the nature of the company, such as its size and the nature and complexity of its operations.

  • There should be a monitoring process within the system of internal control. For example, the company might have an internal audit department which regularly monitors internal controls and risk management processes. However, the board cannot rely entirely on embedded monitoring processes.

  • The board should receive and review regular reports from management on internal control.

  • In addition, for the purpose of reporting to the shareholders on internal control in the annual report, the board should assess each year whether it has considered all significant aspects of internal control.

 

The board should specify the process that it will use to conduct its review of the effectiveness of internal control. The process should cover:

  • The frequency and content of the reports it should receive from management on internal control, and

  • The method it will use to make its annual assessment of the effectiveness of internal control.

 

The board must be able to justify any statements on internal control and risk management that it makes to the shareholders. The review process should therefore ensure that the board is provided with documentary evidence to support the statements on internal control that it makes.

 

  1. Management reports to the board on internal control

       Reports from management to the board on internal control should provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing those risks (Turnbull Guidance). The report should discuss:

  • any significant weaknesses or failings in internal control that management have identified,

  • the effect that these have had, and

  • the actions taken by management to deal with the problem.

 

There must be open and honest communication between management and the board on these matters so that the board is given reliable information. A culture of blame for weaknesses in controls should be avoided. If managers are criticised for weaknesses they report, they will probably choose not to report weaknesses and leave the board members in ignorance about what is actually happening.

The board should use the management reports on internal control to make an assessment of the effectiveness of the internal control system and risk management system. It should:

  • consider the significant risks that are reported to them and assess how they have been identified, evaluated and managed.

  • assess the effectiveness of the related internal controls for managing the significant risks, particularly when significant weaknesses in internal control are reported.

  • consider whether management have taken the appropriate measures to deal with the weaknesses in internal control that they have reported.

  • consider whether there is a need for more extensive monitoring of the system of internal control (for example, consider whether the internal audit department should be increased in size).

 

  2. Annual assessment of the effectiveness of internal control

       In addition to conducting reviews on the basis of management reports, the board should make an assessment each year for the purpose of making its annual report to shareholders on internal control. The annual assessment should be based on the management reports it has reviewed during the year, together with any other relevant information it considers necessary for the assessment. The Turnbull Guidance suggests that the annual assessment should consider:

  • changes since the board's previous annual assessment in the nature and size of the significant risks faced by the company.

  • the company's ability to respond to changes in the business and in its external environment.

  • the scope and quality of the system of monitoring risks by management and of the internal control system: this should include, where appropriate, an assessment of the scope and quality of the work of the internal auditors.

 

Whenever the board becomes aware of a significant weakness or failing in internal control, it should:

  • find out the reason why the weakness or failure occurred, and

  • re-assess the effectiveness of the processes used by management for designing, operating and monitoring the system of internal control.

 

The annual assessment by the board should consider all aspects of the internal control and risk management system. This should include an assessment of the control environment, risk identification and assessment, internal controls, information and communication, and monitoring systems. The table below indicates the issues that the board might consider.

 

      Control Environment:

  • Is there an appropriate control environment? Do codes of conduct, human resources policies and performance reward systems support the company's risk management system and internal control system?

  • Is there a clear definition of management responsibilities and accountability for control and risk management?

  • Does the company communicate to its employees their responsibilities for risk management and control?

 

       Risk Assessment:

  • Do management understand clearly what level of risk is acceptable to the board?

  • Does the company have clear objectives about risk? Have these objectives been communicated clearly to employees?

 

       Control Activities:

  • How are processes and controls adjusted when new risks occur or when risks change in significance?

  • How are processes and controls adjusted when weaknesses or failings in processes and controls are discovered?

      

      Information and Communication:

  • Does the board receive timely and relevant reports on the same issues from management?

  • Are information needs and related information systems re-assessed as objectives and related risks change, or as deficiencies in reporting are identified?

  • Are there established channels of communication for employees (as whistle blowers) to report suspected breaches in the law or regulations or other improper activities?

 

      Monitoring:

  • Do these processes monitor the company's ability to re-assess risks and adjust controls in response to changes in the company's objectives, its business and its external environment?

  • Are there effective processes and procedures for making changes to controls when weaknesses or failings in the control system are identified?

 

 

 

 

 

 

 

 
