Good corporate governance, by its nature, demands effective systems of internal control. Shareholders expect those charged with governance of the company to manage the risks the company faces and to put controls in place to deal with such risks.
The UK Corporate Governance Code and Internal Control
A principle of the UK Corporate Governance Code is that a company's board should "maintain sound risk management and internal control systems".
The Code requires the board to conduct a review of the effectiveness of the group's system of internal controls and report to shareholders that they have done so. "Internal Control: Revised Guidance for Directors on the Combined Code" (Turnbull guidance) supports this aspect of the Combined Code.
The Turnbull guidance strongly favours a principles-based approach to internal control rather than focusing on detailed processes. It links internal control clearly to risk management and views internal control as a system which encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together:
- Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks;
- Help ensure the quality of internal and external reporting; and
- Help ensure compliance with applicable laws and regulations, as well as internal policies with respect to the conduct of business.
US Sarbanes-Oxley Act 2002 and Internal Control
The Sarbanes-Oxley Act (SOX) applies to all companies worldwide that are registered with the US Securities and Exchange Commisssion (SEC).
The requirements are prescriptive focusing on internal controls over financial reporting specifically and on compliance and accountability. Section 404 of SOX requires an annual report to contain an "internal control report" which shall:
- State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
- Contain an assessment of the effectiveness of the internal control structure and procedures of the company for financial reporting.
SOX also requires that the organisation's auditor shall "attest to, and report on the assessment made by management" in respect of the internal control assessment.
SOX requires judgements regarding the effectiveness of material controls over financial reporting to be made in the context of a suitable framework. The SEC has identified the Turnbull guidance as one such suitable framework. The FRC has published a guide which aims to help non-US companies that are SEC registered who have elected to adopt the Turnbull guidance as a framework for SOX Section 404(a) purposes. The use of the Turnbull guidance in the context of SOX Section 404(a) is solely as a framework within which to address the section's requirements. Nothing in the Turnbull guidance reduces SEC registrants' obligations to comply with US rules and regulations
Other International Frameworks on Internal Control
US
Committee of Sponsoring Organisations of the Treadway Commission, US (COSO)
Control Objectives for Information and Related Technology (COBIT) (2005), IT Governance Institute and the Information Systems, Audit and Control Foundation
Hong-Kong
Internal Control and Risk Management - A Basic Framework (2005)
Further Reading on Internal Control
Discussion Paper on the Financial Reporting and Auditing Aspects for Corporate Governance (2003), Federation des Experts Comptables Europeens (FEE)
Discussion Paper on Risk Management and Internal Control in the EU (2005) FEE
Internal Control from a Risk-Based Perspective - August 2007, IFAC
Internal Controls - A Review of Current Developments - August 2006, IFAC