
Internal Control System: Structure And Benefits
Accounting scandals are frequently the result of internal control failures, which can inflict significant financial and reputational damage.
In 2020, for example, an investigation found that German payment tech provider Wirecard had falsified its accounts by up to €1.9 billion: the fraud led to the collapse of the company and the arrest of its CEO. In 2023, the UK’s Serious Fraud Office charged four people for the collapse of bakery chain Patisserie Valerie: the incident involved the misstatement of up to £28 million in funds and the concealment of £10 million of debt, and resulted in the loss of almost 1000 jobs.
Internal control systems are not only a bulwark against incidents of fraud and accounting error but also help to ensure a company’s ongoing integrity, reliability, and reputation in a crowded, competitive global marketplace. Implementing effective internal controls can be challenging, and so it’s critical that CFOs and their accounting teams understand how to develop a system that serves their organization’s profile.
What Is An Internal Control System?
Internal control system (ICS) refers to the checks and balances that a company puts in place to ensure compliance with both internal policy and external regulatory requirements, including financial reporting. The ICS is intended to protect a company from risk, safeguard assets, and support operational effectiveness.
An ICS is typically made up of individual controls that include policies and procedures, and the practical actions that employees must carry out as part of their duties and responsibilities. The level of detail involved in an ICS may affect its complexity and, in turn, the administrative challenge of applying controls effectively. With that complexity in mind, many companies seek to automate as much of their ICS as possible in order to build speed and accuracy into the compliance process.
When and Why Does a Company Need an ICS?
An ICS is integral to a company’s risk management strategy and essential to addressing emerging criminal threats and regulatory change. In the wake of recent accounting scandals, many jurisdictions have made having an ICS a legal requirement for public companies – with those that fail to comply facing strict penalties.
An ICS is not just about avoiding compliance fines. Applied effectively, the ICS can help a company identify and assess risks, and mitigate or even eliminate their impact. With that in mind, an ICS contributes to the smooth running of business operations, shores up brand reputation, and strengthens public confidence in products and services.
Requirements for an Internal Control System
Each ICS should be unique to the risks and business needs of a given company but should meet a number of fundamental requirements. Companies should develop their ICS in consideration of the following factors:
ICS Components
The Committee of Sponsoring Organizations (COSO) has put forward a model framework for the application of corporate controls in corporate environments. The framework is built around the following components of internal control:
- Control environment: Internal controls must help companies comply with jurisdictional rules and regulations – and so should be developed with those legal requirements in mind. Companies with a global footprint may need to consider multiple control environments as part of their ICS.
- Risk assessment: The level of risk that a company faces will inform the controls that it must apply. Accordingly, the accounting team should conduct a detailed risk assessment as it develops and implements an ICS to ensure that controls are aligned with compliance and business objectives.
- Control activities: Companies should think about the practical actions that will make up the controls they develop to address risks. Controls may be applied as policies or procedures, or as individual tasks – all of which serve to review or verify financial data and information, and facilitate compliance objectives.
- Information and communication: ICS are typically cross-departmental and may also require input from Board members or external third-parties. With this in mind, companies should implement effective communication and information sharing systems to facilitate access to critical documents and resources, and ensure that team members can respond quickly to control delays.
- Monitoring: Companies must monitor the effectiveness of their controls on an ongoing basis, reviewing and testing regularly. CFOs should think about horizon scanning to identify potential risks emerging from the introduction of new technology or as a result of regulatory change.
ICS Structure
The structure of an ICS will play a part in its effectiveness. Companies should keep the following in mind as they develop and implement their own system:
- Framework: Companies may develop their ICS under the COSO model, focusing on the 5 key components of control (listed above). That framework should be considered a starting point and not a limiting factor, and CFOs should seek to implement it with regard to the unique business challenges that their organization faces.
- Fundamentals: The Board should think about the fundamental objectives of their ICS. This means implementing controls that meet both the regulatory and ethical standards the company expects – and doing so in a way that meets business needs such as budget, skill, and resource limitations.
- Transparency: Internal controls should be as transparent as possible – in the sense that employees are able to understand why they are being applied, how they fit into the wider framework, and how they function. This means that companies should integrate their communication infrastructure with their ICS, focusing on visibility and information-sharing functionalities such as instant messaging and secure document access.
- Four eyes principle: A widely applied risk management mechanism, the four eyes principle is the requirement for a given activity to be reviewed by two people – essentially, double-checked. In an ICS, the four eyes principle typically involves the assignment of two reviewers to a control, and may be supported by software verification.
- Segregation of duties: The integrity of an ICS often relies on the segregation of certain duties to prevent conflicts of interest, fraud, and other potential failures. For example, companies should implement a control that ensures that an employee responsible for receiving client payments is not also responsible for issuing invoices. Similarly, accounting responsibilities should be split to ensure different team members are responsible for individual processes, such as audits and book-keeping.
- Minimum information: Internal controls rely on a minimum amount of accurate, timely information in order to facilitate effective decision-making. With this in mind, companies should think carefully about how they capture the relevant data to feed their controls, with a focus on accuracy and efficiency. Similarly, the ICS should provide stakeholders with mutual visibility into control application – not only to promote accountability but to offer early indications of potential obstructions and delays.
Planning and Implementation
While the detail and structure of each ICS is different, the planning and implementation process should include the following key steps:
- Control review: In coordination with the accounting team, CFOs should conduct a review of existing controls to identify compliance gaps, or opportunities to integrate new technology tools.
- Development: Following the review, CFOs must develop new controls to address the risks that they face. The process should account for the need to integrate controls into existing workflows as seamlessly as possible.
- Policy and procedure: The ICS should be supported by detailed documentation, including written policy and procedure, and instructions on how to apply specific controls.
- Employee training: The ICS’ success depends on the ability of employees to use it effectively. Accordingly, employees should receive training on how to apply controls and on their role and importance within the wider framework.
- Control testing: The ICS must be tested prior to deployment to ensure it meets its compliance objectives, and then on a regular schedule to ensure ongoing effectiveness.
- Ongoing monitoring: CFOs should monitor the effectiveness of their ICS carefully, and maintain a perspective on incoming regulatory changes and emergent risks that might necessitate adjustments or new controls.
Implementing a new ICS may involve a degree of administrative friction and even disrupt the delivery of products and services. Companies should account for potential disruption during the development process and, if possible, come up with mitigation strategies.
Internal Audits of the ICS
Internal audits ensure the ongoing effectiveness of an ICS. An internal audit team will have unique insight into the company’s compliance objectives and into wider factors that might be supporting or impeding the application of controls. To this end, it’s worth implementing a regular ICS audit schedule and team to conduct internal audits and report to the Board on the current state of controls.
ICS and Financial Reporting
One of the principal functions of an ICS is to ensure the accuracy and completeness of financial reports – a practice known as internal control over financial reporting (ICFR). Some jurisdictions have implemented regulations that assign legal responsibility for ICFR to persons within a company. In the US, for example, the SOX Act makes company executives responsible for ICFR, while in Europe, the EU’s Corporate Sustainability Reporting Directive (CSRD) and the UK’s updated Corporate Governance Code confer similar executive responsibilities.
Accordingly, both the Board and senior management employees should be familiar with the details of their ICS, and be involved in the process of:
- Establishing effective controls over financial reporting.
- Assessing the functionality of internal financial reporting controls using appropriate criteria, such as COSO.
- Creating evidence and documentation that internal and external auditors may use to evaluate and verify controls.
- Providing a written assessment of the functionality of controls at the end of the financial year.
ICS Efficiency With FloQast
Build effective, efficient, accurate controls into the heart of your business. FloQast compliance management software helps companies of every size implement their ICS, with automated controls integrated into day-to-day accounting workflows in order to reduce costs and administrative friction, and increase operational flexibility.