
Implementing an Effective Internal Controls System

by Andrew Chambers

Executive Summary

  • Effective internal control gives reasonable assurance, though not a guarantee, that all business objectives will be achieved. It extends much beyond the aim of ensuring that financial reports are reliable. It includes the efficient achievement of operational objectives and ensuring that laws, regulations, policies, and contractual obligations are complied with.

  • There is growing appreciation that effective internal control does not evolve naturally. It requires concerted effort on an ongoing basis.

  • Often initially stimulated by the requirements of the Sarbanes–Oxley Act (2002), many more businesses are now systematically documenting, testing, evaluating, and improving their internal control processes. We show how to do this.

  • In a large organization this more rigorous focus on internal control is likely to encourage greater standardization of similar processes in use in different parts of the organization.

  • More effective internal control does not necessarily cost more. Aside from reducing costly risks of avoidable losses and business failures, it is often no more costly to organize business activities in ways that optimize control.

  • Better internal controls may enable a business to engage safely in more profitable activities that would be too risky for a competitor without those controls.


In some jurisdictions law or regulation may require effective systems of internal control, with serious penalties for irresponsible failure. The Sarbanes–Oxley Act (2002) requires CEOs and CFOs of companies with listings in the United States to certify their assessment of the effectiveness of internal control over reported disclosures (s302) and financial reporting (s404), with penalties of up to $1 million and ten years' imprisonment for unjustified certification, or up to $5 million and 20 years' imprisonment for wilful breach of the requirements (s906). The Public Company Accounting Oversight Board's Auditing Standard No. 5 (2007) requires the company's external auditors themselves to assess the effectiveness of their client's system of internal control over financial reporting, in order to meet the audit requirements of s404 of the Sarbanes–Oxley Act.

Japan and Canada have laws broadly similar to the Sarbanes–Oxley Act. Although not reinforced by the risk of criminal sanctions, provision C.2.1 of the United Kingdom's Combined Code on Corporate Governance (2008) requires that the board of a company listed on the main market of the London Stock Exchange should, at least annually, conduct a review of the effectiveness of the group's system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational, and compliance controls, and risk management systems. In addition, the UK Financial Services Authority's Disclosure and Transparency Rule DTR 7.2.5 R requires companies to describe the main features of the internal control and risk management systems in relation to the financial reporting process (see Schedule C).

What “Effective” Means

Although similar requirements exist in many countries, the principal driver for implementing an effective internal controls system should be the enlightened self-interest of the company.

Effective internal control is intended to give reasonable assurance of the achievement of corporate objectives at all levels. An internal control framework should be used for the design and evaluation of an internal control system. The COSO framework is the most widely applied of three published frameworks.1 COSO (the Committee of Sponsoring Organizations of the Treadway Commission) defines internal control as follows:

“Internal control is broadly defined as a process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  1. Effectiveness and efficiency of operations.

  2. Reliability of financial reporting.

  3. Compliance with applicable laws and regulations.”

Other definitions of internal control categorize the objectives of internal control differently, but fundamentally, effective internal control gives reasonable assurance that all of management’s objectives will be achieved. For instance, the King Report2 defines internal control as follows:

“The board should make use of generally recognized risk management and internal control models and frameworks in order to maintain a sound system of risk management and internal control to provide a reasonable assurance regarding the achievement of organizational objectives with respect to:

  1. Effectiveness and efficiency of operations;

  2. Safeguarding of the company’s assets (including information);

  3. Compliance with applicable laws, regulations and supervisory requirements;

  4. Supporting business sustainability under normal as well as adverse operating conditions;

  5. Reliability of reporting;

  6. Behaving responsibly towards all stakeholders.”

Before a conclusion can be reached that internal control is effective, both results and processes must be considered. For the former, the test is whether there have been any known outcomes attributable to significant breakdowns in internal control. Absence of these does not lead automatically to the conclusion that internal control is effective: breakdowns of internal control may have occurred but not yet been discovered, and serious weaknesses may exist within the system of internal control that have not yet been exploited. So the second test must also be applied, which is to assess the quality of the control processes or "components."


Further reading

  • American Institute of Certified Public Accountants (AICPA). Internal Control over Financial Reporting: Guidance for Smaller Public Companies. Institute of Internal Auditors (IIA) Research Foundation, 2006.
  • Chambers, Andrew. Tolley's Internal Auditor's Handbook. 2nd ed. London: LexisNexis Butterworths, 2009. See especially chapter 6.
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control—Integrated Framework. 2 vols. 1992.
  • COSO. Guidance on Monitoring Internal Control Systems. To be published in 2009.



