Internal Control is a company's effort to execute the business appropriately and efficiently and to make sure that the reporting to the concerned parties is appropriately done.
Overview of Internal Control
|What is COSO?|
|COSO is the abbreviation of the Committee of Sponsoring Organizations of the Treadway Commission. In Japanese, it is called “Treadway-Iinkai-Soshiki-Iinkai.” It is an organization in the U.S. that devises measures to prevent fraudulent financial reporting.|
Internal Control defines standards and procedures to prevent illegal activities, dishonest activities, and mistakes in a company's business, and it aims to ensure the correctness of the information concerning business execution results by managing and monitoring the business execution based on those standards and procedures. Internal Control consists of Application Control, which appropriately defines and executes the business, and General Control, which ensures the environment in which Application Control works effectively. They are supposed to be practiced by all employees, including board directors and executive officers.
In the U.S., the importance of Internal Control has been emphasized more and more since the Enron and WorldCom cases, and the SOX Act defines strict standards. In Japan, the execution of strict Internal Control is required by J-SOX. Originally, Internal Control was exercised to ensure the appropriateness of financial reports, but nowadays its scope is much broader, and it works more like Governance.
|What is Framework?|
|Framework is a fundamental structure for concepts. When you try to understand a target issue, it is better to arrange it from a certain viewpoint, rather than to display it vaguely.|
Various models and standards related to Internal Control adopt the framework for Internal Control proposed by COSO (COSO Framework), and it is currently regarded as the de facto global standard. Therefore, the execution of Internal Control should also follow it.
Elements of Internal Control
Elements of Internal Control are the guidelines about what to do to execute Internal Control. The COSO Framework proposes five elements: "control environment," "risk assessment," "controlling activity," "information and communication," and "monitoring." In Japan, "Execution criteria of evaluation and supervision concerning internal control over financial reports," published by the Financial Services Agency, further adds "adaptation to IT" and proposes six elements of Internal Control.
Control environment determines the character of the organization. It affects the mentality of all members of the organization under the control and works as the basis of the other elements. E.g. organizational structure, custom, business policy
Risk Assessment and Response
Risk Assessment aims to analyze and evaluate, as risks, the factors in company activities that could disturb the accomplishment of goals, and to take appropriate measures according to the results. E.g. increase the frequency of internal audits concerning purchasing tasks
Controlling activity is an activity to establish the environment in which executive officers' orders or directions are appropriately executed by defining the procedures and policies. E.g. "create documents" of the business by using business flow diagrams to clarify the separation of privilege
Information and Communication
Information and communication ensure that necessary information is provided to entities inside and outside of the organization. E.g. enable participants to report dishonest activities directly to their supervisor's superior without going through the immediate supervisor
Monitoring is to continuously check whether Internal Control is effectively functioning or not. E.g. establish Internal Control department that monitors by picking samples periodically
Adaptation to IT
Adaptation to IT means using IT in business processes by following the pre-determined appropriate procedures and policies. E.g. record the update history and original data upon data update related to financial information conducted by using IT systems
Purpose of Internal Control
Regarding the reasons why Internal Control is required, the COSO Framework presents three reasons: "effectiveness and efficiency of business," "credibility of financial reports," and "observance of laws." In Japan, the Financial Services Agency further adds a fourth reason, "protection of assets," in its "Execution criteria of evaluation and supervision concerning internal control over financial reports."
Effectiveness and Efficiency of Business
Enable effective and efficient corporate activities that produce much output with little input
Credibility of Financial Reports
Ensures the credibility of the information in financial documents disclosed
Appropriately execute the business by observing related laws and standards.
Protection of Assets
Protect assets by appropriately obtaining, using, and disposing of corporate assets under the legitimate procedures
Laws Related to Internal Control and Compliance
In Japan, laws related to Internal Control are enacted by following the contents of SOX Act. Specifically, they are Companies Act and Financial Instruments and Exchange Law.
Companies Act explicitly shows the obligation to establish Internal Control systems, which were acknowledged by court precedents in the past. The establishment of Internal Control systems is the basic principle regarding the establishment of Internal Control, which is supposed to be determined by board directors. Moreover, the abstract of the decision must be written in "business reports," and the business reports must be authorized by auditors.
- Large company
- Corporation with committees
Companies Act does not specify any concrete contents about Internal Control systems or execution plans, but only enumerates items to be established in Internal Control systems. As for compliance, the Internal Control systems of Corporations with Committees, which were mandated to establish Internal Control in advance of the enforcement of Companies Act, should be referred to. Concrete information is shown below.
- System concerning preservation and management of information related to task execution by executive officers
- Clarify the participants in charge of creation of document management standards, creation, preservation, and management of meeting minutes and approval documents
- Standards concerning the management of risk of loss
- Creation of in-house standards, such as risk management standards, standards about all kinds of trades, profit standards, etc.
- System to ensure the effective task execution by executive officers
- Reexamination of business plans and standards about administrative authority
- System to ensure the employees' compliance
- Creation of compliance manuals, establishment of the dedicated department to monitor Internal Control, etc.
- System to ensure an appropriate business of corporations and company groups
- Establishment of management and audit of group companies, maintenance of organizational systems, etc.
- Regulations regarding employees working on the supporting task for auditors
- Establishment of an auditor office, auditor room, etc.
- Independence of the aforementioned employees from executive officers
- Establishment of auditors' privileges regarding the employee evaluation, employee movement, and so on.
- System for executive officers and employees to report to auditors
- Reporting to auditors and execution of important meetings
- System to ensure the effective execution of other auditors' monitoring tasks
- Appointment of external advisors through regular meetings with the internal audit department or audit corporations or auditor meetings
Financial Instruments and Exchange Law
Internal Control Reporting System in Financial Instruments and Exchange Law mandates the execution of Internal Control regarding business related to financial reports of companies. This system is called J-SOX. The specific contents are shown below.
- Establish and maintain Internal Control regarding financial document creation processes
- Have third-party auditors (certified accountants or audit corporations) audit the processes
- Submit, as "Internal Control reports", the results of evaluation done by executive officers about Internal Control concerning the financial document creation processes
- Listed company
However, in case there are consolidated subsidiaries and affiliate companies 20%-50% of whose shareholder voting rights are owned by the company (equity method affiliates), the listed company's evaluation should include those companies.
The following three tools (Three-piece Set) are exemplified as the guideline of Internal Control Reporting System introduction. (These are not mandatory.)
- "Business Description Document (Task Description Document)"
- "Risk Control Matrix (RCM)"
- "Business Flow Diagram (Flowchart)"
Specific compliance procedures are shown below.
- Determination of basic plans and policies
- Executive officers determine basic plans and policies of Internal Control concerning financial reports (the scope, participants in charge, schedule, procedures, etc.) at the company-wide level and the business-process level based on the decision of board directors.
- Establishment of Internal Control
- Execute Internal Control concerning financial reports in company-wide level and business-process level based on the plans and policies
- Evaluation of Internal Control
- Check if the executed Internal Control is effectively working or not
- Improvement of the flaws and deficiencies
- If any flaws or deficiencies of Internal Control are detected in the evaluation phase, appropriate countermeasures should be taken. If those flaws and deficiencies of Internal Control are fixed by the evaluation date of the Internal Control reports (the last day of the term), we can conclude that Internal Control is effectively working.
- Audit by auditors (certified accountants and audit corporations)
- Get audited by auditors concerning the execution status of Internal Control
- Creation and submission of Internal Control report
- Internal Control report must be created for each business year and submitted to the prime minister. The specific contents are shown below.
- Corporate information, such as the company name, the name of the representative of the company, etc.
- Framework for Internal Control
- Scope of the evaluation, the date of the evaluation, the procedure of the evaluation, etc.
- Evaluation result
- Evaluation results are created based on the following categorization and perspectives.
- Internal Control concerning financial reports is valid.
- Although some part of the evaluation was not able to be executed, Internal Control concerning financial reports is valid. The information about the evaluation procedures that were not executed and the reasons.
- Significant flaws are found, and Internal Control concerning financial reports is not valid. The detail of the significant flaws and the reasons why those flaws were not able to be fixed by the end of the term.
- The evaluation result of Internal Control concerning financial reports cannot be stated because some of the important evaluation procedures were not able to be executed. The information about the evaluation procedures not executed and the reasons.
- Special affairs
Utilization of BPM in Internal Control Execution
Monitoring, one of the elements of Internal Control, requires recording who did what to which information and when, who evaluated and authorized it, and so on, and storing that information. BPM tools are helpful for this. They log business events such as executed authorizations and decisions, and store the contents in a database with a timestamp. We can also prevent unfavorable information flows by defining the information flow in advance and managing it with BPM tools. Furthermore, we can prevent access to information by inappropriate participants by configuring the privileges of each process.
In addition, since business flow diagrams created in BPM are also included in the Three-piece Set defined in the Internal Control Reporting System, we can reduce the cost of all kinds of audits and of creating the documents to be submitted.
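As an added illustration of the monitoring use described above (not code from any BPM product or from the original page), the following Python sketch reviews a constructed audit trail of who, when, which item, and which action against per-step privileges. The record fields, user names, and role table are assumptions made for this example.

```python
from datetime import datetime

# Constructed sample of a BPM audit trail: who, when, which information, did what.
AUDIT_LOG = [
    {"who": "sato",   "when": "2024-04-01T09:00:00", "item": "PO-1001", "action": "request"},
    {"who": "tanaka", "when": "2024-04-01T10:30:00", "item": "PO-1001", "action": "approve"},
    {"who": "sato",   "when": "2024-04-01T11:00:00", "item": "PO-1001", "action": "post"},
    {"who": "suzuki", "when": "2024-04-02T09:15:00", "item": "PO-1002", "action": "request"},
    {"who": "suzuki", "when": "2024-04-02T09:20:00", "item": "PO-1002", "action": "approve"},
    {"who": "sato",   "when": "2024-04-03T14:00:00", "item": "PO-1003", "action": "request"},
    {"who": "sato",   "when": "2024-04-03T14:05:00", "item": "PO-1003", "action": "post"},
    {"who": "ito",    "when": "2024-04-04T08:00:00", "item": "PO-1004", "action": "request"},
    {"who": "sato",   "when": "2024-04-04T08:30:00", "item": "PO-1004", "action": "approve"},
]

# Privileges configured for each process step (assumed assignments).
STEP_PRIVILEGES = {
    "request": {"sato", "suzuki", "ito"},
    "approve": {"tanaka", "suzuki"},
    "post":    {"sato"},
}

def find_control_gaps(log, privileges):
    """Return (item, finding, who) tuples for records that break the controls."""
    findings = []
    requester = {}    # item -> user who requested it
    approved = set()  # items approved by someone other than the requester
    for rec in sorted(log, key=lambda r: datetime.fromisoformat(r["when"])):
        who, item, action = rec["who"], rec["item"], rec["action"]
        # Privilege check: the actor must hold the privilege for this step.
        if who not in privileges.get(action, set()):
            findings.append((item, "unauthorized_" + action, who))
            continue
        if action == "request":
            requester[item] = who
        elif action == "approve":
            # Separation of privilege: requester and approver must differ.
            if requester.get(item) == who:
                findings.append((item, "self_approval", who))
            else:
                approved.add(item)
        elif action == "post" and item not in approved:
            findings.append((item, "post_without_approval", who))
    return findings

if __name__ == "__main__":
    for finding in find_control_gaps(AUDIT_LOG, STEP_PRIVILEGES):
        print(finding)
```

A self-approval is reported and does not count as a valid approval, so a later posting of the same item would also be flagged.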