Business Process Library Q Business Process Management

Internal Control

From Q-BPM
(Redirected from Internal control)
Jump to: navigation, search

Internal Control is a company's effort to execute the business appropriately and efficiently and to make sure that the reporting to the concerned parties is appropriately done.


Overview of Internal Control

What is COSO?
COSO is the abbreviation of the Committee of Sponsoring Organization of the Treadway Commission. In Japanese, it is called “Treadway-Iinkai-Soshiki-Iinkai.” It is an organization in the U.S., which devises measures to prevent fraudulent financial reporting.

Internal Control defines standards and procedures to prevent illegal activities, dishonest activities, and mistakes in company's business, and it aims to ensure the correctness of the information concerning business execution results by managing and monitoring the business execution based on those standards and procedures. Internal Control consists of Application Control to appropriately define and execute the business and General Control to ensure the environment in which Application Control works effectively. They are supposed to be practiced by all employees, including board directors and executive officers.

In the U.S., the importance of Internal Control is more and more emphasized after Enron Case and Worldcom Case, and SOX Act defines the strict standards. In Japan, the execution of strict Internal Control is required by J-SOX. Originally Internal Control was excercised to ensure the appropriateness of financial reports, but nowadays its scope is much broader, and it is working more like Governance.

What is Framework?
Framework is a fundamental structure for concepts. When you try to understand a target issue, it is better to arrange it from a certain viewpoint, rather than to display it vaguely.

Various models and standards related to Internal Control adopt the framework for Internal Control proposed by COSO (COSO Framework), and it is currently regarded as the de facto global standard. Therefore, the execution of Internal Control should also follow it.

Elements of Internal Control

Elements of Internal Control are the guidelines about what to do for execution of Internal Control. COSO framework proposes five elements, "control environment," "risk assessment," "controlling activity," "information and communication," and "monitoring." In Japan, "Execution criteria of evaluation and supervision concerning internal control over financial reports" published by Financial Service Agency further adds "adaptation to IT" and proposed six elements of Internal Control.

Control Environment

Control environment determines the character of the organization. It affects mentality of all members of the organization under the control and works as a basis of other elements. E.g. organizational structure, custom, business policy

Risk Assessment and Response

Risk Assessment aims to, in company activities, analyze and evaluate factors that could disturb the accomplishment of goals as risks and to take appropriate measures according to the results. E.g. increase frequency of internal audits concerning purchasing tasks

Controlling Activity

Controlling activity is an activity to establish the environment in which executive officers' orders or directions are appropriately executed by defining the procedures and policies. E.g. "create documents" of the business by using business flow diagrams to clarify the separation of privilege

Information and Communication

Information and communication ensure that necessary information is provided to entities inside and outside of the organization. E.g. enable participants to inform directly the super-supervisor of dishonest activities without going through the immediate supervisor


Monitoring is to continuously check whether Internal Control is effectively functioning or not. E.g. establish Internal Control department that monitors by picking samples periodically

Adaptation to IT

Adaptation to IT means using IT in business processes by following the pre-determined appropriate procedures and policies. E.g. record the update history and original data upon data update related to financial information conducted by using IT systems

Purpose of Internal Control

Regarding the reasons why Internal Control is required, COSO Framework presents three reasons, "effectiveness and efficiency of business," "credibility of financial reports," and "observance of laws." In Japan, Financial Service Agency further adds the fourth reason, "protection of assets," in its "Execution criteria of evaluation and supervision concerning internal control over financial reports."

Effectiveness and Efficiency of Business

Enable effective and efficient corporate activities that produce many output with small input

Credibility of Financial Reports

Ensures the credibility of the information in financial documents disclosed

Legal Compliance

Appropriately execute the business by observing related laws and standards.

Protection of Assets

Protect assets by appropriately obtaining, using, and disposing corporate assets under the legitimate procedures

Laws Related to Internal Control and Compliance

In Japan, laws related to Internal Control are enacted by following the contents of SOX Act. Specifically, they are Companies Act and Financial Instruments and Exchange Law.

Companies Act


Companies Act explicitly shows the obligation to establish Internal Control systems, which were acknowledged by court precedents in the past. The establishment of Internal Control systems is the basic principle regarding the establishment of Internal Control, which is supposed to be determined by board directors. Moreover, the abstract of the decision must be written in "business reports," and the business reports must be authorized by auditors.


  • Large company
  • Corporation with committees


Companies Act does not specify any concrete contents about Internal Control systems or execution plans, but only enumerates items to be established in Internal Control systems. As for the compliance, Internal Control systems in Corporation with Committees, which was mandated to establish Internal Control in advance of the enforcement of Companies Act, should be referred. Concrete information is shown below.

  1. System concerning preservation and management of information related to task execution by executive officers
    Clarify the participants in charge of creation of document management standards, creation, preservation, and management of meeting minutes and approval documents
  2. Standards concerning the management of risk of loss
    Creation of in-house standards, such as risk management standards, standards about all kinds of trades, profit standards, etc.
  3. System to ensure the effective task execution by executive officers
    Reexamination of business plans and standards about administrative authority
  4. System to ensure the employees' compliance
    Creation of compliance manuals, establishment of the dedicated department to monitor Internal Control, etc.
  5. System to ensure an appropriate business of corporations and company groups
    Establishment of management and audit of group companies, maintenance of organizational systems, etc.
  6. Regulations regarding employees working on the supporting task for auditors
    Establishment of an auditor office, auditor room, etc.
  7. Independence of the forementioned employees from executive officers
    Establishment of auditors' privileges regarding the employee evaluation, employee movement, and so on.
  8. System for executive officers and employees to report to auditors
    Reporting to auditors and execution of important meetings
  9. System to ensure the effective execution of other auditors' monitoring tasks
    Appointment of external advisors through regular meetings with the internal audit department or audit corporations or auditor meetings

Financial Instruments and Exchange Law


Internal Control Reporting System in Financial Instruments and Exchange Law mandates the execution of Internal Control regarding business related to financial reports of companies. This system is called J-SOX. The specific contents are shown below.

  • Establish and maintain Internal Control regarding financial document creation processes
  • Have third-party auditors (certified accountants or audit corporations) audit the processes
  • Submit, as "Internal Control reports", the results of evaluation done by executive officers about Internal Control concerning the financial document creation processes


  • Listed company

However, in case there are consolidated subsidiaries and affiliate companies 20%-50% of whose shareholder voting rights are owned by the company (equity method affiliates), the listed company's evaluation should include those companies.


The following three tools (Three-piece Set) are exemplified as the guideline of Internal Control Reporting System introduction. (These are not mandatory.)

  • "Business Description Document (Task Description Document)"
  • "Risk Control Matrix (RCM)"
  • "Business Flow Diagram (Flowchart)"

Specific compliance procedures are shown below.

  1. Determination of basic plans and policies
    Executive officers determines basic plans and policies of Internal Control concerning financial reports (the scope, participants in charge, schedule, procedures, etc.) in company-wide level and business-process level based on the decision of board directors.
  2. Establishment of Internal Control
    Execute Internal Control concerning financial reports in company-wide level and business-process level based on the plans and policies
  3. Evaluation of Internal Control
    Check if the executed Internal Control is effectively working or not
  4. Improvement of the flaws and deficiencies
    If any flaws or deficiencies of Internal Control are detected in the evaluation phase, appropriate countermeasure should be taken. If those flaws and deficiencies of Internal Control are fixed by the evaluation date of the Internal Control reports (the last day of the term), we can conclude that Internal Control is effectively working.
  5. Audit by auditors (certified accountants and audit corporations)
    Get audited by auditors concerning the execution status of Internal Control
  6. Creation and submission of Internal Control report
    Internal Control report must be created for each business year and submitted to the prime minister. The specific contents are shown below.
    • Corporate information, such as the company name, the name of the representative of the company, etc.
    • Framework for Internal Control
    • Scope of the evaluation, the date of the evaluation, the procedure of the evaluation, etc.
    • Evaluation result
    Evaluation results are created based on the following categorization and perspectives.
    1. Internal Control concerning financial reports is valid.
    2. Although some part of the evaluation was not able to be executed, Internal Control concerning financial reports is valid. The information about the evaluation procedures that were not executed and the reasons.
    3. Significant flaws are found, and Internal Control concerning financial reports is not valid. The detail of the significant flaws and the reasons why those flaws was not able to be fixed by the end of the term.
    4. The evaluation result of Internal Control concerning financial reports can not be manifested because some of the important evaluation procedures was not able to be executed. The information about evaluation procedures not executed and the reasons.
    • Appendices
    • Special affairs

Utilization of BPM in Internal Control Execution

Monitoring, one of the elements of Internal Control, requires to monitor "who, when, and to which information did what," "who evaluated and authorized" etc. and to store the information. To do that, BPM tools are helpful. BPM tools help us log the business such as executed authorization and decision, and store the contents in the database with the timestamp. Also, we can prevent unfavorable information flows by defining the information flow in advance and managing the flow by using BPM tools. Furthermore, we can prevent access to the information by inappropriate participants by configuring the privileges of each process.

In addition, since business flow diagrams created in BPM are also included in Three-piece set defined in Internal Control Reporting System, we can reduce the cost to do all kinds of audits and to create documents to be submitted.

In J-SOX, risk management is emphasized, and introducing BAM, which monitors in real time, enables us to make appropriate arrangement smoothly.

Related Articles

What links here
Related changes
Upload file
Special pages
Printable version
Permanent link
Questetra BPM Suite
Workflow Sample:Hints on Defining Workflows for Business Analysts and Managers.

General nouns | Proper nouns | General-purpose business process | Core business process | Business process for support administration
Q-BPM This website was started by Questetra, Inc. for businesspeople all over the world, who are interested in BPM, but spend a great amount of time on the search of a lot of books, documents, and difficult terms. By saving the trouble of looking up a number of related terms or the time of searching documents, Questetra, Inc. hopes to contribute to businesspeople, interested in BPM, all over the world. Questetra Inc. Q-BPM exemplifies various Sample Processes regarding Business Flow in companies, and support Business Flow Diagram making. (* Business Flow Diagram: Business Flow Chart/Business Diagram/Business Process Diagram) This is Cloud-Source type information sending website that invites collaborators all over the world. In principle, contents in this website are public on the basis of the license called “CC-By SA,” which means “possible to copy under specific conditions.”

Powered by MediaWiki CreativeCommons By SA