PRAED
School of Management

An internal control system (ICS) is a set of policies, procedures, and processes implemented within a company to provide reasonable assurance that its objectives will be achieved.

The structure and content of an ICS vary from company to company and depend on the size of the business, its specific nature, and its organizational structure.

Components of an Internal Control System (COSO 2013)

According to the COSO model, an internal control system includes five interrelated components.

Control Environment

Maintaining integrity and ethics;

Oversight of the internal control system;

Organizational structure, authority, and responsibility;

Personnel competence;

Establishing accountability.

Risk Assessment

Formulating and refining objectives;

Identifying and analyzing risks;

Assessing fraud risks;

Identifying and analyzing significant changes.

Control Procedures

Selection and implementation of control activities;

Implementation of general IT controls;

Application of policies and procedures.

Information and Communication

Use of relevant and timely information;

Internal communication;

External communication.

Monitoring

Conducting ongoing and/or periodic assessments of the internal control system;

Analyzing results and communicating identified deficiencies.

Developing an effective, risk-based internal control system is the responsibility of the company’s senior management.

Internal Control System Objectives

The internal control system is a set of processes implemented by the Board of Directors, management, and employees of the company, aimed at providing reasonable assurance that the following objectives will be achieved:

Accuracy of financial and management reporting;

Efficiency of operations and optimal use of resources;

Implementation of company strategy;

Compliance with legal requirements;

Fraud prevention and asset security.

Each of these objectives entails associated risks, the management of which requires the implementation of control procedures.

3 key areas of the internal control system:

Corporate-Level Controls;

General Computer Controls;

Business Process Control Procedures.

Corporate-Level Controls

Corporate-level controls are mechanisms implemented by management to ensure the application of control procedures throughout the company, including individual business units. These controls are implemented first and can be considered effective after at least one year of operation.

Key corporate controls include:

Code of Ethics (if necessary, a separate code for financial experts);

Audit Committee;

Disclosure Committee;

Senior Management Compensation Committee;

IT Committee;

Internal Audit Service;

Whistleblower Hotline;

HR Policy;

Financial Period Closing Procedure;

Procurement Regulations;

Risk management function;

Compliance function;

Business continuity plan (if necessary);

Critical authority delineation system.

General Computer Controls

General computer controls (IT General Controls) are a set of IT controls, policies, standards, and procedures that ensure the reliability and integrity of a company’s information environment.

Key areas of IT controls:

IT control environment;

Software development and implementation;

Software change management;

Computer operations;

System and data access management.

Process Control Procedures

Process controls are implemented in the following sequence:

Determining the level of materiality and identifying significant reporting indicators;

Identifying business processes that generate material data;

Identifying processes with increased or specific risks;

Risk identification and implementation of key control procedures (design, operational effectiveness, regulations, instructions, test plans);

Development of fraud scenarios and corresponding controls;

Development of critical authority delineation matrices.

Internal Control System Participants

The following participate in the assessment and development of the ICS:

The Audit Committee, which may assign internal audit to conduct assessments in individual departments and processes;

Internal Audit, an independent function providing assessments and consultations on ICS, risk management, and corporate governance;

External Audit, which formulates recommendations on individual ICS elements;

The Risk Management Service, which ensures the integration of risk management into the company’s activities;

The Internal Control Department, which provides methodological guidance and coordination;

Business Process Owners, responsible for the development and effective operation of control procedures.

Compliance Function

Compliance is a function aimed at managing compliance risks and fostering a sustainable compliance culture within a company.

According to the Basel Committee recommendations, compliance risk is the risk of regulatory sanctions, financial losses, or reputational damage due to non-compliance with laws, regulations, standards, and codes of conduct.

The compliance process includes ongoing monitoring of a company’s activities and assessing its compliance with laws, industry standards, internal policies, and contractual obligations. Every company employee is a participant in the compliance process and is responsible for ensuring compliance with established requirements.

Types of Compliance Control

Compliance covers a wide range of areas, including:

Specialized compliance areas (banking, insurance, pharmaceutical, telecommunications, energy, etc.);

Corporate law;

Securities and derivatives markets;

Exchange and listing requirements (including SOX);

Disclosure;

AML/CFT;

Currency and sanctions control;

Accounting and tax accounting;

Anti-corruption requirements;

Fraud prevention;

Personal data protection;

Labor, immigration, and customs legislation;

Antitrust regulation;

Consumer protection and advertising;

Environmental and industry requirements;