IFAC: Evaluating and improving internal control in organisations

11 September 2012

The PAIB Committee of the IFAC has issued new International Good Practice Guidance (IGPG), 'Evaluating and Improving Internal Control in Organisations', highlighting areas where the practical application of existing internal control standards and frameworks often fails in many organisations.

This new guidance is important to a professional accountant in business who works with his/her organisation continuously to evaluate and improve internal control, and ensures that internal control is an integrated part of the organisation’s systems of governance and risk management.

In this guidance, internal control is defined as “an integral part of an organisation’s system of governance and ability to manage risk, which is understood, effected, and actively monitored by the governing body, management, and other personnel to take advantage of the opportunities and to counter the threats to achieving the organisation’s objectives”. Better integrated internal control can save the organisation time and money, and promote the creation and preservation of value.

Evaluating and improving internal control are among the core competencies of many professional accountants in business. Professional accountants can therefore play a leading role in ensuring that internal control forms an integral part of an organisation’s governance system and risk management. By taking an integrated, organisation-wide approach to risk management and internal control, professional accountants in business also encourage risks to be viewed and treated in a more holistic way; that is, with improved internal control.

At the heart of the IGPG are nine key principles of evaluating and improving internal control systems complemented by guidance on how to implement them.

The principles below represent good practice for evaluating and improving systems for internal control.

  1. Internal control should be used to support the organisation in achieving its objectives by managing its risks, while complying with rules, regulations, and organisational policies. The organisation should therefore make internal control part of risk management and integrate both in its overall governance system.
  2. The organisation should determine the various roles and responsibilities with respect to internal control, including the governing body, management at all levels, employees, and internal and external assurance providers, as well as coordinate the collaboration among participants.
  3. The governing body and management should foster an organisational culture that motivates members of the organisation to act in line with risk management strategy and policies on internal control set by the governing body to achieve the organisation’s objectives. The tone and action at the top are critical in this respect.
  4. The governing body and management should link achievement of the organisation’s internal control objectives to individual performance objectives. Each person within the organisation should be held accountable for the achievement of assigned internal control objectives.
  5. The governing body, management, and other participants in the organisation’s governance system should be sufficiently competent to fulfil the internal control responsibilities associated with their roles.
  6. Controls should always be designed, implemented, and applied as a response to specific risks and their causes and consequences.
  7. Management should ensure that regular communication regarding the internal control system, as well as the outcomes, takes place at all levels within the organisation to make sure that the internal control principles are fully understood and correctly applied by all.
  8. Both individual controls as well as the internal control system as a whole should be regularly monitored and evaluated. Identification of unacceptably high levels of risk, control failures, or events that are outside the limits for risk taking could be a sign that an individual control or the internal control system is ineffective and needs to be improved.
  9. The governing body, together with management, should periodically report to stakeholders the organisation’s risk profile as well as the structure and factual performance of the organisation’s internal control system.

© IFAC