I have been frequently asked about the difference between Internal Control and Internal Audit.
The logical approach to this topic starts with Internal Control, which is defined by several specialist professional institutes such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public Accountants (AICPA). We will quote here the COSO definition, which states the following:
“Internal Control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: operations, reporting and compliance”.
Part of the philosophy behind this definition is that internal control can never be limited to financial and accounting activities alone, since it covers all aspects of the organization and encompasses all levels of employees, the executive management, and the board of directors.
Setting the theoretical details aside, internal controls include, but are not limited to:
- The Integrated Report (IR).
- Strategic plan (strategic objectives and business plan).
- Organizational structure manual (designed according to the corporate governance rules and includes risk committee and management function).
- Job structure manual (including compliance function).
- The framework of competencies and integrity that incumbents should have.
- Delegation of authority matrix.
- Policies and procedures manual for the organizational units (designed according to the four-eyes principle for a single activity).
- Clear-cut job descriptions.
- Regular reporting systems for organizational units.
- Appraisal system for the executive management and board of directors.
- Board of directors charter.
- Code of professional conduct and ethics for the executive management (which should include a whistleblowing channel for the employees along with ensuring protection for them).
- Annual training plan for the board of directors and the executive management.
- Employee guide.
- Deployment of IT systems for operations based on the cost-benefit principle.
Responsibility for updating and maintaining internal controls
Each job incumbent in the organizational structure is responsible for updating and maintaining the internal controls. An employee shall report to the head of an organizational unit, the head of an organizational unit shall report to the CEO, and the CEO in turn shall report to the board of directors.
Internal control is a preventive tool employed to achieve specific objectives, namely:
- Operations objectives: these relate to the effectiveness and efficiency of operations, including financial and operational performance objectives, and protection of assets against loss.
- Reporting objectives: these relate to internal and external financial and non-financial reports, and include reliability, compliance with deadlines, transparency and any other requirements set by the organizational authorities, regulators or recognized standard setters, or set forth in the organization’s policies.
- Compliance objectives: these relate to compliance with the laws and regulations governing the organization’s business.
The Institute of Internal Auditors (IIA) defines internal audit as:
“An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.
Further, the Association of Chartered Certified Accountants (ACCA) defines the internal audit – the control of controls – as the independent and objective evaluation of an organization’s internal controls to effectively manage risk within its risk appetite.
It is worth mentioning that the internal audit activity is carried out by an organizational unit reporting to the audit committee, which in turn reports to the board of directors. The internal audit function develops an annual action plan, which should be approved by the audit committee, and submits periodic reports on the internal audit activities.
It should also be noted that the internal audit assessment report shall contain a section that reviews and evaluates the internal controls and either gives assurance of their adequacy or states the requirement to introduce further controls in order to achieve an adequate level of internal control.
An internal audit is a detective tool employed to verify the extent of executive units’ compliance with established controls.
Relationship between Internal Control and Internal Audit
In light of the above highlights of internal control and internal audit, it is clear that the two have a complementary relationship: internal control establishes the controls by which a business entity should be managed, while internal audit is a detective activity that verifies the implementation of those controls. This complementary relationship is further confirmed by the matching objectives of internal control and internal audit, as both disciplines are ultimately intended to protect the shareholders – the entity’s owners.