Internal control

Boards are responsible for their organization's internal control and management information systems. To do that, they first need to determine what internal control will encompass, and how they will address their responsibilities for it.

The Canadian Securities Administrators National Policy 58-201, Corporate Governance Guidelines, states that "the board should adopt a written mandate in which it explicitly acknowledges responsibility for the stewardship of the issuer, including responsibility for the issuer's internal control and management information systems."

The question facing boards, therefore, is: what does internal control encompass and how should the board address its responsibilities for it?

CPA Canada offers the following definition of control in its guidance:

Control comprises those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization's objectives. These objectives may fall into one or more of the following general categories:

  • Effectiveness and efficiency of operations includes objectives related to an organization's goals, such as customer service, the safeguarding and efficient use of resources, profitability and meeting social obligations. This includes the safeguarding of the organization's resources from inappropriate use or loss and ensuring that liabilities are identified and managed.
  • Reliability of internal and external reporting includes objectives related to matters such as the maintenance of proper accounting records, the reliability of information used within the organization and of information published for third parties. This includes the protection of records against two main types of fraud: the concealment of theft and the distortion of results.
  • Compliance with applicable laws and regulations and internal policies includes objectives related to ensuring that the organization's affairs are conducted in accordance with legal and regulatory obligations and internal policies.

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control – Integrated Framework. The 2013 COSO Framework further emphasizes the board's role in creating an effective control environment and having a robust risk assessment process, including identifying and addressing fraud risks. The framework increases the level of rigor required to evaluate the design and effectiveness of internal control. In accordance with the 2013 COSO Framework, all principles must be present and functioning in order to conclude that internal control over financial reporting is effective.

In performing its duties, the board should take a broad view of control and ensure that it provides oversight of all aspects of the control environment, and does not concentrate solely on internal control.

Taking such a view of control requires the board to provide oversight of disclosure controls and procedures – the controls pertaining to all reports, documents and filings the organization is required to provide under securities legislation. Internal control over financial reporting (ICFR) is a subset of disclosure controls and procedures, since it relates to the preparation and filing of financial statements required under securities laws and regulations.

The overall purpose of ICFR is to provide reasonable assurance that the financial statements prepared for external purposes are in accordance with the issuer's financial reporting framework.

The implementation of the updated COSO framework provides a good opportunity to take a fresh look at internal control and create value for the organization, regardless of how mature a company's system of internal control may be. Improvements in the effectiveness of internal control can lead to more efficient operations, greater compliance rates, and more effective internal and external financial reporting.
