Internal control

(Part 1)

CNSNews.com ran the following story on Nov. 19, 2012: “Treasury Secretary Timothy Geithner said Friday that Congress should stop placing legal limits on the amount of money the government can borrow and effectively lift the debt limit to infinity.” 

A limit to infinity. It sounds a bit poetic, like a good irony quote.

The debt limit was an internal control feature put in place by US Congress to rein in out-of-control spending and to encourage fiscal discipline. And so, one might ask: is such an internal control feature – a nation’s debt limit – still expedient under current economic conditions? There are those in favor and there are those who oppose.  But one thing is for certain. Internal control is something that cannot be ignored.

As business owner or manager, if you want to be able to sleep at night, knowing in confidence that no letter would arrive in the mail alleging that your company violated laws and regulations; if you want to be assured that when you look at the balances in your books, they are correct; if you want comfort that there is no wastage being incurred in your business operations, then you are yearning for internal control.

What and why internal control?

Philippine Standards on Auditing (PSA) defines internal control as the process designed and effected by those charged with governance and management to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. This is also the definition provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), an organization involved, among others, in the development of frameworks and guidance on internal control and fraud deterrence. Let it be emphasized that the Philippines complies with global standards on internal control.

So, based on the definition, internal control:  (i)  is something that takes place on a continuing basis (i.e., a process);  (ii) is from top down, with those in charge of governance (i.e., owners, Board of Directors and elected officials) setting the tone ; and  (iii)  provides comfort that everything is working properly as designed to further an entity’s endeavours. 

Driven by new business regulations, standards, as well investor expectations, internal control at now in the forefront of each and every audit and ought to be the concern of regulators, accountants, and management.

Add to this, internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002 as well as that of the UK Bribery Act of 2010.

The FCPA, specifically in its Section 102, provides that all corporations required to file with the US SEC are legally required to keep records that accurately and fairly reflect their transactions and assets in reasonable detail. They must also devise and maintain an internal accounting control system sufficient to provide reasonable assurance that (1) transactions are properly authorized and recorded; (2) assets are safeguarded and protected from unauthorized access; and (3) recorded asset values are periodically compared with actual assets and any differences corrected. The significance of this statutory requirement is two-fold: (1) it represents for the first time, historically, that the US Congress has legislated an accounting rule, when in past times the promulgation of accounting principles and practices (GAAP) has always been developed by private sector authorities, i.e., the AICPA, the Financial Accounting Standards Board, among others; and (2) it emphasizes the explicit statutory recognition given by the US Federal Government to accounting controls and control systems.    

On the other hand, Section 302 of the Sarbanes-Oxley Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The  principal executive and financial officers, or persons performing similar functions must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” The officers must “have evaluated the effectiveness of the entity’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.”

The UK Bribery Act of 2010 Consultative Guidance further gives weight to internal control: stating that “businesses should also consider how their existing internal company procedures can be used for bribery and corruption prevention.”.

Indeed, based on the foregoing, internal control is a big concern  for government and businesses alike.

Who is responsible for internal control? 

Everyone in the organization has responsibility for internal controls: management, board of directors, internal auditors, and other personnel. The chief executive officer is ultimately responsible and should assume ownership of the internal control system, providing leadership and direction to senior managers. The board of directors provides governance, guidance, and oversight. A strong, active board is best able to identify and correct management attempts to override controls or ignore or stifle communications from subordinates. Also of particular significance in internal control are financial officers and their staff. Internal control should be an explicit and implicit part of everyone’s job description.

Internal control in the bigger scheme of things

One can reasonably argue that international accounting standards, regulations and fairness opinions hinge on internal control.  Internal control is the front liner in the thrust for reliability of financial statements and investor confidence in both the local and international levels.

An illustration may be gleaned from the financial crisis of 2008 during which time credit markets froze in the United States. Some argue that the root of the subprime mortgage meltdown can be traced back to government policy.  Thomas Sowell, an American economist, wrote, “government regulators … imposed lower mortgage lending standards – and it was members of Congress (of both parties) who pushed the regulators, the banks and the mortgage-buying giants Fannie Mae and Freddie Mac into accepting risky mortgages, in the name of affordable housing and more home ownership.  Presidents of both parties also jumped on the bandwagon.”  This is a case of the “top” setting the tone, which, in this case, meant the lowering of mortgage lending standards to help citizens from lower income brackets have a house of their own.  It seems all good intentions.  But it created a lot of the subprime debt which became the main ingredient of the subprime mortgage fiasco that has up to now left US homeowners gutted of their major source of wealth.

As 2013 sets in, the world is still being shaped by regulations that can either make or break us. Observing good internal control in our businesses, our nations and even our personal lives is very much a critical matter.

Arthur Z. Machacon is an Audit partner of Manabat Sanagustin & Co. (MS&Co.), the Philippine member firm of KPMG International. He has more than 18 years of external audit experience covering a wide spectrum of industries. He has also a significant experience in the audit of publicly-listed companies. 

This article is for general information purposes only and should not be considered as professional advice to a specific issue or entity.The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of KPMG International or MS&Co. For comments or inquiries, please email manila@kpmg.com or rgmanabat@kpmg.com.

 

Show comments