Internal control: same words different meanings yet again

ByGrant

I was taught that internal control was the processes around the safeguard of company assets. But that was in the 1970’s, and life has become more complicated since then. So complicated that accountants now disagree on what internal control really is. Or to be more precise British accountants have a different definition to American ones. Now I find this quite ludicrous but by now you will realise that this is not ludicrous at all but normal. They differ all the time.

The main reference for internal control in the UK is the Turnbull Report. Here is their definition:

“The policies, processes, tasks, behaviours and other aspects of an organisation that taken together:

Facilitate effective operation by enabling it to respond in an appropriate manner to significant business, operational, financial, compliance and other risks to achieve its objectives. This includes safeguarding of assets and ensuring that liabilities are identified and managed.

Ensure the quality of internal and external reporting, which in turn requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from both internal and external sources.

Ensure compliance with applicable laws and regulations and also with internal policies.” [1]

What a mouthful!

You will notice that the ‘safeguarding of assets’ is only a part of the definition. Internal control has been promoted to include achieving the company’s objectives and much more. This is an exaggeration. Thousands of companies do not meet their objectives, yet their internal controls are adequate even excellent.

The other reference in the UK for everything accounting is the Financial Reporting Council. They wrote a ‘Guidance’ on risk management and internal control, [2] but they have not included their definition of internal control.  In paragraph 37, page 9, they do, however, make this statement:

“Effective controls are an important element of the systems of risk management and internal control and can cover many aspects of a business, including strategic, financial, operational and compliance.”

But not the safeguard of assets.

With this statement, they sort of abandon Turnbull and go for something simpler. But they put Risk Management and Internal Control as equal partners. This is not the same approach as in the USA whose reference originates from the Treadway Commission and is now managed by the COSO with their Framework in 2013. Here is their definition of internal control:

“Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance. [3]

Note how close the two are with ‘operations, reporting and compliance’ in America and ‘strategic, financial, operational and compliance’ in Britain. Financial is close to reporting with an added strategic in Britain and a common operations and compliance.  But no, they are far apart in structure. Risk management and internal control are separate and complimentary in the UK with the Financial Reporting Council. Whereas the COSO consider that Risk Assessment is an integral part of internal control, and only one of five other components:

“Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives.” [3]

So we follow the usual approach in accounting on both sides of the Atlantic: make things as different as possible, use a different methodology, but use the same words: ‘internal control’ but of course with different meanings. As usual complicated and nobody wins.

[1] Internal Control: Guidance for Directors on the Combined Code (1999) also known as the “Turnbull Report” was a report drawn up with the London Stock Exchange for listed companies. The report was superseded by a further FRC guidance issued in September 2014. See [2] below.

[2] Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, September 2014, Financial Reporting Council, Page 9, paragraph 37.

[3] Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2013 framework.