Strong internal controls – it just makes good business sense

/, SOX/Strong internal controls – it just makes good business sense

There is a large body of literature, rules, and regulations regarding internal controls. This brief article does not delve into that detail. Instead, hopefully this synopsis will bridge internal control theory with some practical realities.

Why is it so important to design and implement strong internal controls in all organizations small and large, and to check regularly to make sure they are working as intended? Some of the more obvious reasons include fraud prevention and compliance with regulations, but in my humble opinion, it just boils down to good business sense to do so. I will by-pass some of the more technical aspects, and present this internal control summary from a business person’s point of view.

The benefit of strong Internal Controls:

Authorizing contracts and transactions in accordance with company policy and procedures – this is probably the most obvious – every organization has, or should have some guidelines for such basic processes as purchasing goods / services and paying bills to suppliers etc. It’s very important that these internal controls are designed effectively, as they provide the rules for processing transactions. Strong internal controls begin with proper design, and then follow with them operating effectively – that is – are they being followed. In other words, does the organization have sufficient oversight to ensure that controls are actually being followed? I’ve seen it so many times where a control is thought to be in place, but in fact it is not being adhered to. Periodic reviews of internal controls (at least annual or more if there are changes in the business) can identify these issues. Consider it similar to ongoing maintenance of equipment or regular health check – you can catch and resolve problems before they develop into something much more serious.

Maintaining and increasing efficiencies in business processes – internal controls do not in of themselves translate into productivity and business efficiencies, but the design and in particular the ongoing review of them will highlight changes in processes which may provide opportunities for instance to eliminate redundancies, or implement an automated solution, which in turn can have cascading effects throughout other areas. For instance, in one company that I worked with recently on review of internal controls, we noted several “legacy” excel spreadsheet applications, which as it turned could be migrated into the company’s ERP system due to some recent enhancements. This not only saved time but also increased the timeliness of management reporting.

Ensuring adequate review of financial statements and management reports to detect errors – the internal controls involved here pertain to what is referred to as Entity Level controls or mitigating controls. These are controls such as variance reports (actual results compared to budget / forecast / prior year etc) which are designed to detect “out of line” transactions or balances. Most companies would have variance reports for revenue, pricing, costs, gross margin and expenses. These are a critical part of the organization’s overall internal control framework as they serve to provide an additional layer of review and oversight. Without them you might not “see the forest because of the trees”. They are sometimes viewed as the last line of defence, and present an opportunity to detect errors, omissions and operating issues. Accordingly, for this internal control to function effectively, it is important that the reporting be designed properly and reviewed on a timely basis. Weekly reporting and daily “Dashboard” metrics can also serve to provide similar oversight.

Segregation duties – fraud prevention – safeguarding assets – one of the most basic premises of internal controls is to ensure that an organization’s physical and financial assets are adequately safeguarded. This runs a wide gamut of things and includes separation of duties such that one person cannot complete an entire transaction themselves, without involvement / oversight from someone else – classic example is the set up of vendors, processing invoices, issuing & signing cheques, and reconciling the bank statement. Imbedded within this is fraud detection and prevention. It also includes ensuring that physical assets such as inventory and equipment are secure and that any transactions are accurately recorded. All of which seems obvious to do, but staff within lean organizations are extremely busy and may tend not have the necessary time or expertise to take this into consideration, especially if changes to personnel or processes occur. In these situations, it might be best to garner assistance from external resources.

Reducing external audit time and fees – as part of every audit planning, external auditors will decide whether or not, and to the extent that they can rely upon the organization’s internal controls to reduce “substantive testing” (analytical procedures and audit of details of transactions and balances). A reduction in substantive testing is typically associated with an organization having strong internal controls, and has a direct impact on the external audit fees – strong internal controls can reduce audit testing, which in turn can reduce audit fees. Not to mention time and effort by the organizations’ staff in obtaining the audit evidence and supporting the auditors.

Canadian Auditing Standards (CAS-620) allow external auditors to rely upon the work of internal auditor (or equivalent) as part the external audit testing. However, the external auditor must determine whether and to what extent to use the work of the internal auditors, and if using the specific work of the internal auditors, to determine whether that work is adequate for purposes of the audit. On the latter point of adequacy, there are several requirements including; objectivity, technical competence, due professional care, and effective communication between the auditors. Therefore, external auditors can consider relying on internal controls to reduce substantive testing, including the work done by internal audit, but the internal audit work must be of sufficient quality.

Publicly TSX listed companies – CEO / CFO Certifications – as required by Bill 198 (aka MI 52-109), all publicly traded non-venture companies on the Toronto Stock Exchange – TSX – Canada’s largest stock exchange, are required to implement disclosure controls and procedures (DC&P) and internal controls over financial reporting (ICFR). This is equivalent to SOX 302 in the USA. Combined, DC&P and ICFR provide a level of assurance to investors that internal controls are designed properly and operating effectively such that financial statements are presented fairly and do not contain any errors so significant (material) that they cannot be relied upon. The CEO and CFO of these companies must sign and publicly disclose quarterly and annual “Full Certificates” to this end. Underlying the certifications is a body of work which basically tests and documents the internal controls. For these companies, strong internal controls are not an option – they are required by law.

Summary – as mentioned previously, there is a great deal of technical information about internal controls and sometimes the overall importance and benefits of them to businesses can be lost in the details. Bottom-line – it’s always wise for organizations to invest ongoing in strong internal controls.

I hope this information about the importance and business benefits for strong internal controls is helpful. For further information about Internal Controls, Interim Controlling, Business Improvement, and other accounting matters, please contact Edelkoort Smethurst Schein CPA’s LLP at 905-630-1607 or send a message to me at

Edelkoort | Smethurst | Schein CPAs LLP is located in Burlington Ontario servicing the Golden Horseshoe and Greater Toronto Area and beyond. The firm is fully licensed with CPA Ontario to provide assurance, tax and accounting services as well as registered as tax preparers with the Canada Revenue Agency (CRA) & Internal Revenue Service (IRS). The firm is also registered as an IRS Certified Acceptance Agent.

All blog posts published on this site are for informational purposes only and do not constitute professional advice. Readers should contact a professional to discuss their individual situation. Neither the author or the accounting firm shall accept any liability for any reliance placed on the information posted.


Leave A Comment