• We are pleased to announce that the winner of our Feedback Prize Draw for the Winter 2024-25 session and winning £150 of gift vouchers is Zhao Liang Tay. Congratulations to Zhao Liang. If you fancy winning £150 worth of gift vouchers (from a major UK store) for the Summer 2025 exam sitting for just a few minutes of your time throughout the session, please see our website at https://www.acted.co.uk/further-info.html?pat=feedback#feedback-prize for more information on how you can make sure your name is included in the draw at the end of the session.
  • Please be advised that the SP1, SP5 and SP7 X1 deadline is the 14th July and not the 17th June as first stated. Please accept out apologies for any confusion caused.

internal control report

M

Martina Shan

Member
Hi,

Could anyone please explain what’s internal control report for and what contents should be included?

Thanks very much
Martina
 
Hi Martina

An internal controls report may be required under either legislation (such as Sarbanes Oxley in the USA) or under a Corporate Governance Code (such as The UK Corporate Governance Code).

The term 'Internal Controls' is quite a wide ranging term that refers to any processes that a company establishes to:

- safeguard its assets (in particular to prevent fraud) and to ensure the reliability / accuracy of financial statements and reports (REPORTING)
- ensure compliance with regulation / legislation (COMPLIANCE)
- promote efficient operations (OPERATIONS)
- ensure the company meets its objectives (STRATEGIC)

Examples of internal controls might include setting out how the company:

- segregates duties (ie to prevent one person having too much power and fraud)
- authorises transactions (eg over a certain size)
- retains records / documentation
- supervises its operations
- employs physical safeguards (eg access to buildings, cameras to protect property and contents)
- employs IT controls (eg security, access rights, data back up, change management, user testing before production, validation checks for data entry, reconciliations / comparisons)
- reviews its strategy and operations against objectives (eg comparing actual results vs expected, KPIs/KRIs vs limits)

Many companies in the USA use the COSO cube as a structure for their Sarbanes Oxley Internal Controls Report, making sure that:

- there are internal controls in respect of each of the four areas given above (strategic, operational, compliance, reporting)
- each aspect of the risk management framework is considered (ie What is the control environment (eg attitude to controls, responsibilities, integrity)? What are the objectives of the company in relation to controls? How does the company identify and assess its risks? What are the internal controls (see examples above)? How will information be reported and communicated on risks and controls? How with the control process be reviewed and monitored)
- controls are considered for each section of the business (the whole entity, divisions, subsidiaries, business units).

There are various examples on the internet of internal control reports if you want to look further, eg:

https://ubistatic19-a.akamaihd.net/comsite_common/en-US/images/2469_tcm99-27496_tcm99-196733-32.pdf
http://www.hysan.com.hk/wp-content/...sk-Management-and-Internal-Control-Report.pdf
https://www.rpmi.co.uk/docs/default...aaf-report-2014-added-27-05-2015.pdf?sfvrsn=2

Does this help Martina?
Anna
 
You must log in or register to reply here.
Back
Top