Internal control

Internal Control is the company’s effort to execute the business appropriately and efficiently and to make sure that reporting to the concerned parties is appropriately done.


1. Overview

Internal Control defines standards and procedures to prevent illegal activities, dishonest activities, and mistakes in the company’s business, and it aims to ensure the correctness of the information concerning business execution results by managing and monitoring the business execution based on those standards and procedures.

Internal Control consists of

  • Application Control to appropriately define and execute the business, and
  • General Control to ensure the environment in which Application Control works effectively.

They are supposed to be practiced by all employees, including board directors and executive officers.

In the U.S., the importance of Internal Control has been increasingly emphasized since the Enron and WorldCom cases, and strict standards are defined in the SOX Act. In Japan, the execution of strict Internal Control is required by J-SOX.

In addition, various models and standards related to Internal Control adopt the framework for Internal Control proposed by COSO (COSO Framework), and it is currently regarded as the de facto global standard.


2. Elements

Elements of Internal Control are the guidelines about what to do to execute Internal Control. The COSO Framework proposes five elements: “control environment,” “risk assessment,” “controlling activity,” “information and communication,” and “monitoring.” In Japan, the “Execution criteria of evaluation and supervision concerning internal control over financial reports” published by the Financial Services Agency further adds “adaptation to IT,” thereby proposing six elements of Internal Control.

2-1. Control Environment

The Control Environment determines the character of the organization. It affects the mentality of all members of the organization under its control and works as a basis for the other elements. Examples include organizational structure, practices, and business policy.

2-2. Risk Assessment and Response

Risk Assessment aims to analyze and evaluate, as risks, the factors in company activities that could disturb the accomplishment of goals, and to take appropriate measures according to the results. For example, increasing the frequency of internal audits concerning purchasing tasks.

2-3. Controlling Activity

Controlling Activity is an activity that defines procedures and policies to establish an environment in which executive officers’ orders or directions are appropriately executed. For example, documenting the business by using business flow diagrams to clarify the separation of privileges.

2-4. Information and Communication

Information and Communication ensures that the necessary information is provided to entities inside and outside of the organization. For example, enabling members to bypass ranks and report dishonest activities without going through their immediate supervisor.

2-5. Monitoring

Monitoring means continuously checking whether Internal Control is functioning effectively. For example, establishing an Internal Control department that monitors by picking samples periodically.

2-6. Adaptation to IT

Adaptation to IT means using IT in business processes while following pre-determined, appropriate procedures and policies. For example, recording the update history and the original data whenever data related to financial information is updated through IT systems.

  • Use of IT to guarantee the effectiveness of Control Environment
  • Use of IT to guarantee the effectiveness of Risk Assessment and Response
  • Use of IT to guarantee the effectiveness of Controlling Activity
  • Use of IT to guarantee the effectiveness of Information and Communication
  • Use of IT to guarantee the effectiveness of Monitoring
  • + IT Control Objectives
  • + Establishment of IT Control (General Control of IT/ Application Control of IT)


3. Purpose

The COSO Framework presents three reasons why Internal Control is required: “Effectiveness and efficiency of business,” “Credibility of financial reports,” and “Observance of laws.” In Japan, the Financial Services Agency further adds a fourth reason, “Protection of assets,” in its “Execution criteria of evaluation and supervision concerning internal control over financial reports.”

3-1. Effectiveness and Efficiency of Business

Enable effective and efficient corporate activities that produce a lot of output with small input.

3-2. Credibility of Financial Reports

Ensure the credibility of the information in the disclosed financial documents.

3-3. Legal Compliance

Appropriately execute the business by observing related laws and standards.

3-4. Protection of Assets

Protect assets by appropriately obtaining, using, and disposing of corporate assets under legitimate procedures.


4. Laws in Japan

In Japan, laws related to Internal Control were enacted following the contents of the SOX Act. Specifically, these laws are the Companies Act and the Financial Instruments and Exchange Law.

4-1. Companies Act

The Companies Act explicitly states the obligation to establish Internal Control systems, which had been acknowledged by court precedents in the past. The establishment of Internal Control systems is the basic principle regarding the establishment of Internal Control, and it is to be determined by the board of directors. Moreover, a summary of the decision must be written in the “business reports,” and the business reports must be authorized by auditors.

Target: Large companies, Corporations with committees

The Companies Act does not specify any concrete contents of Internal Control systems or execution plans; it only enumerates the items to be established in Internal Control systems (systems concerning the preservation and management of information related to task execution by executive officers, standards concerning the management of risk of loss, systems to ensure effective task execution by executive officers, etc.).

4-2. Financial Instruments and Exchange Law

The Internal Control Reporting System in the Financial Instruments and Exchange Law mandates the execution of Internal Control for business related to companies’ financial reports. This system is called J-SOX. The specific contents are shown below.

  • Establish and maintain Internal Control regarding financial document creation processes.
  • Have third-party auditors (certified accountants or audit corporations) audit the processes.
  • Submit, as “Internal Control reports”, the results of evaluations done by executive officers about Internal Control concerning the financial document creation processes.

Target: Listed companies (However, in case there are consolidated subsidiaries and affiliate companies 20% – 50% of whose shareholder voting rights are owned by the company (equity method affiliates), the listed company’s evaluation should include those companies.)

* The Three Tools (Three-piece Set), namely the “Business Description Document (Task Description Document),” the “Risk Control Matrix (RCM),” and the “Business Flow Diagram (Flowchart),” are given as examples in the guideline for introducing the Internal Control Reporting System. The specific compliance procedures are as follows: 1) Determination of basic plans and policies, 2) Establishment of Internal Control, 3) Evaluation of Internal Control, 4) Improvement of the flaws and deficiencies, 5) Audit by auditors (certified accountants and audit corporations), 6) Creation and submission of Internal Control reports.


5. Role of Management

The Internal Control Reporting System obliges the management itself to create the reports. In other words, it can be said that the ‘Internal Control Activity’ is an activity in which the management itself monitors the internal business process. Desirable in the following situations:

  • Business Process has been defined and clarified.
  • Business instances are controlled according to the defined Business Process.
  • Results of the business are recorded as is without being modified.
