Internal Control Framework


By CPA Robert Keng’ara

A Basic Refresher Foundation

Imagine being tasked with the responsibility of designing an Internal Control System (ICS) from scratch, either in a newly formed public entity or department. It can be a daunting, monumental task, but it is possible to deliver within a reasonable span of time.

What is ICS?
Internal control systems (ICS) may generally be described as accounting and auditing processes designed to be applied in an organization’s activities/functional areas to ensure the integrity of financial reporting and regulatory compliance. Internal controls help companies to comply with laws and regulations, and prevent fraud. It is therefore a basis adopted by organizations to establish a functional Internal Control System for an organization’s activities.

What are the various critical components of such a system?
According to the American Institute of Certified Public Accountants (AICPA) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2012, the five main components of the ICS framework are described below:

a) Control Environment
The control environment relates to a set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors causes the organization’s top management to formulate the processes, structure and standards within which the activities of the organization are set for approval. For the control to be established, one must consider the following:
i. All members of the firm must uphold high levels of honesty and ethics. This is critical in creating an all-round atmosphere of confidence both internally and externally. The board and management must, for instance, adhere to the requirements of Chapter Six of the Constitution of Kenya 2010 and other relevant legislation on the same.
ii. As a governance requirement, there must be independence between the board of directors and management. This provides a strong foundation for the former to oversee the latter and eliminates any potential conflict between the two. The Mwongozo Code of Governance and Code of Regulations come in handy.
iii. Each and every individual in the firm must be accountable for the internal control activities in their respective functional areas. This tends to eliminate dodging and passing of the buck. The common reporting structure in public entities is the line structure.
iv. The recruitment/human resource activity must be aligned towards attracting, developing and retaining competent staff capable of aligning personnel to the organization’s ICS aspirations for realization of organizational objectives. The human resource function is key in realizing goals and must be supported by all.
v. The reporting and organization structure, authority and responsibilities must be designed in a clear and precise manner.

b) Risk Assessment
The various risks (existing and potential) facing the organization must be identified and analyzed continuously. Risks are impediments that can derail the organization’s objectives, and risk assessment helps an organization to plan and mitigate/manage the said risks. In doing this, one must critically scan the external environment for any possible risks and how they impact on the organization’s activities and hence its objectives. The following are elements to consider while performing risk assessment:
i. A review of an organization’s objectives in reference to identification of possible risks therein. A risk register is developed for this purpose and is regularly reviewed and updated.
ii. Identification of changes that may significantly affect the internal control system.
iii. Consideration of areas of high fraud likelihood that can negatively affect the attainment of the organization’s objectives.
iv. Risk identification and analysis, and crafting a risk management profile. Many organizations have come up with a Risk Management Strategy in which the Risk Management Framework is comprehensively defined and documented.

c) Control Activities
These are actions stemming from policies and procedures instituted by management to contain/manage risks. These are carried out at all levels in the entire organization, especially within business processes and technology areas. Any partial application of control activities may have a catastrophic effect on the organization’s activities.
i. The organization must develop and deploy relevant technology to support the internal control system; for example, manual revenue collection can be replaced by use of electronic means, e.g. mobile money. Most public entities use robust Enterprise Resource Planning (ERP) systems to support operations, common platforms being IFMIS, E-Citizen, GIMIS, e-procurement, etc.
ii. Linking policies to procedures and defining action points for smooth attainment of organization goals. This involves mainstreaming matters such as gender, anticorruption, whistle blowing, code of conduct, etc.
iii. Based on risks identified, an organization develops control activities that mitigate the risks.

e) Information and Communication
Information is relevant for the organization to carry out internal control responsibilities in support of achievement of set objectives. Communication takes place at both internal and external levels and gives the organization information required to carry out routine internal control activities. Communication on the other hand enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.

To attain this:
i. An organization defines and structures communication with external parties (stakeholders) regarding matters affecting the functioning of other components of internal control. These stakeholders need to be profiled for meaningful engagement, and one must bear in mind that public participation in all these processes is key. A number of public entity policies have been suspended by courts due to lack of public participation by stakeholders.
ii. The firm must generate quality and accurate information to facilitate interrelated working of other aspects of internal control. The consumers of this information are the Board of Directors, Management, Donors, Government and the public.
iii. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

f) Monitoring Activities
Current/ongoing evaluations, separate evaluations, or a combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, are present and functioning. Results are evaluated and deficiencies are communicated in a timely manner, with more impactful/heavy issues forwarded to top management and the board of directors. The following principles relate to this:
i. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of
ii. The organization selects, develops, and performs current or separate evaluations to ascertain whether the components of internal control are existent and functional.


  1. Constitution of Kenya 2010
  2. Internal Control Integrated Framework COSO (2012); American Institute of Certified Public Accountants (AICPA)

