Who is responsible for implementing internal controls?

Amanda White

In most government regulations, the people responsible for implementing internal controls within a business are usually stated as “those charged with governance” – a term that you’ve likely never heard before! Let’s start with what is corporate governance.

Concept of corporate governance

There is no legal definition of corporate governance in Australia’s corporations law, but the most commonly cited definition is the one provided by Justice Owen at the HIH Royal Commission:

the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled within corporations. It encompasses the mechanisms by which companies, and those in control, are held to account

(Justice Owen in the HIH Royal Commission, The Failure of HIH Insurance Volume 1: A Corporate Collapse and Its Lessons, Commonwealth of Australia, April 2003 at page xxxiv.)

It sounds very much like a description of the systems of internal control that we have previously discussed. It also includes mechanisms by which those in control are held accountable. Essentially, those in charge should develop strong systems of internal control, and should be held accountable when those systems are shown to be poor.

An excellent example is from Chapter 1 where you will have read about the CEO of Westpac Bank who lost his job because the internal controls at the bank failed to detect extremely high levels of money laundering.

A question commonly asked by students, however, is who is actually responsible for corporate governance and implementing internal controls?

Those charged with governance

For those of you who may choose to go into the accounting field, the phrase ‘those charged with governance’ is one you’ll become familiar with (accountants even shorten it to TCWG).

Who is charged with governance varies with firm size. In a sole proprietorship, the owner and only employee is responsible for internal controls over their own actions. In a larger business with owners and employed managers, both owners and managers are responsible for ensuring adequate systems of internal control are implemented.

In publicly listed corporations, those charged with governance include the Directors of the Board (who are the representatives of owners/shareholders) and Management – the Chief Executive Officer, Chief Financial Officer and however many other “chief” officers there are. A board of directors for a publicly listed company will also have smaller sub-boards called “Committees” – common committees include the Audit Committee (responsible for external reporting and liaising with the external auditor) and a Risk and Governance Committee (responsible explicitly for overseeing internal controls).

Because internal controls protect the integrity of financial statements, the way large companies implement them has become highly regulated. Some industries are regulated more than others – for example, financial institutions in Australia (banks, superannuation funds) are required by their regulator (APRA – the Australian Prudential Regulation Authority) to have internal controls to ensure that the financial system in Australia is strong and stable.

Are there any reports produced on a business’s internal controls?

The short answer is No. Within Australia, our regulation does not require businesses to report on the quality of their internal controls. Auditors and regulators do investigate the quality of internal controls for other purposes (such as verifying or auditing the financial statements and information of a business) – but there is no regular formal reporting about businesses and their internal controls.

Within businesses, large firms will have internal audit teams who assess the design and test the operating effectiveness of internal controls and report to the audit committee (a sub-committee of the Board of Directors). However, these reports are not made public.

The matter is slightly different in the USA, where the Sarbanes-Oxley Act of 2002 (brought in after the corporate collapses of Enron and WorldCom), and specifically section 404(b), requires the auditors of publicly listed companies to report on the quality of internal controls. What does that mean for Australian businesses? Those whose shares are publicly traded on the ASX and also on a US exchange (such as the NYSE or NASDAQ) will need to engage their auditor to evaluate their internal controls and report to the US regulator – the Securities and Exchange Commission. This also applies to Australian businesses that are subsidiaries of a US corporation.

Has the increased accountability in the USA made a difference?

Those charged with governance over US publicly listed companies have had increased accountability imposed on them with the implementation of section 404(b) of the Sarbanes-Oxley Act of 2002 (commonly known as SOX 404). This resulted in an increased focus on internal controls to prevent and detect fraud. However, this piece of legislation is also incredibly expensive with auditors required to conduct many more hours of work to produce the additional reporting on internal controls. The big question is “did this legislation make a difference?”

A review by Schroeder and Shepardson (2016) is the most recent review of the research on the impact of SOX 404. It found that when auditors regularly review and report on internal controls, the internal controls maintained by managers are likely to be of higher quality. Nagy (2010) found that firms with good internal controls and no material weaknesses were more likely to present higher quality financial information to shareholders.

Would Australian regulations ever change to require reporting on internal controls?

There appears to be no appetite within the Australian regulatory landscape to adopt legislation similar to the Sarbanes-Oxley Act of 2002. This is likely due to a number of factors:

  • The Australian audit landscape is very different – our audit firms are unlikely to have the human capital required to conduct such additional work
  • Australia has experienced fewer massive corporate failures, and therefore regulators may see the risk of large companies having very poor internal controls as low
  • The massive corporate collapses in the USA that drove the creation of the Sarbanes-Oxley Act of 2002 were partially caused by poor auditor independence and low quality audit work. The research into the quality of Australian audits indicates that Australian auditors are conducting high quality work and their independence is not impaired (Ruddock, Taylor and Taylor, 2006)

In summary

It is owners (or their representatives) and management who are responsible for implementing internal controls. This includes identifying risks, designing controls, implementing those controls and monitoring them to ensure that employees are following all of the policies, procedures and processes.

References

Nagy, Albert L. (2010). Section 404 Compliance and Financial Reporting Quality. Accounting Horizons, 24(3), 441–454. https://doi.org/10.2308/acch.2010.24.3.441

Schroeder, Joseph H., & Shepardson, Marcy L. (2016). Do SOX 404 Control Audits and Management Assessments Improve Overall Internal Control System Quality? The Accounting Review, 91(5), 1513–1541. https://doi.org/10.2308/accr-51360

Ruddock, C., Taylor, S. J., & Taylor, S. L. (2006). Nonaudit services and earnings conservatism: Is auditor independence impaired? Contemporary Accounting Research, 23(3), 701–746. https://doi.org/10.1506/6AE8-75YW-8NVW-V8GK