Who is primarily responsible for internal control?

The primary responsibility for internal control lies with management because they are directly involved in the day-to-day operations and have the authority to establish, implement, and monitor control processes. Management is tasked with setting the tone at the top, which involves creating a culture that prioritizes ethics and compliance. They ensure that sufficient resources are allocated to develop effective internal controls to mitigate risks associated with their operations and financial reporting.

While the governing body plays a significant role in overseeing the internal control system, primarily by providing strategic direction and ensuring that adequate risk management practices are in place, it is ultimately management that must execute these controls. The internal auditor is responsible for evaluating the adequacy and effectiveness of the internal controls, offering insights for improvement; however, they do not own the responsibility for their design or implementation. The independent auditor, on the other hand, assesses the financial statements of the organization and provides an opinion on their fairness, but this role does not extend to the responsibility of establishing internal control systems.

Therefore, management's overarching responsibility encompasses creating a robust internal control environment that aligns with the organization's objectives and ensures compliance with relevant regulations, highlighting why they hold the primary accountability in this area.