What is internal control? Many people only understand it from a legal perspective. This is correct but not sufficient. To apply it in practice, you need a more comprehensive view. In this article, KMC will explain what comprehensive internal control means and how to apply it in practice for FDI enterprises.

What is the Concept of Internal Control from a Legal Perspective?

According to Article 39 of the 2025 Accounting Law, internal control (IC) means establishing and implementing mechanisms, policies, processes, and internal regulations in compliance with legal provisions. The purpose is to promptly detect, prevent, and address risks while ensuring that the enterprise can achieve its set objectives.

Simply put, the concept of internal control is a “set of rules circulated within the company” to help the business stay on the right track. It enables early detection of issues (such as errors or fraud) and prevents them before they cause serious damage. At the same time, this set of rules ensures that the enterprise operates smoothly, complies with the law, and achieves its business objectives.

Current Situation of FDI Enterprises

Employees may make mistakes due to lack of knowledge, negligence, or even intentional violations.
In some cases, employees, including management, may “collude” to bypass control procedures.
Investing in a robust internal control system requires considerable costs, from employee training and technology implementation to maintaining monitoring processes. If management believes that these costs outweigh the benefits, they may cut back, causing the control system to lose its comprehensiveness.

COSO Framework – Global Standard for the Concept of Internal Control

The COSO framework, developed by the Committee of Sponsoring Organizations (COSO) in the U.S., is a set of standards that helps businesses establish and maintain an effective internal control system. This common framework allows companies to self-assess and improve risk management and operations. Below are the five key components of the COSO framework:

Control Environment

The control environment is like the “spirit” of the business, reflecting the attitude and commitment of both management and employees toward internal control. A strong control environment is built upon:

  • Ethics and integrity: Management must lead by example, be honest, and adhere to the company’s core values for employees to follow.
  • Clear organizational structure: Tasks, authorities, and responsibilities must be transparently defined so that everyone knows their role.
  • Written policies: Business rules and processes should be clearly documented in a simple manner for all employees to understand.

When everyone in the company understands and values the importance of internal control, a positive control environment is created, enabling other components of the system to operate effectively.

Risk Assessment

Risk assessment is the process by which management and employees identify and analyze potential “pitfalls” that may prevent the business from achieving its objectives. Examples include market fluctuations, regulatory changes, system errors, and internal fraud.

After evaluating the level of risk, management develops measures to minimize potential damage. Note that you should set specific and detailed goals so employees have a clear direction in performing their tasks.

Control Activities

These are concrete actions within processes and policies that prevent risks and ensure smooth operations. Examples include:

  • Management of expenditures: Identify financial indicators (revenue, expenses) and operational indicators (productivity, efficiency) for planning and monitoring progress.
  • Inspection and adjustment: Regularly consolidate results, compare them with objectives, and make timely adjustments if deviations occur.
  • Clear delegation of authority: Clearly define who has the authority to approve financial transactions, ensuring separation of roles such as accounting and controlling.
  • Transparent recordkeeping: All transactions must be carefully recorded and stored so the company can easily trace and assign responsibility if errors occur.

Information and Communication

An effective internal control system must deliver information quickly, accurately, and securely.

For successful internal communication, you should establish clear policies and rules on how information is collected, stored, and shared to ensure confidentiality and integrity. Businesses can use modern IT systems such as management software and data encryption to safeguard important information.

Employees must then be trained to understand the processes and comply with information-related regulations.

Tip: Companies can set up reporting channels for employees to raise unusual issues, helping detect and address risks early.

Monitoring

Monitoring involves regularly checking the internal control system to promptly identify and fix weaknesses, ensuring everything operates as planned.

Once deviations or weaknesses are detected, they should be reported directly to management, along with proposed solutions.

Practical Example for FDI Enterprises

When expanding operations in Vietnam, an FDI enterprise can:

  • Build a professional working environment in compliance with local laws.
  • Assess risks stemming from cultural and legal differences.
  • Establish strict control processes aligned with international standards.
  • Ensure effective communication between headquarters and the Vietnamese branch.
  • Continuously monitor to make timely adjustments when needed.

Building an Effective Internal Control System

Clearly Define the Objectives

First, the enterprise must clearly identify: “What do you want to achieve from the internal control system?” Some specific objectives may include asset protection and ensuring the accuracy of financial information.

For FDI enterprises, objectives may involve complying with both local and international legal requirements, or producing transparent financial reports to maintain credibility with shareholders and partners. Objectives should be specific so that everyone in the company can understand them clearly.

Identify Risks to Prevent Them

Do not deny the existence of negative aspects. No business operates without facing risks. Ask yourself: “What could harm your business?” These may include financial risks such as accounting errors, operational risks such as inefficient production processes, or legal risks from non-compliance.

For FDI enterprises, risks may also stem from differences in business culture or legal regulations between countries. Thorough risk analysis helps the business identify weak points that need to be controlled.

Design Clear and Practical Processes

Once risks are understood, the enterprise needs to “set the rules of the game” — by establishing clear processes and control policies for everyone to follow. Examples include invoice verification procedures before payment, clearly defined delegations of authority to prevent abuse of power, or periodic reporting systems.

For FDI enterprises, these processes should be designed to align with international standards while meeting local requirements. Most importantly, they must be simple and easy to understand so that every employee can follow them.

Implement the System

To put the system into operation, you need to train employees and provide sufficient resources. For instance, the company can organize training sessions to ensure employees understand their responsibilities, or invest in financial management software to make operations easier and faster.

Since employees may come from multiple countries, training should account for cultural and language diversity to ensure all staff can grasp the processes.

Monitor and Regularly Inspect

There must be continuous supervision to track performance indicators. If errors occur, the company can detect and address them promptly. For example, if an unusual expense is detected, the enterprise should immediately investigate the cause and find corrective measures.

Continuously Improve

The business environment is constantly changing, so the internal control system must also evolve to adapt. Enterprises need to regularly update and improve their systems based on changes in laws, technology, and the business environment. Continuous improvement ensures the internal control system does not become outdated and is always ready to address new challenges.

The concept of internal control is essentially a set of rules that helps a company minimize risks and increase profitability. If you need a professional and effective solution to help build your internal control system, KMC can provide consultation on Effective Business Operations Organization. We apply the COSO framework not only to help your enterprise reduce risks but also to enhance overall business efficiency.