July 2018 – Revised
I have come to realize that many just don’t understand what an internal control is or does. For example, a professional of twenty years recently told me that internal control starts with a strong set of policies and procedures. Clearly, that’s incorrect. Internal control starts with a strong control environment. Here are some other inaccuracies –
- Internal controls are Internal Audit’s problem. No, management is the owner of internal controls.
- Internal controls bog down our efforts. Internal controls should be built into and not onto business processes.
- Strong internal controls prevent fraud. No, internal controls provide reasonable, not absolute, assurance that the organization’s objectives will be met!
Last week I was speaking at an ethics and compliance event in Houston, where one of the other speakers stumped the crowd with a deceptively simple question: What is a control?
After all, compliance officers talk about controls constantly. Effective controls are the lifeblood of what makes a compliance program work. Most of us can rattle off examples of controls, or recognize a control when we see one.
So my fellow speaker asked the audience: What is a control?
Nobody dared answer. We all, me included, were suddenly uncertain that we could define a control correctly.
The speaker who posed this question is Jonathan T. Marks, partner at Baker Tilly and a prolific thinker on all things forensics, audit, and internal control. Lately Marks has been asking audit and compliance audiences to define a control — and to his dismay, most people can’t.
Before I give you Marks’ definition, let me offer what raced through my head when he put the question to me.
An internal control is something a company uses that’s intended to reduce the chance of an unwanted risk outcome.
I deliberately kept my definition broad, because a control can take many forms: a software routine that blocks a payment to unapproved parties; a policy (with certification required) against bribing foreign government officials; a speech from the CEO assuring employees that it’s better to miss your monthly sales quota than to fix a contract.
Those examples are all different in form and substance — but controls they all are. In sequence, they are a transaction control (block the payment), a process control (train employees), and an entity control (senior executive issues guidance on corporate priorities). They all work together toward the objective of reducing corruption risk.
Still, my definition is based on example and practicality more than anything else. I know a control when I see it — but is that the same as understanding the abstract concept of a control, and how it fits into a compliance program?
I mumbled my one-line definition of a control when Marks posed the question to our Houston audience. Then he asked me to read aloud his definition, which he had graciously emailed to me minutes before.
What we didn’t discuss, but which is important to mention, are the enemies of internal controls and what a control can do. Marks describes the enemies in the following graphic.
Controls can be –
- Proactive management actions and controls include prevention but go beyond it. Proactive management actions and controls should be used to encourage desirable conditions, events, or outcomes, and to prevent those which are undesirable (errors or irregularities).
- Detective management actions and controls determine progress toward objectives and identify the actual or potential occurrence of desirable and undesirable conduct, conditions, and events.
- Responsive management actions and controls do more than correct errors. They help the organization recover from undesirable conduct, events, and conditions; fix identified weaknesses; execute necessary discipline; recognize and reinforce desirable conduct; and deter future undesired conduct or conditions.
Some things a control could do…
- Approve – Authorization to execute a transaction by someone empowered to do so (e.g., approval of a write-off).
- Calculate – Computing or re-computing an amount from other data obtained in the process (e.g., using historical write-off data to compute a bad debt reserve, or checking a depreciation calculation to ensure the systematically computed amount is reasonable).
- Document – Preserving source information or documenting the rationale behind judgments made for future reference (e.g., scanning receiving documentation, invoices, and checks to support a payment or writing a memorandum to the files that outlines the judgments used in determining an accrual).
- Verify – Verification that an attribute exists (e.g., goods being paid for were in fact received).
- Match – Comparing two different attributes to verify they agree (e.g., a payment amount agrees with the invoice amount).
- Monitor – Checking to ensure an action is occurring (e.g., ensuring that a trader does not exceed his or her limits).
- Restrict – Not allowing an unacceptable action (e.g., prohibiting speculation on interest rate fluctuations or not allowing unauthorized individuals to access certain data within key systems).
- Segregate – Separating incompatible duties that would create the potential for an undesirable action (e.g., separating check signing and invoice approval authority).
- Supervise – Providing direction and oversight to ensure actions and tasks are carried out as designed (e.g., supervisor approving a batch before computer processing).
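The control actions above, applied to the invoice-payment process the examples keep returning to, as an added Python illustration that is not from the original post or from Marks. The approver, signer and vendor master data and the daily signing limit are constructed sample values; the point is that the Restrict, Match, Approve and Segregate checks are built into the payment step, while Monitor runs afterward over what was released.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample master data (not from the post): who may approve invoices,
# who may sign checks, which vendors are approved, and a daily signing limit.
APPROVERS = {"alice", "bob"}
SIGNERS = {"bob", "carol"}
APPROVED_VENDORS = {"V-100", "V-200"}
DAILY_SIGNING_LIMIT = 25_000.00

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: float

@dataclass(frozen=True)
class Payment:
    invoice: Invoice
    amount: float
    approved_by: str
    signed_by: str

def preventive_findings(p: Payment) -> list[str]:
    """Proactive controls built into the payment step (Restrict, Match, Approve,
    Segregate). Any finding holds the payment before it leaves the process."""
    findings = []
    if p.invoice.vendor_id not in APPROVED_VENDORS:
        findings.append("restrict: vendor is not on the approved-vendor list")
    if abs(p.amount - p.invoice.amount) >= 0.01:
        findings.append("match: payment amount does not agree with the invoice amount")
    if p.approved_by not in APPROVERS:
        findings.append("approve: approver is not empowered to authorize payments")
    if p.signed_by not in SIGNERS:
        findings.append("approve: signer is not empowered to sign checks")
    if p.approved_by == p.signed_by:
        findings.append("segregate: the same person approved the invoice and signed the check")
    return findings

def detective_findings(released: list[Payment]) -> list[str]:
    """Detective control (Monitor) over payments that passed the preventive checks:
    flags any signer whose released total exceeds the daily limit."""
    totals = defaultdict(float)
    for p in released:
        totals[p.signed_by] += p.amount
    return [f"monitor: {who} signed {amt:,.2f}, over the {DAILY_SIGNING_LIMIT:,.2f} limit"
            for who, amt in sorted(totals.items()) if amt > DAILY_SIGNING_LIMIT]

def run_payment_batch(batch: list[Payment]) -> dict:
    """Interlocking activities: prevent, release what passes, then monitor the released set."""
    held = {p.invoice.invoice_id: preventive_findings(p) for p in batch}
    released = [p for p in batch if not held[p.invoice.invoice_id]]
    return {"held": {k: v for k, v in held.items() if v},
            "released": [p.invoice.invoice_id for p in released],
            "alerts": detective_findings(released)}
```

The held list with its findings is what a responsive control would act on (fix the weakness, escalate, discipline); the monitor alert shows a payment that passed every preventive check and still needs a second look.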
It’s a mouthful, but Marks’ definition [and his detail] hits on all the right points, and emphasizes the most important point right in the top line. An internal control is a process of interlocking activities designed to support the policies and procedures. The rest is correct too, but it mainly helps you understand what a control does; his opening lines explain what an internal control is.
It’s a process. It does something.
That might be why people hesitate to define a control when Marks asks. Our brains hear “define a control” and instinctively envision a noun — a thing unto itself. In everyday language, we say sentences like, “This control isn’t working” or “We need stronger internal controls in our accounting process.” As if we could deliver an extra shipment of internal controls to the door of some weak business process, like relief workers air-dropping supplies onto a suffering population.
That’s not what really happens, however. What really happens is that we adjust the weak business process to (ideally) make it stronger. If the process is particularly bad — one might even call it materially weak — we make multiple adjustments at once.
That’s what Marks captures in his opening line: an internal control is a process rather than a thing, and the raw materials the process uses are policies and procedures. The mission of the audit or compliance executive is to see that those raw materials are properly designed so that they work together effectively and the internal control then fulfills its mission.
Other Control Definitions
Marks’ definition of internal control didn’t emerge from a vacuum. The COSO framework for internal control and federal securities law have their own definitions, too; and those definitions long preceded Marks.
For example, Section 13(b)(2)(B) of the Exchange Act defines four elements of internal control:
Those four elements are good as far as they go, but they only pertain to financial reporting and accounting fraud. Do they work for books-and-records expectations around the Foreign Corrupt Practices Act? Yes, although you have to consider materiality thresholds: what’s material for corporate financial statements (a few percentage points of a line item’s total value) will generally be much larger than a bribe that could lead to FCPA enforcement.
The greater problem with the SEC’s definition is that it only applies to financial concerns. It won’t much help you to define internal control for, say, cybersecurity, harassment, or reputation risk — although effective internal control is crucial for all three.
COSO, meanwhile, has this definition from its internal control framework:
Marks’ definition clearly descends from COSO’s concept. COSO’s definition is more versatile than the statutory definition in the Exchange Act. Still…
What I like about Marks’ definition is that it frames internal control as interlocking activities — that is, multiple steps the company takes, all reinforcing each other to reduce a risk to some acceptable level. That’s something compliance officers can easily grasp. Especially if, say, you’re rolling out a new policy stressing ethical values, while the CEO is peppering his or her emails with the importance of hitting sales targets at all costs.
Marks also stresses the importance of properly designed policies and procedures. By saying those words, he helps the reader ask: does this policy or procedure fit the objectives and risks I have? That point matters, especially to compliance officers who come from a legal background and might not be as versed in control design as someone from an audit background.
We use shorthand phrases in ethics and compliance all the time, “internal control” perhaps more than any other. It’s good to know what that phrase actually means before we go putting it to use in organizations all over the place.
By Matt Kelly
The original post appears here.
Marks: “I also need to stress that internal controls are management’s responsibility! Management must be held accountable for their actions or inactions.”