Internal Controls – A Process to Help Ensure Internal Controls are Designed Consistently and Appropriately

Developed by: Jonathan T. Marks with Robert Mainardi

Background

The concept of Internal Control appeared as a practice in the USA at the beginning of the 20th century, whereas in the economic literature began to be extensively approached after the ‘50s.

The internal control concept originated in 1949 from the American Institute of Certified Public Accountants (AICPA), with a plan to coordinate organizations’ activities to increase effectiveness in organizational operations (Lakis & Giriunas 2012). Internal controls denote the rules or standards by which the objectives of an organization are attained. Through compliance, to the set procedures, the organization ensures that employees implement these standards in an optimistic manner to accomplish the business maximize the competency of the organization (Flair 2017).

Hightower 2009 refers to internal controls as operational procedures and processes to establish efficiency and effectiveness of operations within an organization’s procedures and compliance with applicable laws. Providing an auditors view, Mihaela and lulian 2012 explain that internal controls and procedures form part of an organization’s control system and mention that internal control is not only for accounting purposes but also a system through which people interact with one another. Mihaela and Iulian 2012 stress the importance of an effective leadership plan for the long-term achievement of effective internal controls.

I have realized that many don’t understand what internal controls are or what they are supposed to do. For example, Recently, a twenty-year professional told me that internal control starts with a strong set of policies and procedures. That’s incorrect.  Internal control starts with a strong control environment based on a clear understanding of the business process objectives.  Here are some other inaccuracies –

  • Internal controls are Internal Audits or Compliance problems. No, management is the owner of internal controls, and they must be held accountable.
  • Internal controls bog down our efforts.  Internal controls should be built into and not onto business processes.
  • Strong internal controls prevent fraud. No, Internal controls provide reasonable and not absolute assurance the organization’s objectives will be met!

It’s no secret the regulators continue to scrutinize compliance.  There are many deferred prosecution, non-prosecution, and enforcement releases that hammer companies for poor internal controls. The regulators don’t seem to realize that companies need a methodology to have properly designed internal controls; everyone consistently follows without exception. Many are treating the symptom and not the ROOT CAUSE!

Definition of Internal Control

An “internal control” is an action or a process of interlocking activities designed to support the policies and procedures detailing the specific preventive, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or the objective(s).

This, along with CHECKS AND BALANCES that could include continuous monitoring, continuous auditing, and training, reasonably assures:

  • The achievement of the process objectives linked to the organization’s objectives
  • Operational effectiveness and efficiency
  • Reliable (complete and accurate) books and records (financial reporting)
  • Compliance with laws, regulations, and policies
  • The reduction of risk: fraud, waste, and abuse
  • Aids in the decline of process and policy variations leading to more predictive outcomes

Enemies of Internal Controls

  • People or the Human in the Loop – no matter how detailed, inclusive, and illustrative the policies and procedures may be over a particular process, there will still be a reliance on people to execute the process steps per the established policies and procedures. There are multiple challenges when it comes to this enemy. First, there is no certainty or confirmation that all team members have been given, read, and understand the process requirements. They may say they know what to do but do not truly grasp all of the process requirements. Second, tenure impacts compliance with policy and procedure requirements in that experienced personnel develop their own techniques to complete a task that may not specifically comply with all process requirements. And lastly, process personnel develop workarounds to expedite the process, which inherently leads to specific policy requirements being excluded. There is a potential for critical, required steps to be skipped during the newly created workaround. In the end, it is critically important that all process team members understand that the policies and procedures are not a guide but a mandatory requirement for department compliance.
  • Time – one commodity that can never be purchased is time. When time requirements are altered in a business process, it puts additional pressure on the process personnel to achieve the business objective more quickly. When there is no way to properly execute the process requirements according to the policies and procedures, steps are rushed or even skipped to make the new time requirements to complete assigned tasks. Be aware of the budgeted or allotted time for all required process steps and verify that those requirements are never altered because it will result in a weakened control environment. Be cognizant the policies and procedures were built with specific step requirements that included the associated time needed to complete them effectively. Any alteration in the time requirement usually results in errors or additional rework.
  • Judgment – every person has their unique way of executing their job responsibilities which usually develops over time and experience. While, on the one hand, this can be advantageous to a department, it can also be detrimental. Policies and procedures are built specifically with the objective in mind and contain detailed internal and external compliance requirements. When judgment or discretion is allowed into the processing requirements, it weakens the control environment because it usually means that basic (or even critical) processing steps are being inadvertently omitted due to individual judgment. Experience on a team is great, but it will not take the place of process requirements for departmental and regulatory compliance. If a process judgment must be made, ensure there is sufficient documented evidence to explain the reason and the corresponding steps taken to address the process change.
  • Workarounds/Overrides – as mentioned in the “people” element included with the enemies of control, workarounds are common within a process as individuals seek ways to expedite their job requirements. In this effort to save time, the process itself may suffer because most self-developed workarounds are bypassing an established control in the policies and procedures. While the result of the process may be correct, often, these workarounds omit critical documentation and verification steps detailed in the established policies and procedures. Discretion and override capabilities should only be placed in the most experienced hands in the department and have strict documentation requirements showing why this particular item deviated from the standard process requirements and detail/document what alternate steps were taken to complete the process.
  • Incentives – while incentives are an excellent motivator for anyone, there can be an associated danger that is often overlooked within the ecosystem.   When incentives are linked to the completion of work, there is a greater risk that specific process requirements will not receive the proper attention to detail and will lack the appropriate documentation as outlined in the established policies and procedures. Established process incentives require a detailed monitoring control to ensure that the particular requirements of the incentive are achieved and that no controls were circumvented or overrode to receive the incentive. Believe it or not, when incentives are used, the control environment demands an additional level of checks and balances to ensure performance integrity. All incentive monitoring should be detailed and included in the first line of defense responsibilities.

Control Design Steps

BACKGROUND

  • identification and business partner validation of the key business objective(s)
  • review the objective(s) and determine the “true process risks,” which represent the barriers, obstacles, or hurdles to achieving the objective(s)
  • if there is no evidence and confirmation of a true process risk, does a control need to be implemented
  • research and verify the corresponding laws, rules, regulations, and policies surrounding each identified objective
  • identify and obtain all required compliance business documentation as well as the filing date requirements
  • discuss and document (flowchart) the process steps from start to finish
  • identify and document all corresponding systems utilized in the process requirements as well as current access and edit rules
  • identify and obtain examples of all required documentation needed to process a transaction from start to finish
  • understand and compile a listing of all process approvers along with their corresponding approval authority and dollar limits (if applicable)
  • understand the effect that systems and technology have on a control
  • identify all internal and external third parties which could impact the control
  • understand the process requirements and corresponding level of risk and exposure
Fraud, including financial reporting, misappropriation of assets, bribery
Poor or inappropriate accounting
Business interruption
Loss or destruction of assets
Incorrect management decisions
Statutory sanctions
Excessive or high costs
Competition
Recordkeeping
  • consider the enemies of a control (See above)
  • determine process access and auditability
  • ask and determine if the control conforms to the definition

A variety of actions make up a process.  All may have a role in achieving the final result, but only a few are truly critical to the outcome; that is, their absence would make it difficult, if not impossible, to achieve the desired result.  These critical actions are referred to as key or critical controls.  This step focuses on identifying and documenting the key controls in a process.

PROCESS

  • select the process stage-gate (critical) steps and determine what, if any, controls are currently in place to ensure all step requirements are met
  • verify the current controls address the identified and confirmed true process risks and are not unnecessary process steps
  • determine if the current controls meet the five pillars of effective controls (design, build, implement, execute, and report) to deliver the intended outcome
  • document any of the five pillars which are missing from the current control environment
  • for every identified objective, determine what action(s), aka controls, would be expected in a strong control environment to achieve the desired outcome(s)
  • compare the expected strong control environment controls to the current controls and note any differences
  • identify the critical process steps which are directly linked to the achievement of the business objectives
  • verify “proper” controls are in place for the critical process steps or develop the necessary controls for process efficiency and effectiveness
  • consider the enemies of controls (people, time, judgment, workaround, overrides, and incentives) when developing a new control
  • determine which type of control(s) would be the most effective and cost-prohibitive (preventive, directive, detective)
  • review the control consideration table below for suggested controls and their purpose
  • design the new controls based on the process needs and select a sample of transactions to run through the new process
  • after control validation, implement the enhanced process controls

VALIDATION

  • 30 days after the revised controls have been implemented, select a representative sample, and determine if the process is more efficient, has increased productivity, and/or reduced rework
  • analyze each of the revised or newly implemented controls and evaluate their individual performance
  • document the selected control tested, the sampling technique, the testing performed, and the results
  • determine if the correct type of control was implemented and if any enhancements need to be made
  • ensure you consider the control enemies when evaluating the effectiveness of the enhanced control(s)
  • document the testing results and conclusion on the overall effectiveness of the new control environment as it directly relates to the achievement of the business objective(s)
  • consider implementing a continuous auditing program to validate that the new controls were not only implemented but also adopted by the business team

REPORTING

  • document and distribute the control performance summary report
  • update the risk assessment (at the individual audit and annual level) documentation related to the validated business unit and processes
  • share the results of the review with the appropriate control groups – audit, compliance, enterprise risk management, legal, investigations, business management, the audit committee

CONTROL CONSIDERATIONS

CONTROL CONTROL TYPE
APPROVAL PREVENTATIVE
CHECK or (RE)CALCULATE DETECTIVE/DIRECTIVE
DOCUMENT DETECTIVE/DIRECTIVE
MATCH OR COMPARE CORROBORATIVE/CORRECTIVE/DETECTIVE
MONITOR DETECTIVE/DIRECTIVE
OBSERVE PREVENTATIVE/DETECTIVE
REPORTING DETECTIVE
RESTRICT DIRECTIVE/PREVENTATIVE
SEGREGATE DIRECTIVE/PREVENTATIVE
SUPERVISE PREVENTATIVE
VERIFY DIRECTIVE/DETECTIVE

There are undoubtedly many other categories and examples of controls, all of which are necessary to achieve the desired result.  Control models (e.g., COSO, COCO, COBIT) have been developed to focus on the roles controls play in a business environment.  For further information, readers should consult these control frameworks as well as introductory auditing books.

Also, controls can be –

PROACTIVE

Proactive management actions and controls include prevention but go beyond it. Proactive management actions and controls should encourage desirable conditions, events, or outcomes and prevent undesirable errors or irregularities.

DETECTIVE

Detective management actions and controls determine progress toward objectives and identify the actual or potential occurrence of desirable and undesirable conduct, conditions, and events. These controls are the most common type of mitigating or compensating controls.

RESPONSIVE

Responsive management actions and controls do more than correct errors. They help the organization recover from undesirable conduct, events, and conditions; fix identified weaknesses; execute necessary discipline; recognize and reinforce desirable conduct and deter future undesired conduct or conditions.

Lastly, when designing a control, always consider the EcoSystem and your objective(s)!

Copyright 2021 Jonathan T. Marks

Closing

We hope you find this information useful. I don’t believe guidance like this exists anywhere, and that is why I embarked on developing something useful.

Thoughts and comments are always welcome and appreciated!

Best,

Jonathan T. Marks, CPA, CFF. CFE

Robert Mainardi 

Please follow and like us:
Tags:
%d bloggers like this:
Skip to toolbar