Internal control is the foundation of good corporate governance.
Anonymous
This is the age of risk. Executives want a better way to control the risks within their enterprise as well as the extended enterprise of the supply chain.
How should this be done? The development of internal and external controls is becoming the preferred method to achieve continued profitability as well as manage risks.
Internal and external controls allow an organization to deal with rapidly changing competitive environments, shifting customer requirements, restructuring for growth, and managing the supply chain. Controls offer a number of mission critical benefits to an organization, specifically to:
- Improve corporate governance.
- Promote operational efficiency and effectiveness.
- Manage risks.
- Ensure reliability of financial statements.
- Ensure compliance with regulations and laws.
WHAT ARE INTERNAL CONTROLS?
The concept of Internal control means different things to different people. Regulatory authorities as well as lay people use the concept. For example, the concept of internal control has been written into law, such as Sarbanes-Oxley Bill.
In terms of this book, we use the COSO Integrated Framework of Integrated Control, specifically:
Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Compliance with applicable laws and regulations.
- Reliability of financial reporting[i]
The first category addresses the enterprise’s ability to meet its business critical objectives, including performance, profitability, reliability and other goals and metrics. The second category deals with complying with applicable laws, regulations, and standards.
VALUE ADDED AUDITING
We call risk based auditing ‘value added auditing.’ What’s the role of the value added auditor in internal control? Internal control systems operate at different levels effectiveness, efficiently and economy.
The value added auditor is responsible for providing senior management and even the board of directors ‘reasonable assurance’ that:
- Objectives had been deployed down the organization and into the supply chain.
- Mission critical objectives are being achieved.
- Applicable laws are regulations are being complied with.
COMPONENTS OF INTERNAL CONTROL
Internal control consisted of five interrelated components:
- Control environment.
- Risk assessment.
- Control activities.
- Information and communication.
- Monitoring.[ii]
Control Environment
The control environment is basically the culture of the organization. The environment establishes the ethic of the organization. Senior management sets the ‘tone at the top,’ which permeates the organization; guides, role models, and reinforces behaviors; and influences the control ethic of all stakeholders. The control environment is the foundation of all elements of the control system
The control environment includes:
- Core values.
- Oversight by the board of directors.
- Credibility of the board of directors and senior management.
- Integrity of the organization.
- Ethical values.
- Senior management’s operating style and philosophy.
- Management deployment of authority and responsibility.
Risk Assessment
All organizations have mission critical strategies, objectives, tactics, and plans, which are deployed down the organization and into the supply chain. One definition of risk is the ability to meet these objectives consistently. In other words, the ability to assess and ultimately manage risks reflects on the ability of an organization to meet its business objectives.
Risk is the key filter for senior management decision-making. An organization faces risk from many sources; form within and outside the organization. How it identifies, monitors, controls, mitigates, and ultimately manages overall risk indicates how successful and profitable it will be.
Risk assessment includes:
- Determining critical business objectives.
- Identifying risks that impact the ability to meet objectives.
- Developing a system to manage the risks.
- Developing mechanisms for managing change.
Control Activities
Controls activities occur through the organization and into the supply chain. There are basically two types of controls: 1. soft controls and 2. hard controls. Soft controls deal with the messages and reinforcers that the board of directors and senior management want to communicate. These is sometimes called ‘tone at the top.’
‘Hard controls include policies, procedures, and work instructions that detail how management directives and work is carried out. These help ensure that the necessary actions are anticipated and taken to address the risks of not meeting an organization’s objectives.
Information and Communication
Reliable and accurate data and information are required to control processes and activities. Without them, there is no control. So critical control information must be identified, captured, and communicated to the right parties so it’s relevant for informed decision making and external reporting. The information must also be in a form and timeframe so process owners and primes can meet their responsibilities.
Information should be captured based on critical needs of the organization. Risk points are identified throughout the organizational value chain and externally into the supply chain. Communication is also reported externally to customers, suppliers, regulators, and shareholders. Risk points become organizational points of control. Information from these points, nodes, or areas may be communicated up, across and down the organization.
Monitoring
Once processes are stable, capable of meeting business requirements/objectives and improving, these processes must be monitored. Monitoring may mean first party, real time monitoring; second party evaluations such as internal auditing; or third party audits such as by regulatory authorities.
Monitoring ensures critical system, process, and product performance over time. Management should Pareto (80 – 20 rule) critical risk-control points within the organization. The scope and frequency of monitoring depends on the evaluation of the control effectiveness to manage critical risks. Then, control deficiencies are reported to process owners, senior management, or the board of directors depending on the risk, materiality, or explore to the organization.[iii]
This framework is an integrated system of controls and should be flexible to react dynamically to changing business conditions. These ‘built in’ controls are the essence of good management practices. For example all 5 integrated control components should exist, be documented, and functioning effectively for the value added auditor to conclude that internal controls are working properly to “provided reasonable assurance regarding the achievement of objectives” in the “effectiveness and efficiency of operations.”
INTERNAL CONTROL BENEFITS
The internal control framework is an excellent framework for achieving performance and profitability target. Internal control is a transparent model that can be used in many industries and businesses. Controls can be used to manage risks throughout the organization and into the supply chain. Internal controls are also fundamental to many recent corporate governance laws and regulations.
However, even an integrated system of internal control:
- Cannot guarantee absolute or one hundred percent (100%) assurance.
- Cannot ensure success or profitability.
- Cannot guarantee meeting business objectives.
- Cannot change improve systemic or chronic problems.
- Cannot evaluate or change the fundamental business model.
- Cannot ensure customer satisfaction.
- Cannot modify or change people or management behaviors, fundamentally the biggest source of variation or risk.
- Cannot impact external variables, such as changing customer requirements, regulatory mandates, and macro economic conditions.
Finally, the threshold of professionalism for value added auditors is to provide ‘reasonable assurance’ to the board, senior management, process primes, process owners, or other report stakeholders. The best conceived, deployed, and operating control system can still be circumvented, be misused, not understood, overridden, waived, colluded, tainted, or have diminished effectiveness for any number of reasons.
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books available on all platform are shown below: