06 Nov Four Surprising Reasons to Love Internal Controls
The mere mention of internal control often conjures images of red tape and bureaucracy preventing people from getting things done. And understandably so, the word control is right there in the name, and generally people don’t like things that try to influence or direct their behavior. Unfortunately, internal control has gotten a bad rap as a necessary evil that disrupts the work that needs to get done. Done right, however, internal controls are immensely valuable to an organization by helping to ensure that the company, its teams, and its employees meet their desired objectives.
Internal Control Components
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control frameworks should have five components at their core.
- Control environment. The control environment is the company’s attitude towards risk. It starts with the tone at the top, but permeates through the entire organization.
- Risk Assessment. Risk comes in all shapes and sizes. Companies have risks outside of areas that we typically think of in terms of internal controls (data breach, fraud, etc.). Organizations face risk that employees aren’t trained properly to adequately do their jobs, that new products won’t meet market demands, that customers will quit using their products or services, and that they won’t have enough cash to meet their obligations. Including all areas of risk in the assessment leads to creating the right control objectives to help the business flourish.
- Control activities. Control activities are the policies, procedures, and actions that are taken to help ensure that the control objectives are met. They include things like approvals, authorizations, and reconciliations.
- Information and Communication. Companies need to have mechanisms in place to provide, share, and obtain information. That information should be communicated to the right people at the right time.
- Monitoring. Internal control frameworks aren’t something that are built and then put on autopilot. The control environment should be continuously reviewed to ensure that the design of the control objectives is suitable to meet the business’s key objectives and that the control activities are operating effectively.
Why Build an Internal Control Framework?
All companies have internal controls, whether they are documented or not. For example, if a business owner sets the expectation that the last employee who leaves the building locks the door, an internal control has been established. Just establishing the expectation is not enough though. Sometimes information doesn’t get passed on when new employees are hired, and sometimes there is room for misunderstanding of informal controls. Formalizing internal controls into a framework is an important step and involves much more than compiling checklists. A complete framework requires detailed analysis and documentation of the five interrelated components listed above. And, just as no two businesses are exactly alike, internal control frameworks are unique to each business and can’t be copied and pasted from one organization to the next.
The process of building a complete internal control framework can be both time consuming and eye opening because it requires leaders to take a deep dive into the inner workings of their organization end to end. The fact is, however, that this exercise is among the most important activities most any business can undergo. It is critical in order to properly communicate management’s expectations regarding integrity and ethical values, to identify the control objectives that best mitigate risk across the entire organization, to align the right control activities with the control objectives so that everyone knows what to do, to evaluate the framework and use that information for continuous improvement, and to have a mechanism to monitor and modify the framework on an on-going basis.
Not only is building an internal control framework a business necessity to help ensure that risks are addressed in the best way possible, but in today’s world of outsourcing, customers often demand assurance from service providers that their control design is suitable and operating effectively. This assurance can be provided in the form of a Service Organization Controls (SOC) report in which an independent auditor issues an opinion about a company’s control environment. And, building an internal control framework is the first step towards obtaining a SOC report.
Surprising Side Effects of Internal Control Frameworks
In addition to mitigating risk and providing a basis on which to have a SOC report issued, internal control frameworks have many positive side effects that challenge traditional thinking about internal controls.
1. Employee Engagement. It is counterintuitive that more internal control would lead to higher levels of employee engagement. It is true that just throwing layers of bureaucracy into a process when something goes wrong without organizing the activities into a framework can demoralize employees. They may not have access to all the information that led up to the introduction of the control. Or, they may not know how the control activity supports the business’s key objectives. On the other hand, having a formalized internal control framework can boost employee engagement levels in the following ways:
- Communicating expectations regarding integrity and ethical values, managements philosophy and operating style, the organizational structure, and assignment of authority and responsibilities is part of an internal control framework. This information will give employees parameters in which to make decisions when unexpected things happen, because unexpected things will happen. When employees know what is expected of them, and are empowered to make the decisions necessary to do their jobs, they are more exponentially more engaged with the company.
- Good internal control frameworks align internal control with the business’s key objectives. Every company should take the time to create their mission and vision. Once those are articulated, the important things that need to be done, or objectives to succeed, should be defined. A good set of objectives is relatively short and should come from multiple perspectives. Robert Kaplan and David Norton developed and coined the Balanced Scorecard strategic planning methodology in the early 1990’s and it has been widely adopted by many successful organizations across the world since then. The Balanced Scorecard methodology suggests viewing success from 4 primary perspectives: employees, business processes, customers, and financial. For example, a company may determine that in order to succeed, it needs to increase employee engagement (employee), implement DevOps to more quickly deploy software (business processes), increase customer loyalty (customers), or increase operating margins to generate more cash to reinvest in the company (financial). The control objectives and activities in the internal control framework are closely aligned with the business’s key objectives and move in tandem with them as strategies evolve. This means that employees have a clear understanding of how the work they are doing contributes to the company’s success, which has been proven to increase employees’ commitment to the company.
2. Overall Cost Savings. By building an internal control framework, companies are also streamlining processes and saving money because things are running more efficiently. Not only that, but savings are also realized because things are more often done correctly the first time, thus avoiding costly corrections.
3. Customer Loyalty. In today’s business environment, where customers can often defect with the click of a mouse, it is critical that businesses are able to respond to customer needs quickly, completely, and correctly the first time. When companies have good processes which are supported by strong internal controls, they have the foundation to give customers the exceptional experiences that they demand.
4. Customer Confidence. When user organizations outsource business functions to a service provider, the risks of the service organization become risks of the user entities. Organizations that use service providers want to ensure the integrity and security of the system and company to which they are entrusting their data. Having a sound internal control framework on which a service auditor has issued an opinion is a competitive necessity for many service providers.
With the right perspective, internal controls can be viewed as enablers of a company’s business strategy. When a company defines their key business objectives, internal controls can be right there by their side, underpinning the business objectives and helping to ensure that they are carried out. The key to a successful relationship between internal controls and business strategy is to formalize the controls into a comprehensive internal control framework, complete with articulation of the control environment, management’s risk assessment and control objectives, control activities, information and communication mechanisms, and a monitoring plan. This can be a daunting task. Management Stack can help.
Management Stack Internal Control Framework Program – An Essential Solution for Your Business
- The current internal control environment is analyzed through discussions and interviews with executives, managers, and employees.
- Risks that threaten the achievement of business objectives are assessed.
- Controls objectives and activities are identified.
- Communication and monitoring plans are established.
- Gaps between the current and desired internal control environment are determined.
- A remediation plan is developed.