Good Recipe For Corporate Failures: Effective Internal Controls
Fikret SebilcioğluThere is overwhelming evidence that most of the times the root causes of corporate governance failures are breakdowns of internal control system. Good lessons from bad examples show that effective internal controls are key elements of corporate governance and crucial to sustaining an organization.
Changing stakeholders’ behavior
Internal controls are essential to the effective operation of companies. Simply put, internal controls are activities or procedures designed to provide reasonable assurance that operations are “going according to plan.” Without adequate internal controls, management has little assurance that its goals and objectives will be achieved. Properly designed and functioning controls reduce the likelihood that significant errors or fraud will occur and remain undetected. Internal controls also help ensure that departments (other than the main finance office) are performing as expected.
Over the past few decades, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders are more engaged into the business, seeking more transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization. Stakeholders’ behavior is understandable because many corporate governance failures stemmed from lack of properly designed and effectively functioning controls.
Many companies have internal control systems in place for many years in different forms. However, recently the various stakeholders have come to expect much more when it comes to internal controls and the way they are monitored. In addition to external stakeholders, who see effective internal control systems as an integral part of good corporate governance, a company’s board of directors and senior executives need transparent and reliable information on the effectiveness of internal controls. In addition, more and more companies are realizing that taking a good look at their internal processes and controls is a great opportunity to make their internal organization more efficient.
Lessons learned from the collapses
We have seen the damaging effects of many large and small-scale governance and internal control collapses. These breakdowns have taught valuable lessons around a number of themes such as ineffective board oversight, the effects of management override, conflicts of interest, lack of segregation of duties, lack of delegation of authorities, poor or non-existent transparency, siloed risk management and unbalanced compensation structures.
What should be done to respond to these expectations?
We believe that in order to respond to the stakeholders’ expectations regarding internal controls, you should follow a methodology to ensure that your steps are complete to achieve the best results. We recommend the following 8 steps approach that could be a good roadmap for your company to follow while assessing the design and operational effectiveness of your internal controls:
- Process Documentation: Documentation of processes should include a process flowchart and, if necessary, should be supported by narrative. It is expected that supporting narrative will be needed for complex processes as a minimum.
- Risks and Controls: Upon completion of the process documentation, each department needs to identify and document relevant risks for each sub-process within the flowcharts, together with the key and non-key controls that mitigate them. These risks and controls must be formally recorded within a “Risk and Control Matrix”.
- Segregation of Duties: Management should ensure that significant duties are appropriately segregated.
- Walkthrough: A walkthrough will confirm the accuracy and completeness of the process documentation and the existence of the controls identified. The walkthrough may be performed and documented by an independent individual of the related cycle to ensure the objectivity.
- Design Effectiveness Assessment: Once the draft “Risk and Control Matrix” has been prepared and the walkthrough performed, the Design Effectiveness Assessment phase should be finalized confirming that the key controls described in the draft RACM are designed in a manner that mitigate the risks that have been identified.
- Test Plans: Once the process has been documented, the risks identified and key controls identified and assessed for design effectiveness, the key controls need to be tested for operational effectiveness. The key to this stage is preparing test plans that allow for an efficient and effective testing plan for these key controls.
- Operational Effectiveness Assessment: Once the test plan has been prepared, the test plan to assess operational effectiveness should be performed. Testing results must be documented properly with appropriate supporting documentation.
- Deficiency Assessment and Reporting: As a result of testing of operational effectiveness of controls, deficiencies and related remediation should be identified and reported. Of course the management should prepared action plan to remediate deficiencies.
Who is responsible for internal controls? – “Tone at the top”
This may come as a surprise to some readers, but external auditors are not responsible for an entity’s internal controls. External auditors evaluate internal controls as part of their audit planning process, but they are not responsible for the design and effectiveness of your controls. Board of directors and senior executives are responsible for making sure that the right controls are in place, and that they are performing as intended.
The board and senior executives shape the organization’s tone-at-the-top by demonstrating integrity, honesty and ethical behavior in its handling of decisions and sensitive issues. Finance officers and operational managers support the internal control initiatives of the senior executives in daily operations. All levels of management must work together to create an integrated framework that lowers risk to an acceptable level and assists the organization in meetings its goals and objectives.
The attitudes and behavior of board of directors and senior executives are essential to a healthy system of internal control. An internal control environment consists of management’s philosophy and operating style. The control environment should also include:
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
It is utmost important to recognize that If board of directors and senior executives do not demonstrate strong support for integrity, honesty and ethical behavior, the organization as a whole will be unlikely to practice good internal controls. As the title suggests, if a fish rots from the head down, it would be meaningless to put efforts to design and implement internal controls because they would not function effectively anyway!
Internal controls: Assurance of a safe and profitable business environment
When the subject of internal control is discussed, the conversation frequently centers on costs sides of the efforts rather than the whole consequences of an effective and efficient internal controls.
Profitability is not only achieved through high sales and meeting consumer demand, but also managing business risks, controlling costs (including losses due to fraud) and limiting excessive spending. Management should on a regular basis review all aspects of their company and insert internal controls that will strengthen the company’s operations and increase profitability. These controls are normally instituted through the formation of policies. Companies use policies to ensure a safe and profitable business environment. These policies are internal controls that help management in areas including human resources, community awareness, and business-to-business relations.