A risk is anything that can harm an organization. The concept of internal control includes all processes that mitigate the risks an organization faces. The risks an organization faces are numerous.
- Assets belonging to an organization can be stolen, mishandled or misused.
- Misused resources can result in inefficiencies and losses. Sometimes, they can even cause failure in reaching the organizational goals.
- Erroneous, inaccurate, misleading financial reports can lead to wrong decisions by the management. The errors can be unintentional or deliberate.
- Poor compliance and governance can lead to huge penalties when the laws, rules and regulations of the land are not respected or followed.
In 1985, five US professional associations jointly sponsored the National Commission on Fraudulent Financial Reporting (the Treadway Commission) to study the causes of fraudulent financial reporting; the sponsoring bodies became known as the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The commission made recommendations for public companies, auditors and regulators, including the SEC (US Securities and Exchange Commission).
COSO, as the thought leader, provides guidance in risk and control. Its framework lists five components of internal control.
- Control environment, the foundation on which an organization raises the control awareness and sensibility of its employees. It demonstrates the organization's commitment to ethical values and integrity, ensures that the board exercises its oversight responsibility and holds employees accountable.
- Risk assessment and management.
- Information and communication processes enabling employees to carry out their internal control functions and communicating the control information internally and externally.
- Control activities, the policies and procedures developed and used to mitigate risks.
- Monitoring to evaluate the effectiveness of internal control. You will notice that even the internal control performance is evaluated. Inadequacies or deficiencies of internal control are also communicated.
After all, an old Latin proverb famously asks 'Quis custodiet ipsos custodes?', who will guard the guards themselves?
Designing an internal control system
Given the way human ingenuity and greed work, it is impossible to design internal controls that are one hundred percent foolproof. But there are ways to minimize the risks.
Segregation of duties is one important way to reduce the risk of fraud and malpractices. If an employee is solely in charge of all the tasks in a business process, chances are that in a ‘conflict of interests’ situation, he may be tempted to choose self interest over the good of the organization. Segregation of duties divides the tasks among employees, so that no one employee is responsible for all the tasks or every part of the business process. A Store Manager is not responsible for auditing the inventory in his store. The Store Auditor audits the store and does a reconciliation of stocks in that store. Discrepancies are more likely to be caught this way. This is one of the most important ways of detecting theft or fraud as deterrence is inbuilt into the system with checks and balances.
One employee processes the vendor's invoices. A different employee issues the vendor's payment. In payroll management, one person does the accounting portion of the task and a different person issues the checks. To summarize, segregation of duties requires that the functions of authorization, custody of assets, recording and reconciliation in each business process be assigned to different people.
Segregation of duties does not stop two employees from colluding. Where collusion is a realistic risk, the organization can rotate duties or outsource part of the task to a third party so that the colluding pair no longer covers the whole process.
Building both preventive and detective activities into the control system is crucial. Examples of preventive activities include authorization and documentation. The focus here is on stopping undesirable events from happening by identifying risks completely and designing processes that have been thought through as rigorously as possible. Detective control activities such as reconciliations, reviews and checks operate after the fact: they catch the events that the preventive controls did not stop.
Documentation is crucial in the design of internal control systems as it provides evidence of transactions. It could be paper based or in electronic form and should cover all stages of the transaction with a record of who performed which task in the lifecycle of the transaction and when. It is important for tracking deviations.
Reconciliation has to be built into every internal control system. Without it, the accuracy of the financial reporting cannot be confirmed and discrepancies cannot be caught.
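The three design elements above (segregation of duties, documentation of who did what and when, and reconciliation as a detective control) can be enforced in software rather than left to procedure. The following is an added example, not code from the original article or from COSO: a small vendor-payments ledger in which recording, approval and payment must be performed by different people, every attempt, allowed or denied, is written to an audit trail, and a reconciliation against a bank statement reports discrepancies. The roles, user names, invoice numbers and bank statement are constructed for the example.

```python
"""Maker-checker controls for vendor payments with an audit trail and reconciliation.

Added example; roles, users, invoices and the bank statement are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


class ControlViolation(Exception):
    """Raised when an action would breach segregation of duties or authorization."""


@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    amount_cents: int
    recorded_by: str
    approved_by: Optional[str] = None
    paid_by: Optional[str] = None


@dataclass
class AuditEvent:
    when: str        # ISO-8601 UTC timestamp: documents *when*
    actor: str       # documents *who*
    action: str      # record / approve / pay, with "_denied" suffix for blocked attempts
    invoice_id: str
    detail: str


class PaymentsLedger:
    def __init__(self, roles: Dict[str, Set[str]]):
        # Role assignments would normally come from an identity system (assumption here).
        self.roles = roles
        self.invoices: Dict[str, Invoice] = {}
        self.audit_log: List[AuditEvent] = []

    def _log(self, actor: str, action: str, invoice_id: str, detail: str = "") -> None:
        now = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(now, actor, action, invoice_id, detail))

    def _deny(self, actor: str, action: str, invoice_id: str, reason: str) -> None:
        # Denied attempts are evidence too: they go on the audit trail before raising.
        self._log(actor, action + "_denied", invoice_id, reason)
        raise ControlViolation(reason)

    def _check_role(self, user: str, role: str, action: str, invoice_id: str) -> None:
        if role not in self.roles.get(user, set()):
            self._deny(user, action, invoice_id, f"{user} lacks role {role}")

    def record_invoice(self, user: str, invoice_id: str, vendor: str, amount_cents: int) -> None:
        self._check_role(user, "ap_clerk", "record", invoice_id)
        if invoice_id in self.invoices:
            self._deny(user, "record", invoice_id, f"invoice {invoice_id} already recorded")
        self.invoices[invoice_id] = Invoice(invoice_id, vendor, amount_cents, recorded_by=user)
        self._log(user, "record", invoice_id, f"{vendor} {amount_cents}")

    def approve_invoice(self, user: str, invoice_id: str) -> None:
        self._check_role(user, "approver", "approve", invoice_id)
        inv = self.invoices[invoice_id]
        if inv.recorded_by == user:  # authorization must be separate from recording
            self._deny(user, "approve", invoice_id,
                       f"{user} may not approve invoice {invoice_id} that {user} recorded")
        inv.approved_by = user
        self._log(user, "approve", invoice_id)

    def pay_invoice(self, user: str, invoice_id: str) -> None:
        self._check_role(user, "treasury", "pay", invoice_id)
        inv = self.invoices[invoice_id]
        if inv.approved_by is None:
            self._deny(user, "pay", invoice_id, f"invoice {invoice_id} has not been approved")
        if user in (inv.recorded_by, inv.approved_by):  # custody separate from the rest
            self._deny(user, "pay", invoice_id, f"{user} already handled invoice {invoice_id}")
        inv.paid_by = user
        self._log(user, "pay", invoice_id, str(inv.amount_cents))


def reconcile(ledger: PaymentsLedger, bank_debits: Dict[str, int]) -> List[Tuple[str, str]]:
    """Detective control: compare paid invoices with bank debits keyed by invoice id."""
    paid = {i: inv.amount_cents for i, inv in ledger.invoices.items() if inv.paid_by}
    issues = []
    for inv_id, amount in paid.items():
        if inv_id not in bank_debits:
            issues.append(("paid_not_in_bank", inv_id))
        elif bank_debits[inv_id] != amount:
            issues.append(("amount_mismatch", inv_id))
    for inv_id in bank_debits:
        if inv_id not in paid:
            issues.append(("bank_debit_without_paid_invoice", inv_id))
    return sorted(issues)


def demo():
    """Constructed scenario: returns (denied reasons, reconciliation issues, audit actions)."""
    ledger = PaymentsLedger({"alice": {"ap_clerk", "approver"}, "bob": {"approver"},
                             "carol": {"treasury"}})
    denied: List[str] = []

    def attempt(fn, *args):
        try:
            fn(*args)
        except ControlViolation as exc:
            denied.append(str(exc))

    ledger.record_invoice("alice", "INV-1", "Acme Ltd", 125_000)
    attempt(ledger.approve_invoice, "alice", "INV-1")  # recorder approving own invoice
    ledger.approve_invoice("bob", "INV-1")
    attempt(ledger.pay_invoice, "alice", "INV-1")      # no treasury role
    ledger.pay_invoice("carol", "INV-1")
    ledger.record_invoice("alice", "INV-2", "Globex", 50_000)
    ledger.approve_invoice("bob", "INV-2")
    ledger.pay_invoice("carol", "INV-2")
    ledger.record_invoice("alice", "INV-3", "Initech", 7_500)
    attempt(ledger.pay_invoice, "carol", "INV-3")      # never approved
    bank = {"INV-1": 125_000, "INV-2": 49_000, "INV-9": 5_000}  # constructed statement
    return denied, reconcile(ledger, bank), [(e.actor, e.action, e.invoice_id) for e in ledger.audit_log]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that the segregation rules are checked on the invoice itself (who recorded it, who approved it), not only on role membership: alice holds both the clerk and approver roles, which is common in small teams, and is still blocked from approving the invoice she entered. The reconciliation is deliberately a separate function with no write access to the ledger, so the person or job running it cannot quietly adjust the records it is checking.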
Assets and records should be secured against theft, destruction or manipulation. The design should cover who may access and distribute data, password protection, access levels based on authority and the need to know, and the prompt revocation of access when employees leave the organization so that they cannot take data with them. Security ensures that the cookie jar is not left open.