First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

What is an internal control, really?

internal controlEthics and compliance professionals, myself included, talk about the importance of effective internal control all the time. We document controls, we test them, we strengthen them when they’re weak, we retire them when they’re obsolete.

That’s not the same as understanding what a control actually is, at an abstract level: what it’s supposed to achieve, and how it’s supposed to operate within an organization. But that understanding is crucial if ethics and compliance officers want to design a system of internal control that is actually effective — one that works with whatever facts of business life your particular organization has.

Let’s start with an “official” definition of a control.

First, the auditing definition

A control has its own definition from the federal securities law. Section 13(b)(2)(B) of the Exchange Act lists four points an effective control should achieve:

  • Execute transactions in accordance with management’s authorization
  • Record transactions as necessary for proper preparation of financial statements and to maintain accountability for assets
  • Restrict access to assets only as permitted by management’s authorization
  • Compare recorded accountability of assets with existing assets at reasonable intervals

That defines an accounting control. Yes, accounting controls for improper payments are crucial to a compliance program, as we’ve discussed here before.

Still, that definition gives ethics and compliance professionals only partial help. For example, “execute transactions in accordance with management’s authorization” applies to issues such as anti-bribery or bid-rigging. “Restrict access to assets only as permitted by management’s authorization” could apply to data security.

But those criteria are almost too broad; they could apply to any compliance risk involving company assets. On the other hand, they provide little help for personal misconduct risk such as harassment, which is a big part of the compliance officer’s remit, too.

A better definition of internal control

For a definition more versatile and practical, I turned to a colleague who is a long-time anti-fraud investigator. He proposed this:

A process of interlocking activities that use properly designed policies and procedures; which are preventive, detective, corrective, directive, and corroborative; along with training and continuous monitoring, to:

  • Assure achievement of an organization’s objectives
  • In operational effectiveness and efficiency
  • Generating reliable (complete and accurate) books and records
  • In compliance with laws, regulations, and policies
  • Which ultimately reduces risk of fraud, risk, and abuse

Now we’re getting somewhere. That definition is a mouthful, but it works. It fits with all sorts of risks that an ethics and compliance officer might confront, from personal misconduct to financial fraud. It spells out where controls come from, and what they’re supposed to do.

Put the right pieces together for a control

An ethics and compliance officer’s objective is to reduce the risk of misconduct to some reasonable amount, according to whatever risk tolerances your board sets out. In that case, understanding what a control is really captured in that first clause: a process of interlocking activities that use properly designed policies and procedures.

Take conflicts of interest as an example. Sure, you can have a policy against COI — but without other measures to put it into force, you have nothing more than a paper compliance program.

You could also have COI procedures, such as due diligence screens for beneficial owners, but without a policy to guide those efforts, they can lead to arbitrary enforcement and alienated employees (and third parties).

Those are nothing more than a jumble of control activities, not working in concert to address COI in a useful way.

The more effective approach is to align all those pieces usefully: a due diligence program to screen for beneficial owners of new vendors (a transaction control); a COI policy signed by every employee (a process control); and speeches by senior executives stressing the importance of avoiding even the appearance of impropriety (an entity level control).

Cut to fit

Consider what properly designed controls would look like for your organization. A tiny business with a handful of third parties doesn’t need elaborate, automated due diligence procedures. It does need strong leadership from the CEO.

Conversely, a global business does need elaborate due diligence programs, perhaps with more training and policies to boot. And while a speech from the CEO would help, let’s not kid ourselves about how effective a speech really is in a global organization with tens of thousands of employees. Other, more forceful control activities carry more weight.

It’s all about balance: finding the right blend of policies and procedures for your organization, to reinforce each other and deliver more internal control than the sum of those parts. That’s where a control should bring you. That’s what effective internal control is.

By Matt Kelly

Follow me

Ethics &Compliance Matters ™, Navex Global ®

Ethics & Compliance Matters™ is the official blog of NAVEX Global®. All articles posted on the Inside Internal Controls blog originally appeared on NAVEX Global’s Ethics and Compliance Matters Blog. The blog leverage the news, insights and best practices you find here to stay ahead of GRC trends, and take your compliance program to the next level. Read more
Follow me

, , ,

Comments are currently closed.

One thought on “What is an internal control, really?
  • That’s interesting and certainly provides a lot of detail which can be helpful when implementing controls in the accounting and related areas. But I think the best definition of internal control is much broader: Policies and procedures that help ensure that the organization achieves its objectives. The advantage of this broad definition is it reminds the reader that internal control is not primarly accounting or auditing; it pertains also to operations.