Special thanks to John J. Hall, CPA, President, Hall Consulting, Inc. for providing this valuable information on internal control.
What does internal control mean to you?
‘Internal control’ means many things to many people. Perhaps too many different things to too many different people.
Some see controls as symbols, arrows and lines on a process flowchart. Others believe controls are checking off the boxes on compliance lists every few months. Financial reporting managers and external auditors focus on the accuracy of reported results, but give little energy to controls over operations, customer satisfaction or product and service quality. Compliance experts, such as internal and government auditors, refer to various sanctioned models of controls starting with high level objectives flowing down into specific target policies, procedures and actions.
All are correct depending on their point of view or job responsibilities, but most can miss the mark as well. So, let’s break it down.
Breaking it down
Traditionally accepted definitions of controls start like this: Internal Controls are any action taken by management, the board or other parties to manage risk and increase the likelihood of achieving established objectives and goals.
I’m confident we all agree that’s a good starting point.
Let’s go one step deeper. Controls entail processes, policies, procedures and other management directives designed to provide reasonable assurance to achieve objectives in the following categories:
- Reliability of financial reporting
- Compliance with laws and regulations
- Effectiveness and efficiency of operations
These broad control objectives are then documented as a working framework or blueprint of intentions, actions and responsibilities. In any daily business setting, it’s the ‘what to do, how to do it and when to do it’ nuts and bolts of how things are accomplished.
What about the why behind these actions?
For example, it’s pretty common as a payment transaction grows in size, additional approval signatures are required before funds are released. Out of pocket travel cost reimbursement, weekly time reporting and routine purchasing card transactions usually require just one approval signature from the next higher level of authority, usually a first-level supervisor. But as transactions grow into the tens and hundreds of thousands, approval protocols also grow requiring multiple signatures. And that $200 million construction project? Most likely entire pages of signatures will be required as multi-million dollar contractor payment applications are processed.
All of that makes sense… in theory
We live in the real world of time constraints, multiple demands on our energy and comfortable human habits. Do all those signatures really bring additional control or just the appearance of control without the reality? Perhaps it’s just my 46 years of auditing experience, but I remain confident managers often just scribble their signature on documents someone else already signed.
If you agree, then let’s get down to it once and for all.
Assume your organization’s control procedures were thoughtfully designed, properly implemented and effectively maintained. Within reason, of course, as there’s always room for improvement!
We need to pay more attention to the human aspect of controls, the component making the standard procedure come alive. What about the knowledge and experience of transaction processors and approvers? What about their interest, focus, energy and attention at that critical approval moment as they reach for their computer mouse or pen to place their management stamp of approval?
Is their supervisor’s support based in encouragement to do things right the first time, the hallmark of any quality initiative? Or is there daily pressure to just get things done and off your desk?
And, possibly the most important question, what is the department’s peer-group culture like where review and approval take place? Are co-workers supported as they seek excellence and inject pride into their work? Or are they just slogging through the days until something better comes along? Peer group pressure to conform is a powerful motivator that either supports or undermines the effectiveness of internal controls.
In short, control protocols with weak human execution is an implicit significant weakness, which undermines risk management initiatives in any organization.
Have I scared you yet?
To be completely transparent, I fully intended to scare you into meaningful action. Fortunately, that action is incredibly simple and virtually free to build.
In fact, internal controls are heavily dependent on instructions about what to do, how to do it and when to do it. If we add the why to do it and motivate every employee to follow a few simple steps, that makes internal control come alive. So here’s the magic formula:
First, when you reach for your pen or computer mouse to approve a transaction, stop, collect your thoughts, focus your efforts and look at what’s in front of you.
Second, look at the transaction documents and underlying support. I mean really look at it. Not just a passive glance.
Third, ask yourself, “How do I know this is correct?” If you’re sure it’s fine, approve away. But when in doubt… doubt. Not when in doubt… believe!
Fourth and last, if in doubt, resolve it before approving or refer to others for action.
Stop, look, ask, and if in doubt, then resolve or refer. Pretty simple, right? Yes, but only if employees and managers have the mental and physical discipline to take these simple steps and make internal control come alive.
Make internal control come alive
Learn how to make internal control come alive! Join John Hall as he presents a 2-hour live CPE webinar on December 12 called Internal Controls: What They Are, What They Aren’t & How to Plug the Holes. In this session, the attendees will examine the broad concept of internal controls in government operations, determine what works and address the recurring reasons controls fail.
Back by popular demand, John returns on February 26 to present Selling Audit Recommendations for Government Auditors. In this 2-hour live CPE webinar, registrants will dive straight into how to deliver audit project ideas that grab the listener’s attention, stick in their brain and nudge them towards taking those critical steps toward improvement.
Hope to see you there!
Yellowbook-CPE.com is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: