Internal control is a fundamental concept for organisations and one of the core activities of finance professionals. But its nature is not static – it must adapt to changing times.
Business models have evolved rapidly in recent years in the face of digitalisation, automation and changing customer behaviour. So what does this mean for internal control? How can and should the discipline adapt if it is to remain not only relevant, but valuable?
These are the questions that a new report by ACCA, the Internal Audit Foundation and the Institute of Management Accountants seeks to address head on. Internal Control and the Transformation of Entities draws on the experience of finance and internal audit professionals worldwide to look more closely at emerging trends and their impact on internal control, and at what organisations will demand of their internal controls and the finance professionals responsible for them in the future.
Those taking part in the research stressed the continued importance of internal controls to organisations’ stability and performance. The vast majority of almost 2,000 ACCA and IMA members surveyed identified fraud prevention and minimisation of risk as the main purpose of internal control.
There are concerns, though, over a perceived skills shortage. A lack of skilled staff was identified by half of the respondents as their most significant challenge – a crisis triggered, the report argues, by the scale of organisational transformation that is underway worldwide.
It is striking that the vast majority of respondents to the survey either had some form of transformational activity underway or planned in their organisation. The report identifies multiple drivers of change affecting organisations and, by extension, internal control.
‘While each of these may have a substantive impact,’ it says, ‘in combination they represent a period of turbulence for most entities. This is a time when risks are high and the need for controls to be effective is paramount.’
The ‘agile’ challenge
The adoption of cloud-based solutions means that for many organisations, transformation is an increasingly iterative and agile process, as companies seek to take advantage of immediate opportunities. ‘As a result,’ says the report, ‘control frameworks need to flex and change.’
Yet the research reveals an apparent reluctance to move towards agile internal control and risk management, automated controls and continuous monitoring. So what can be done to ensure that internal control keeps pace with organisational needs?
The report argues that if internal control and risk management frameworks are to remain fit for purpose in a business environment that is expanding in scope (to embrace, for example, sustainability issues) and using rapidly evolving technologies, internal control ‘must be integral to these advancements’.
This means that internal control should embrace technology and automate where appropriate and, as more non-financial reporting comes under its remit, look for more varied sources of data and new methods of control, recognising that the data on which non-financial reporting is based is often less robust.
In particular, a broader range of skills will be needed than has traditionally been the case, including both technical and interpersonal elements.
‘The resourcing and make-up of both second- and third-line teams will be an issue as the scope of internal control expands,’ says the report. ‘An appreciation of technology and data are no longer “nice to have” – rather, they are necessities.’
The report states that as stakeholders look for assurance over a broader range of disclosures from entities, the internal control framework will need to extend across more process flows, some of which have not previously been within the scope of the Institute of Internal Auditors’ three lines model.
‘The availability of the right skills is fundamental to the maintenance of effective internal controls,’ it adds. ‘These skills are broadening beyond the purely financial, and there must be recognition of this expanded need and the consequent investment required by both entities and individuals.’
The report concludes: ‘The bottom line is that the value of internal control extends well beyond statutory reporting and compliance to supporting external financial disclosures. To support business transformation and increase enterprise value, internal control itself must constantly transform to be fit for purpose in a digital and disruptive environment.’
The report recommends a number of key actions that could improve internal control, including:
- mapping the use of emerging technologies to internal controls and identifying opportunities to increase control effectiveness
- reconfiguring the risk model to reflect the changed technology practices that arise from the adoption of cloud-based applications
- embedding automated and parameter-based internal controls into cloud-based applications, especially at the point of initiation
- developing a strategy to integrate the necessary non-financial data required into the internal control framework and being prepared to document as appropriate
- identifying areas where manual controls may duplicate automated controls, and eliminating them as appropriate.