Author

Ismael Haber is assistant manager at KPMG Malta

Internal controls serve as an organisation’s first line of defence against fraud and error. They not only assist in preventing and detecting fraud, hence controlling potential losses; they also bolster operational efficiency and effectiveness. Yet their importance is often forgotten or neglected by management.

Refocusing on the risk protection and other benefits that internal controls bring is a step in the right direction in ensuring that an entity achieves its objectives. Following the framework set up by the Committee of Sponsoring Organizations of the Treadway Commission can help entities evaluate their internal controls effectively.

Consider the culture

The effectiveness of a control system is deeply rooted in an organisation’s ethical culture. Setting the tone at the top is the first building block. Without the leadership’s commitment to speaking and acting in a manner that is grounded in strong ethics, integrity and accountability, the whole system is prone to fall apart.

Accepting immoral behaviour at any level of the organisation will compound the negative effects, with other employees thinking that controls are unimportant and that ignoring them would not result in any repercussions.

Assess the risks

Another building block of a solid control system is risk assessment. Organisations scrutinise their processes and procedures to pinpoint areas of inherent fraud risk, ranking them based on the probability of occurrence and potential impact. The ‘fraud triangle’ is useful in assessing the likelihood of fraud, since it helps identify the three factors that lead to fraud: opportunities, incentives/pressures and rationalisations.

After ranking the risks, appropriate measures are conceptualised to mitigate them, prioritising those risks with a higher likelihood of occurring and a greater impact on the organisation. The risk of management override of controls always remains, but the aim should be to reduce this risk to an acceptably low level.

For instance, a commonly committed fraud is payment fraud. This is done through methods such as creating false customer accounts to generate false payments, altering payee details or self-authorising payments. Critical matters to confirm at this risk-assessment stage include who can create customer accounts and who approves the payments.

Prevention and detection

Two main categories of internal controls can be implemented:

Preventive controls can stop fraud before it starts. It is often less costly to implement preventive controls than to recoup fraud losses after the fraud has occurred. A commonly effective control in many situations is the segregation of duties. This foundational principle ensures that no individual has complete control over any system, preventing the opportunity for abuse. Another effective control is access control, where access to systems and, if applicable, physical places is limited to what is necessary for each individual’s role.

Detective controls uncover fraud if it bypasses preventive measures. Even the most meticulously designed preventive controls are not failsafe, so detective controls are necessary to identify fraud early on and minimise its impact. A focus on ‘what and where things could go wrong’ could be used as a guiding principle in designing these controls. Examples include account reconciliations, reviewing budget-to-actual performance for any unexpected differences and physical counts (such as cash or inventory).

Information and communication

The quality of information is crucial for the effectiveness of internal controls. The characteristics of high-quality information are accuracy, timeliness, relevance and accessibility. This means that the data used to support and monitor internal controls should be free from significant errors or biases. As previously noted, identifying fraud early on will minimise its impact, which heightens the need for information to be delivered to the right people, in a timeframe that is useful for decision-making.

Effective communication is the second pillar of this segment of the internal control framework. It involves ensuring that information flows properly both within the organisation and with external parties. The effectiveness of communication can be gauged by how well information is understood and utilised by its recipients. This is especially important for communications relating to the control environment, as previously discussed.

Monitoring is crucial

The monitoring process involves ongoing monitoring, separate evaluations and corrective measures. The purpose of ongoing monitoring is to ensure that internal controls continue to operate effectively over time, during the normal course of operations. It could involve regular reviews of financial and performance reports that could potentially flag any anomalies.

In contrast, separate evaluations are periodic reviews performed to assess the effectiveness of a specific control. Personnel who are independent of the processes must perform these evaluations so that they provide an objective assessment and help identify areas where controls may need strengthening.

Upon detecting deficiencies, prompt and decisive actions are imperative. This includes disciplinary measures, policy revisions and an updated risk assessment, all aimed at preventing the issue from escalating and recurring.

Essentially, effective monitoring involves a blend of ongoing activities integrated into the business processes and separate periodic evaluations providing an independent perspective on the effectiveness of internal controls.

It is paramount for organisations to meticulously consider and implement strong internal controls. Reframing internal controls as integral to the organisation’s success, rather than supplementary, can foster a culture of security and integrity, which is vital for sustaining success.