Key aspects to consider when writing a control

Internal Controls – A Process to Help Ensure Internal Controls are Designed Consistently and Appropriately

• By Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE, PI, and NACD Board Fellow
• April 8, 2021

Developed by: Jonathan T. Marks

The concept of Internal Control appeared as a practice in the USA at the beginning of the 20th century, whereas in the economic literature began to be extensively approached after the ‘50s.

The internal control concept originated in 1949 from the American Institute of Certified Public Accountants (AICPA), with a plan to coordinate organizations’ activities to increase effectiveness in organizational operations (Lakis & Giriunas 2012). Internal controls denote the rules or standards by which the objectives of an organization are attained. Through compliance to the set procedures, the organization ensures that employees implement these standards in an optimistic manner to accomplish the business maximize the competency of the organization (Flair 2017).

Hightower 2009 refers to internal controls as operational procedures and processes to establish efficiency and effectiveness of operations within an organization’s procedures and compliance with applicable laws. Providing an auditors view, Mihaela and lulian 2012 explain that internal controls and procedures form part of an organization’s control system and mention that internal control is not only for accounting purposes but also a system through which people interact with one another. Mihaela and Iulian 2012 stress the importance of an effective leadership plan for the long-term achievement of effective internal controls.

I have realized that many don’t understand what internal controls are or what they are supposed to do. For example, Recently, a twenty-year professional told me that internal control starts with a strong set of policies and procedures. That’s incorrect.  Internal control starts with a strong control environment based on a clear understanding of the business process objectives.  Here are some other inaccuracies –

• Internal controls are Internal Audits or Compliance problems. No, management is the owner of internal controls, and they must be held accountable.
• Internal controls bog down our efforts.  Internal controls should be built into and not onto business processes.
• Strong internal controls prevent fraud. No, Internal controls provide reasonable and not absolute assurance the organization’s objectives will be met!

It’s no secret the regulators continue to scrutinize compliance.  There are many deferred prosecution, non-prosecution, and enforcement releases that hammer companies for poor internal controls. The regulators don’t seem to realize that companies need a methodology to have properly designed internal controls; everyone consistently follows without exception. Many are treating the symptom and not the ROOT CAUSE!

An “internal control” is an action or a process of interlocking activities designed to support the policies and procedures detailing the specific preventive, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or the objective(s).

This, along with CHECKS AND BALANCES that could include continuous monitoring, continuous auditing, and training, reasonably assures:

• The achievement of the process objectives linked to the organization’s objectives
• Operational effectiveness and efficiency
• Reliable (complete and accurate) books and records (financial reporting)
• Compliance with laws, regulations, and policies
• The reduction of risk: fraud, waste, and abuse
• Aids in the decline of process and policy variations leading to more predictive outcomes

• People or the Human in the Loop – no matter how detailed, inclusive, and illustrative the policies and procedures may be over a particular process, there will still be a reliance on people to execute the process steps per the established policies and procedures. There are multiple challenges when it comes to this enemy. First, there is no certainty or confirmation that all team members have been given, read, and understand the process requirements. They may say they know what to do but do not truly grasp all of the process requirements. Second, tenure impacts compliance with policy and procedure requirements in that experienced personnel develop their own techniques to complete a task that may not specifically comply with all process requirements. And lastly, process personnel develop workarounds to expedite the process, which inherently leads to specific policy requirements being excluded. There is a potential for critical, required steps to be skipped during the newly created workaround. In the end, it is critically important that all process team members understand that the policies and procedures are not a guide but a mandatory requirement for department compliance.

• Time – one commodity that can never be purchased is time. When time requirements are altered in a business process, it puts additional pressure on the process personnel to achieve the business objective more quickly. When there is no way to properly execute the process requirements according to the policies and procedures, steps are rushed or even skipped to make the new time requirements to complete assigned tasks. Be aware of the budgeted or allotted time for all required process steps and verify that those requirements are never altered because it will result in a weakened control environment. Be cognizant the policies and procedures were built with specific step requirements that included the associated time needed to complete them effectively. Any alteration in the time requirement usually results in errors or additional rework.

• Judgment – every person has their unique way of executing their job responsibilities which usually develops over time and experience. While, on the one hand, this can be advantageous to a department, it can also be detrimental. Policies and procedures are built specifically with the objective in mind and contain detailed internal and external compliance requirements. When judgment or discretion is allowed into the processing requirements, it weakens the control environment because it usually means that basic (or even critical) processing steps are being inadvertently omitted due to individual judgment. Experience on a team is great, but it will not take the place of process requirements for departmental and regulatory compliance. If a process judgment must be made, ensure there is sufficient documented evidence to explain the reason and the corresponding steps taken to address the process change.

• Workarounds/Overrides – as mentioned in the “people” element included with the enemies of control, workarounds are common within a process as individuals seek ways to expedite their job requirements. In this effort to save time, the process itself may suffer because most self-developed workarounds are bypassing an established control in the policies and procedures. While the result of the process may be correct, often, these workarounds omit critical documentation and verification steps detailed in the established policies and procedures. Discretion and override capabilities should only be placed in the most experienced hands in the department and have strict documentation requirements showing why this particular item deviated from the standard process requirements and detail/document what alternate steps were taken to complete the process.

• Incentives – while incentives are an excellent motivator for anyone, there can be an associated danger that is often overlooked within the ecosystem.   When incentives are linked to the completion of work, there is a greater risk that specific process requirements will not receive the proper attention to detail and will lack the appropriate documentation as outlined in the established policies and procedures. Established process incentives require a detailed monitoring control to ensure that the particular requirements of the incentive are achieved and that no controls were circumvented or overrode to receive the incentive. Believe it or not, when incentives are used, the control environment demands an additional level of checks and balances to ensure performance integrity. All incentive monitoring should be detailed and included in the first line of defense responsibilities.

BACKGROUND

• identification and business partner validation of the key business objective(s)
• review the objective(s) and determine the “true process risks,” which represent the barriers, obstacles, or hurdles to achieving the objective(s)
• if there is no evidence and confirmation of a true process risk, does a control need to be implemented
• research and verify the corresponding laws, rules, regulations, and policies surrounding each identified objective
• identify and obtain all required compliance business documentation as well as the filing date requirements
• discuss and document (flowchart) the process steps from start to finish
• identify and document all corresponding systems utilized in the process requirements as well as current access and edit rules
• identify and obtain examples of all required documentation needed to process a transaction from start to finish
• understand and compile a listing of all process approvers along with their corresponding approval authority and dollar limits (if applicable)
• understand the effect that systems and technology have on a control
• identify all internal and external third parties which could impact the control
• understand the process requirements and corresponding level of risk and exposure

• consider the enemies of a control (See above)
• determine process access and auditability
• ask and determine if the control conforms to the definition

A variety of actions make up a process.  All may have a role in achieving the final result, but only a few are truly critical to the outcome; that is, their absence would make it difficult, if not impossible, to achieve the desired result.  These critical actions are referred to as key or critical controls.  This step focuses on identifying and documenting the key controls in a process.

PROCESS

• select the process stage-gate (critical) steps and determine what, if any, controls are currently in place to ensure all step requirements are met
• verify the current controls address the identified and confirmed true process risks and are not unnecessary process steps
• determine if the current controls meet the five pillars of effective controls (design, build, implement, execute, and report) to deliver the intended outcome
• document any of the five pillars which are missing from the current control environment
• for every identified objective, determine what action(s), aka controls, would be expected in a strong control environment to achieve the desired outcome(s)
• compare the expected strong control environment controls to the current controls and note any differences
• identify the critical process steps which are directly linked to the achievement of the business objectives
• verify “proper” controls are in place for the critical process steps or develop the necessary controls for process efficiency and effectiveness
• consider the enemies of controls (people, time, judgment, workaround, overrides, and incentives) when developing a new control
• determine which type of control(s) would be the most effective and cost-prohibitive (preventive, directive, detective)
• review the control consideration table below for suggested controls and their purpose
• design the new controls based on the process needs and select a sample of transactions to run through the new process
• after control validation, implement the enhanced process controls

VALIDATION

• 30 days after the revised controls have been implemented, select a representative sample, and determine if the process is more efficient, has increased productivity, and/or reduced rework
• analyze each of the revised or newly implemented controls and evaluate their individual performance
• document the selected control tested, the sampling technique, the testing performed, and the results
• determine if the correct type of control was implemented and if any enhancements need to be made
• ensure you consider the control enemies when evaluating the effectiveness of the enhanced control(s)
• document the testing results and conclusion on the overall effectiveness of the new control environment as it directly relates to the achievement of the business objective(s)
• consider implementing a continuous auditing program to validate that the new controls were not only implemented but also adopted by the business team

REPORTING

• document and distribute the control performance summary report
• update the risk assessment (at the individual audit and annual level) documentation related to the validated business unit and processes
• share the results of the review with the appropriate control groups – audit, compliance, enterprise risk management, legal, investigations, business management, the audit committee

CONTROL CONSIDERATIONS

There are undoubtedly many other categories and examples of controls, all of which are necessary to achieve the desired result.  Control models (e.g., COSO, COCO, COBIT) have been developed to focus on the roles controls play in a business environment.  For further information, readers should consult these control frameworks as well as introductory auditing books.

Also, controls can be –

PROACTIVE

Proactive management actions and controls include prevention but go beyond it. Proactive management actions and controls should encourage desirable conditions, events, or outcomes and prevent undesirable errors or irregularities.

DETECTIVE

Detective management actions and controls determine progress toward objectives and identify the actual or potential occurrence of desirable and undesirable conduct, conditions, and events. These controls are the most common type of mitigating or compensating controls.

RESPONSIVE

Responsive management actions and controls do more than correct errors. They help the organization recover from undesirable conduct, events, and conditions; fix identified weaknesses; execute necessary discipline; recognize and reinforce desirable conduct and deter future undesired conduct or conditions.

Lastly, when designing a control, always consider the EcoSystem and your objective(s)!

We hope you find this information useful. I don’t believe guidance like this exists anywhere, and that is why I embarked on developing something useful.

Thoughts and comments are always welcome and appreciated!

Best,

Jonathan T. Marks, CPA, CFF. CFE

Special thanks to Rob Mainardi for your input.

Additonal Information

CONTROL ASSESSMENT PROCESS

Background

In every organization, there are established targets and goals which the executive team designs and documents to direct each business unit team to complete their associated responsibilities for the company to achieve the set targets. To ensure these goals are reached, every business unit must set process and performance objectives for their own teams and have the corresponding controls in place to provide an environment for success and, more importantly, consistency of the work product.

The key to not only achieving these established goals but also generating maximum team performance in the supporting business units is to create a robust control environment. Successful control environments are built on a foundation of internal controls designed to support the business process policies and procedures. The internal controls will ensure the achievement of the business objectives consistently while providing the business teams with a structure, direction, and requirements to complete their daily process activities.

Control Identification

In an effort to develop a robust control environment, there must be a process to evaluate the existence and effectiveness of the controls which are currently in place over each business process. The evaluation of controls, or control assessment, always begins with the business objective(s). The business objective is defined as the purpose or the reason the process was established in the first place. Why was this process created, and what must the process generate consistently to ensure the outcome is correct, timely, and in compliance with any internal/external rules or regulations? While this “objective” approach may seem simple, it is surprising how many individuals, and even teams, have difficulty defining their own process objectives. In any control assessment, the business objective(s) must be clearly identified and defined before any attempt to determine the effectiveness of the corresponding business process.

After identifying, defining, and confirming the business process objective(s), the next step is to document each process step from the beginning to the end of the business process being reviewed. This documented flow allows for a clear and detailed examination of the current controls to determine if they alone will generate the intended outcome. Remember that every process will generate an outcome, but it may not always be the intended one. The individual controls will be dissected to determine if there are sufficient to produce the intended outcome most effectively and efficiently. The only method to validate the existence of proper controls is to select a sample of transactions and follow the current established controls through the process to the outcome and determine how effective the process was at producing the result. If sample transactions produce the intended outcome, then the associated controls can be labeled effective. An additional consideration, other than producing the correct outcome, is to verify that the controls are implemented in such a manner that allows for the process team to navigate the requirements easily. Just because the controls produced the intended outcome does not necessarily mean the process controls are well designed and effective.

Control Assessment

The process to assess the effectiveness of established controls is a five-step evaluation to determine if the current controls are properly (1) designed; (2) developed; (3) implemented; (4) executed; and (5) reported. Each one of these five evaluations has specific requirements to ensure the control not only works effectively but also is linked directly to the achievement of the confirmed process objective. Our assessment breaks down each control into its core components to verify and validate it was designed with consideration of objective achievement in the most efficient manner through the development, implementation, and execution of each step. The fifth element of the control assessment is often overlooked but is just as critical as the previous four. A success factor in every effective control is that there is regular internal reporting and confirmation that the control is doing the job it was designed to do. All processes in all industries should have built-in reporting for their established controls.

Approach

This control assessment process, using the business objective(s) as the foundation, has been validated as the most effective method to confirm that the controls in place are not only focused on delivering the intended outcome of the business objective but also provide the roadmap and validation points for the business process team to be successful consistently.

I look forward to discussing the control assessment evaluation process to provide continual improvement in your operations.

What are considered key controls?

What are the 7 factors to consider in the assessment of controls?

What are the five elements of control?

What are the components of a control?