As many businesses formalise their hybrid working arrangements, Sarah McGirr, newly appointed Audit Director at Gildernew & Co, shares some useful guidance on the importance of an effective system of internal control, how you can ensure your controls are adequate and proportionate, and some of the signs to watch out for when all may not be well.
A strong system of internal control has long been the cornerstone for good governance within businesses of all sizes, whether that be large global organisations or small owner managed businesses. Whatever the size of the business and indeed whatever the type, strong internal controls are needed to protect the integrity of assets and ensure efficiency of operations. Without a fully functioning internal control system the following areas can each suffer: operational efficiencies, reliability of financial reporting information and compliance with laws and regulations.
With a growing number of local companies having US based parents, the requirements of the Sarbanes-Oxley Act and it’s focus on internal controls is widely understood. The expected introduction of what is being described as UK Sox will further enhance the need for companies of all sizes to consider the design and effectiveness of their own entity level controls. The continuing focus on internal controls is not surprising given recent high profile corporate failures and both the focus and the extent of regulation in the area is expected to be ongoing in the coming years. It is an area therefore that management and owners ignore at their peril.
Definition of a system of internal controls
An internal control system comprises the whole network of systems established in an organisation to provide reasonable assurance that organisational objectives will be achieved. Designing a robust system will take time and resources, however if not designed appropriately, will certainly expose your business to increased risk of operational and financial loss.
Why internal controls
Whilst regulation relating to internal controls mainly sits with larger entities, this does not remove the need for smaller entities to give due attention to the area. Some reasons why internal controls are a necessity for all sizes of organisation include the following:
1. Help to ensure a business meets its objectives
2. Help to ensure the quality of internal and external reporting
3. Assist with compliance with laws and regulations as well as internal policies
4. Help mitigate the risk of fraud and misappropriation of assets
5. Help reduce the likelihood and impact of poor judgement in decision making
6. Help mitigate control processes being deliberately circumvented, human error and risk taking that exceeds the thresholds set by the board.
The benefits of a robust system of internal controls are clear, and whilst it is important to note that a strong system is not a guarantee of success, such a system will provide reasonable assurance that your business will be protected and your objectives will be achieved. Internal controls are needed to ensure that the business has the right systems in place to promote success and a business without sound controls will almost certainly fail.
Examples of internals controls
Before the design process begins it is important to understand the types of internal controls you can implement. Internal controls fall into three broad categories which are examined below.
Detective controls are a type of internal control that help organisations detect errors or irregularities. Detective controls are typically used after the event, to find out what happened and why. Examples include key reconciliations, physical inventory counts, operation of an internal audit function.
Preventative controls on the other hand are used to limit the possibility of an undesirable outcome, therefore are designed and implemented to prevent a control deficiency occurring. Examples include segregation of duties and access controls.
Corrective controls are designed to correct deficiencies that have been detected. Examples include disciplinary action and implementation of new or updated procedures.
The overarching objective is to design and implement key controls that will help protect the financial reporting processes within the business. An ineffective control will result in wasted time and resource.
Some key controls that can help deliver a strong control environment include but are not limited to the following:
1. Segregation of duties
2. Physical controls over assets
3. Regular stock counts
4. IT General Controls
5. Reconciliation of key accounts
6. Spot checks on physical assets e.g. cash counts
7. Bank statements posted or emailed direct to an appropriate individual as well as to company address
8. Reviews at correct level and on a timely basis
If you feel that the control environment in your organisation has either not been designed appropriately or is not being implemented and monitored effectively follow your inner instinct – often you know your business best and will be well placed to identify control deficiencies.
In more serious situations deliberate management override of controls could result due to a weak control environment being taken advantage of. Consider the following factors within the Fraud Triangle: opportunity, incentive and rationalisation. A weak control environment creates the opportunity within this well-known framework which in turn can lead to a breakdown in internal control and fraud being committed within the business.
Warning signs that should not be ignored within any business include the following:
1. Staff members involved in key parts of control processes being reluctant to or not using annual leave
2. Staff members being onsite at unusual times e.g., late evenings, weekends, bank holidays
3. Staff members being reluctant to introduce segregation of duties within a process
4. Lifestyle that is not commensurate with remuneration
5. Reporting information being provided late or not at all
6. Missing documentation
7. Resistance within the team to external audit visit
Often time spent on designing and implementing a fully operational internal control system can be regarded as an inconvenience to the business. Some common myths that exist in relation to internal controls which can encourage this mindset, and which can dissuade the board from implementing and giving adequate time to internal controls include the following:
- only an ‘accounting’ thing
- a waste of ‘useful’ time
- only a box ticking exercise
- only for large businesses
- we don’t need to worry about internal controls because that’s why we have external auditors
Because such misconceptions exist, knowledge sharing is vital to help businesses design an adequate system of internal control and to overcome any feelings that time spent on internal controls is misspent.
While the design and implementation of an internal control system can have its challenges; it is widely recognised that a well designed and robust system creates a sound control environment that will appropriately protect the assets of the business. In today’s world where remote working is commonplace, alongside the threat of workplace fraud and rising occurrence of external fraud; this is certainly an area for management and owners that cannot be ignored or underestimated.
While it is widely recognised that it falls to the board to ensure that the control system in place is robust and effective it is also important to emphasise that it is fundamentally the attitude of management and shareholders to the concept of the control environment which makes or breaks the system. The tone at the top permeates the business and drives good practice throughout all tiers, hence the responsibility of management and owners does not end when the system is designed.
Taking the preventative measures today will allow you to run your business with confidence and will help protect your assets against future threats. Drive the message of a sound control environment through the business and take the appropriate steps to reduce the risk of becoming a casualty in the future.
Posted on September 12, 2022