Internal Controls – a step towards strong controls
In this article I take a look at the importance of good internal controls and how automating those controls can streamline your business and help you catch the exceptions to the rule. Please also see my other document regarding Defining Mitigating Controls / Compensating Controls.
Almost every problem that a company confronts can be traced back to a lack of good internal controls. Good internal controls mean that you know what is going on in your business. The definitions of the key business processes are different from each company and therefore it is necessary to understand how these processes run. Strong internal controls can also help you monitor and reduce risks. Internal controls are really the essence of good governance, taking a policy and translation it into details of day-to-day business practice.
First of all it is important to understand internal controls in general. Internal controls may mean different things to different people. Let me give you an idea what internal controls mean to me and how such controls can be defined. Controls encompass all the actions, processes or physical barriers that direct or guide a resource to achieve a desired result. Often they prevent, detect or correct risks from becoming barriers to success. Here are some different types of controls:
- Preventative controls – these controls prevent a bad event from happening.
- Detective controls – these controls determine whether a bad event has already happened.
- Corrective controls – these controls come into play once a problem is discovered.
The adoption of good internal controls in order to become SOX (or regulation) compliant is a top-down process that starts with management. Management recognizes that the regulations exist and cannot be ignored. They select a team to define how the regulations will be implemented as controls in the company. Control owners and business process owners work out how to incorporate these regulations into the business through automated controls.
After the controls were implemented they help close off avenues of risks. Companies may then enjoy such happy side-effects as preventing unintentional errors, improving efficiency and keeping auditors smiling.
As mentioned internal controls deliver a happy side-effect as they offer some benefits to companies. Each company has their own processes to handle different business scenarios. These processes contain risks which are barriers to success and avenues for fraud and negligence. Hence companies must have strong internal controls to avoid their occurrence. Nowadays, with the compliance requirements of regulations such as SOX (Sarbanes-Oxley Act), companies are trying to be more proactive about their controls. Being more proactive about controls requires effort and input, but also has many benefits.
From my point of view a company has four main benefits with the implementation of strong internal controls. Let me shortly give you an overview of these four:
Business process improvement – as a nice side effect of implementing strong internal controls is the improvement of business processes. While taking a close look at the business processes, companies often find potential to make them more efficient and streamlined. It gives companies a chance to examine their processes closely and to recap how other companies or how best practise works.
Management by exception – By establishing a norm companies learn to manage by exception. e.g. a dedicated process works this way and when it doesn’t, a control will alert us. Controls start to function as a barometer of how things are operating in the company and give an early warning of how things could go awry, or an indication of trends. Controls can also flag how companies need to change or improve their processes. If companies don’t continue to assess their controls and respond to the changes that controls indicate are necessary, they could be considered negligent.
Real time monitoring – automated internal controls are like traffic cops. They prevent accidents (by directing the flow of traffic), detect accidents (by listening to the radio) and clean up after accidents (removing damaged cards and calling an ambulance to take the injured to hospital). Like traffic cops, automated internal controls can be on duty 24 hours a day, seven days a week, monitoring both past activity and activity taking place in real time.
Mindset changes – Implementing automated controls requires more than changes to software. Doing so also requires a mindset change. Management commits to a code of ethics and to a new control consciousness, but they also have to ensure that this filters down throughout the company.
I hope this article helps you to understand why strong internal controls are highly recommended and necessary for all companies. I am looking forward to your feedback and input.