GRC Tuesdays: Internal Control is Not Only for Listed Companies
In most people’s minds, “internal control” is the set of policies and procedures designed to ensure reliable and accurate financial reporting. From this understanding follows a misconception: that internal control only applies to publicly traded organizations listed on a stock exchange that must file annual financial statements, and that other companies needn’t bother with it.
I think this perception might be a result of the Sarbanes-Oxley Act (SOX), passed in the USA in 2002. Since its inception, this regulation, which focuses on listed organizations, has been one of the most widely discussed corporate governance regulations and has spawned many local versions: C-SOX, K-SOX, J-SOX, and many more!
In some countries, private companies are not required to disclose financial information to the public, so many leaders of mid-size organizations believe that they don’t need to invest time and effort in internal control topics.
But this is far from being a general rule.
In Europe, for instance, the financial disclosure requirement depends on the company’s legal structure: “Companies with limited liability doing business in the EU, whatever their size, have to prepare annual financial statements and file them with the relevant national business register”. Failing to file them usually exposes the company to a fine.
In Australia, “Annual financial statements must be prepared by all entities except small proprietary companies”, so the exemption only covers unlisted proprietary companies with revenue below AU$10 million (or assets below AU$5 million) and fewer than 50 employees. Note that these size thresholds are revised periodically, so check the current Corporations Act figures before relying on them.
As a result, internal control’s role as the Cerberus guarding the processes behind reliable and accurate financial reporting is still very much required in many geographies, even for non-listed companies.
But internal control is much more than compliance. It’s the cornerstone of corporate governance and can protect the organizations from a wide range of risks: operational, reputation, legal, financial, etc.
Personally, I very much like COSO’s definition of internal control: “a process […] designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance”. As you can see, this definition puts “achievement of objectives”, which is ultimately every company’s goal, at the core of the internal control process.
What else does internal control do?
In addition to complying with multiple regulations, most companies also have internal initiatives they want to track, including preparing for future regulatory requirements (ESG, anyone?).
Well-designed controls can address multiple obligations at the same time, so they can also be used, without additional effort, to track progress on non-mandatory initiatives that are still important to the business.
And it can go much further. I think the best summary here is a quote from PwC: “Internal control gets to the heart of knowing how your business is being run”.
Internal control is the perfect red-light camera for business processes: it checks every step of a process and flashes any discrepancy that prevents the company from functioning effectively.
A few examples:
Detecting errors or misconduct, including fraudulent behaviour: for example by checking invoice payments and customer credit patterns to prevent duplicate or excessive instances. Think this doesn’t apply to small companies? Analyst reports indicate that companies with fewer than 100 employees have actually lost more money per fraud incident than companies with more than 10,000 employees. As a matter of fact, according to the Association of Certified Fraud Examiners (ACFE) 2018 report on fraud in small business: 29% of small businesses face risk from billing schemes, 22% from check payment and tampering, 21% from expense reimbursements, 20% from skimming, and 16% from financial statement fraud.
Safeguarding assets, including digital ones: by monitoring physical access to sites and IT systems, but also configuration changes, and by ensuring proper use of company assets. Just think of a consistent check that all data on returned devices has been wiped, and the wipe recorded, before the devices are disposed of. If not, imagine the data they hold and what could happen if they fall into the wrong hands…
Improving operational efficiency: as mentioned earlier, by simply “flashing” process violations this red-light camera surfaces issues and confirms that corrections are working. Audit can of course do this too, but audit does not then monitor the resolution on a continuous basis. Internal control does!
Encouraging good behaviour: codes of conduct, business practices, training and permits are all integral parts of an internal control framework, even if many companies don’t realize this. They define what is not tolerated (and what is recorded as a deficiency), so there is no room for ambiguity, de facto creating a virtuous cycle of good behaviour. As a supporting argument, an LRN Benchmark of Ethical Culture indicates that “Companies with the strongest ethical cultures outperform —by approximately 40%—across all measures of business performance, including levels of customer satisfaction, employee loyalty, innovation, adaptability, and growth”.
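The first example above, checking invoice payments for duplicates, is the kind of control that can run as a scheduled script over the payment ledger. The following is an added example in Python, not code from the original post or from any product it refers to: it applies two rules over a small constructed ledger, flagging payments to the same vendor that share a normalized invoice number, and payments to the same vendor for the same amount within a short window. The vendor names, record fields and the 30-day window are assumptions made for the example.

```python
"""Duplicate-payment detection over a constructed invoice ledger (added example)."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample ledger: vendors, invoice numbers and amounts are made up.
INVOICES = [
    {"id": "P-1", "vendor": "Acme Ltd", "invoice_no": "INV-1001", "amount": 1250.00, "paid": date(2023, 3, 2)},
    {"id": "P-2", "vendor": "acme ltd", "invoice_no": "inv 1001", "amount": 1250.00, "paid": date(2023, 3, 9)},   # same invoice, re-keyed
    {"id": "P-3", "vendor": "Acme Ltd", "invoice_no": "INV-1002", "amount": 1250.00, "paid": date(2023, 3, 10)},  # genuine second invoice, same amount
    {"id": "P-4", "vendor": "Globex",   "invoice_no": "7781",     "amount": 980.50,  "paid": date(2023, 3, 4)},
    {"id": "P-5", "vendor": "Globex",   "invoice_no": "7781",     "amount": 980.50,  "paid": date(2023, 5, 1)},   # exact duplicate, 58 days later
    {"id": "P-6", "vendor": "Initech",  "invoice_no": "A-9",      "amount": 300.00,  "paid": date(2023, 3, 5)},
]


def normalize_invoice_no(text):
    """Collapse case, spaces and punctuation so 'INV-1001' and 'inv 1001' compare equal."""
    return re.sub(r"[^0-9a-z]", "", text.lower())


def normalize_vendor(text):
    """Case-fold and collapse whitespace in the vendor name."""
    return " ".join(text.lower().split())


def find_duplicate_payments(invoices, window_days=30):
    """Return (earlier_payment_id, later_payment_id, reason) tuples.

    Rule 1: same vendor and same normalized invoice number, regardless of date.
    Rule 2: same vendor and same amount within window_days, with different invoice numbers.
    """
    findings = []

    # Rule 1: group by (vendor, invoice number); every payment after the first is a duplicate.
    by_invoice = defaultdict(list)
    for inv in invoices:
        by_invoice[(normalize_vendor(inv["vendor"]), normalize_invoice_no(inv["invoice_no"]))].append(inv)
    for group in by_invoice.values():
        group.sort(key=lambda i: i["paid"])
        first = group[0]
        for later in group[1:]:
            findings.append((first["id"], later["id"], "same vendor and invoice number"))

    # Rule 2: group by (vendor, amount); flag pairs paid close together under different invoice numbers.
    by_amount = defaultdict(list)
    for inv in invoices:
        by_amount[(normalize_vendor(inv["vendor"]), round(inv["amount"], 2))].append(inv)
    for group in by_amount.values():
        group.sort(key=lambda i: i["paid"])
        for idx, earlier in enumerate(group):
            for later in group[idx + 1:]:
                if normalize_invoice_no(earlier["invoice_no"]) == normalize_invoice_no(later["invoice_no"]):
                    continue  # already reported by rule 1
                if (later["paid"] - earlier["paid"]).days <= window_days:
                    findings.append((earlier["id"], later["id"],
                                     f"same vendor and amount within {window_days} days"))
    return findings


if __name__ == "__main__":
    for earlier, later, reason in find_duplicate_payments(INVOICES):
        print(f"{earlier} -> {later}: {reason}")
```

In the sample, P-3 is a genuine second invoice for the same amount, so rule 2 still flags it for review; that over-reporting is the usual trade-off a duplicate-payment control makes, since it raises items for a person to clear rather than blocking payments outright. Rule 1 has no window on purpose: a re-keyed invoice paid months later is exactly the case a detective control should catch.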
And then there is the strategic decision angle: as a business leader, are you really willing to make an investment decision based on unreliable financial information? That sounds like going to the casino and betting that today is going to be your day!
So, when is the best time to start?
Regardless of company size and even if you are not listed or filing for IPO, if you are serious about the sustained success of your company, I would say: now is the time to start!
And if you think this is an impossible task, that’s simply not true: nimble solutions and options exist that can get you on track rapidly.
With embedded automated capabilities and available content, you could even start monitoring the most critical processes without additional dedicated resources.
For some extra reading, I would suggest having a look at the blogs listed below:
- GRC Tuesdays: Fast Track Your Internal Control Project
- GRC Tuesdays: Governance, Risk, and Compliance as an Enabler to a Successful IPO
Where to start?
Personally, I would suggest looking at the major risks for your business, or where peers in your industry have experienced the most issues, and then start with the controls that monitor these areas. Progressively, you can then expand to more areas and activate more controls.
A typical area in this respect is IT. IT is at the heart of most, if not all, organisational processes today, either as a support or as an enabler, and represents a significant source of risk: operational shutdowns, data breaches, etc. So why not start there?
In every organization, and even more so in smaller ones, compliance culture and the adoption of new initiatives reflect the tone at the top. If internal control is seen as a waste of time and effort by top management, especially the owner, then there is a very slim chance that employees will dedicate time to ensuring that the controls are applied.
As a result, if you decide to embark on an internal control path, constant communication is a must.
Management needs to explain what is being done, rather than simply monitoring employees, and, for all the reasons mentioned above, it also needs to highlight the benefits it expects. And if you are looking for examples of gains that can be achieved, have a look at GRC Tuesdays: Building The Case For Your Internal Control and Compliance Solution.
What about you, how does your company communicate on its internal control process internally: as a necessary evil or a business enabler? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard