This article was updated in December 2019.
Internal control isn’t an all-or-nothing proposition. Just a handful of foundational controls can significantly improve an organization’s risk management and the reliability of its financial data. The difficulty lies in knowing which controls have the greatest impact—and how to strengthen them.
Defining Effective Controls
Many control frameworks exist that attempt to define what good internal control looks like. The most recognizable and trusted of these is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework. It defines the underlying principles of an effective system of internal control over the following:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
To do this, COSO established five internal control domains, 17 principles, and over 80 points of focus. The framework is a comprehensive and robust resource for establishing internal control; however, its complexity can limit its utility in some cases.
It’s not uncommon for small to mid-sized organizations to dismiss the COSO framework as something for large public companies. Those that do attempt to implement the framework often get lost in the details and forget its purpose. However, selectively applying some of COSO’s foundational controls is often beneficial for most organizations, no matter what their size.
Most organizations don’t need to implement the entire COSO framework to significantly improve their internal control environment. Prioritizing just four foundational controls can have an outsized impact on risk management:
- Segregation of duties
- Reporting hotlines
- Account reconciliations
- Budget-variance analyses
It’s usually one of these controls that either detects an internal control problem, such as fraud or a financial misstatement, or is deficient, which allows a problem to occur.
From a cost-to-benefit perspective, these controls accrue a significant risk mitigation benefit for relatively little cost. This is because they address a wide range of potential risks when compared to more transactional, process-level controls and allow other complementary controls to work effectively.
Segregation of Duties
Problems, such as fraud, material misstatement, and financial statement manipulation, have an increased potential to arise when the same individual is allowed to execute two or more conflicting sensitive transactions. These types of transactions drive processes with the potential to impact a company’s:
- Financial statements
- Operational activities
- Market reputation
Segregation of duties (SOD) divides these transactions between personnel to help avoid conflicts of interest. In practice, SOD is usually synonymous with IT-system access rights because the majority of critical functions are performed through the enterprise system. Granting one person access to conflicting functions represents a very real risk to the business, and managing that risk in a pragmatic, effective way is more difficult than it may seem.
The complexity of today’s enterprise systems leaves many companies struggling with implementing and maintaining effective SOD. These are some of the most common pitfalls experienced by IT, internal audit, and finance departments:
Enterprise System Security Complexity
Enterprise resource planning (ERP) systems often rely on role-based security. Theoretically, this simplifies security administration, but the design of roles is often inappropriate. The risk is compounded by the fact that there’s frequently more than one way to perform a function or access data within an ERP system.
It’s often unclear who’s responsible for determining appropriate SOD. An IT department often does the technical administration, such as granting, removing, and changing access, but it’s the business itself that defines what’s appropriate. Because SOD requires technical and policy coordination, it can often fall through the cracks at the executive level.
Best-of-Breed Enterprise Environments
Some organizations use multiple ERP systems designed for specific purposes rather than one integrated system. This is known as a best-of-breed system because it uses the most specialized systems available for each business process. This scenario creates additional risk because it makes it more difficult to assess inappropriate access across unconnected systems.
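The two pitfalls above (more than one way to reach a function inside an ERP, and conflicting access split across unconnected best-of-breed systems) are what a practical SOD check has to handle. The following is an added example, not code from the original article or from Moss Adams: it normalizes every transaction code in every system to a business function, then looks for users who hold a conflicting pair no matter which path or which system grants each side. The system names, role names, transaction codes and conflict matrix are constructed for illustration and are not real ERP identifiers.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data. Assumption: each system can export role-to-transaction
# and user-to-role assignments; the system names, role names and transaction
# codes below are illustrative, not real ERP identifiers.

# A business function is often reachable through more than one transaction code,
# so every code is normalized to one function name before conflicts are checked.
TRANSACTION_TO_FUNCTION = {
    "erp": {
        "VND01": "create_vendor", "VND_MASS": "create_vendor",
        "PAY10": "approve_payment", "PAY_BATCH": "approve_payment",
        "GL05": "post_journal", "GL_REV": "post_journal",
        "RPT01": "view_reports",
    },
    "ap_tool": {
        "ap.vendor.new": "create_vendor",
        "ap.invoice.release": "approve_payment",
        "ap.report": "view_reports",
    },
}

# Minimal SOD conflict matrix: unordered pairs of functions one person must not hold.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_payment"}),
}

ROLE_TRANSACTIONS = {
    ("erp", "AP_CLERK"): {"VND01", "RPT01"},
    ("erp", "AP_MANAGER"): {"PAY10", "RPT01"},
    ("erp", "GL_CLOSE"): {"GL_REV"},         # alternate path to post_journal
    ("erp", "PAY_RUN"): {"PAY_BATCH"},       # alternate path to approve_payment
    ("ap_tool", "VENDOR_ADMIN"): {"ap.vendor.new"},
    ("ap_tool", "READ_ONLY"): {"ap.report"},
}

USER_ROLES = {
    "alice": {("erp", "AP_CLERK"), ("ap_tool", "READ_ONLY")},       # no conflict
    "bob":   {("erp", "AP_MANAGER"), ("ap_tool", "VENDOR_ADMIN")},  # conflict across two systems
    "carol": {("erp", "GL_CLOSE"), ("erp", "PAY_RUN")},             # conflict via alternate codes
}


def functions_for_user(user):
    """Map a user to every business function they can perform and the
    (system, role, transaction) path that grants it, for audit evidence."""
    paths = defaultdict(set)
    for system, role in USER_ROLES.get(user, ()):
        for tcode in ROLE_TRANSACTIONS.get((system, role), ()):
            func = TRANSACTION_TO_FUNCTION[system].get(tcode)
            if func:
                paths[func].add((system, role, tcode))
    return dict(paths)


def find_sod_violations():
    """Return one record per user and conflicting function pair, noting whether
    the conflict only exists when access across systems is combined."""
    violations = []
    for user in sorted(USER_ROLES):
        paths = functions_for_user(user)
        for a, b in combinations(sorted(paths), 2):
            if frozenset({a, b}) in CONFLICTS:
                systems = {system for system, _, _ in paths[a] | paths[b]}
                violations.append({
                    "user": user,
                    "conflict": (a, b),
                    "cross_system": len(systems) > 1,
                    "paths": {a: sorted(paths[a]), b: sorted(paths[b])},
                })
    return violations


if __name__ == "__main__":
    for v in find_sod_violations():
        scope = "cross-system" if v["cross_system"] else "single-system"
        print(f"{v['user']}: {v['conflict'][0]} + {v['conflict'][1]} ({scope})")
        for func, grants in v["paths"].items():
            print(f"    {func} via {grants}")
```

Two design points matter for a real deployment: the conflict matrix is owned by the business, not IT (it is the policy half of the coordination the article describes), and the output records the granting path, so that the reviewer can see whether a violation comes from a badly designed role or from a legitimate role combination that needs a compensating control.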
To learn more, read our segregation of duties Insight.
Account Reconciliations
Using two different sets of documentation to verify that figures are accurate and aligned can validate even the most complex transaction. This process, known as account reconciliation, is usually done by comparing the general ledger balance for a specific balance sheet account with supporting documentation of what the balance should be.
Depending on the nature of the balance-sheet account being verified, the supporting documentation can include the following items:
- External data
- An analytically developed expectation
- A subledger
- Another internal database
Using this data, organizations can analyze the valuations, calculations, application of accounting principles, and other variables that may exist around a particular transaction, helping to avoid financial misstatements and improve balance sheet integrity.
Most organizations do some form of account reconciliation but not all of them work to make their reconciliations as effective as possible. These are some of the most common challenges faced by accounting teams:
Incomplete Coverage
Many organizations only reconcile accounts they view as important. However, this approach usually misses a common error that arises when a journal entry is posted to the wrong account. Balance sheet integrity can only be achieved by reconciling every balance sheet account.
Absence of a Risk-Based Approach
Not all reconciliations are equal. Some accounts are more complex, high volume, and prone to error while other accounts may present lower risk. Understanding the difference between high- and low-risk accounts and developing appropriate reconciliation procedures for each of them is essential for avoiding errors in the reconciliation process.
No Clear Accountability
For the process to be successful, reconciliations need to be done completely, correctly, and quickly enough to catch errors before financial misstatements occur. Many organizations neglect to clarify who’s responsible for ensuring this happens. Developing a formal reconciliation calendar can help drive the process by designating who’s doing what and when they’re supposed to do it and by setting clear quality control procedures.
Lack of Standardization
Just as there needs to be clarity around which accounts are being reconciled, when, and by whom, it also needs to be made clear how that’s going to happen. Without putting quality standards in place, many organizations perform reconciliations without consistency.
Everyone involved with the reconciliation process should know the following:
- What’s the expected supporting data
- What’s considered an exception for follow up
- How those follow ups and their resolutions should be evidenced
Implicit in the standardization issue above is the assumption that those reconciling the accounts understand the purpose, risks, and relevant US generally accepted accounting principles (GAAP). This understanding is critical in designing the reconciliation procedures and for appropriately identifying, researching, and resolving potential exceptions.
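The reconciliation pitfalls above (partial coverage, no risk-based tolerances, no standard definition of an exception) can be made concrete in code. The following is an added example, not code from the original article or from Moss Adams: it reconciles a constructed trial balance against per-account supporting balances, applies a tolerance that depends on the account's risk rating, and shows why reconciling only the "important" account misses a journal entry posted to the wrong account, whose signature is an equal-and-opposite difference in two other accounts. The account names, amounts, risk ratings and tolerances are all constructed.

```python
from decimal import Decimal
from itertools import combinations

# Constructed sample data. Assumption: signed trial-balance amounts (debit
# balances positive, credit balances negative) and one supporting balance per
# account from a subledger, bank statement or analytical expectation.
GL_BALANCES = {
    "1000 Cash":          Decimal("250000.00"),
    "1200 AR":            Decimal("181500.00"),
    "2000 AP":            Decimal("-95500.00"),
    "2150 Accrued Liab":  Decimal("-12500.00"),
}
SUPPORT = {
    "1000 Cash":          Decimal("250000.00"),   # bank statement
    "1200 AR":            Decimal("180000.00"),   # AR subledger
    "2000 AP":            Decimal("-94000.00"),   # AP subledger
    "2150 Accrued Liab":  Decimal("-12300.00"),   # analytical expectation
}

# Risk-based tolerances: high-risk accounts must tie exactly, low-risk
# accounts may carry a small unexplained difference before follow-up is required.
ACCOUNT_RISK = {"1000 Cash": "high", "1200 AR": "high",
                "2000 AP": "high", "2150 Accrued Liab": "low"}
TOLERANCE = {"high": Decimal("0.00"), "low": Decimal("500.00")}


def reconcile(accounts=None):
    """Compare GL to support for the given accounts (default: every account)
    and mark exceptions that exceed the account's risk-based tolerance."""
    accounts = sorted(GL_BALANCES) if accounts is None else sorted(accounts)
    results = []
    for acct in accounts:
        diff = GL_BALANCES[acct] - SUPPORT[acct]
        risk = ACCOUNT_RISK[acct]
        results.append({
            "account": acct,
            "gl": GL_BALANCES[acct],
            "support": SUPPORT[acct],
            "difference": diff,
            "risk": risk,
            "exception": abs(diff) > TOLERANCE[risk],
        })
    return results


def exceptions(results):
    """Accounts that need documented follow-up."""
    return [r["account"] for r in results if r["exception"]]


def offsetting_pairs(results):
    """Two accounts whose differences are equal and opposite are the signature
    of a journal entry posted to the wrong account. The pair is only visible
    when both accounts are in the reconciliation population."""
    diffs = [(r["account"], r["difference"]) for r in results if r["difference"] != 0]
    return [(a, b) for (a, da), (b, db) in combinations(diffs, 2) if da + db == 0]


if __name__ == "__main__":
    full = reconcile()
    for r in full:
        flag = "EXCEPTION" if r["exception"] else "ok"
        print(f"{r['account']:<20} GL {r['gl']:>12} support {r['support']:>12} "
              f"diff {r['difference']:>10} [{r['risk']}] {flag}")
    print("Likely mispostings:", offsetting_pairs(full))
    # Reconciling only the 'important' cash account finds nothing at all.
    print("Cash-only exceptions:", exceptions(reconcile(["1000 Cash"])))
```

Run against the full population, AR and AP are both exceptions and their differences cancel, which points directly at a misposted entry; run against cash alone, the control reports a clean close. The tolerance table is the place where the risk-based approach and the standard definition of an exception live, and both should be set by whoever owns the reconciliation calendar rather than left to each preparer.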
Reporting Hotlines
A 2013 National Business Ethics Survey revealed that around 41% of all employees in the United States have witnessed misconduct that violates their organization’s ethics standards or the law. Organizations can greatly increase the likelihood of discovering misconduct by encouraging employees to flag potential acts of impropriety through a reporting hotline.
Such hotlines are typically dedicated phone numbers, websites, or both that are administered by a third party and allow for anonymous reports. This helps prevent the fear of retaliation from stopping employees or third-party vendors from making reports.
Reporting hotlines are often viewed as a function of the human resources department—a compliance box to check—which makes the control far less effective. These are some of the most common reasons why this happens:
Lack of Stakeholder Buy In
If a hotline is viewed as an administrative compliance activity or, worse, viewed as a nuisance or threat by senior management, it will never be an effective internal control—because it won’t be made a priority.
Ambiguity of Appropriate Use
Senior stakeholder skepticism of a reporting hotline often results in part from employees misunderstanding what the hotline is for. When employees aren’t trained on the appropriate use of a hotline and don’t understand the circumstances that would warrant a report, a hotline is often used as a mechanism to air grievances that aren’t necessarily ethical or compliance issues.
Lack of Credibility
If employees don’t view a hotline as anonymous or if they believe reports aren’t taken seriously, the utility of the control drops off significantly. For this reason, a defined reporting process should be documented and periodically communicated with employees.
Lack of Accessibility
A reporting hotline that’s buried in a company code of conduct policy or that’s difficult to use won’t be effective. This is a frequent symptom of a compliance-focused process. For a hotline to be effective, it needs to be easy to use and employees need to be trained how to make a report.
Ineffective Report Resolution
Resolution of potential issues is ultimately the purpose of a reporting hotline. If an organization implements a hotline without thinking through the resolution process, such as who reports go to and who’s responsible for following up on them, the effectiveness of the hotline quickly diminishes. Employees may also sense this lack of follow through and interpret it as an absence of credible support for the program.
Budget Variance Analyses
Typically conducted at the financial statement line item or account level, a budget variance analysis (BVA) is a periodic investigation of the difference between actual results and the expected results of a balance sheet based on a budget.
This type of analysis can often identify errors that would otherwise be missed by more mechanistic transactional control activities because patterns between interrelated accounts and business processes can be more easily assessed.
Most organizations perform some sort of financial variance analysis, but a few critical factors can significantly change the effectiveness of the control. These are some of the most common BVA roadblocks:
Inaccurate Budget Amounts
A variance between a budget and the actual balance sheet amount can result from a change from expectations or from an inaccurate budgeted amount. By their nature, budgets are estimates. Taking the time to understand the underlying drivers of a budgeted amount can drastically improve the effectiveness of a BVA.
Lack of Analysis Thresholds
Establishing what level of precision is required and what circumstances trigger additional follow up during a BVA is essential to making the process an effective control. Otherwise, variances that should probably be analyzed may not be, or time may be spent following up on a variance that isn’t a risk. Many organizations choose to define these thresholds in terms of absolute dollars and percentage of account balance.
Even with established thresholds, an effective BVA requires the control performer to understand the business context behind the financials and to think critically about how changes in the business should manifest. If sales are below budget, for example, sales commissions should also be lower.
Understanding offsetting variances and disaggregating data is also important. If data isn’t disaggregated, it’s possible to have offsetting variances that mask material changes to the balance sheet. Accounts are also sometimes an aggregation of different transaction types, which may have different expectations and potential errors.
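The three points above (dollar-and-percentage thresholds, business-context checks such as commissions following sales, and disaggregation to expose offsetting variances) are easiest to see on numbers. The following is an added example, not code from the original article or from Moss Adams. It assumes a threshold rule of "exceeds both the absolute-dollar and the percentage limit", which is one common choice and not the only one, and uses constructed budget and actual figures in which an account-level view shows no sales variance at all while the disaggregated view shows two large offsetting ones.

```python
from decimal import Decimal

# Thresholds (assumption: a variance is followed up only when it exceeds BOTH
# the absolute-dollar and the percentage threshold, which keeps small accounts
# from generating noise; organizations choose their own values).
ABS_THRESHOLD = Decimal("10000")
PCT_THRESHOLD = Decimal("0.05")

# Constructed budget vs. actual data, kept at the transaction-type level so it
# can be analyzed either aggregated by account or disaggregated.
LINES = [
    # (account, transaction type, budget, actual)
    ("4000 Sales",       "product", Decimal("1000000"), Decimal("900000")),
    ("4000 Sales",       "service", Decimal("200000"),  Decimal("300000")),
    ("6100 Commissions", "product", Decimal("50000"),   Decimal("54000")),
    ("6100 Commissions", "service", Decimal("10000"),   Decimal("15000")),
    ("6200 Rent",        "fixed",   Decimal("120000"),  Decimal("121000")),
]


def _totals(level):
    """Sum budget and actual at the requested level ('account' or 'type')."""
    totals = {}
    for acct, ttype, budget, actual in LINES:
        key = acct if level == "account" else (acct, ttype)
        b, a = totals.get(key, (Decimal("0"), Decimal("0")))
        totals[key] = (b + budget, a + actual)
    return totals


def variances(level="account"):
    """Compute variance and percentage per key and apply the thresholds."""
    out = []
    for key, (budget, actual) in _totals(level).items():
        var = actual - budget
        pct = var / budget if budget else Decimal("0")
        out.append({
            "key": key, "budget": budget, "actual": actual,
            "variance": var, "pct": pct,
            "flagged": abs(var) >= ABS_THRESHOLD and abs(pct) >= PCT_THRESHOLD,
        })
    return out


def relationship_check(driver, dependent):
    """Business-context check: a dependent account's variance should move in the
    same direction as its driver (e.g. commissions follow sales). Returns the
    transaction types where the two move in opposite directions."""
    by_type = {v["key"]: v for v in variances("type")}
    mismatches = []
    for (acct, ttype), v in by_type.items():
        if acct != driver:
            continue
        dep = by_type.get((dependent, ttype))
        if dep is not None and v["variance"] * dep["variance"] < 0:
            mismatches.append((ttype, v["variance"], dep["variance"]))
    return mismatches


if __name__ == "__main__":
    for level in ("account", "type"):
        print(f"--- {level} level ---")
        for v in variances(level):
            flag = "FOLLOW UP" if v["flagged"] else ""
            print(f"{str(v['key']):<32} var {v['variance']:>9} ({v['pct']:.1%}) {flag}")
    print("Direction mismatches sales -> commissions:",
          relationship_check("4000 Sales", "6100 Commissions"))
```

At the account level the sales variance is zero and commissions are under the dollar threshold, so a purely mechanical review would stop there. Disaggregating flags product sales (down 10%) and service sales (up 50%), and the relationship check reports that product commissions rose while product sales fell, which is exactly the kind of inconsistency the control performer is expected to question.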
Lack of Documentation
A reviewer of a BVA can easily understand whether an analysis was performed completely, accurately, and thoroughly if the process is well documented. This generally includes documenting what was found as well as the resolutions of the investigated variances. The need for documentation is increased if the control is relevant for compliance purposes, such as Sarbanes–Oxley or International Organization for Standardization processes.
Implementing the entire COSO framework isn’t practical or even necessary for most organizations. However, enlisting the help of an experienced internal controls professional who understands its complexities can help your organization prioritize its foundational controls and implement meaningful process changes faster and more efficiently.
We’re Here to Help
To learn more about foundational controls and risk mitigation, contact your Moss Adams professional.