By Andy Burrows
[First published 15th April 2017]
Internal control is often seen as a boring subject. It conjures up visions of bureaucracy, paperwork, inspection teams with checklists, things which slow the business down. But, as I have said elsewhere, “Saying that internal control is boring in business is like a train driver saying that tracks and signals are boring.”
Over the course of this series, I’ve been looking at activities within the remit of the CFO from what I’m calling a “purpose-driven” perspective. I’m trying to investigate whether examining, and being explicit about, the reasons why we do things, actually changes or influences the way we do them. If you haven't seen it already, please take a look at the introductory article that explains the thinking behind the approach: The Purpose-Driven CFO Part 1: Why Be Purpose-Driven. That, fittingly, tells you why I’m asking the ‘why’ questions!
With internal control, I can predict with some degree of confidence that this article isn’t going to get as many views as the others. And even if you’ve read to this point, you’ll already be getting twitchy, wondering whether you’re interested in going further. Sarbanes-Oxley has a lot to answer for!
So, to give you a flavour, let me tell you that I’m going to argue that internal control is very much part of business performance management. And therefore, internal control is something that Finance should be very interested in, because Finance exists to drive business performance. It also means that the detail of controls, internal audits, etc, should be carefully considered to ensure that they add value.
So, first, what is internal control? The definition in Wikipedia says that it is “a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.”
But rather than stick with the textbook, let’s bring this to life. Think of driving your car, or go back to my train driver analogy. The tracks make sure that the train keeps moving in the right direction. The signals and points ensure that trains don’t collide with each other, which you could consider a bit of a risk!
In business, controls are there to make sure that you do things properly. And why should we do things properly? Because doing things properly reduces the risk of losing money.
For example, if you don’t invoice all your customers, you will lose money. So, you need controls to ensure that all your customers get billed the right amounts at the right times. In my business, because I tend to invoice once a week, my control is my calendar, where I record the time spent with clients and set automated reminders to do the invoicing.
And it does get more complex in bigger businesses, involving more people, more diverse systems and larger transaction volumes. Transactions may go astray, or get miscoded, either due to system bugs or people’s mistakes. The risk of fraud or unauthorised transactions increases with the number of people you employ. So, you have checklists, documents (like purchase orders, requisitions, approval forms, etc), signatures, authority levels, separation of duties, reviews, reconciliations, and IT interface controls like check digits and automated warning messages when data transfer fails.
Second, people often get confused about who is responsible for control. Sometimes there is the impression that it is the responsibility of Finance to operate all controls. That’s probably because we deal with auditors and do quite a bit with accounting and financial controls (like reconciliations, approvals and segregation of duties).
But it doesn’t take much reasoning to make it clear that practically everyone in a business operates controls. And every manager has a responsibility to make sure things are done properly and their team meets their objectives. That is control. Managers have various formal and informal ways of doing this, but it’s still control. It’s everyone’s responsibility.
By now the answer to our why question is emerging. Controls, speaking generally, are put in place to reduce the risk of things going wrong. Because when things go wrong we risk losing money. The purpose of control is to mitigate risk. Internal control is part of the risk management framework.
That much (as seems to be the case with many of our “purpose-driven” discussions) is probably obvious.
However, the implications need to be drawn out.
And the first one is this: If risk management and control is all about protecting the business from losing money, then, put positively, it’s all about protecting the performance of the business.
And Finance, as I’ve argued before, is the bastion of business performance. We not only record and report on the financial performance of the business. We help the business to put in place processes within a framework that drives better performance.
So, we have to see the risk management and internal control framework as part of our business performance management framework. In managing performance, we simply can’t ignore the risks and threats that may undermine performance.
What I’m saying is that, whilst operating and implementing controls is the responsibility of every manager within their departments, Finance has a big interest in ensuring that controls are effective across the whole business.
And the implication of that is that internal control and risk management should not be side-lined. It’s not something that can be shoved into the remit of Internal Audit and forgotten about. The Finance Business Partners and FP&A specialists, the Financial Reporting accountants, the Finance Ops teams, all have a part to play in ensuring effective control and risk management within the business. Even in Finance it’s tempting to dismiss and denigrate Internal Audit and controls… we shouldn’t.
But I think there’s another really important implication of the fact that internal control is all about business performance.
And that is that if controls are supposed to protect the performance of the business - protect value - then we always need to make sure that the cost of every control is outweighed by the benefit.
The reason I say this is because it is something that is often forgotten, by both business managers and Internal Audit: Controls have a cost. But with a moment’s thought, it’s self-evident. Controls involve either people doing something additional or the development of software that checks things in the system(s). Either way, more work leads to more cost.
Again, it’s often automatically assumed that the benefit of an additional control, in reduced risk, outweighs its cost. And without criticising internal auditors (who are often undervalued in the business anyway), I have to say that I’ve never seen an internal audit report that considered this aspect in its recommendations. Most reports simply point out a control weakness, i.e. an area where things could go wrong, and recommend a control to make sure the likelihood or impact is reduced.
Managers, and Audit Committees, often look at this and think that because Internal Audit have recommended it, it must be implemented. But what I’m urging is that Finance (in their business partnering capacity) supports business managers in weighing the cost of the recommended controls against the benefit of reduced risk. That is to say, Finance should work with both the business and Internal Audit to ensure that controls that have a net benefit to performance are implemented, and that controls that don’t have a net benefit to performance are not. (I’m dead against any politics that sets Finance against Internal Audit or either against the rest of the business.)
Another way to look at this is that we often see, especially in big businesses, what I’ve heard referred to as BPR – Business Process Review. Some consultant may come in, trained in LEAN and/or Six Sigma, and analyse processes to see what steps can be eliminated. Part of what they’re doing is identifying duplicate or non-value-adding controls. So, all I’m suggesting is that we should take a critical look at proposed controls in processes before it gets to the point of needing a BPR!
Another angle is to compare internal control with another risk management technique – insurance. Insurance costs money in premiums. And you should always make sure you are getting value for money in mitigating the risks that are covered by the insurance.
It would then be a legitimate question to ask how we would go about measuring the reduction in risk, so that we can compare it to the cost of the control.
Now, we could draw a parallel between internal control and insurance, in the sense that both (for a cost) reduce your exposure to damaging and unmanageable levels of loss. So, if you asked an insurance company to insure against all your control weaknesses, they would no doubt have some actuarial model to make sure they made money to cover the risk. In other words, they have to put risk in financial terms if they are to set premiums at the right level. You could use a similar model to value the risk from particular control weaknesses.
The problem with thinking that way is that there’s a cost to doing that kind of cost vs benefit analysis. The cost of actuarial-type modelling is significant. So, we have a conundrum – we need to make sure the benefit of controls outweighs the cost. But the cost of accurately measuring the benefit of controls (the risk assessment) may be (most of the time) prohibitive!
So, you need some shortcuts to make judgments that, whilst recognised as subjective, are nevertheless analytical. So, what we normally do with risk assessment is to express it in terms of the ‘likelihood’ and ‘potential impact’ of negative events.
And it’s tempting, when doing this, to give only a quick thought to the rating of these things – High, Medium, Low? But I think it’s useful spending the extra few minutes thinking in financial terms, and thinking carefully. For instance, what’s the maximum potential financial impact? And what’s the impact on the performance of the business as a whole, not just your department? Sometimes what seems like a big risk to your department isn’t such a big risk to the performance of the whole business.
That’s all good stuff. But I want to close this article by saying something so simple I almost forgot to mention it. That is: When doing any control activity always know why you are doing it.
At the start of my career in Finance, more than 20 years ago, I was a Finance Manager in a division of one of Britain’s biggest and best banks. I wasn’t in a high street branch, so I wasn’t strictly a “bank manager”. But according to the “Branch Accounting Manual” there were certain control procedures that every holder of a “level 6” management grade position had to undertake.
One of those things was to sign printed out copies of every account in our branch (our division was operated as a branch, with our own “sort code”). When I joined the bank, no one told me that was something I had to do, and so when the Internal Auditors (who were apparently formerly known as “Inspection”) came round, they picked me up on it.
Initially I thought it was a waste of time. I didn’t know why I had to do it, or why it had to be a full legible signature rather than my initials on all 500 pages. And whilst complying dutifully, I was fairly sarcastic every week when I was handed the pile of paper.
To my surprise, though, as I started to do the signing, I started to notice things. I noticed numbers out of place, errors, old uncollected debt, uninvoiced charges, reconciling items that weren’t matched off because they’d been posted to the wrong accounts. And I started to keep a log, which turned into the basis of a weekly meeting with my Accounts Supervisor…
It was only through that experience that I realised why I was doing the signing, and had to grudgingly change my view – it was something that did add value because it caught so many things that could have gone wrong, had gone wrong and would have stayed wrong if I hadn’t had my weekly glance through the accounts. The funny thing is that once I understood the purpose of it, and bought into it, it wasn’t such a mind-numbing task when the ledger printouts landed on my desk each week.
So, my advice, if you have to sign documents, ledgers, journals, purchase orders; if you have to do reconciliations, reviews, or any other control procedure; is to ask yourself why you are doing it. What’s the purpose of that control? Understand why you’re doing it and you’ll do it better, the business will be better controlled and will therefore perform better.
So, thinking about the purpose of internal control has taught us that it’s all about business performance, because it’s all about preventing things happening that may damage the performance and value of the business.
That puts internal control and risk management squarely in the sights of the CFO, and of Finance Business Partners. It’s not something to be pushed to the sidelines, and this should lead Finance to value the services of their Internal Audit colleagues.
At the same time, we also noted that if internal control is there to protect business performance, it is legitimate to apply cost vs benefit analysis to any proposed controls.
Please keep on letting me know your thoughts. I do see these articles as just a start. So, I’m sure you can see areas where the thinking can be expanded and fleshed out. So please tell me what areas you would expand on, and additional implications you can see. And if you have any suggestions for what to cover in future parts, I’m keen to get ideas.