Some people enjoy reading self-improvement books. Some are born home improvement gurus. Others are intent on learning ways to improve their company’s internal control system. If you’re the latter, you’ve come to the right place.
Let’s talk about improvement.
When contractors begin an improvement project the first things they typically evaluate are the foundation, electrical, and plumbing.
Unless you’re in the beginning stages of a new startup, it’s rare to start with a blank slate. Whether by design or by happenstance, every business has some sort of internal controls in place.
The following is a blueprint, outlining three important steps to help improve internal controls.
Step 1: To Improve Internal Controls, Build a Strong Foundation
The starting point for any improvement is to assess what’s already in place and what there is to build on.
To identify control deficiencies, start by evaluating the presence and effectiveness of the components recommended for an effective control system as defined by the Committee of Sponsoring Organizations (COSO):
- Control environment
- Risk assessment
- Control Activities
- Information and communication
For a detailed discussion of the five components of internal control systems read “Internal Controls: What Are They & Why You Should Care.”
Step 2: To Improve Internal Controls, Harness the Energy of Control Activities
Faulty wiring prevents electrical current from flowing properly. It’s the same with control activities.
Control activities power a control system and if one or more are faulty, an organization may be at risk for an internal control system failure. To make sure you’re on track, measure control activities against the principles defined by COSO.
The three principles of effective control activities
- Implement control activities designed to reduce risk based on what the organization has defined to be acceptable risk levels. Develop these control activities to ensure you’re on track to achieve organizational goals and objectives.
- Select and develop control activities specific to information systems, especially in the area of IT.
- Develop clearly stated documentation (often in the form of a manual or employee handbook), outlining the policies and procedures required to implement and put control activities into action.
What are the three types of control activities?
Control activities are part of the control process that galvanizes an internal control system. To improve internal controls, focus on creating a variety of control activities that fall under each of the three categories:
Preventive Controls: Control activities tailored to avoid risks from fraud or loss or the obstruction of an organization’s operational objectives.
Detective Controls: Control activities designed to pinpoint the cause of unavoidable risk, errors in financial processes, or employee misconduct after the fact.
Corrective Controls: Control activities enacted after an irregularity or discrepancy is discovered. Corrective actions prevent the risk from occurring in the future.
Examples of control activities to improve internal controls
Examples of preventive control activities:
Segregation of duties among bookkeepers and other employees involved in financial transactions
- Supervisory or managerial authorizations for both spending and purchasing transactions
- Specific control procedures for the documentation of cash disbursements and cash receipts
- Ongoing risk management activities to realign objectives as business processes change
- Password protection for all financial information
- Regular staff training
Examples of detective control activities:
- Reconciliation of financial statements
- Internal audits for compliance issues, as well as reliability of financial reporting
- External audit by a licensed CPA who is not an employee
- Employee performance reviews
- Conduct regular physical inventory counts
Examples of corrective control activities
- Enforcing employee discipline policies
- Realigning separation of duties
- Retraining staff on policies and procedures
- Performing additional risk assessment and introducing revised or new internal controls
Step 3: To Improve Internal Controls, Find the Leaks in Your Internal Control Structure
Leaky faucets aren’t cost-effective. A burst pipe creates some costly damage. And backed up sewage… well…it’s no fun to clean up.
Weak internal controls produce the same problems. Some slow leak, creating problems over time; others are one major incident, leaving damaging results in its wake; others are a SOX storm waiting to happen.
SOX: The Sarbanes-Oxley Act of 2002 is a federal law created to regulate the reliability of corporate financial reporting to protect shareholders and employees from fraudulent accounting practices and financial misstatements.
Internal controls must be viewed as fluid processes—constantly changing with the ebb and flow of the business environment. Changes may occur in the form of evolving technology, additions to regulations, changing legislation, new staff hires organization growth, new developments in marketing trends, and increased competition.
The key to avoiding or reducing possible risks that may clog the flow of an organization’s operations is to effectively employ the fifth component of internal controls: monitoring.
The COSO Internal Control-Integrated Framework describes 17 principles that support each of the five components of internal controls. There are two Principles outlined by COSO for the monitoring of internal controls:
Principle 16: “The organization selects, develops, and performs ongoing and or separate evaluations to ascertain whether the components of internal control are present and functioning.”
Principle 17: “The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”
Consistent monitoring flushes out ineffective and unnecessary internal controls, allowing an organization to adopt a better system, strengthening internal controls.
Start your internal control improvement project today
Once the Gaines’ determine the needs of a property, they turn to expert contractors to get the work done. In the realm of organizational risk management and improved internal controls, ZenGRC is the expert. To learn how we help organizations simplify, automate, and improve internal controls, schedule a demo today.