Ethics and compliance professionals, myself included, talk about the importance of effective internal control all the time. We document controls, we test them, we strengthen them when they’re weak, we retire them when they’re obsolete.
That’s not the same as understanding what a control actually is, at an abstract level: what it’s supposed to achieve, and how it’s supposed to operate within an organization. But that understanding is crucial if ethics and compliance officers want to design a system of internal control that is actually effective — one that works with whatever facts of business life your particular organization has.
Let’s start with an “official” definition of a control.
First, the auditing definition
A control has its own definition from the federal securities law. Section 13(b)(2)(B) of the Exchange Act lists four points an effective control should achieve:
- Execute transactions in accordance with management’s authorization
- Record transactions as necessary for proper preparation of financial statements and to maintain accountability for assets
- Restrict access to assets only as permitted by management’s authorization
- Compare recorded accountability of assets with existing assets at reasonable intervals
That defines an accounting control. Yes, accounting controls for improper payments are crucial to a compliance program, as we’ve discussed here before.
Still, that definition gives ethics and compliance professionals only partial help. For example, “execute transactions in accordance with management’s authorization” applies to issues such as anti-bribery or bid-rigging. “Restrict access to assets only as permitted by management’s authorization” could apply to data security.
But those criteria are almost too broad; they could apply to any compliance risk involving company assets. On the other hand, they provide little help for personal misconduct risk such as harassment, which is a big part of the compliance officer’s remit, too.
A better definition of internal control
For a definition more versatile and practical, I turned to a colleague who is a long-time anti-fraud investigator. He proposed this:
A process of interlocking activities that use properly designed policies and procedures; which are preventive, detective, corrective, directive, and corroborative; along with training and continuous monitoring, to:
- Assure achievement of an organization’s objectives
- In operational effectiveness and efficiency
- Generating reliable (complete and accurate) books and records
- In compliance with laws, regulations, and policies
- Which ultimately reduces risk of fraud, risk, and abuse
Now we’re getting somewhere. That definition is a mouthful, but it works. It fits with all sorts of risks that an ethics and compliance officer might confront, from personal misconduct to financial fraud. It spells out where controls come from, and what they’re supposed to do.
Put the right pieces together for a control
An ethics and compliance officer’s objective is to reduce the risk of misconduct to some reasonable amount, according to whatever risk tolerances your board sets out. In that case, what a control is can really be understood from that first clause: a process of interlocking activities that use properly designed policies and procedures.
Take conflicts of interest as an example. Sure, you can have a policy against COI — but without other measures to put it into force, you have nothing more than a paper compliance program.
You could also have COI procedures, such as due diligence screens for beneficial owners, but without a policy to guide those efforts, they can lead to arbitrary enforcement and alienated employees (and third parties).
Those are nothing more than a jumble of control activities, not working in concert to address COI in a useful way.
The more effective approach is to align all those pieces usefully: a due diligence program to screen for beneficial owners of new vendors (a transaction control); a COI policy signed by every employee (a process control); and speeches by senior executives stressing the importance of avoiding even the appearance of impropriety (an entity level control).
Cut to fit
Consider what properly designed controls would look like for your organization. A tiny business with a handful of third parties doesn’t need elaborate, automated due diligence procedures. It does need strong leadership from the CEO.
Conversely, a global business does need elaborate due diligence programs, perhaps with more training and policies to boot. And while a speech from the CEO would help, let’s not kid ourselves about how effective a speech really is in a global organization with tens of thousands of employees. Other, more forceful control activities carry more weight.
It’s all about balance: finding the right blend of policies and procedures for your organization, to reinforce each other and deliver more internal control than the sum of those parts. That’s where a control should bring you. That’s what effective internal control is.
By Matt Kelly
That’s interesting and certainly provides a lot of detail which can be helpful when implementing controls in the accounting and related areas. But I think the best definition of internal control is much broader: Policies and procedures that help ensure that the organization achieves its objectives. The advantage of this broad definition is it reminds the reader that internal control is not primarily accounting or auditing; it pertains also to operations.