John J. Hall, CPA
President, Hall Consulting, Inc.
‘Internal control’ means many things to many people. Maybe too many different things to too many different people.
Some see controls as symbols, arrows and lines on a process flowchart. Others look only to the boxes they check off every few months on compliance checklists. Financial reporting managers and external auditors focus on the accuracy of reported results, but don’t give much energy to controls over operations or customer satisfaction or product and service quality. And internal and government auditors and other compliance experts refer to various sanctioned models of controls that start with high level objectives and flow down into specific target policies, procedures and actions.
All are correct depending on their point of view or job responsibilities. But most can miss the point as well. So let’s break it down.
Traditionally accepted definitions of controls start like this: Internal Controls are any action taken by management, the board, or other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
I’m confident we would all agree that’s a good starting point.
One step deeper, controls entail processes, policies, procedures and other management directives designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Reliability of financial reporting
- Compliance with laws and regulations
- Effectiveness and efficiency of operations
Then these broad control objectives are documented as a working framework or blueprint of intentions, actions and responsibilities. It’s the what to do, how to do it and when to do it nuts and bolts of how things get done each day in any business setting.
But what about the why behind these actions?
For example, it’s pretty common that as a payment transaction grows in size, additional approval signatures are required before funds are released. Out of pocket travel cost reimbursement, weekly time reporting and routine purchasing card transactions usually require just one approval signature from the next higher level of authority – often a first-level supervisor. But as transactions grow into the tens and hundreds of thousands, approval protocols grow as well with multiple signatures required. And that $200 million construction project? Entire pages of signatures are often required as multi-million dollar contractor applications for payment are processed.
And all of that makes sense in theory.
But what about in the real world of time constraints, multiple demands on our energy, and comfortable human habits? Do all of those signatures really bring additional ‘control’? Or are we too often finding that it creates the appearance of control without the reality? Perhaps it’s just my own isolated experience over 46 years of auditing, but I remain confident that far too often managers just scribble their signature on documents someone else has already signed.
If you agree, then let’s get down to it once and for all. Let’s assume that in general your organization’s control procedures were thoughtfully designed, were properly implemented and are effectively maintained. At least within reason – as there’s always room for improvement.
But what about the human aspect of controls – the component that makes a standard procedure come alive? What about the knowledge and experience of transaction processors and approvers, and their interest, focus, energy and attention at that critical approval moment as they reach for their computer mouse or pen to place their management stamp of approval?
What about their supervisor’s support? Is it based in encouragement to do things right the first time – the hallmark of any quality initiative? Or is it daily pressure to just get it done and off your desk?
And possibly most important, what is the peer-group culture in the department where review and approval takes place – supporting co-workers who seek excellence and have pride in their work? Or just slogging through the days until something better comes along? Peer group pressure to conform is a powerful motivator that supports or undermines the effectiveness of internal controls.
In short, control protocols with weak human execution are an implicit significant weakness. A weakness that can undermine risk management initiatives in any organization.
Have I scared you yet?
To be completely transparent, that was my intent – if I scared you into meaningful action. And that action is incredibly simple and virtually free to build.
Internal controls are in fact heavily dependent upon instructions about what to do, how to do it and when to do it. And if we can blend in why to do it – and motivate every employee to follow a few simple steps, those control procedures come alive. So here’s the magic formula:
First, when you reach for your pen or computer mouse to approve a transaction, stop, collect your thoughts, focus your efforts and look at what’s in front of you.
Second, look at the transaction documents and underlying support. I mean really look at it. Not just a passive glance.
Third, ask yourself, “How do I know this is correct?” If you’re sure it’s fine, approve away. But when in doubt, doubt. Not when in doubt, believe!
Fourth and last, if in doubt resolve it before approving or refer to others for action.
Stop, look, ask, doubt and resolve or refer. Pretty simple, right? Yes, but only if employees and managers have the mental and physical discipline to take these simple steps and make the controls come alive.
Want to find out more?
Join us on December 12 for our Yellowbook-CPE program on Internal Controls: What They Are, What They Aren’t, and How Auditors Can Help Government Managers Plug the Holes.