Internal controls aren’t an all-or-nothing proposition. Just a handful of foundational controls can significantly improve an organization’s risk management and the reliability of its financial data. The difficulty lies in knowing which controls have the greatest impact—and how to strengthen them.
What Are Internal Controls?
Many internal control frameworks exist that attempt to define what good internal control looks like. The most recognizable and trusted of these is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework. It defines the underlying principles of an effective system of internal control over the following:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
To do this, COSO established five integrated components, 17 principles, and 87 points of focus. The COSO framework is a comprehensive and robust resource for establishing an internal control environment that’s adaptable to various business environments, responsive to risks to the organization, and supportive of good governance. However, its complexity can limit its utility in some cases.
It’s not uncommon for small to midsized organizations to dismiss the COSO framework as something for large public companies. Those that attempt to implement the framework often get lost in the details and forget its purpose. However, selectively applying some of COSO’s internal controls is often beneficial for most organizations, no matter their size.
Most organizations don’t need to implement the entire COSO framework to significantly improve their internal control environment. Prioritizing just four foundational controls can have an outsized impact on risk management:
- Segregation of duties
- Reporting hotlines
- Account reconciliations
- Budget-variance analyses
It’s usually one of these controls that either detects an internal control problem, such as fraud or a financial misstatement, or is found to be deficient when a problem occurs.
From a cost-to-benefit perspective, these controls accrue a significant risk mitigation benefit for relatively little cost. This is because they address a wide range of potential risks when compared to more transactional, process-level controls and facilitate the effective operation of other complementary controls.
Segregation of Duties
Problems such as occupational fraud, accounting errors, and financial statement manipulation are more likely to arise when the same individual is allowed to execute two or more conflicting activities. These types of activities drive processes with the potential to impact a company’s:
- Financial statements
- Operational performance
- Market reputation
Segregation of duties (SOD) divides these transactions between personnel to help avoid conflicts of interest. SOD is usually synonymous with IT-system access rights because most critical functions are often performed through the company’s enterprise systems.
However, it’s important to view segregation of duties from the standpoint of both system access and individual roles and responsibilities. Allowing an employee to control two or more critical activities presents a risk to the business, and managing that risk in a pragmatic, effective way is more difficult than it may seem.
The complexity of today’s enterprise systems leaves many companies struggling with implementing and maintaining effective SOD. Below are some of the most common pitfalls experienced by IT, internal audit, and finance departments when evaluating segregation of duties.
Enterprise System Security Complexity
Enterprise resource planning (ERP) systems often rely on role-based security. Theoretically, this simplifies security administration, but the use of standard roles is often inappropriate for proper SOD. The risk is compounded by the fact that there’s frequently more than one way to perform a function or access data within an ERP system.
It’s often unclear who’s responsible for determining appropriate SOD. An IT department often does the technical administration, such as granting rights, removing access, and changing access, but it’s the business itself that defines what’s appropriate. Because SOD requires technical and policy coordination, it can often fall through the cracks at the executive level.
Best-of-Breed Enterprise Environments
Some organizations use multiple ERP systems designed for specific purposes rather than one integrated system. This is known as a best-of-breed system because it uses the most specialized systems available for each business process. This scenario creates additional risk because it makes it more difficult to assess inappropriate access across unconnected systems.
Exclusion of Manual Activities
When performing a comprehensive segregation of duties analysis, organizations shouldn’t just focus on system access, but also should focus on the segregation of key activities performed outside of the system. The combination of system access and manual responsibilities can lead to conflicts that might not be identified by performing segregation of duties analysis from a purely system access standpoint.
Account Reconciliations
Using two different sources of information to verify if figures are accurate and aligned can validate even the most complex transaction. This process, known as account reconciliation, is usually done by comparing the general ledger balance for a specific financial statement account with supporting documentation of what the balance should be.
Depending on the nature of the financial statement account being verified, the supporting documentation can include the following items:
- Reliable third-party information
- An analytically developed expectation
- A separately maintained subledger
- Another internal database
Using this data, organizations can verify and analyze the completeness, validity, valuation, calculation, and proper application of accounting principles, and other assertions around a particular transaction, helping to avoid financial misstatements and improve financial statement integrity.
Most organizations do some form of account reconciliation, but not all of them work to make their reconciliations as effective as possible. Below are some of the most common challenges faced by accounting teams.
Many organizations only reconcile accounts they view as important. This approach usually misses a common error that arises when a journal entry is posted to the wrong account. Balance sheet integrity can only be achieved by reconciling every balance sheet account.
Absence of a Risk-Based Approach
Not all reconciliations are equal. Some accounts are more complex, high volume, and prone to error while other accounts may present lower risk. Understanding the difference between high- and low-risk accounts and developing appropriate reconciliation procedures for each of them is essential for avoiding errors and maintaining efficiency in the reconciliation process.
No Clear Accountability
For the process to be successful, reconciliations need to be done completely, correctly, and quickly enough to catch errors before financial misstatements occur. Many organizations neglect to clarify who’s responsible for ensuring this happens. Developing a formal reconciliation calendar or checklist can help drive the process by designating who’s doing what and when they’re supposed to do it and by establishing clear quality internal control procedures.
Lack of Standardization
Just as there needs to be clarity around which accounts are being reconciled, when, and by whom, it also needs to be made clear how that’s going to happen. Without putting quality standards in place, many organizations perform reconciliations without consistency.
Everyone involved with the reconciliation process should know the following:
- What are the expected review procedures to be performed?
- What’s the acceptable supporting data?
- What’s considered an exception for follow-up?
- How should those follow-ups and their resolutions be evidenced?
Implicit in the standardization issue above is the assumption that those reconciling the accounts understand the purpose, risks, and relevant US generally accepted accounting principles (GAAP). This understanding is critical in designing the reconciliation procedures and for appropriately identifying, researching, and resolving potential exceptions.
Reporting Hotlines
A 2023 National Business Ethics Survey from the Ethics & Compliance Initiative (ECI) revealed that around 53% of all employees in North America have witnessed misconduct that violates their organization’s ethics standards or the law. However, only 62% of the misconduct observed has been reported. Organizations can greatly increase the likelihood of discovering misconduct by encouraging employees to flag potential acts of impropriety through a reporting hotline.
According to the 2022 Association of Certified Fraud Examiners Report to the Nations, 42% of all frauds were detected by tips, and organizations without hotlines took an average of six months longer to detect frauds and experienced average losses that were two times higher than organizations that had hotlines.
Such hotlines are typically dedicated phone numbers, websites, or both that are administered by a third party and allow for anonymous reports. This helps prevent the fear of retaliation from stopping employees or third-party vendors from making reports.
Reporting hotlines are often viewed as a function of the HR department—a compliance box to check—which makes the control far less effective. Below are some of the most common reasons why this happens.
Lack of Stakeholder Buy-In
If a hotline is viewed as an administrative compliance activity or, worse, as a nuisance or threat by senior management, it’ll never be an effective internal control—because it won’t be made a priority.
Ambiguity of Appropriate Use
Senior stakeholder skepticism of a reporting hotline often results in part from employees misunderstanding what the hotline is for. When employees aren’t trained on the appropriate use of a hotline and don’t understand the circumstances that would warrant a report, a hotline is often used as a mechanism to air grievances that aren’t necessarily ethical or compliance issues. According to the 2022 Report to the Nations, reports of fraud are 16% more likely to be submitted in organizations that provide hotline training.
Lack of Credibility
If employees don’t view a hotline as anonymous or if they believe reports aren’t taken seriously, the utility of the control drops off significantly. For this reason, a defined reporting process should be documented and periodically communicated to employees.
A reporting hotline that’s buried in a company code of conduct policy or that’s difficult to use won’t be effective. This is a frequent symptom of a compliance-focused process. For a hotline to be effective, it needs to be easy to use and employees need to be trained on how to make a report.
Ineffective Report Resolution
Resolution of potential issues is ultimately the purpose of a reporting hotline. If an organization implements a hotline without thinking through the resolution process, such as who reports go to and who’s responsible for following up on them, the effectiveness of the hotline quickly diminishes. Employees may also sense this lack of follow-through and interpret it as an absence of credible support for the program.
Budget Variance Analyses
Typically conducted at the financial statement line item or account level, a budget variance analysis (BVA) is a periodic investigation of the difference between actual results and the expected results of operations and financial position of the company.
This type of analysis can often identify errors that would otherwise be missed by more mechanistic transactional control activities because patterns between interrelated accounts and business processes can be more easily assessed.
Most organizations perform some sort of financial variance analysis, but a few critical factors can significantly change the effectiveness of the control. Below are some of the most common BVA roadblocks.
A variance between a budget and the actual financial account amount can result from a change from expectations or from an inaccurate budgeted amount. By their nature, budgets are estimates.
Taking the time to understand the underlying drivers of a budgeted amount, and periodically monitoring and updating assumptions as things change, can drastically improve the effectiveness of a BVA.
Lack of Analysis Thresholds
Establishing what level of precision is required and what circumstances trigger additional follow-up during a BVA is essential to making the process an effective internal control.
Otherwise, variances that should probably be analyzed might not be, or time might be spent following up on a variance that isn’t a risk. Many organizations choose to define these thresholds in terms of absolute dollars and percentage of account balance.
Even with established thresholds, an effective BVA requires the control performer to understand the business context behind the financials and to think critically about how changes in the business should manifest. If sales are below budget, for example, sales commissions should also be lower.
Understanding offsetting variances and disaggregating data is crucial. If data isn’t disaggregated, it’s possible to have offsetting variances that mask material changes to account balances. Accounts are also sometimes an aggregation of different transaction types, which may have different expectations and potential errors.
A reviewer of a BVA can easily understand whether an analysis was performed completely, accurately, and thoroughly if the process is well documented. This generally includes documenting what was found as well as the resolutions of the investigated variances.
The need for documentation is increased if the control is relevant for compliance purposes, such as Sarbanes–Oxley or International Organization for Standardization processes.
Implementing the entire COSO framework isn’t practical or even necessary for most organizations. However, enlisting the help of an experienced internal controls professional who understands its complexities can help your organization prioritize its foundational controls and implement meaningful process changes faster and more efficiently.
We’re Here to Help
To learn more about internal controls and implementing a risk management strategy, contact your Moss Adams professional.