Transforming Internal Control into Business Enabler
Internal Control is commonly cited as an avoidable cost, a bureaucratic straitjacket that limits agile decision-making, while on the other hand, it’s a fundamental element in the governance of large organizations, listed companies, banks, and financial institutions, arguably mandated by regulators. This mandate essentially supports the argument that Internal Control is needed for organizations that deal with public money. This view not only diminishes the potential business value of Internal Control, especially its role as a business enabler, but it’s also inconsistent with the rationale that results are the product of and planning, and despite differences in scale of organization, Internal Control helps supports systematic decision making and progress towards organizational objectives.
To put up the case for Internal Control beyond this common interpretation is a daunting task, i.e. we must demonstrate contradictions in the common understanding discussed above, and beyond that, we must also show Internal Control immanently contains a value for all organizations.
To analyze this proposition we must begin with a definition of Internal Control that has wider acceptance. This addresses two aspects of our discussion; first, using a commonly known and widely published definition means not creating a new definition by simply avoiding criticism but demonstrating that it’s not understood correctly, and secondly, Internal Control is not conditioned with scale, and as such it applies to varying sizing or organizations, especially smaller enterprises with limited resources.
For this, I will use COSO Internal Controls Integrated Framework’s definition, which describes Internal Control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
On closer analysis we can see break this up into three elements; (1) internal control is a designed process; (2) internal control provides reasonable assurance for the achievement of objectives; (3) internal control is effected by the board, management, and other personnel.
- Internal control is a designed process
All organizations, irrespective of their scale, have objectives, e.g. a global conglomerate could be targeting innovation in its product technologies, your neighborhood pizzeria could be desiring to increase its sales per customer by $5. Organizations undertake various activities in pursuing their objectives, these are interconnected with various parts of the organization collecting, processing, and transmitting information to support decisions in progressing towards their objectives. This interconnectedness is what we generally refer to as an Internal Control System.
Internal control is not a ready-made, off-the-shelf product, it’s a customized solution designed for an organization’s circumstances based on its market, goals, and strategy. And, while Internal Control systems of various organizations appear similar they are not the same, the differences are subtly created by their objectives. As Internal Control operates within organizations it must be immanently connected with objectives and this property makes it effective.
On the other hand, we have a phenomenon called ‘best practice’, which is probably one of the most overused terminologies in the context of Internal Controls. Best practice refers to Internal Control System that worked wonders for some successful companies, and consultants marketed these ready-made solutions to other companies and made a fortune by doing it. However, not only is the term, “best practice” overused, it’s also misleading. It implies that an Internal Control System which worked in the past for a company would repeat its success and create value for other companies while being indifferent to the latter’s objectives. Consequently, “best practice” quickly becomes a financial burden when organizations (re)structure processes to a system that worked for another company, and not with their objectives.
- Internal Control provides reasonable assurance with regards to objectives
In the preceding section, we discussed the importance of designing an organization’s Internal Control System with its objectives, this section deals with the effectiveness of Internal Control design in regards to achieving objectives. It’s important to remind ourselves here that Internal Control is not an end in itself, which means it’s a process that manages the transformation of resources into results. By this virtue, Internal Control can only be termed effective only when it can consistently manage this transformation, or in other words, when Internal Control Design has the quality to provides reasonable assurance with regards to objectives.
If the effectiveness of an Internal Control System is described as an ability to consistently produce desired outcomes, then this quality is the measure of an Internal Control System, or in other words, the design does not only relate to objectives, but it must also demonstrate this quality to achieve desired objectives. In this way, Internal Control Design correlates an organization’s activities and outcome., lacking which one is only hopeful of the best outcome, compared to systematically managing objectives.
The correlation is not an absolute or a perfect relationship, in which case activities guarantee desired outcomes or vice versa. The distortion or error in the correlation is caused by uncertainties, and the function of Internal Control Design (model) is to systematically manage uncertainties and reduce these to an acceptable level where an organization achieves reasonable assurance regarding objectives, i.e. the residual uncertainty does not have a significant impact on the outcome.
- The Process is effected by the Board, Management, and other personnel
This section of the Internal Control definition deals with people within an organization who are responsible for carrying out activities designed within Internal Control System. It is therefore important that people know organizational objectives and their role in the Internal Control System, thus creating a transparent process of responsibility and accountability. Lacking this knowledge, people become indifferent towards objectives increasing uncertainty in their decisions. Internal Control system is effective when people understand the context of their activities and how their contribution reduces uncertainty concerning organizational objectives.
In the end, we must conclude the discussion to answer if Internal Control a value that can be harnessed by an organization without unnecessary compromises or delays in decision-making processes. In the foregoing paragraphs, we discussed the importance of designing Internal Control with organizational objectives and thus resolving the problem of scale. This problem was created by the misconception of “best practices”. We also discussed that Internal Control System systematically manages uncertainty, lacking which an organization is pushed into a fire fighting style of management taking away time and resources. And lastly the importance of people knowing organizational objectives to effectively manage outcomes. Therefore, we can now state Internal Control increases the probability an organization achieves its objectives and this increase on one hand is the value an organization can harness, on the other hand, Internal Control becomes a business enabler as a systematic mechanism to reduce uncertainties to its objectives.