A New Holistic Model for Internal Controls Management (Part II of II)
Companies have to embrace a holistic management approach to their internal controls. In the corporate governance world, a new approach is needed to develop a more rational and consistent method for managing your company’s internal controls.
This is not a radical proposal but a rational response to the enforcement risks and the need for consistency across an organization.
Let’s start with a basic setup. An internal controls committee consisting of key stakeholders should be created to ensure consistent design, drafting and management. Compliance is a key stakeholder. Legal should be included as well.
The design of internal controls requires the balancing of two competing interests: first, managers and employees want to know how to complete various tasks, follow company rules, and comply with applicable rules; second, the company needs to draft its controls in a manner that does not expose the company and individual actors to possible civil and criminal enforcement for circumventing or failing to follow its internal controls.
This is a difficult balancing act but is an important consideration for companies, especially those that are operating under a rules-based culture.
The first hurdle to overcome, as always, is acknowledgement that a new approach is needed. The stakeholders include specific functions responsible for operating within the internal controls: finance, operations, procurement, compliance and legal.
The second step in this process is the collection of every internal control maintained by the company. This will take time because some will be hard to find and others may be rarely used or even unknown to many employees.
The third step is the assignment of primary responsibility for the internal controls. Each function should take responsibility where it is the natural lead – compliance for compliance-related controls; finance for financial controls; operations for operation-related controls; and procurement for procurement-related controls.
The fourth step is to create a review matrix or a set of key questions for each internal control. These questions include:
- What is the purpose of the control?
- How does it align with current operations in the company?
- Does the control accurately reflect existing corporate policy governing the task?
- What key terms are used in the control and need to be defined?
With this frame of reference, the stakeholders should develop revisions to an existing control (or at least recommended changes), propose the adoption of a new control, or propose combining existing controls into a single control. The review process is intended to identify potential problems with the existing control in practice and develop proposed solutions.
The fifth step is to assign responsibility to a few individuals as the scriveners of the new set of internal controls. A member of the legal team should be involved in this process, preferably one who is known for their writing ability. A group effort should be made to bring together the final review, revision and re-organization of the internal controls.
The objective of this final step is to create a concise and thoughtful set of internal controls that adequately addresses specific requirements and uses consistent terminology and defined terms. It is critical that the internal controls are properly crafted to avoid over-broad requirements and terminology that can be used against the company by government prosecutors in situations that were never intended. On the other hand, the internal controls need to accurately capture the intended conduct and applicable requirements that need to be internally regulated.
The entire process is a balancing act that requires a collaborative approach built on a common understanding of the company’s operations and policy purposes. It is key to balance internal regulation against external risks from government enforcement agencies. To be sure, the crafting of internal controls means there may be disagreements among stakeholders on specific terms (e.g. the meaning of “is”), but it is better to hash out these issues in the internal stakeholder context.
The Committee already exists; it is called The Board Audit Committee. They have prime responsibility for the oversight of the internal controls framework. The Assurance team, already in place, is in charge of evaluating the controls; where these are technical, legal project or commercial controls, they seek the assistance of the relevant departments. Modern companies have been operating on this basis for years. The key word here is ‘risk’. Controls are designed to mitigate material risks. If they don’t, they are bureaucracy.