Spring Cleaning: Time to Review Your Internal Controls
There are a lot of so-called “dirty secrets” in the corporate governance world. Not the tawdry kind that appear to follow controversial politicians – I mean in the world of internal controls.
I would wager that most companies cannot even identify all of the policies, procedures and controls that have been created during the life of the company. Some exist in what I call the “shadows” – a manager or supervisor had to solve a problem one day, figured out a procedure, had no idea if one existed, typed up a new procedure, signed it and then applied it in his/her world.
This may be an exaggeration but I am sure every company has policies and procedures that are formally or informally followed that are not known to every relevant function. In many companies, there is no organized central repository of policies, procedures and controls. Instead, a body of policies and procedures has grown over the years, sometimes with no rhyme or reason to justify it as a corporate policy.
Take, for example, Sarbanes-Oxley financial accounting controls. Every CFO is proud of the complex maze of Sarbanes-Oxley controls that have been built over the years to ensure proper financial reporting. Sarbanes-Oxley transformed the audit function and industry. It created a discrete area for management of controls, responsibility for controls and day-to-day financial accounting and reporting procedures.
The problem with these controls – CFOs treat these controls like the crown jewels of the company. Chief compliance officers who ask to see them are rarely granted the “privilege” of reviewing, understanding, or God forbid, opining on any aspect of the Sarbanes-Oxley controls. While I admit this is a little tongue in cheek, the problem is that the financial accounting controls have implications across the organization, including compliance.
I bring up this example to make my point – everyone has a piece of a company’s internal controls – some more than others, as CFOs watch over a company’s financial controls. No one has line of sight, responsibility for, or even an understanding of, the company’s entire control structure and operation. Yes, of course, there are folks who technically claim that they have this view, but no one in reality takes responsibility for such a massive undertaking.
As a result, companies have varying policies, procedures and controls across the organization. This means that there is no consistency in the way a company defines its operations, describes its rules, or mitigates its risks. In many cases, this haphazard way of defining a company’s mission, its operations, and its internal rules and regulations leads to problems and sometimes even disasters – literal safety problems and accidents, and figurative scandals around financial crimes, including bribery, fraud and misuse.
Organizations fail to start at the right place. A company’s controls are akin to an internal set of laws governing individual conduct, division responsibilities and overall corporate operations. Prosecutors and regulators look to these rules as “internal controls” and have the ability to prosecute violators of these internal rules for willful circumvention of internal controls to hold actors accountable for misconduct, scandals and failures to supervise.
Given the implications and importance of internal controls, companies have to renew their efforts to identify, collect, review and refine their internal controls beyond just internal accounting controls, beyond internal financial reporting controls, and bring about a fresh new look – a defined set of policies, procedures, and controls governing the entire organization.
The first challenge in this process is to collect all the existing controls in one place. That means looking in every nook and cranny in the organization for those controls that exist out there and govern operations in discrete parts of the company. Once they are all identified and organized the spring cleaning is ready to proceed.
A second and important step is to review and assess the body of existing controls to identify those controls that are redundant, duplicative or unnecessary. This should become fairly obvious during the review. For example, I recall a client company identified at least five different policies or controls governing reimbursement for gifts, meals, entertainment and travel. Those were easy to clean up. But this was only one area.
An internal controls review, however, requires a joint effort. Everyone has to have a seat at the table, bring their controls to the process, and begin the laborious process of reviewing and refining the company’s internal controls. It is a project that can be massive in scope depending on the size of the company but should be started, divided up in phases or geographic areas, or across discrete projects.
Spring cleaning brings about a refreshing renewal in everyone’s life. It is time for organizations to bring the same attitude and approach to their internal controls. The organization will be healthier and ready for the challenges ahead.