An oft-repeated analogy for Internal Control is ‘Controls are to an organization, what brakes are to a car.’ They don't necessarily stop the organization; rather, they enable the organization to drive faster and smarter.

Paradigm Shift

In simple words, internal controls are various checks which ensure the company’s objectives are met appropriately. They can be in the nature of preventing a wrong-happening or detecting some mishap in a timely manner. In recent years, the world of controls has seen a paradigm shift in how we assess, monitor and report risks and how control issues are resolved.

A necessary activity that was earlier perceived as just a ‘checklist item’ (a boring post-mortem exercise, mostly resulting in stacks and stacks of supporting documentation) is now fast turning into what is seen as an exciting area that adds tremendous business value through prevention and timely detection of issues. With Big Data, sharp insights and foresights, and predictive capabilities, the excitement is only increasing.

The Controls Value Continuum (Illustration 1) represents the controls journey from mandatory compliances to proactively adding value to business. As companies traverse their controls journey, they need to self-evaluate – where they are in the Controls Value Continuum and where they need to go.

Illustration 1: Controls Value Continuum (CVC)

Myths and Truths

Traditionally, the arena of controls is mired in many myths – some of which we will explore below. However, these myths are being busted by companies that are leading the discussions in this area.

They are seeing controls from ‘end to end’ and are driving the ‘Business Process Management’ agenda of controls by creating value to business, rather than treating controls as a mundane necessary evil.

Myth 1: The more controls we have, the safer and more robust we are. This is a general notion when companies decide to err on the side of caution and employ controls upon controls – not all of which may be relevant to each case. ‘In case of doubt, add a control’ is the mantra.

The Truth: The quality of the design and the operating effectiveness of a control measure are what determine robust control health, not the numbers and layers of controls. Even a few hundred controls might be a sub-optimum number for a company managing a Balance Sheet of US$ 100 Billion.

Myth 2: Controls cannot be harmonized globally, since every country is unique and controls have to be assessed in relation to the country requirements.

The Truth: Many leading companies, in fact, have formulated and are implementing a globally harmonized financial controls framework, handling country-specific regulations on an exception basis. For example, if credit terms to customers are different for different products in different countries, then instead of reviewing basic ageing of debtors, we can look at ‘overdue’ debtors after considering the credit terms, and the review control can be harmonized across all countries.

Myth 3: Controls can never be outsourced or centralized.

The Truth: Designing, monitoring, reporting, testing and governance of Controls’ health can be centralized into a shared services organization. In fact, doing so would make it easier to centralize audit and drive efficiencies.

Myth 4: Controls testing is performed once a year.

The Truth: Controls can be monitored, reported and governed on a more frequent basis. In a continuous control monitoring model, exceptions are monitored on a monthly basis and remediated to avoid any late surprises during year end.

Myth 5: Controls can be tested only on a sample basis. All transactions in a company cannot be tested.

The Truth: Technology has helped companies to extract 100% of data from their base transaction applications. This data can be analyzed to identify exceptions which are moving beyond agreed thresholds. For example, traditional audit would involve sample-based testing of around 60+ journal entries to conclude on millions of entries passed by the company. Through control analytics, all of these millions of journals can be analyzed.

Myth 6: The main objective of Controls testing is to find an issue and identify its root cause.

The Truth: Identifying the issue and root cause is only the first step. Driving the resolution process and preventing future repeats is equally important.

Myth 7: Continuous Controls monitoring would only increase cost and effort to the company.

The Truth: Continuous monitoring and governance result in prevention or timely identification of control issues and their resolution, hence reducing potential business impact. The evidence of this monitoring and governance also reduces the effort of internal and external auditors, who can rely on this evidence. This may actually result in an overall decrease in compliance cost to the company.

Myth 8: Each category of control has to be monitored separately and aggregated to arrive at an overall conclusion of control health.

The Truth: Controls have to be considered as an end-to-end process, with downstream layers relying on the previous layer for comfort. For example, if the overall control environment is robust and the IT general controls, along with the access controls to the financial applications, are robust, the transactional process controls would not be heavily tested or reviewed.

Conclusion

Busting these myths would enable implementing a comprehensive global controls program which would look at the 100% data set, identify and resolve control issues and prevent future occurrence.

This can be better achieved with focused IT support for A) Extraction, B) Data Analysis and C) Sharp Visualization. This would reduce the postmortem effort of auditors and may help in achieving a lower compliance cost.

Further, along with braking support, the controls function would also provide navigation support and ensure that the organization reaches the right destination in a safe and timely manner.

With the advent of Big Data and Analytics, we are perfectly poised to launch the exploration into the world of controls that is filled with opportunities. More myths are waiting to be busted!

ABOUT THE AUTHOR

Viswanathan P

Viswanathan P is currently working in the Group Reporting team in Unilever. He is a finance professional with around 15 years of experience in areas of Controllership, External & Internal Audits, and various aspects of Governance, Risk and Compliance including Control Analytics. Being a key member in setting up a Control Services Centre and enabling a ‘central-hub based’ audit approach, and piloting a project on Anomaly detection through Control Analytics, are some of his notable contributions. He is actively involved in various Non Profit Organizations working in the areas of rural & tribal education.