In finance, internal controls are processes that ensure and maintain the integrity of financial and accounting information. These controls foster accountability, safeguard assets by preventing fraud and theft, increase operational efficiency, and promote compliance with applicable laws and regulations.
Financial controllers, auditors, and accountants have the most responsibility for internal controls. However, all employees must contribute to decreasing the company’s financial risk and increasing its security.
The development of internal controls in Australia started in the 1920s and 30s. Influenced by policy in the USA and Europe, Australian companies recognised the importance of controls as a way to keep accurate financial records and in the process, prevent fraud.
Formalisation of internal controls started in the 1950s after the formation of the Australian Society of Accountants (now CPA Australia). Two decades later, the ASX introduced rules to establish a defined regulatory environment for publicly-listed companies.
Perhaps the most significant impact on internal controls, however, was the release of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in 1992.
First published in the United States, the COSO framework was initially developed in 1985 in response to numerous instances of fraudulent financial reporting.
The framework – which is used by finance, accounting and publicly traded companies – is the foremost framework in the world for the design, implementation and assessment of internal controls.
Various principles and guidelines have been adopted in Australia by state and federal governments as well as companies in the public, private, and non-profit sectors.
The objectives of an internal control system depend on the business and the industry in which it operates.
For a general definition, however, let’s return to COSO which describes internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
From the above, the three primary objective categories are operations, reporting and compliance.
The COSO framework was updated in 2017 to reflect the idea that risk management (and thus adherence to internal controls) was not a discrete function within the company but holistic, and part of its DNA.
To that end, the framework defines five components that clarify how internal controls can be devised, implemented, and most importantly, maintained.
The control environment strives to ensure that all business practices are industry-standard. Processes and structures collectively influence the organisation’s culture and the behaviour of its employees.
Upper management should model expected standards of behaviour for it to filter down to middle management and employees. The company should also seek to retain and recruit personnel who demonstrate integrity and appropriate ethical values.
Risk assessment is a dynamic process that identifies the risks that could impact a business or prevent it from achieving its objectives.
A finance lender, for example, may conduct a comprehensive risk assessment to determine the risks associated with lending. These include credit risk, market risk and operational risk.
Information pertaining to risk appetite and mitigation should be shared across departments and also between managers, employees, and the board.
Rules should also be enacted to ensure that internal and external communication adheres to relevant laws, company values, and best practices. Adequate communication also ensures that control activities are understood and carried out effectively.
Ultimately, this component supports the establishment of a robust control environment.
Monitoring activities focus on the continuous and periodic assessment of the control environment’s performance. Internally, such activities may take the form of internal audits, supervision and automated systems.
Externally, internal controls may be monitored by various third parties.
In Australia, banks, insurance companies, and other financial institutions are regulated by four key bodies:
While each of the five COSO framework components relates to internal controls, control activities describe how relevant measures are enacted within the organisation.
The myriad ways these controls promote compliance and reduce risk are explained below.
Three broad types of internal controls are categorised as either before the event (preventative) or after the event (detective and corrective). The most effective internal control systems will take advantage of all three types.
Let’s look at each in more detail below.
The purpose of a preventive control is to prevent financial and accounting issues before they have a chance to occur.
Within this type there are various internal control activities:
Detective controls are mechanisms that uncover errors or discrepancies that have already taken place. These controls pinpoint anomalies in financial data or deviations from standard procedure as a result of human error or fraud.
Here are some detective control activities:
Corrective internal controls rectify issues identified by detective controls. Not only do they rectify issues, they also prevent them from reoccurring.
Corrective control activities include:
Internal controls are evaluated by internal audits that review a company’s:
According to the ASX Corporate Governance Principles and Recommendations, a publicly listed entity that does not have an internal control framework must explain why.
To that end, the entity needs to explain how it evaluates and improves the effectiveness of its relevant internal control processes.
Internal audits may be performed by employees of the company, an external audit provider or a combination of the two.
With that said, the Australian Securities and Exchange Commission (ASIC) recommends that the external auditor does not provide internal audit services to the same company.
To ensure the internal audit process remains unbiased, internal audits conducted by employees must report to an audit committee (and not the organisation’s management).
This committee is expected to:
In general, management needs to be kept separate from the audit process. The CEO can set the budget for an internal audit, but this should also be reviewed by the committee before approval.
Despite a company’s best efforts, there will invariably be contexts where certain factors override internal controls.
To conclude, here are some of the more common.
Internal controls are easily overcome if the control is weak to start with. At the most basic level, weak internal controls lead to fraud. Invoices may be paid twice, or payments may be made for work that was never completed.
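A detective control of the kind described earlier, made concrete for the “invoices paid twice” failure named here. This is an added example, not code from the article or from any vendor’s product; the ledger rows, the Payment record, the key normalisation and the 90-day window are constructed assumptions.

```python
"""Detective control (added example, not from the article): flag invoices that
appear to have been paid more than once. All ledger rows below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str
    amount: float
    paid_on: date


def _invoice_key(p: Payment) -> tuple:
    # Normalise vendor and invoice number so "INV-1001" and "inv 1001" from the
    # same vendor collide; duplicate payments are often keyed in with small
    # differences in text that an exact match would miss.
    inv = "".join(ch for ch in p.invoice_no.upper() if ch.isalnum())
    return (p.vendor.strip().lower(), inv, round(p.amount, 2))


def find_duplicate_payments(payments, window_days: int = 90):
    """Return groups of payments sharing vendor, invoice number and amount that
    fall within `window_days` of the earliest one. Each group is one finding
    for the reviewer; payments outside the window (e.g. a genuine annual
    renewal reusing the same reference) are not flagged."""
    groups = defaultdict(list)
    for p in payments:
        groups[_invoice_key(p)].append(p)
    findings = []
    for rows in groups.values():
        rows.sort(key=lambda r: r.paid_on)
        first = rows[0].paid_on
        dupes = [r for r in rows if (r.paid_on - first).days <= window_days]
        if len(dupes) > 1:
            findings.append(dupes)
    return findings


# Constructed sample ledger: P1/P2 is a real duplicate, P4/P5 is the same
# reference a year apart (outside the window), P3 is clean.
SAMPLE_LEDGER = [
    Payment("P1", "Acme Pty Ltd", "INV-1001", 4200.00, date(2024, 3, 1)),
    Payment("P2", "acme pty ltd", "inv 1001", 4200.00, date(2024, 3, 14)),
    Payment("P3", "Acme Pty Ltd", "INV-1002", 1300.00, date(2024, 3, 5)),
    Payment("P4", "Beta Supplies", "B-77", 900.00, date(2023, 1, 10)),
    Payment("P5", "Beta Supplies", "B-77", 900.00, date(2024, 1, 10)),
]

if __name__ == "__main__":
    for group in find_duplicate_payments(SAMPLE_LEDGER):
        ids = ", ".join(p.payment_id for p in group)
        print(f"suspected duplicate: {group[0].vendor} {group[0].invoice_no} -> {ids}")
```

Findings from a control like this feed the corrective step: the duplicate is recovered from the vendor and the approval step that let it through is reviewed.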
In finance companies, weak internal controls cause more serious problems such as material weakness. This is defined as a deficiency in financial reporting that causes a company to misstate its financial situation, which can lead to harsh penalties.
If we recall the COSO definition of an internal control from earlier, we see the words “reasonable assurance” mentioned. This pertains to the fact that internal controls rely on honesty (as well as processes) to be effective.
In certain situations, even honest staff may defraud the company if the opportunity is irresistible. The temptation may also increase if the employee is under financial duress or dissatisfied with their job.
Related to errors in judgement is collusion, where two or more employees work together to defraud or deceive.
Collusion is often related to malicious insider attacks, where people with privileged access to a company’s resources exploit that access for financial gain.