Designing Effective Financial Controls


Page 1: Designing Effective Financial Controls

Designing Effective Financial Controls

Stephen G. Lynch

Page 2: Designing Effective Financial Controls

“A strong internal control framework is the result of clear control objectives and a commitment by a company’s Board, management, and employees to create and maintain a strong control environment. It also requires a commitment to properly assess organizational risk, establish and conduct appropriate control activities, generate and communicate timely, relevant and reliable information, and participate in regular monitoring activities.”

Page 3: Designing Effective Financial Controls

Every year corporations lose millions of dollars due to poor internal controls. The failures include inadequate segregation of duties, lax control over vendor master records and incorrect customer invoices. Additionally, poor controls around the flow of data in an organization’s ERP system can result in manual rework to correct improper accounting entries. Taken to the extreme, inadequate controls can result in material misstatements in financial reporting and the associated regulatory submissions.

With the continued guidance of Section 404 of the Sarbanes-Oxley Act, management is required to publish in their annual reports a statement concerning the scope and adequacy of the internal control structure and procedures for financial reporting. Additionally, the company’s auditors must attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting. An investment in strong internal controls is essential for the effective governance and protection of the corporation.

Control Objectives

In designing an effective internal control structure, three objectives must be kept in mind as the controls are designed, tested and maintained. These objectives are:

- Ensure that corporate assets are safeguarded against malfeasance and used only for business purposes,

- Provide accurate business information to management, investors, creditors, regulators and other relevant stakeholders, and

- Ensure that employees comply with all applicable laws and regulations.

With these objectives established, the internal control structure can be developed and maintained using the COSO internal control framework.

The Internal Control Framework

The Internal Control - Integrated Framework report, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), provides a framework that consists of five interrelated components. All of these components must be in place and operating effectively for there to be an effective internal control structure. These five components are:

- Control Environment

- Risk Assessment

- Control Activities

- Communication and Information

- Monitoring

Control Environment

The control environment is the foundation of a company’s internal control structure and is centered on the attitudes, actions and awareness of the company’s internal stakeholders, including the Board of Directors, management and front-line personnel. The level of importance these stakeholders place on strong internal controls will greatly influence the existence and effectiveness of those controls.

The control environment is core to a company’s approach to daily business activities and the way it assesses risk in conducting those activities. According to COSO, control environment factors include the “integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors”.

Risk Assessment

As part of the control structure, a company should have a process in place to assess risk in relation to its corporate objectives. The risk assessment applies to all areas of the company and should involve most activities within the organization. According to the COSO framework, risk assessment is a 3-step process:

- Estimate the significance of the risk,

- Assess the likelihood or frequency of the risk occurring, and

- Consider how the risk should be managed and assess what actions must be taken.

An effective risk assessment system will incorporate both internal and external factors. Internal factors can include people, systems and processes. External factors can include economic developments, regulatory changes and industry advances. It is the responsibility of the company’s management to properly assess risk and then to develop and maintain a program that will effectively mitigate the risks identified.

Page 4: Designing Effective Financial Controls

Control Activities

Control activities are the policies and procedures established by management to ensure that the processes adopted to address risk are actually being carried out. This component of the COSO framework is wide-ranging and includes controls designed to prevent errors as well as controls to detect errors after the fact and enable corrective action to be taken. Examples of preventive controls include segregation of duties and physical controls such as locking down cash. Detective controls are focused on reporting, reconciliations, management reviews and periodic audits to detect errors needing correction.

A key aspect of the COSO framework is its emphasis on information system controls. This includes financial, operational and compliance related systems. All of these systems should have both general and application controls. As the name implies, general controls pertain to all systems and cover issues such as physical access to the systems. Application controls are specific to a particular system and include individual security profiles and business logic that would prevent unreasonable data from passing through undetected.
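The three kinds of control activity named above (a preventive segregation-of-duties check, an application control on business logic, and a detective reconciliation) can be made concrete in code. The following is an added illustration written for this edit, not code from the original document or from its author: the invoice workflow, the field names, the approval limit and the sample bank statement are all constructed assumptions, and the point is only to show where each control sits in a process and what it catches.

```python
# Added example: a minimal accounts-payable model with one preventive control
# (segregation of duties), one application control (business-logic bounds on
# input data) and one detective control (ledger-to-bank reconciliation).
# Entity names, fields, the approval limit and all sample data are constructed
# for illustration; they do not come from the original document.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

APPROVAL_LIMIT = 50_000.00  # constructed threshold for "unreasonable" amounts


@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None


@dataclass
class Ledger:
    invoices: Dict[str, Invoice] = field(default_factory=dict)
    payments: List[Tuple[str, float]] = field(default_factory=list)

    def record(self, inv: Invoice) -> None:
        # Application control: business logic rejects data it cannot accept,
        # so an out-of-range amount or a duplicate id never enters the ledger.
        if inv.amount <= 0 or inv.amount > APPROVAL_LIMIT:
            raise ValueError(f"{inv.invoice_id}: amount {inv.amount} outside accepted range")
        if inv.invoice_id in self.invoices:
            raise ValueError(f"{inv.invoice_id}: duplicate invoice id")
        self.invoices[inv.invoice_id] = inv

    def approve(self, invoice_id: str, approver: str) -> None:
        inv = self.invoices[invoice_id]
        # Preventive control: segregation of duties. The person who entered
        # the invoice may not also be the one who approves it.
        if approver == inv.created_by:
            raise PermissionError(f"{invoice_id}: creator {approver} may not approve own entry")
        inv.approved_by = approver

    def pay(self, invoice_id: str) -> None:
        inv = self.invoices[invoice_id]
        if inv.approved_by is None:
            raise PermissionError(f"{invoice_id}: unapproved invoice cannot be paid")
        self.payments.append((invoice_id, inv.amount))


def reconcile(ledger: Ledger, bank_statement: List[Tuple[str, float]]) -> List[str]:
    """Detective control: compare recorded payments against a bank statement and
    return a sorted list of findings (missing, extra, or mismatched amounts)."""
    ledger_side = dict(ledger.payments)
    bank_side = dict(bank_statement)
    findings = []
    for inv_id, amt in ledger_side.items():
        if inv_id not in bank_side:
            findings.append(f"{inv_id}: recorded but not on bank statement")
        elif abs(bank_side[inv_id] - amt) > 0.005:
            findings.append(f"{inv_id}: amount mismatch ledger={amt} bank={bank_side[inv_id]}")
    for inv_id in bank_side:
        if inv_id not in ledger_side:
            findings.append(f"{inv_id}: on bank statement but not recorded")
    return sorted(findings)


def demo() -> dict:
    """Run all three controls over constructed sample data and return the outcomes."""
    ledger = Ledger()
    results = {}
    ledger.record(Invoice("INV-1001", "Acme Supplies", 1200.00, created_by="alice"))
    ledger.record(Invoice("INV-1002", "Beta Freight", 8450.50, created_by="bob"))
    # Segregation of duties: alice tries to approve the invoice she entered.
    try:
        ledger.approve("INV-1001", approver="alice")
        results["sod"] = "allowed"
    except PermissionError:
        results["sod"] = "blocked"
    ledger.approve("INV-1001", approver="carol")
    ledger.approve("INV-1002", approver="carol")
    ledger.pay("INV-1001")
    ledger.pay("INV-1002")
    # Application control: an amount above the limit is rejected before recording.
    try:
        ledger.record(Invoice("INV-1003", "Gamma Ltd", 250_000.00, created_by="bob"))
        results["app_control"] = "allowed"
    except ValueError:
        results["app_control"] = "blocked"
    # Reconciliation: constructed statement with one altered amount (transposed
    # digits) and one payment the ledger never recorded.
    statement = [("INV-1001", 1200.00), ("INV-1002", 8540.50), ("CHK-7", 300.00)]
    results["reconciliation"] = reconcile(ledger, statement)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The preventive checks fail closed (an exception stops the transaction), while the reconciliation only reports; that mirrors the distinction the text draws between preventing an error and detecting it after the fact so that corrective action can be taken.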

Communication and Information

Communications and information are actually two distinct components of internal control. Information must be readily available to organizational stakeholders and the information must be of sufficient quality that personnel can act on the information, confident that it is reliable. This information should also be suitable for communicating with external stakeholders such as investors, creditors and regulators.

COSO recognizes that information can be both structured and unstructured. Structured information comes from the company’s formal information systems and can be financial, operational or compliance related. Unstructured information can consist of conversations with customers and suppliers.

A strong internal control structure enables communication to flow through an organization, from top to bottom and from the bottom upwards, as well as horizontally through the various departments. These communication channels are created and maintained to ensure that information flows to those departments and individuals requiring information for their financial, operational and compliance related reporting and analysis responsibilities.

Monitoring

Nothing ever stays the same and internal controls are no different. Due to changing factors both internal and external, there is an ongoing need to monitor internal controls to assess their effectiveness and to determine if any changes in the internal controls are warranted.

Monitoring takes two basic forms: ongoing monitoring as part of a company’s continuous operations and periodic monitoring based on specific control objectives. COSO lists various means of ongoing monitoring, which include reviews by management and supervisory personnel to identify errors and make corrections as necessary. It also includes the regular reconciliation of physical and financial assets such as inventory and cash.

In addition to ongoing reviews, it is usually beneficial to conduct periodic reviews of specific control procedures. Although a company’s internal audit group may be involved in the testing and evaluation of internal controls, it is also acceptable for line management to initiate its own review of internal controls and make updates to the control structure as necessary to remediate any deficiencies found.

Conclusion

A strong internal control framework is the result of clear control objectives and a commitment by a company’s Board, management, and employees to create and maintain a strong control environment. It also requires a commitment to properly assess organizational risk, establish and conduct appropriate control activities, generate and communicate timely, relevant and reliable information, and participate in regular monitoring activities.

Page 5: Designing Effective Financial Controls

Key Focus Areas for Effective Internal Controls:

- Control activities to manage enterprise risk

- Information that is reliable and available to stakeholder groups

- Communication mechanisms to convey accurate and timely information to stakeholders

- Monitoring to ensure compliance with internal controls

Page 6: Designing Effective Financial Controls

About Stephen G. Lynch

Steve brings more than 20 years of experience advising global companies on their service delivery strategies. An experienced global consultant, Steve has partnered with clients on five continents to develop and deploy the strategy that leads to superior performance. His expertise spans the domains of organizational transformation, process optimization, shared services, and global service delivery.

Steve previously served in a variety of consulting roles at Ernst & Young, The Hackett Group, CSC, and most recently, KPMG where he served as a Director in the Advisory practice. His focus is on capital intensive industries including energy, industrial and consumer product manufacturing, and pharmaceuticals. His clients include Bristol-Myers Squibb, Johnson & Johnson, Novartis, Ford, Corning, ITT, General Dynamics, BP, ConocoPhillips, The Coca-Cola Company, Sunbeam, and Mattel.

Contact Information

Stephen G. Lynch

+1.972.885.7734

[email protected]