4 surprising reasons to love internal controls

Creating a strong internal control framework can make your employees and customers happier
August 3, 2022

By Jennifer Eversole, CPA

The mere mention of internal control often conjures images of red tape and bureaucracy, preventing people from getting things done. And understandably so – the word “control” is right there in the name, and generally people don’t like things that try to influence or direct their behavior. Unfortunately, internal control has gotten a bad rap as a necessary evil that disrupts the work that needs to get done. Done right, however, internal controls are immensely valuable to an organization by helping to ensure the company and its teams and employees meet desired objectives.

  1. Control environment. The control environment is the company’s attitude toward risk. It starts with the tone at the top, but permeates through the entire organization.
  2. Risk assessment. Risk comes in all shapes and sizes. Companies have risks outside of areas that we typically think of in terms of internal controls (data breach, fraud, etc.). Organizations face risks such as: employees aren’t properly trained to adequately do their jobs, new products won’t meet market demands, customers will quit using their products or services, or the company won’t have enough cash to meet obligations. Including all areas of risk in the assessment leads to creating the right control objectives to help the business flourish.
  3. Control activities. Control activities are the policies, procedures and actions that are taken to help ensure that control objectives are met. They include things like approvals, authorizations and reconciliations.
  4. Information and communication. Companies need to have mechanisms in place to provide, share and obtain information. That information should be communicated to the right people at the right time.
  5. Monitoring. Internal control frameworks aren’t something that is built and then put on autopilot. The control environment should be continuously reviewed to ensure that the design of the control objectives is suitable to meet the business’s key objectives and that control activities are operating effectively.

Why build an internal control framework?

All companies have internal controls, whether or not they are documented. For example, if a business owner sets the expectation that the last employee who leaves the building locks the door, an internal control has been established. Just establishing the expectation is not enough though. Sometimes information doesn’t get passed on when new employees are hired and sometimes there is room for misunderstanding of informal controls. Formalizing internal controls into a framework is an important step and involves much more than compiling checklists. A complete framework requires detailed analysis and documentation of the five interrelated components listed above. And just as no two businesses are exactly alike, internal control frameworks are unique to each business and can’t be copied and pasted from one organization to the next.

The process of building a complete internal control framework can be both time-consuming and eye-opening because it requires leaders to take a deep dive into the inner workings of their organizations, end to end. However, this exercise is among the most important activities most businesses can undergo. Its purpose is to properly communicate management’s expectations regarding integrity and ethical values, to identify the control objectives that best mitigate risk across the entire organization, to align the right control activities with the control objectives so that everyone knows what to do, to evaluate the framework and use that information for continuous improvement and to have a mechanism to monitor and modify the framework on an ongoing basis.

Not only is building an internal control framework a business necessity to help ensure that risks are addressed in the best way possible, but in today’s world of outsourcing, customers often demand assurance from service providers that their control design is suitable and operating effectively. The assurance can be provided in the form of a Service Organization Controls (SOC) report, in which an independent auditor issues an opinion about a company’s control environment. Building an internal control framework is the first step to obtaining a SOC report.

Surprising side effects of internal control frameworks

In addition to mitigating risk and providing a basis on which to have a SOC report issued, internal control frameworks have many positive side effects that run counter to traditional thinking about internal controls.

1. Employee engagement

It is counterintuitive to think that more internal control would lead to higher levels of employee engagement. It is true that just throwing layers of bureaucracy into a process when something goes wrong without organizing the activities into a framework can demoralize employees. They may not have access to all the information that led up to the introduction of the control, or they may not know how the control activity supports the business’s key objectives. On the other hand, having a formalized internal control framework can boost employee engagement levels in the following ways:

  • Employees will receive communication from management on expectations regarding integrity and ethical values, management’s philosophy and operating style, organizational structure and assignment of authority and responsibilities. This information will give employees parameters in which to make decisions when unexpected things happen, because unexpected things will happen. When employees know what is expected of them, and are empowered to make the decisions necessary to do their jobs, they are exponentially more engaged with the company.
  • Good internal control frameworks align internal control with the business’s key objectives. Every company should take the time to create their mission and vision. Once those are articulated, the important things that need to be done, or objectives to succeed, should be defined. A good set of objectives is relatively short and should come from multiple perspectives. Robert Kaplan and David Norton developed and coined the Balanced Scorecard strategic planning methodology in the early 1990s, which has been widely adopted by many successful organizations across the world since. The Balanced Scorecard methodology suggests viewing success from four primary perspectives: employees, business processes, customers and finances. For example, a company may determine that in order to succeed, it needs to increase employee engagement (employee), implement procedures to more quickly deploy software (business processes), increase customer loyalty (customers) or increase operating margins to generate more cash to reinvest in the company (finances). The control objectives and activities in the internal control framework are closely aligned with the business’s key objectives and move in tandem with them as strategies evolve. This means that employees have a clear understanding of how their own work contributes to the company’s success, which has been proven to increase employees’ commitment to the company.

2. Overall cost savings

By building an internal control framework, companies are also streamlining processes and saving money because things are running more efficiently. Not only that, savings are also realized because things are more often done correctly the first time, thus avoiding costly corrections.

3. Customer loyalty

In today’s business environment, where customers can often defect with the click of a mouse, it is critical that businesses are able to respond to customer needs quickly, completely and correctly the first time. When companies have good processes that are supported by strong internal controls, they have the foundation to give customers the exceptional experiences they demand.

4. Customer confidence

When user organizations outsource business functions to a service provider, the risks of the service organization become risks of the user entities. Organizations that use service providers want to ensure the integrity and security of the system and company to which they are entrusting their data. Having a sound internal control framework on which a service auditor has issued an opinion is a competitive necessity for many service providers.

Summary

With the right perspective, internal controls can be viewed as enablers of a company’s business strategy. When a company defines their key business objectives, internal controls help underpin business objectives and help to ensure those objectives are carried out. The key to a successful relationship between internal controls and business strategy is to formalize the controls into a comprehensive internal control framework, complete with articulation of the control environment, management’s risk assessment and control objectives, control activities, information and communication mechanisms and a monitoring plan.

Jennifer Eversole, CPA, is co-founder and partner at Management Stack, LLC, a technology-based advisory and consulting firm in Roanoke. She is a member of the Disclosures Editorial Task Force.