One of the responsibilities of management is aid the creation, reporting and preservation of organizational value. In most cases, the management team struggles because of implementation of poor internal systems.
Having an effective internal control system that manages risk and reduces the risk of business failure is important for organizational value creation and preservation as well as driving business performance. Implementing effective internal control systems helps identify opportunities and counter threats.
It is therefore important for management and their subordinates to understand that internal controls form an integral part of the organization’s enterprise risk management and governance system. Finance should play a leading role of applying effective internal control systems. The team should be involved in the design, implementation, monitoring, evaluation and improvement of the organization’s internal control systems.
By having an effective internal control system, the organization is able to enhance its competitive advantage. This is so because ERM and internal control are two sides of the same coin. ERM helps identify threats and opportunities that the organization is exposed to, while controls help effectively counter threats and take advantage of opportunities. Ineffective and flawed internal control systems often lead to unsatisfactory business performance. This often happens because ERM and governance are run separately in silos and as a result management are unable to fully comprehend the various risks the business is exposed too.
In today’s volatile and constantly changing environment the achievement of business objectives is impacted by many variables, often outside the organization’s direct control. Because of this, ERM and internal controls should be integrated with the organization’s governance, strategy and operations. It is therefore no longer advisable for management to focus on the implementation of financial controls only but also non-financial controls that relate to operations and external circumstances if they are to successfully execute strategy and drive business performance.
To drive this integration forward, management need to ensure that the organization’s internal control system supports the business in achieving its objectives by managing risks, while complying with rules, regulations and the organization’s ethical framework and policies. They must regularly communicate at all levels of organization the values of the organization with respect to governance, risk management and internal control to ensure that its principles are fully understood and correctly implemented throughout the organization.
In addition to supporting the organization’s objectives, it is also important that management create and support a culture that inspires employees to act in accordance with ERM strategy and internal control policies. This means top management setting the tone for enterprise wide acceptance for example by creating clear roles and responsibilities with respect to ERM, governance and internal control; drafting and implementing effective whistle-blowing procedures; following up on control weaknesses or failures and providing sufficient resources and training to carry out internal control.
If the management team shows no concern or lacks interest of designing, implementing, evaluating and improving internal controls the chances of wider acceptance are slim to nothing. It is therefore that management walk the talk otherwise their words will disappear into the thin air. Improving the organization’s internal control system also requires regular monitoring and evaluation of the existing internal control system. The importance of the control, nature of the control and history of control failures among other things determines the frequency of the monitoring and evaluation process. Periodic monitoring and evaluation of the existing internal control system helps identify unacceptable high levels of risk, control failures or events that are outside the organization’s risk appetite and tolerance levels and need improving.
Management should therefore know fully the effectiveness of their organization’s controls and also regularly report to the various stakeholders the business risk profile as well as the structure and performance of the implemented internal control system. Sometimes an individual control will be working effectively and other times it needs to be made redundant and a new one designed and implemented. It is therefore important to ensure that individual controls are evaluated in relation to how the overall internal control system is supposed to work. An effective internal control system should be able to timely detect deficient controls or control failures.
Some of the causes of control failures and weaknesses include inability to keep pace with the changing business environment; poor risk analysis; inappropriately designing controls and lack of resources to fully support the design, implementation, evaluation and improvement of the existing internal control system. Internal controls should always respond to the organization’s risk profile. In other words, internal controls must be designed, implemented and applied as a response to the specific risks the business is exposed to, their causes and consequences on business performance and organizational value.
To sum up, by aligning internal controls and risk, management are able to decide which type of controls (managerial, transactional, preventive, manual or automated) to implement as well as their suitability relative to the organization’s size, structure and culture. In addition, periodically conducting proper risk assessments, evaluating existing internal controls system and designing new control systems can assist the management team to make informed decisions about the level of risk to take as well as implement the relevant controls capable of supporting the achievement of organizational objectives and driving business performance.