The basics still matter for effective internal control

The basics still matter for effective internal control

The Securities and Exchange Commission filed a flurry of enforcement actions in January that centered on ineffective accounting controls. Those cases always offer interesting glimpses into how corporate accounting can go wrong—and they also remind us of the fundamental reasons why internal control goes wrong.

Despite the wide range of risks, accounting systems, and control failures, things usually go wrong because of flawed human nature and flawed communication.

That’s why, as much as the compliance and audit community might like to gab about control activities, testing, evidence, and monitoring—at the end of the day, the control environment is still what matters most.

In one example, the company admitted that it had booked invoices as revenue before its client had agreed to accept them. Why did the early booking happen at all? Because executives in one business unit wanted to hit year-end performance bonuses.

Worse, some employees in that offending business unit did call the company’s ethics hotline, but in-house investigators didn’t understand the company’s billing processes. They wrongly concluded that no misconduct had happened.

Another example comes from a manufacturer that agreed to pay a fine because its team investigating product failures didn’t communicate with the accounting team clearly enough, to let the accounting team record accurate contingencies for a possible product recall—which, eventually, did indeed happen.

What’s really amiss when someone alters invoices to hit a bonus? If you skim the principles of the COSO internal control framework, the answer jumps out—a failure of Principle 1: “The organization demonstrates a commitment to integrity and ethical values.”

Likewise, when investigators misunderstand a report of misconduct, that’s a failure of Principle 4: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.”

Along similar lines, which principle breaks down when the urgency of a risk isn’t clearly conveyed from one part of the business to another? Principle 14: “The organization internally communicates information … necessary to support the functioning of internal control.” That’s a failure of information and communication.

All the control activities in the world—the policies, the IT controls, the testing, the mitigating controls—won’t tame a company’s audit and compliance risks if the control environment is weak or the information and communication don’t work. Those two components are the oxygen that surround your control activities. When you don’t have enough oxygen to breathe, everything you do requires more effort.

Remember the humans

For a compliance and audit enthusiast, failures in the control environment or in information and communication are fascinating because they’re failures about people. You don’t just need to review control testing or documentation; you need to examine the company’s values. You need to study its culture and the messages sent to employees. You need to understand how people interpret and follow the company’s rules. That’s challenging and engrossing all at once.

Even complex internal control systems can be subverted by the simple motive of greed: executives wanting to hit a performance bonus. And while a company might have ethical employees in some parts of its organization (like our example above, where employees did call the ethics hotline), a company still must be able to harness that ethical rigor (when followed up, they misunderstood the workflow processes they were investigating).

Lapses in communication, meanwhile, are problems more about “compliance at the border”: that point where a risk or compliance concern transits from one part of the organization to another. The fundamental issue might be the same (say, a product recall), but the first team doesn’t present the issue in a way the second team can appreciate (estimating the recall’s scope, versus accruing contingencies to pay for it).

That’s not always the fault of the teams themselves. The larger a business is, the more complex its structures are and the more “border crossings” it has. Communication takes longer; messages become more formal. Management reviews arise. Needs and obligations aren’t conveyed clearly. Whatever the cause, the result is the same: misunderstanding.

Challenges like these aren’t easy for compliance and audit executives to solve. Yes, you need independence, to ask possibly uncomfortable questions about a company’s values—or worse, about specific employees’ values.

You also need good people skills, and not just to assess someone’s character or competence accurately. If you want to design effective controls for issues that cross multiple borders or to nurture a strong control environment, you need to understand how employees behave and interact. That will be far more important than any technical review of a system’s access controls.

The plain truth is that most ineffective accounting controls are ineffective because they don’t withstand the two most dangerous forces in business: bad actors and people who misunderstand what’s in front of them. So while we should all be fans of robust control activities and shrewd risk assessment, it’s still all about human nature.

Matt Kelly

About the author

Matt Kelly
Matt Kelly is an independent compliance consultant who studies corporate compliance, governance, and risk management issues. He maintains a blog, RadicalCompliance.com, where he shares his thoughts on business issues and speaks on compliance, governance, and risk topics frequently. Kelly was named as "Rising Star of Corporate Governance" by the Millstein Center for Corporate Governance in the inaugural class of 2008 and named to Ethisphere’s "Most Influential in Business Ethics" list in 2011 (no. 91) and 2013 (no. 77). Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Mass., and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.