A high degree of indifference
Whenever you utter the words "internal control" in an environment where COSO is not a household word, you are likely to be confronted with a number of reactions, ranging from boredom over surprise over fear back to complete indifference. Overcoming that reaction is one of the key prerequisites for a successful further development of internal controls in any environment. So let's try to understand some of the underlying reasons for these diverse but not necessarily positive reactions.
High cost, no tangible value?
One of the root causes are expectations regarding internal controls. Implementing internal controls takes a considerable amount of time and means. In exchange for time and means there is an expectation of finding a measurable added value. However, most internal controls do not directly add any measurable value. They only become relevant and prove their value if and when things go wrong. And even then, most internal controls reduce the direct exposure to the impact of the problem. And that's their role, nothing more and nothing less.
That nicely brings us to the second reason, closely linked to the first: what is the cost-benefit ratio? Implementing internal controls most often occurs under pressure from an external source, such as a supervisory structure, an internal or external auditor, a finance inspector, a commissioner to the government, the Court of Auditors … and their point of view is one of control, with less attention being given to the cost side of the equation.
We often find the management team of an organisation under pressure to invest in internal controls against their will, because of external pressure and without much of an expectation of a measurable benefit. As a result, these investments are not really a key priority to this team. As a result, internal controls will be implemented in an incremental fashion, without integrating the controls in processes or linking the controls to one another. This makes these controls often far to easy to bypass or eliminate all together. The already contested added value decreases even further.
Internal controls may be implemented, but they are never really owned or even liked or loved in these circumstances. At the end of the day, internal control becomes the Cinderella of process organisation: hidden, never to come out. And that is a missed opportunity.
The underlying reason for internal controls development
Because what are internal controls really all about? What we aim to achieve is to ensure (within certain limits) the health of a process in an organisation. Our aims are pretty much comparable to what quality management has been working on.
Our origins differ. Quality management was born in production environments while internal controls development saw the light of day in finance and reporting. In essence however, there are few differences. The only real difference is the point of view, the difference in perspective on what in essence comes down to the same challenge: how do we make sure that we develop the best possible product or service with as few problems as possible along the way.
The biggest challenge usually is to identify the correct solution for the specific problem we're trying to address. In order to do this in the most effective manner, we need to dare let go of our dogmatic adherence to a perspective, be it internal control, quality or whatever else exists. We need to look at the challenge from the reality of the user or the person who is responsible for the issue we're trying to address. Once we have clarified the problem, then we can start looking at what framework is best for solving that particular problem. And the best possible way of achieving that is to evolve towards a common approach for risk identification and analysis. ISO 31000 is a clear and welcome step in that direction.
Making it concrete
Let's make this as tangible as possible: let's examine three scenarios, each with a quality approach and an internal control based approach. Up to you to decide which one is most relevant.
Scenario 1 - decreasing client satisfaction
Let's assume a risk assessment has identified a significant decrease in client satisfaction as a key risk.
A quality based approach will develop standardised procedures which aim to minimize deviation in service delivery. Internal controls development will develop a process to timely identify unacceptable deviations as early as possible in the process.
The two approaches are highly complementary and add value to each other.
Scenario 2 - key personnel approaching retirement
Let's assume a risk assessment has identified the organisation is at risk of losing an important part of its competencies because of the existing age distribution, with key personnel approaching the age of retirement.
A quality approach will develop functional descriptions which link into task and process descriptions, while internal control will focus on knowledge management systems builds.
Again, both approaches are highly complementary, in that they focus on retaining and structuring the information.
Scenario 3 - strategic indicators using erroneous information
Let's assume the risk assessment indicates that there is a risk of key indicators being fed with erroneous information. A quality based approach would focus on developing a balanced scorecard, while internal control will develop risk indicators.
Both approaches complement one another.
Internal controls are not well understood. Quality often is more accessible and better understood. As both approach complement each other well, quality can be used to allow for internal controls to ease their way into processes, without the usual resistance.