Internal Control Failures 2009

Straight coming to the point, this case study presents a way of thinking that offers better internal controls, and also helps top management to redirect resources from unnecessary monitoring and evaluation of controls towards creating better, more efficient and more competitive controls.

A large group had recently acquired a medium sized company that had been in financial distress for a long time, changed hands three times, and grown very quickly. The group found out that the controls were abysmal. It thought of putting up strong controls as soon as possible.

One of the big firms was appointed to implement controls that would cover the identified risks, however, while approaching in an usual way, it ignored to implement the kind of controls that would be efficient and that could be implemented in the time available, and reinforce rather than weaken the culture of the company.

The dominant approach has always been long on evaluation of internal controls and short on design and implementation. It is long on post hoc reactions to weaknesses discovered and short on anticipation. There are lists of risks and controls but no overall internal control system design. Mind well, risk is only one of the considerations besides economics, strategic reality, and cultural fit.

The top management went on to debate all the individual control deficiencies identified by the firm and came out with a list of implementation items. The difficult task that had remained for the top management was implementation of the recommendations. But something went wrong thereafter.

Slowly things started to fall behind schedule and some strain was felt. The managers took all the time they were allowed and then a little bit more. At the same time, they gradually become aware that they were not as skilled or as productive at the controls work as they had imagined. The big firm came to help with long shifts, working through weekends, and the implementation was just a few weeks late, but it was over. Hooray!!! Champagne was opened and everyone celebrated. It was a success. We have done it. Work Hard, Party Hard.

Initially there was little or no evidence of things going wrong, but after a short while the first feint indications of problems under the surface begin to emerge. As they were investigated more problems came to light and this eventually revealed a ghastly mess of faulty data, stuck transactions, and lost items. It was too late to go back to backups. Thousands of incorrect cases already existed and the reason this was not visible immediately was that not enough checks were being done. The controls were not in place.

Huge time and efforts were spent again using a different big audit firm, who came out again with more deficiencies in the internal controls. Only difference in the approach was presentation of their reports. The top management again went on to debate all the individual control deficiencies identified and came out with a new list of implementation items. But something went wrong again. No results and waste of efforts too.

It is very simple, when control designing is more time consuming and technically demanding so, the companies should have more people capable of designing and building internal controls than they have for evaluating those controls.

The internal controls experts are not investing enough time for developing better controls but on writing more reports about how good or bad they are. Evaluating controls again and again does not help.

Control weaknesses absorb a lot of evaluation effort, so having better controls first hand reduces evaluation work. So have good controls. It is important to get assurance from direct indicators of controls effectiveness that are designed into the control systems. Large processes and other sources of risk should be monitored using controls effectiveness indicators such as error rates and backlog statistics. Well designed systems of internal control include and use such statistics. This is not possible for risks that crystallize less frequently. For these there is no alternative but to judge effectiveness from whether the controls appear effective in relation to the perceived risks.

The job of top management is to direct resources appropriately towards the activities that need to be done including design, development, testing, implementation, and operation of controls as well as evaluation.

Top management should study the factors that indicate resources are needed and should not focus on risks alone. Companies need to have sufficient skilled resources to carry out the whole process from design to evaluation. Resources need to be rebalanced towards design and implementation and away from evaluation. Reduce your cost of monitoring now. Happy New Year 2010.