Core concepts in internal control
Central to the various corporate governance rules and regulations is the quality of internal control.
According to the corporate governance codes, corporate management has to assess whether it controls the company in such a way that the annual or quarterly financial reports are reliable to such an extent that external stakeholders can base their decisions upon these reports. External stakeholders can be divers: shareholders for example study financial reports to see if they want to reduce or enlarge their interest, banks calculate metrics to approve or reject loan requests, and suppliers use the financial statements to investigate whether their counterparty in a business transaction is creditworthy.
Corporate management gives an assessment of the quality of the company’s internal control in a specific statement that is part of the annual report, the so-called in-control-statement. In below image, the in control-statement of the company TNT from the annual report of 2006 is presented.
Before the relationship between ERP and internal control is discussed, essential concepts from the domain of internal control are explained. The first important concept is process cycle, a recurring set of business activities including the associated information processing. Within a process cycle, one or more processes exist. A process is a set of actions, manual or automated, again including the associated information processing. An example of a process cycle is the revenue cycle of an organization, which typically includes the processes order intake, order picking, packaging and shipping, invoicing and collection. An extensive description of process cycles can be found in standard text books, such as Romney & Steinbart [2000].
A company is in control when all separate process cycles are in control [Starreveld et al., 2002]. A process cycle itself is in control when all of its processes are in control.
A second important concept in internal control is risk, which in the domain of corporate governance is denied as the potential occurrence of an event that negatively impacts the reliability of the financial statements6. An example may clarify this. A risk in the revenue cycle is open invoices. If a large customer goes bankrupt and does not pay its invoice, the accounts receivable position on the company’s balance sheet may no longer be reliable, and as a result the company may no longer considered be in control.
A risk can be mitigated or even fully prevented by one or more risk mitigating measures or controls. In order to clarify this concept, the above revenue cycle example is continued. In order to reduce the risk of bad debt, an organization can implement several controls. One control could be to ask a creditworthiness report for every customer and reject orders if the report gives a negative outlook; this control reduces the risk. Another control could be to force the customer to pay in advance; this control completely prevents the risk.
Three classes of controls can be distinguished: organizational controls, physical controls and specific control activities. An example of an organizational control is the creation of an opposing interest. The risk that the products in the warehouse of an organization do not meet the quality requirements can be mitigated by using the opposing interest between the production manager who delivers goods to the warehouse, and the warehouse manager accepts goods for storage in the warehouse. The production manager wants to be able to prove that goods that have been produced meet the quality requirements, while the warehouse manager wants to be able to be sure that only goods that meet the quality requirements are stored in the warehouse. At the receipt of newly produced goods in the warehouse the managers have an opposing interest. he measure that mitigates the risk of products shipped from the warehouse that do not meet the quality requirements can be mitigated by a quality inspection at acceptance in the warehouse, which is signed of by both the production manager and the warehouse manager.
The second class of controls consists of physical controls. An example of a physical control is access control. The risk of damage or that of goods or documents by unauthorized access can be mitigated by porters, vaults, locks and keys, fences or other physical controls.
The last class of controls comprises specific control activities. An example is the four eyes principle.
Changing bank account numbers of suppliers or employees has a high error or fraud risk: if the wrong account number is entered, the organization will make payments to unintended bank accounts. He four eyes principle means that changes to bank account numbers are entered by one person while the another person checks the accuracy of the input.
Controls can also be classified by strength that is the extent to which they mitigate the risk. The strongest controls are preventive: they prevent the adverse event from happening. Weaker controls only discover the event after it has happened. These weaker controls are called detective, as they can only detect and mitigate the impact of the adverse event once it has taken place.
Finally, controls can be classified by the way they are carried out. his can be manual or automated. An example will clarify this distinction. In order to reduce the risk that an invoice is paid while no goods or services have been received, most companies let budget owner’s sign of invoices before payment. A manual control for this risk is that after the receipt of a paper invoice, the accounts payable department sends it to the budget owner by internal mail who checks the invoice, signs it of with a pen, and sends it back to the accountants payable department, who prepare a payment transaction.. The same risk can also be mitigated in an automated way: invoices are received electronically, an automated workflow application determines the budget owner and forwards the invoice to the budget owner, who signs of the invoice electronically, ater which a payment transaction is prepared automatically. Automated controls are executed mainly by hardware or software and to a lesser extent by human beings [Weber, 1999].
Frequently-used automated controls are boundary controls, such as authorization and encryption, input controls, such as input validation and context-specific menu options, processing controls, such as audit trails that register who has created, updated or deleted a transaction, and output controls, such as printer selection.
After process cycle, process, risk and control, a final important concept from the internal control domain is evidence. Evidence is the auditable confirmation that a control actually has been carried out. As an example: evidence for creditworthiness checking to mitigate the risk of bad debt is stored copies of the creditworthiness reports.
Risks do not always materialize, and it is therefore not always easy to prove that controls are effective. In order to be able to prove that controls are in place and that therefore an organization can be considered in control, the execution of controls is often audited through testing. Testing controls consists of checking the evidence that proves that a control has actually been carried out.
For every risk, numerous controls can be designed. Overviews of risks and matching controls for many business processes have been described by the Committee of Sponsoring Organizations [COSO, 1994,
2004]. Fort automated controls; the sizeable textbook written by Weber [1999] can be consulted.
Which control an organization decides to implement depends on the impact that the risk has when it materializes, the costs involved in implementing the controls, and the strength of the controls. In recent years, automated controls have become more and more popular. They are often preventive and therefore stronger than manual controls, they are generally cheaper to implement, and they are easier to audit [Sneller & Langendijk, 2007]. For this reason it is advised to use automated controls where possible to increase the deficiency and effectiveness of internal control.