Though the term Internal Controls is widely in use, when I ask young Chartered Accountants “How do Internal Controls manifest in an Organization?”, a comprehensive response has not been generally forthcoming. Hence this attempt.
I like to explain Internal Controls using 5 “P”s. They are Policies, Processes, Procedures, Practices and you can guess the 5th “P”. Otherwise, you will find it in one of the following paragraphs. While all these “P”s serve various purposes, our focus is on their relevance to Internal Controls, and how an Internal Auditor could use them in the discharge of his / her duties.
Policies are an important means of communication, used by the Board of Directors to convey the Organization’s methods of conducting business to the external world and to internal stakeholders. We know that Accounting Policies are included in the published accounts, to help readers understand the basis of preparing financial statements. Policies serve certain other purposes as well. Policies are the first step towards achieving Organizational Objectives. They are relatively permanent in nature, and deserve the attention of the top management. Absence of a relevant policy could be a control weakness. Policies could be grouped under “Corporate Policies” and “Functional Policies”. Examples of Functional Policies are Sales Policies, Manufacturing Policies, HR & Admin Policies, IT Policies and so on.
Let us look at the relevance of a Sales Policy. If you are in the hotel business, with a chain of hotels, there is a need for a Policy on Discounts to Room Tariff. Otherwise the General Manager of each hotel in the chain could exercise individual discretion, which may not be in the interest of the organization. Thus if you are the Internal Auditor of a hotel chain, you could recommend a “Discount Policy” if it is not documented and followed. Similarly, the Internal Auditor needs to review whether all important business aspects are adequately addressed through policies.
Processes help in implementing Policies. Process focus is important while designing Systems, whether computerized or manual. Processes can be classified into Core (Key) Processes that are essential for conducting business, and Processes for Support Functions. For example, if your organization is in the EPC (Engineer, Procure and Construct) business, your core Process starts with receipt of an Enquiry from a prospective customer, and continues through Estimation and Proposal Making, Submission of the Proposal, Negotiations, Bagging the Order, Detailed Engineering, Procuring (placing Purchase Orders), receiving materials at site, Erection, Installation, Commissioning and obtaining Project Closure from the customer. In the same business, support Processes are for functions like HR, Finance, Quality and Administration.
Clarity on processes is essential for all stakeholders, particularly in a setup where different departments are involved. If we look at the material procurement process, an Indent is raised by a User department on Purchase, which in turn releases a Purchase Order. Material is received in Stores, where a Goods Receipt Note (GRN) is prepared. The Vendor’s Invoice is received in the Accounts Department, which picks up the Purchase Order and GRN, matches them with the Vendor Invoice, creates a Payable, and releases Payment. While this process is contiguous, different departments like the User, Purchase, Stores and Accounts are involved. Unless the process is clear to all of them, it would not be feasible to execute transactions, and potential control gaps can be left open.
Procedures are developed from Processes, and serve as a guide or instruction to the operating personnel in the discharge of their duties. Apart from training resources, they could help in practices like Job Rotation. Standard Operating Procedures (SOPs), as they are popularly known, are essential for all medium and large organizations. Well managed companies place a lot of emphasis on documenting SOPs, ensure that all stakeholders get engaged in awareness and implementation, and even include SOP Compliance verification in the scope of Internal Audit. Statutory Compliances are invariably included in Procedure documents.
Even if the best of Policies, Processes and Procedures are in place, if they are not followed in practice, the purpose is not served, and the organization is exposed to potential control weaknesses. Apart from Operating Procedures, Information Security related procedures are generally compromised. Sharing passwords with other employees, leaving confidential material unattended on tables, and employees engaged in the bank payment process sharing their access cards and passwords with others for executing bank transactions, are common security threats. An employee leaves the organization, but his / her access card or signature is not withdrawn from the bank. In some cases other employees impersonate the departed employee and continue executing transactions using the same access card. The Internal Auditor needs to be alert in reviewing such practices.
Well, the last “P” is People, in one way the most important of all the “P”s, since only People implement all the above. Two important elements here are awareness of the relevant Policy, Process or Procedure and willingness to implement it. If I am conducting any walkthrough, I make it a point to observe the case worker executing a task, and make enquiries to know the extent of his / her knowledge of the task being handled and the attitude, whether proactive or under compulsion. Negative signals here are a potential control weakness.
In whatever role you are, whether an Accountant, a Manager or an Internal Auditor, I hope that my article will prompt you to think of Internal Controls in the “P”s I have suggested. For more articles from me please see my Blog at www.operationstomoney.com
Thank you for your attention.
Tulasi S Sastri
© 2015 Tulasi S. Sastri