At its simplest, the dictionary defines risk as “the possibility that something bad or unpleasant (such as an injury or a loss) will happen.” Just as each individual has his or her own risk tolerance that influences behavior, every company has its own unique risk profile based collectively on management’s tolerance and priorities. There are multiple strategies a company can use to reduce its risk exposure, but the strongest mitigation strategy is one that is proactive, risk-aware, control-minded and based on a solid internal control foundation.
According to the Committee of Sponsoring Organizations of the Treadway Commission (a joint initiative dedicated to providing guidance on internal control, enterprise risk management and fraud deterrence), internal control is “a process, effected by the entities’ Board of Directors, Management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting and compliance.” By its very definition, internal control must be co-developed and supported at the highest levels of the organization. But where does a business start when developing internal controls? Let’s take a look at the three essentials of a well-designed internal control structure: people, processes and technology.
Key #1: People
Internal control is not merely about policy and procedure manuals, systems and forms. At the most basic level, it has a human element that cannot be overlooked. The people in your organization and the actions they take at every level can affect internal controls. Having well-designed internal controls is only part of the solution – if they aren’t executed successfully, their benefit diminishes rapidly and can ultimately leave the company in a vulnerable position. That’s why it is essential that senior management sets the tone at the top and is involved in the development and ongoing monitoring of the internal control system. Be sure to involve staff through ongoing training and accountability assessments.
Key #2: Process
Internal control is not a once-and-done task; it is a process consisting of ongoing thoughts, actions and activities. It is important to recognize that internal control is a means to an end – a more secure and prepared company – not an end in itself. Integrating controls into your everyday activities helps your company achieve its objectives. Approaching internal control as an ongoing and dynamic process, just like your business, allows it to provide reasonable assurance to senior management and the Board of Directors. Absolute inoculation from risk simply isn’t possible or even desired in today’s fast-changing economic environment, but having internal controls “baked in” to your everyday processes is key to mitigating risk while minimizing redundancies and administration costs.
Key #3: Technology
Technology is an integral part of business in today’s world. In a society where modern technology entails the regular exchange of access and convenience for security, it can be daunting for companies to understand the part internal controls play in systems. Add in the increased savviness of criminals and it’s no wonder that technology risk has rightfully risen to the top of management’s concerns. While mitigating risk across multiple solutions requires the expertise and guidance of technology specialists, there are several basic tasks every company should complete as part of its internal control process. If not already underway, be sure your IT staff or third-party IT support provider incorporates the components below:
- A protected network is essential for maintaining information security.
- Each computer connected to the network needs antivirus software installed, along with the latest software updates.
- Firewalls must be active and regular scans should be run to ensure protection.
- Frequently monitor the network and system logs for possible vulnerabilities.
- The network administrator should consistently check for software upgrades and patches to protect against potential threats.
Does your business have a solid internal control foundation? RKL’s Business Risk Services team can help assess current processes or improve weak controls. Contact one of our offices today to get started.
Contributed by Bethany A. Novis, CPA/ABV, CVA, CFE, a partner in RKL’s Business Consulting Services Group. Bethany specializes in risk management, fraud investigation, business valuation and litigation services. In addition to being a licensed CPA accredited in business valuation, she holds designations as a Certified Valuation Analyst (CVA) and a Certified Fraud Examiner (CFE).