In January this year, concerns over the contamination of meat products hit the headlines in Ireland and the UK. Since then, the scandal has spread right across Europe and shows no sign of abating.
When questioned by UK Members of Parliament (MPs) in March, the head of the Irish beef processing company at the centre of the furore admitted that there had been a breakdown in the company’s internal control. Managers had used meat that was bought from suppliers who were not on an approved list.
Internal control usually makes it into the world’s headlines only when it fails to do its job. Likewise, it usually gets an airing in the board room only when something has gone wrong. In fact, ask executives for their views on internal control and most will have an apathetic response at best: It’s a necessary nuisance; it requires discipline, compliance and adherence to rules; it makes our processes and structures static and inflexible.
This perspective doesn’t resonate with the fluid and fast-changing environment of modern business. The traditional view is that internal control is about checking and controlling the business environment for known factors. How does that support the creation of resilient strategies capable of dealing with the unexpected?
In May 2013, an updated version of one of the first frameworks to address internal control was released. The update to the Internal Control – Integrated Framework by the Committee of Sponsoring Organizations (COSO¹) provides a timely opportunity to challenge how organisations approach internal control. Its revisions in a number of areas should prompt business leaders to ask themselves: Who is really accountable for internal control? Does our internal control system underpin the achievement of our most important objectives? Is there a way for internal control to stimulate rather than stifle agility? In short, is it time for a fresh look at internal control?
COSO’s original framework was launched back in 1992. Its predominant focus was financial reporting, rather than other areas, such as operations, compliance and non-financial reporting. Moreover, it tended not to be applied in a way that took account of the enterprise as a whole, including outsourced service providers and business partners. As a result, the evaluation of internal control has often only been based on a partial scope of what it really covers.
There has been a growing recognition that expectations of internal control needed to better reflect the complexity and more global perspective of today and tomorrow’s business environment. The table details some of the changes reflected in the Framework Update — it’s an evolutionary, rather than a revolutionary, change.
The main focus of the updates is not so much the individual components of internal control, but rather how they interact and their capacity to adapt. Importantly, the scope of the reporting objectives has been broadened to take greater account of what stakeholders expect to know about.
As the European horse meat scandal shows, effective internal control requires more than control over financial reporting. Organisations need enhanced internal control that spans operations and compliance and encompasses the 'extended enterprise'. The broader view of the control system and a greater scope of what it monitors outlined in the updated Framework allow business leaders to reduce the risk of control weaknesses in one area impacting operations in another. These and other changes in the updated COSO Framework lay the foundation for business leaders to design an internal control system to underpin more resilient strategies.
So how does internal control operate in your organisation? Empowering, dynamic and value-creating? Or restricting, static and value-preserving? How does it keep pace with your business needs and help you control the risks of today and tomorrow? There is no one-size-fits-all internal control system, nor should there be. It can take different shapes depending on the size and type of company, growth rate or maturity, industry or operating model, tolerance for risk and reliance on technology. Nonetheless, all organisations can benefit from taking a fresh perspective. Here are three perhaps counterintuitive perspectives that might help you get greater value from internal control.
"Lessons learned from all too many corporate failures and scandals point to the lack of ownership of the controls that mitigate the risks of achievement of the organisation’s objectives. The cornerstone of internal control is a shared vision and commitment to doing what is right at all levels of the organisation as well as with supply chain partners."
With internal control, there is always one ‘right way’, right? The traditional view is that internal control takes the decision-making power out of the hands of individuals in the organisation. Internal control procedures reduce process variation; they should be followed and boxes should be checked to help ensure predictable outcomes.
A more strategic view acknowledges that the unpredictable does happen — and prepares for it. When it does, your employees need to judge the right thing to do and have the means to make sound decisions. An effective internal control system enables this. As Principle 1 in the updated Framework underlines, this starts with a clearly demonstrated commitment to integrity and ethical values right from the top of the organisation through to its operating heart — the ‘middle of the organisation’.
The European horse meat scandal again highlights the dangers of a seemingly widespread lack of commitment to integrity and ineffective monitoring of what really matters (product integrity as well as financial reporting and the achievement of financial goals). The growing complexity in the supply chain enabled individuals to exploit breakdowns in the control system, allowing horse meat to be re-labelled and sold as beef. The result was a disrupted supply chain, withdrawn products, fraud investigations and plummeting revenues. The longer-term impact is lasting damage to the reputation of the entire meat-processing industry.
Once the tone at the top is clear, success or failure in internal control depends on how it is adopted on a day-to-day basis. Making all individuals accountable for their internal control activities (as stated in Principle 5 in the updated Framework) is critical here, and underpins the empowerment of employees. To be accountable, though, the individual should:
This illustrates the interdependence of the five components of internal control, which the updated Framework describes through 17 principles expected to be present and functioning, and requires a more strategic approach at the outset.
Accountability should reach beyond the immediate confines of the organisation to the extended enterprise as your business seeks to protect and strengthen its brand.
Empowering people to take control within agreed parameters helps them navigate daily complexities. It also makes sure they’re ready to respond at critical moments rather than risk the delay and confusion of relying on others.
What is the impact of new technology on internal control? In a previous article, "The Dark Side of Connectivity", we highlighted the need to learn new ways to behave and new ways to cope with human behaviour to create a safe cyber world.
Cyberspace lacks the natural and instinctive resilience of our physical society. In the physical world, risks and likely consequences are relatively visible and can be kept in perspective. However, in the cyber world, working online in comparative safety gives a false sense of security. Potential risks are neither realised nor matched by appropriate caution and behaviour.
At the same time, we have not had the chance to design our systems to reduce risk in a way that takes these changed human behaviours into account. This includes internal control systems. How can these systems be adapted to monitor and control what employees might be saying about your organisation in different social media, for example? Or what hacking attempts are made on its systems? Or how issues are identified and escalated? Cybersecurity decisions indeed involve much more than technology management — they involve “a process, effected by people at every level of the organisation to provide reasonable assurance to senior management and the board of directors around the ability to achieve specified objectives”; in other words, internal control, as COSO defines it.
“The discipline of grounding internal control evaluations in current or emerging strategy and objectives is key to helping ensure that relevant information is communicated and helps management anticipate and address the issues of tomorrow.”
The traditional view is that internal control is focused on the past and consists of checking procedures and data that fortify the reliability of its financial reporting. It can be seen as a necessary nuisance and is often treated as a box-checking activity.
But that’s missing a trick. Aligning internal control with the organisation’s most important operational, reporting and compliance objectives will support their achievement in everyday activities and decisions.
First, specify objectives with sufficient clarity to allow the related risks to be identified and assessed. This is the essence of principles 6 and 7 in the updated Framework. While effective internal control can’t guarantee that objectives will be met, it provides timely information or feedback on progress towards operational, compliance and financial performance goals. Your management can then take action to keep things on track.
For instance, you might have operational quality objectives, using low defect rates and high customer satisfaction to measure progress. The internal control system underpins this objective by ensuring:
The benefits of aligning key objectives with the system of internal control go beyond their short-term realisation. You can report on progress towards them with greater credibility. With a more robust set of data on which to base performance reporting, your board can enhance the information it shares with your stakeholders. Shareholders, for example, have been shown to pay a premium for being better informed about an organisation’s progress towards its wider objectives and obligations.
One Scandinavian pharmaceuticals company has “balancing financial, social and environmental considerations” as part of its business philosophy. Commitment to that philosophy drives its corporate reporting, which then requires that even non-financial information is subject to formal controls. The company became one of the first to publish an integrated financial, environmental and social report. A partner at one investment management company stated that non-financial information included in this integrated report was “critical to his ability to understand the organisation’s real risks”.
“A hard look at business objectives is essential for ensuring that the right controls are in the right places and continue to add value to the business. However, the business environment is anything but static. A dynamic internal control system may prompt rethinking the business model.”
The traditional view of internal control is that it creates a rigid structure restricted by a static set of rules and processes. It stifles agility, innovation and business change. The perception is that internal control systems don’t keep pace with the changing business environment, making them lag behind what the business needs of them.
The strategic perspective, on the other hand, understands that an effective internal control system is adaptable and able to keep pace with changes in the business environment. Since it monitors business changes and their impact on risks to the organisation, it remains relevant, keeps operations running smoothly, enhances agility and ultimately enables business leaders to make the right strategic decisions.
Market expansion is an area where strong internal control can contribute to the right strategic decisions. Not only does it underpin the reliability of data needed to make risk-informed decisions on market entry and to determine when market exit may be necessary, but it also constantly monitors market presence risk. Operating in a new and unfamiliar market demands additional efforts to collect data and to manage a new, external risk set, while at the same time dealing with internal, operational and business risks that companies have to manage as they expand. Getting reliable data in developing markets can be especially difficult. The understanding that an organisation’s headquarters has of conditions in a new market can often be different from what local managers see. An effective internal control system will help to facilitate that dialogue and enable the correct strategic choices. There have been instances in recent years where exposure to bribery and corruption has caused several international manufacturing companies to stop doing business in certain countries. Unable to implement the level of control needed to mitigate these risks, the risk management decision has been to exit the country.
A fast-growth technology company maintained agility in its internal control throughout its rapid expansion by monitoring in real time. Front-line operations staff, support functions and independent reviewers, who understood the links between internal control and achievement of the company’s objectives, were empowered to challenge the control environment. As the company started to do business in more countries and become more complex, it engaged in a dialogue on risks and changes affecting the organisation. Management revisited operating models and business processes, dug beneath the surface to make sure they were operating with the necessary management information and refined their control and monitoring activities.
There is a strengthened focus on change in the updated Framework. Principle 9 states that the organisation should assess changes that could significantly impact the system of internal control, including changes in the external environment, business model and leadership. One example comes from the banking sector when a particular bank offered clients more than 70 loan modification options. A crisis in the industry flagged the complexity of managing so many different scenarios, which impeded the bank’s ability to monitor the multitude of risks. This prompted the bank to revisit the costs and benefits of providing so many options to its customers, assess related operational quality issues and analyse the competitive landscape. It found that other leading players had streamlined their offerings to 40 options and were gaining higher customer satisfaction and performance ratings.
And the framework cautions against assuming that “no news is good news”. Principle 16 says that an organisation should select, develop and perform ongoing and/or separate evaluations to make sure that the components of internal control are present and doing what they should.
During the latest economic downturn, many companies downsized operations and outsourced certain activities — in particular in the banking and telecommunications industries. Of course, they were still responsible for delivering expected operational quality, compliance and transparency. The challenge has been ensuring that knowledge about significant controls, and the controls themselves, hasn’t disappeared during the lay-offs. As the scope and scale of operations change, organisations need to keep on top of right-sizing internal control relative to risk exposures and reallocate resources accordingly.
Understanding the changes to the updated COSO Framework could pave the way for a more strategic view of internal control. However, this strategic perspective needs to be converted into a nimble and agile internal control system to make sure it provides a firm foundation for resilience.
It’s important for your board to communicate its commitment to ethical values and integrity in business. It’s also important that all employees feel empowered to do the right thing and are rewarded for mitigating risks to your organisation’s obligations. Leaders in turn feel the comfort of shared accountability for, and ownership of, internal control.
“Resilience accepts shocks will occur and the organization’s power of response is as important as its power of control.”
Further priorities include making sure the internal control system is aligned to your organisation’s most important objectives and making sure there is a dynamic process for change management. As the business environment shifts, emerging issues are identified and communicated quickly. In this way, timely decisions can be taken that keep your organisation on course towards its objectives — even in times of change or uncertainty. Shareholders receive enhanced information on progress towards non-financial as well as financial objectives. Internal control is not burdensome. It is agile, nimble, right-sized and monitored so that it continues to do its job.
Is this what your organisation is seeing and, if not, how can you put internal control on track?
¹The Committee of Sponsoring Organizations (COSO) was formed in 1987 and issued its original Internal Control – Integrated Framework in 1992, which has become widely used by organizations across industries in the US and internationally. It was endorsed in 2004 by the SEC as a framework to support compliance requirements around internal control over financial reporting, but has also been applied in spheres of operations and compliance. PwC is a co-author of the original and the updated frameworks.