Internal Controls – The end game

Remember the shockwaves sent through the business world when the ‘too-big-to-fail giant’ crumbled? From the downfall of the corporate giant Enron in 2001, to the implosion/fraudulent practices of the health technology company Theranos in 2018, to the collapse of the cryptocurrency exchange FTX. These are stark reminders of what happens when internal controls fail. Each of these companies, despite being leaders in their respective fields, share a common central theme: weak internal controls.

Internal controls are not confined to financial institutions; they are essential for the success and longevity of any business in any industry— aerospace, healthcare, engineering, manufacturing, energy, telecommunications and so much more. Internal controls can mean the difference between patient safety and catastrophic errors in the healthcare sector. In manufacturing, they ensure product quality and compliance with safety standards. Strong internal controls are the secret ingredient to a company’s success. Without them, businesses are vulnerable to fraud, inefficiency, financial instability, hefty fines, and most critically, reputational damage.

In theory, internal controls are defined as “the policies and procedures implemented by an organization to ensure their financial reports are reliable, operations are efficient, and activities are compliant with applicable laws.”  However, this formal definition understates the pervasive nature of internal controls. When viewed through a more personal lens, “internal control is us.” It encompasses every action we take, every process, and every system that safeguards an organisation’s integrity, protects its assets and drives its success. From the simple act of locking a door to secure physical assets to the complex algorithms that prevent cyberattacks, internal controls are the invisible framework that underpins every business operation.

Myths	Realities
Internal control starts with a strong set of policies and procedures	Internal control starts with a strong control environment
“Internal control – that’s what I have internal auditors for!”	Management is the owner of internal control
“Internal control is a finance thing. We do what the Controller’s office tells us to do.”	Internal control is integral to every aspect of the business
Internal control is essentially negative, like a list of “thou shall not’s”	Internal control makes the right things happen the first time – and every time.
Internal controls are a necessary evil. They take time away from our core activities – making products, selling, and serving customers	Internal controls should be “built into, not onto” business processes
With downsizing and empowerment, we have to give up a certain amount of control	With downsizing and empowerment, we need different forms of control
If controls are strong enough, we can be sure there will be no fraud, and financial statements will be accurate	Internal control provides reasonable, but not absolute assurance that the organization’s objectives will be achieved

An effective internal control system will have two basic types of controls – Detective and Preventive, as each serves a different purpose.  As you perform routine processes, or when you are thinking of implementing a new procedure or process, it is important to ask the following questions to help determine the appropriate control:

• What could go wrong?
• What steps have been taken to ensure that something does not go wrong?
• How can you verify that nothing went wrong?

The answers to these questions will enable you to better target the type of control that is needed.

Preventive controls are designed to prevent errors or irregularities from occurring in the first place. Examples include segregation of duties, policies, and procedures. Whereas detective controls are aimed at identifying errors or irregularities after they have occurred. Examples of detective controls include reconciliations, audits, and exception reports – automatically flagging unusual or suspicious transactions for further investigation

While we may know the two (2) broad types of internal controls, there are three (3) other types worth mentioning – Corrective Controls, Directive Controls, and Compensating Controls.

Internal controls are crucial in identifying, assessing, and mitigating risks within an organisation. They provide a framework for establishing procedures that prevent and detect errors and irregularities, thereby safeguarding the company’s assets. For example, segregation of duties ensures that no single individual has control over all aspects of any critical process, reducing the risk of fraud and error.

Internal controls play a vital role in ensuring that a company complies with relevant laws and regulations. By implementing procedures that monitor adherence to legal requirements, companies can avoid penalties, legal actions, and reputational damage. For example, internal audits and compliance checks can help ensure that the company is following tax laws, environmental regulations, and industry-specific standards.

Earlier on, we highlighted some well-known cases of weak internal controls. It is important to recognise that many other companies have also faced serious consequences due to similar failures.

Dash Inc. faced a significant scandal in 2016 due to fraudulent financial reporting. The company’s failure to maintain accurate and honest financial records led to severe repercussions.

• Consequences: Legal and financial consequences, including regulatory investigations, financial losses, and damage to market position.
• Internal Control Failure: The scandal underscored inadequate financial controls and oversight. Strengthening internal controls in financial reporting could have prevented these irregularities.

In Ghana, several banks collapsed due to poor internal controls and risk management. This crisis had a profound impact on the financial sector and the broader economy.

• Consequences: Economic instability, job losses, and loss of confidence in the banking sector. The government had to intervene to protect depositors and stabilise the sector.
• Internal Control Failure: Weaknesses in risk management and governance led to the banks’ failure. Improved internal controls could have identified and mitigated the risks that led to the collapse.

These case studies demonstrate that poor internal controls can lead to catastrophic outcomes, including financial losses, legal penalties, and reputational damage..

BENEFITS OF STRONG INTERNAL CONTROLS

In our rapidly evolving business environment, where risks are continually shifting, an organisation’s ability to adapt is very critical. Effective risk management hinges on a robust internal control system that identifies and mitigates emerging threats while also ensuring the long-term stability of your business. As organisations refine their risk management strategies, it becomes key to highlight the benefits that internal controls bring. These controls will serve as the main foundation/backbone of a resilient organisation, offering more than just risk mitigation – they enhance operational efficiency, safeguard assets and build stakeholder confidence.

Internal controls also play a vital role in enhancing operational efficiency and effectiveness. By streamlining processes and establishing clear guidelines, organisations can eliminate redundancies, reduce waste, and optimise resource allocation. This leads to improved productivity and cost savings, enabling organisations to achieve their goals more efficiently.

One-way internal controls enhance efficiency is through process standardisation. By defining standard operating procedures and workflows, organisations can ensure consistency and eliminate variations that may lead to errors or delays. This standardisation also facilitates training and onboarding, as employees have clear guidelines to follow.

Automation is another key aspect of enhancing efficiency through internal controls. By implementing automated controls, organisations can reduce the reliance on manual processes, minimising the risk of human error and freeing up resources for more value-added activities. For example, automated invoice processing systems can streamline the accounts payable process, reducing the time and effort required for manual data entry and approval.

Robust internal controls are essential for ensuring accurate financial reporting and transparency. By implementing controls over financial processes, organisations can minimise the risk of errors, misstatements, and fraud, providing stakeholders with reliable and transparent financial information.

Internal controls over financial reporting (ICFR) are designed to ensure the integrity of financial statements and disclosures. These controls include activities such as data validation, reconciliations, and reviews, which help ensure the accuracy and completeness of financial information. By maintaining strong ICFR, organisations can provide stakeholders with confidence in the reliability of their financial statements.

Transparency is a key benefit of strong internal controls. By establishing controls over financial processes, organisations can provide stakeholders with clear and transparent information about their financial performance and position. This transparency enhances trust and credibility, which are crucial for attracting investors, lenders, and other stakeholders.

The importance of financial accuracy and transparency is underscored by the Sarbanes-Oxley Act (SOX) in the United States. SOX requires publicly traded companies to establish and maintain effective internal controls over financial reporting. Compliance with SOX not only ensures accurate financial reporting but also enhances investor confidence and protects shareholders from financial misconduct. Similar regulations exist in Ghana across the banking sector and listed companies.

Compliance controls are designed to monitor and enforce adherence to regulatory requirements. These controls include activities such as policy enforcement, training programs, and regular audits to ensure compliance with applicable laws and regulations. By implementing compliance controls, organisations can identify and address compliance gaps, reducing the risk of non-compliance and associated consequences.

The importance of regulatory compliance is evident in the financial sector and listed companies where strict regulations govern operations. For example, financial institutions must comply with regulations from regulators such as the Bank of Ghana, Security Exchange Commission, and National Insurance Commission.

Strong internal controls provide organisations with a strategic advantage in the marketplace. By enhancing operational efficiency, financial accuracy, and compliance, internal controls enable organisations to differentiate themselves from competitors and seize opportunities for growth and innovation.

A way internal controls provide a strategic advantage is through improved decision-making. By providing accurate and timely information, internal controls enable organisations to make informed decisions based on reliable data. This enhances the organisation’s ability to respond to market trends, identify growth opportunities, and optimise resource allocation.

Internal controls are not just a means to an end but the end game for sustainable business practices. By embedding internal controls into the fabric of an organisation, businesses can ensure long-term sustainability, resilience, and adaptability in a rapidly changing environment.

Strong internal controls provide organisations with the tools and processes to identify, assess, and mitigate risks effectively. By proactively managing risks, organisations can minimise the impact of potential disruptions and ensure business continuity. This resilience is crucial for sustaining operations and maintaining competitiveness in the face of challenges such as economic downturns, technological advancements, and regulatory changes.

In summary, the benefits of internal controls to your business are:

1.      Ensures effective risk mitigation

2.      Enhances efficiency and effectiveness

3.      Promotes financial accuracy and transparency

4.      Ensures regulatory compliance

5.      Promotes long term sustainability

6.      Provides strategic advantage

FUTURE-PROOFING THE BUSINESS

Internal controls play a crucial role in future-proofing the business by helping organisations adapt to future challenges and uncertainties. By establishing a robust control framework, organisations can anticipate and respond to emerging risks, technological advancements, and regulatory changes, ensuring long-term success and sustainability.

A critical component of futureproofing is technology adoption. Strong internal controls provide organisations with the foundation to embrace digital transformation and leverage emerging technologies. By implementing automated controls, data analytics, and cybersecurity measures, organisations can enhance operational efficiency, protect against cyber threats, and gain insights for strategic decision-making.

Additionally, internal controls help organisations navigate regulatory changes and compliance requirements. By establishing controls over compliance processes, organisations can stay abreast of evolving regulations and ensure adherence to legal and industry standards. This proactive approach minimises the risk of non-compliance and associated penalties, allowing organisations to focus on growth and innovation.

The concept of internal control is one of the trademarks of effective governance and good business operations. Without a strong system of internal control, organisations cannot ensure that the interests of company stakeholders are being protected. Strong internal controls support organisational goals and objectives, while helping safeguard against the risks of financial loss, operational waste, environmental irresponsibility, corporate fraud, and even reputational damage that can be irreparable.

As companies are faced with present and emerging risks, regulations, and technological advancements, internal controls provide the stability and adaptability needed to thrive. In this sense, internal controls, apart from being tools for managing current challenges are a critical component of an organisation’s ongoing strategy for achieving enduring success and resilience.

In the end, internal controls are not just a means to manage risks—they are the end game. They represent the decisive strategy that separates thriving organisations from those that falter. With internal controls, you’re not merely playing the game; you’re defining it, ensuring that every move secures your place at the top. In this high-stakes arena, internal controls are the final, unyielding defense—because in business, winning isn’t about

Source: KPMG

References:

1.      Gartner. (n.d.). Internal controls. Gartner https://www.gartner.com/en/finance/glossary/internal-controls

2.      The University of Toledo. (n.d.). Internal controls and you. The University of Toledo. https://www.utoledo.edu/offices/internalaudit/pdfs/internalcontrolsandyou.pdf

3.      University of Florida. (n.d.). Types of internal controls. University of Florida. https://cfo.ufl.edu/administrative-units/finance-strategy-analytics/internal-controls-anti-fraud-and-advisory-services/internal-controls/internal-controls-fundamentals/types-of-internal-controls/

4.      International Banker. (n.d.). The Enron scandal 2001. International Banker. https://internationalbanker.com/history-of-financial-crises/the-enron-scandal-2001/

5.      BBC News. (2021, August 25). What is Evergrande and is it too big to fail? BBC. https://www.bbc.com/news/business-58336998

6.      Griffith, E. (2022, November 10). Why Did FTX Collapse? Here’s What to Know. The New York Times. https://www.nytimes.com/2022/11/10/technology/ftx-binance-crypto-explained.html

7.      Graphic Online. (2024, March 28). Ghanaian fintech Dash shuts down after raising $86.1 million in five years. Graphic Online. https://www.graphic.com.gh/business/business-news/ghanaian-fintech-dash-shuts-down-after-raising-86-1-milion-in-five-years.html

8.      KPMG. (2023, April 20). Internal controls: The endgame has almost begun. KPMG UK. https://kpmg.com/uk/en/blogs/home/posts/2023/04/internal-controls—the-endgame-has-almost-begun.html