Every compliance officer knows that internal controls are important for an effective compliance program. Defining exactly how internal controls help a compliance program, however—or even defining what an internal compliance control is—can be a much more difficult task.
The trap is that our brains hear “internal control” and instinctively envision a noun; a thing unto itself. Compliance officers use sentences like, “This control isn’t working” or “We need stronger internal controls in our accounting process.” As if an extra shipment of internal controls could be delivered to some weak business process, like relief workers air-dropping supplies onto a suffering population.
That’s not the right way to perceive things. Internal controls are both policy and procedure blended together, into a set of interlocking activities that (ideally) drive businesses to behave in certain ways. They’re crucial to effective compliance, that doesn’t mean that understanding their role is easy. It isn’t.
So today let’s take a deep dive into how internal controls drive better compliance.
What Is an Internal Control?
An internal control can be many things: written policies and procedures guiding employees to act in certain ways, “hard controls” coded into software systems that prevent employees from taking the wrong actions, audits or tests that compliance officers perform to see how well those other controls are working, or reports that executives pull together based on data about the company’s transactions so senior leaders can make decisions about what other internal controls might be necessary.
In other words (and as mentioned above), internal controls are a set of interlocking activities. They come in different forms and work in different ways, but internal controls are supposed to work collectively to help the company achieve its objectives: business, compliance, security, and otherwise.
Internal controls can be grouped into several categories as well. First, internal controls can be preventive or detective. As the names imply, preventive controls are supposed to prevent employees from taking the wrong actions in the first place, while detective controls help managers review transactions after the fact to see whether any of them were improper.
Internal controls can also be manual or automated. Manual controls require a person to decide to perform them, such as an auditor deciding when and how to audit a bundle of financial transactions. Automated controls are typically embedded into the company’s technology and run automatically: say, the accounting system designed so it will never send payments to a third party where due diligence hasn’t been completed.
Why Is Internal Compliance Control Important?
A system of effective internal control is important for several reasons.
First, the U.S. Sentencing Guidelines list internal control as one of the elements of an effective compliance program. The guidelines don’t specify what those internal controls should be; each company can design whatever system of internal control works best for their organization. The guidelines only state that a business should have “standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.”
Second, laws such as the U.S. Foreign Corrupt Practices Act (FCPA) also require companies to maintain effective internal control. In the statute’s own words: businesses must “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” over the company’s books and records. If a company doesn’t maintain those internal controls, it can face enforcement penalties from the Securities and Exchange Commission (SEC).
More fundamentally, maintaining effective internal control is just good business. Without strong internal controls, executives can’t be confident that employees are doing their jobs well. Mistakes or misconduct will happen more often. At best, the company squanders resources trying to clean up those messes. At worst, the company will suffer civil litigation, reputation damage, lost customers, and plenty of other problems. Internal controls are crucial to prevent all of those things.
What are the Mechanisms for Internal Control?
To answer this question, compliance officers can consult the COSO framework for internal control. This is the standard framework that corporate accounting teams and audit firms use to assess compliance with the Sarbanes-Oxley Act, and it divides effective internal control into five components.
- Control Environment: the basic processes and standards the company establishes to enforce the rest of internal control. When we talk about “tone at the top” or rewarding employees for ethical behavior, that’s the control environment.
- Risk Assessment: the methods a company uses to define its objectives (including compliance objectives) and then to assess the risks of achieving those objectives, including risks of fraud or other misconduct.
- Control Activities: the actions a company takes to put its internal controls into practice. For example, this would procedures to perform due diligence on third parties or to give role-based training to employees about data privacy.
- Monitoring Activities: the tests, audits, and other monitoring a company might do to see how well its internal controls perform over time.
- Information and Communication: the discussions executives have about risks and internal control. This might include quarterly reports the compliance officer provides to the board or regular meetings of an in-house compliance committee where business leaders talk about emerging risks.
Again, remember the big picture here: internal controls are a set of interlocking activities that all work together. The strong tone at the top leads executives to perform a rigorous risk assessment. That leads to thoughtful control activities, which are tested regularly for effectiveness. The results are reported to executives for thoughtful discussion, which might drive new messages from the top about new risks—and so forth and so on. Everything should work together in a cycle.
How Can You Improve Internal Controls with a Compliance Program?
A compliance program improves internal control first by establishing what employees should do and then implementing mechanisms to assure that employees actually take those steps or to alert managers when those actions don’t happen. It’s about discipline and rigor to drive better employee conduct—and to document that rigor, so regulators can see that the company is making a good-faith effort to meet regulatory requirements.
For example, a company might need to assure that it performs due diligence on new customers, or obtains parental consent before collecting data from a minor. A compliance program would guide compliance officers and business unit leaders to assure that:
- The company has developed procedures to do those things;
- The company has rolled out training to employees so they know those procedures;
- The company monitors how consistently employees perform due diligence or obtain consent;
- Reports are generated to help managers understand how often due diligence fails or consent isn’t obtained; and
- If policies and procedures aren’t working to the desired levels, the company improves them.
The compliance program is the system executives use to work through those steps and keep internal controls effective—over and over again, for one risk after another. You may need outside specialists to help, and for companies of any appreciable size, you’ll definitely need technology to design, implement, monitor, and document your internal controls.
However you get the task done, a compliance program is crucial for keeping your system of internal control working; and an effective system of internal control is fundamental to corporate compliance. You can’t have one without the other.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.