Designing Effective Financial Controls
Stephen G. Lynch
“A strong internal control
framework is the result of clear
control objectives and a
commitment by a company’s
Board, management, and
employees to create and
maintain a strong control
environment. It also requires a
commitment to properly assess
organizational risk, establish
and conduct appropriate
control activities, generate and
communicate timely, relevant
and reliable information, and
participate in regular
monitoring activities.”
Every year corporations lose millions of dollars
due to poor internal controls. The failures include
inadequate segregation of duties, lax control over
vendor master records and incorrect customer
invoices. Additionally, poor controls around the
flow of data in an organization’s ERP system can
result in manual rework to correct improper
accounting entries. Taken to the extreme,
inadequate controls can result in material
misstatements in financial reporting and the
associated regulatory submissions.
With the continued guidance of Section 404 of the
Sarbanes-Oxley Act, management is required to
publish in their annual reports a statement
concerning the scope and adequacy of the
internal control structure and procedures for
financial reporting. Additionally, the company’s
auditors must attest to and report on the
assessment of the effectiveness of the internal
control structure and procedures for financial
reporting. An investment in strong internal
controls is essential for the effective governance
and protection of the corporation.
Control Objectives
In designing an effective internal control structure,
three objectives must be kept in mind as the
controls are designed, tested and maintained.
These objectives are:
• Ensure that corporate assets are
safeguarded against malfeasance and
used only for business purposes,
• Provide accurate business information to
management, investors, creditors,
regulators and other relevant stakeholders,
and
• Ensure that employees comply with all
applicable laws and regulations.
With these objectives established, the internal
control structure can be developed and
maintained using the COSO internal control
framework.
The Internal Control Framework
The Internal Control - Integrated Framework report,
published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO),
provides a framework that consists of five interrelated
components. All of these components must be in
place and operating effectively for there to be an
effective internal control structure. These five
components are:
• Control Environment
• Risk Assessment
• Control Activities
• Communication and Information
• Monitoring
Control Environment
The control environment is the foundation of a
company’s internal control structure and is centered on
the attitudes, actions and awareness of the company’s
internal stakeholders, including the Board of Directors,
management and front-line personnel. The level of
importance these stakeholders place on strong internal
controls will greatly influence the existence and
effectiveness of those controls.
The control environment is core to a company’s
approach to daily business activities and the way it
assesses risk in conducting those activities. According
to COSO, control environment factors include the
“integrity, ethical values and competence of the entity's
people; management's philosophy and operating style;
the way management assigns authority and
responsibility, and organizes and develops its people;
and the attention and direction provided by the board of
directors”.
Risk Assessment
As part of the control structure, a company should have
a process in place to assess risk in relation to its
corporate objectives. The risk assessment applies to
all areas of the company and should involve most
activities within the organization. According to the
COSO framework, risk assessment is a 3-step process:
• Estimate the significance of the risk,
• Assess the likelihood or frequency of the risk
occurring, and
• Consider how the risk should be managed and
assess what actions must be taken
An effective risk assessment system will incorporate
both internal and external factors. Internal factors can
include people, systems and processes. External
factors can include economic developments,
regulatory changes and industry advances. It is the
responsibility of the company’s management to
properly assess risk and then to develop and maintain
a program that will effectively mitigate the risk
identified.
Control Activities
Control activities are the policies and procedures put in
place by management to ensure that the processes
put in place to address risk are being carried out. This
component of the COSO framework is wide-ranging
and includes controls designed to prevent errors as
well as controls to detect errors after the fact and
enable corrective action to be taken. Examples of
preventive controls include segregation of duties and
physical controls such as locking down cash.
Detective controls are focused on reporting,
reconciliations, management reviews and periodic
audits to detect errors needing correction.
A key aspect of the COSO framework is its emphasis
on information system controls. This includes
financial, operational and compliance related systems.
All of these systems should have both general and
application controls. As the name implies, general
controls pertain to all systems and cover issues
such as physical access to the systems. Application
controls are specific to a particular system and
include individual security profiles and business logic
that would prevent unreasonable data from passing
through undetected.
Communication and Information
Communications and information are actually two
distinct components of internal control.
Information must be readily available to
organizational stakeholders and the information
must be of sufficient quality that personnel can act
on the information, confident that it is reliable.
This information should also be suitable for
communicating with external stakeholders such as
investors, creditors and regulators.
COSO recognizes that information can be both
structured and unstructured. Structured
information comes from the company’s formal
information systems and can be financial,
operational or compliance related. Unstructured
information can consist of conversations with
customers and suppliers.
A strong internal control structure enables
communication to flow through an organization,
from top to bottom and from the bottom upwards,
as well as horizontally through the various
departments. These communication channels are
created and maintained to ensure that information
flows to those departments and individuals
requiring information for their financial, operational
and compliance related reporting and analysis
responsibilities.
Monitoring
Nothing ever stays the same and internal controls
are no different. Due to changing factors both
internal and external, there is an ongoing need to
monitor internal controls to assess their
effectiveness and to determine if any changes in
the internal controls are warranted.
Monitoring takes two basic forms: ongoing
monitoring as part of a company’s continuous
operations and periodic monitoring based on
specific control objectives. COSO lists various
means of ongoing monitoring, which include
reviews by management and supervisory personnel
to identify errors and make corrections as
necessary. It also includes the regular
reconciliation of physical and financial assets such
as inventory and cash.
In addition to ongoing reviews, it is usually
beneficial to make periodic reviews of specific
control procedures. Although a company’s internal
audit group may be involved in the testing and
evaluation of internal controls, it is also acceptable
for line management to initiate their own review of
internal controls and make updates to the control
structure as necessary to remediate any
deficiencies found.
Conclusion
A strong internal control framework is the result of
clear control objectives and a commitment by a
company’s Board, management, and employees to
create and maintain a strong control environment.
It also requires a commitment to properly assess
organizational risk, establish and conduct
appropriate control activities, generate and
communicate timely, relevant and reliable
information, and participate in regular monitoring
activities.
Key Focus Areas for Effective
Internal Controls:
• Control activities to manage
enterprise risk
• Information that is reliable and
available to stakeholder groups
• Communication mechanisms to
convey accurate and timely
information to stakeholders
• Monitoring to ensure
compliance with internal
controls
About Stephen G. Lynch
Steve brings more than 20 years of experience advising global
companies on their service delivery strategies. An experienced
global consultant, Steve has partnered with clients on five continents
to develop and deploy the strategy that leads to superior
performance. His expertise spans the domains of organizational
transformation, process optimization, shared services, and global
service delivery.
Steve previously served in a variety of consulting roles at Ernst & Young, The Hackett Group,
CSC, and most recently, KPMG where he served as a Director in the Advisory practice. His
focus is on capital intensive industries including energy, industrial and consumer product
manufacturing, and pharmaceuticals. His clients include Bristol-Myers Squibb, Johnson &
Johnson, Novartis, Ford, Corning, ITT, General Dynamics, BP, ConocoPhillips, The Coca-Cola
Company, Sunbeam, and Mattel.
Contact Information
Stephen G. Lynch
+1.972.885.7734
steve@stephenglynch.com
