HOW NOT TO PERFORM CONTROLS

by | Nov 22, 2023 | Internal Control | 0 comments

If you perform a control procedure in a manner that has remained constant for ages; thank technology, not blame it!

For technology will make your life easier and simpler, even if it means being your replacement. You can find something else to do that technology couldn’t replace or else learn to embrace it wholeheartedly and harness its prowess to your benefit.

Although, there has never been a formally documented ‘great grandfather approach’ in internal controls theory and practice, yet it is one which is the most sought after and practiced. This is so because an average mind always seeks what’s settled over trying anything new or changing what’s established, no matter how frail or redundant it has become since it was established.

The ‘feel good’ rationale is based on the premise that when there has never been any instance of a failure or lapse or error or fraud, the control doesn’t need to be changed. The science of probabilities is stupid and system improvement/evolution is an intrigue to reduce human requirement.

So, we go back to performing controls the way these have always been done, oblivious to the fact that our ‘consistency’ in sticking to the ages old methodology seals the entity’s fate into oblivion as well; slowly but surely. We’ll review that in a bit.

First let’s look at some examples of how not to perform controls. 

  • Security people at factory gate checking every 3rd vehicle exiting the premises at day end on every Tuesday and Friday for the last several years.
  • Checking physical compliance with protective equipment use at a particular location and a particular time slot every week for the last many years.
  • Processing invoices for services utilized after these have been verified by the officials who availed these services.
  • Approving goods invoices for payment based on confirmation of officials who had ordered the materials.
  • Recording assets if confirmed by officials as having been received.
  • Posting period closing accruals based on information provided by the users.
  • Keeping pre-approved incremental purchase order forms under a larger order with the users for proceeding forthwith on their periodic requirements.
  • Allocating unidentifiable costs to cost centers based on the user departments assertions.
  • Creating records meant for goods movement through the gate at the backend offices.
  • Adhering to checklist-based inspection models for physical monitoring of compliances.
  • Creating policy exceptions before designing and implementing controls.

 And how these should instead be performed:

  • Undefined pattern of vehicle checking with surprise checks put in place at random at any time of the day and at any day.
  • Surprise checks at any work site at any time of the day and at any day so that each work site and time has an equal probability of being selected.
  • A services completion note should be a precursor for invoice processing followed by verification of work orders raised for the services and an independent official review, where possible.
  • Invoices for goods need to be processed based on Goods Received Notes recorded in the application. Basis of GRNs could be checked on a sample basis if needed.
  • Assets’ existence needs to be confirmed either physically or through specific documentary / e-evidence directly by accounts for these to be recorded.
  • Accruals for each revenue and expense head need to be confirmed by specifically referring to each contract and commitment already preapproved by accounts before period closing.
  • There should be no pre-approved purchase order forms. Each order should be issued only when reviewed and approved to ensure continued requirement.
  • Unidentifiable cost center expenses should be allocated based on standard costing when no overheads apply.
  • Gate records should be created at the gate for each movement of goods.
  • Using checklist model as minimum control requirements, always looking for adding, substituting and improving these.
  • Never allowing exceptions to controls. Instead, only allowing minimum escalations when needed and tweaking controls whenever possible to remove the need for escalations.

Certainly, this guidance is neither definitive nor suited to all situations, and technology has automated and outmoded few of the examples given here, but that’s exactly the point here, being technology transition ready. The guidance is thus relevant enough to help build a culture around how internal controls should be approached and performed.

I call it the growth-centric approach to internal controls since it is based on a continual monitoring and improvement model, that helps the entity’s systems evolve yielding efficient, effective and economical processes, the kind every growing entity needs to have.

If we’re to embrace technology and not confront it, controls are to be performed in the manner explained in this piece. Since, technological investment is another name for endless possibilities, being open to be challenged, to be confronted with new control issues and being ready for change is the culture that fosters technology.

Businesses achieve operational and management systems excellence through superior controls. These controls ensure operations run smooth, are resilient and have adequate in-built backups for restoration. They also ensure that complete, accurate and relevant information for decision making is available as and when needed. Finally, such controls ensure risk management is formalized and implemented to manage downside risks turning into failure and upside risks yielding opportunities. And that’s the launch pad for growth.       

Continuing to perceive and perform internal controls in a medieval manner means that the entity believes it operates in a static operating environment where its risk profile will remain stagnant, and its control objectives won’t change, meaning thereby that the entity is not growing.

 

So, for those using the ages old wisdom of ‘great grandfather approach’ in performing internal controls, their management systems become a legacy that will continue for as long as the entity continues to successfully dodge technology and its entirely rational advance with help from its ‘trusted’ pairs of hands, believing in human intervention, not system dependency.

But it’s a fight the entity cannot win; for legacy systems belong to museums and the entities that hold on to these earn their spot in annals of history!

Post Views: 40
 

Submit a Comment

Your email address will not be published. Required fields are marked *