Internal control, its functions, and its importance to the organization have been discussed in Chapter 16. The message this section brings to the reader is that internal control has to be audited, and the more rigorous, factual, and documented this auditing is, the better for all stakeholders.
Webster’s Dictionary defines rigorous as: Severe, exact, strict, scrupulous, accurate, allowing no abatement or mitigation. All these definitions apply to the auditing of internal control, and the way it should be executed. The mechanics to be adopted should facilitate the identification of failures in the analysis and communication of gaps in compliance to laws, regulations, internal bylaws, as well as in connection to assumed risks from trading and non-trading activities.
Figure 17.2 Working its way to bankruptcy, Enron made successive income overstatements (chart in $ billions, originally reported versus restated, 1997 to 2001)
Here is, as an example, how three different institutions look at the issue of internal control, and what is expected from it. At Bank Vontobel internal control focuses on limits (private and institutional); all types of derivatives trades; credit lines; risk policies (clients and correspondent banks); brokerage operations; and assets/liabilities management. A quantitative and qualitative risk analysis done by internal auditing involves 11 weighted queries:
● The highest weight has been given to internal control.
● Failures in the internal control system will alert senior management.
In the case of Bank Leu, the most important mission given to internal control is compliance. Bank Leu provided a good reason why internal control should be self-standing and should not be part of auditing. According to its policy, auditing is a supervisory meta-layer. By contrast, internal control, risk management, treasury, lending, accounting, and other departments are concerned with day-to-day activities – which have to be regularly audited.
Lars O. Grönstedt, of Handelsbanken, suggested that at his institution credit risk and market risk are two distinct disciplines and, for practical reasons, the monitoring of these two risk classes is more efficient if they are kept in different organizations rather than integrated in the same one. However, Grönstedt added, internal control is over all business activities, providing a linkage between:
● The credit risk department, involved in setting market risk relevant limits, and
● Market risk parameters used in establishing counterparty limits.
A few of the technologically most advanced banks pressed the point that internal control can also be seen as a system supported through networks, computers and sophisticated software, which is at the service of all authorized managers and professionals in the bank. In this sense:
● Internal control is intelligence, which enables senior executives to track everything important that moves the wrong way in the organization, and
● The internal control system monitors exposure from credit risk, market risk, operational risk, settlement risk, legal risk and other risks relating to transactions, fraud, and to security issues.
Any interruption in the internal control process relating to the first bullet is a managerial failure, while internal control malfunctioning associated with the second bullet is a system failure. Both types of failure can be effectively audited, with the reasons behind them identified and brought into perspective.
A similar statement can be made regarding internal control activities in areas such as:
● Safeguarding business assets
● Assisting in compliance, and
● Accounting reconciliation.
While auditing a company’s books and its management control system, internal and external auditors are essentially producing something akin to military information, or more precisely internal control intelligence. Other domains where internal control activities offer themselves to auditing are:
● Promotion of personal accountability, and
● Measures taken for timely corrective action.
In other cases, however, the auditing of internal control is more complex because its goals include compliance to the company’s policies and practices.
The pattern in Figure 17.3 presents a snapshot of focal areas entering into the internal control orbit. All of them should attract senior management’s attention as they are, for decision-makers, what Socrates used to call his demon – this inner voice that whispers: ‘Take care’.
Auditing aims to make internal control approaches more effective by identifying weak practices that require not only corrective action but also some form of sanction against people and departments supporting them. In the opinion of some experts, the Audit Committee is better positioned to supervise and monitor the internal control system than the internal auditors individually.
Practically all senior executives who participated in this research were of the opinion that internal control responsibilities start at board level and they affect the way people operate in every department of the institution. A well-tuned internal control system helps to assure that the information senior management receives is accurate. Expert opinions have converged on two facts:
● Internal controls are valid only as far as people working for the organization observe them, and
● Controls should be designed not only to prevent cases like Parmalat, WorldCom, Enron, Barings and Orange County, but also to underline the accountability of every person.
‘It is the responsibility of senior management to define the internal control structure,’ said Claude Sivy, of the Bank for International Settlements. ‘If internal control is going to work, management must be committed to it,’ added Edward A. Ryan Jr of the Securities and Exchange Commission, in Boston. John B. Caouette, vice-chairman of MBIA Insurance Corp., concurred with this statement: ‘Internal controls are only successful if embedded in a strict risk management culture.’
Figure 17.3 Focal areas of internal control and impact of internal and external key factors (diagram labels: internal control; account reconciliation; preservation of assets; risks; fraud; compliance; board-level policies; self-discipline; board-level accountability; open communications; auditing; technology; laws and regulations)
The auditing of internal controls can capitalize on the fact that one of the consistent themes of good management is the ability to know what happens in all corners of the organization. ‘Internal control is a concept which reaches all levels of management and the activities pertinent to those levels,’ said Jonathan E.C. Grant, of the Auditing Practices Board in London, adding that ‘To do the proper service to internal control we should not confuse:
● Monitoring, and
● The basic concept.’
Jonathan Grant also underlined the danger that line management might leave internal control duties to somebody else down the line of command. Therefore, he suggested that the definition must specifically emphasize management’s accountability – as internal control is everybody’s business and every employee, top to bottom, should care for it and for its deliverables.
Furthermore, as Figure 17.4 suggests, there is a common core between the functions of internal control and other major organizational activities. Many financial industry executives who participated in this research underlined the need for powerful tools to make internal control proactive. ‘Most current tools are post-event,’ said Clifford Griep, of Standard & Poor’s in New York, ‘but internal control must be proactive. It must deal with pre-transaction approval.’
Figure 17.4 The functions of internal control, auditing, accounting, treasury and risk management overlap, but also have a common core (diagram labels: external auditing; accounting; risk management; treasury operations; internal control; internal auditing; common core; audited accounts; control over exposure; liquidity; financial measurements)
In the opinion of David L. Robinson, of the Federal Reserve System, internal control must in principle be content-neutral, but a system designed to serve this purpose should be commensurate with the complexity of the business which it supports. This is as true of banking and finance as it is of any other industry. A content-neutral approach is a sound principle to follow in regard to organization and structure, particularly when it is enriched with measurable objectives which, in turn, make the auditing function feasible.