Internal control system are very frequently too complex. Those elaborate implementations generate misunderstandings from operational management. They also require too much efforts globally from the company resulting in an inefficient internal control system implementation.
A simplified internal control system is a must. Therefore it is not optional as complex systems just don’t work. Beyond management misunderstanding, the more they use ressources the less they really produce. Those recommandations towards simplified internal control system must be validated by senior management level of the company and implemented by the internal audit & control teams.
1- A first step towards simplified internal control system is about “transversal risks”. Internal control system managers should reduce the number of questions to assess transversal risks control.
Transverse risks are those that threaten almost all business, such as fraud or billing errors. They are general business risks. Of course internal control systems will look at them first, but it should not overwhelm management. Methodological grids consolidating several hundred lines of risk and best practices to “help” the entities to deploy their internal control must be simplified.
The internal control “comply or explain” principle is supposed to cover this issue. The principle is simple: if an entity is at risk for some item it should comply with recommandations. Otherwise, it should explain why it is not at risk. Nevertheless “comply or explain” tends to add complexity. Internal control methods authors believe that they can raise many general risks. They believe that entities will only have to explain. This is a wrong assumption as it only push complexity of internal control methods towards always more general risks to assess.
COSO stresses the importance of deploying control methods that are appropriate to the risks. Managers of internal control systems should apply this principle to internal control methods. General risks should not be the main focus of internal control systems.
2- Provide more help and methods on the identification and control of “business risks”.
There is unfortunately no method to help managers to identify their business risks. However, it can be auditors job to help them. Internal audit teams have in-depth knowledge of risks. They conducted repetitive audits and have a knowledge available to operational managers during the risk identification phases.
3- Provide assistance to help audited entities better use audit reports.
Auditors produce audit reports to the attention of senior management. Therefore they contain many confidential informations preventing them for a wide communication. Unfortunately operational levels usually do not have copies of audit reports. This is a poor value for money audit.
The only solution is to use the Auditors. In fact they are the best resource who knows well the audit. They do have the ability to help operational levels. There will be one obstacle, beyond their availability : they have to control the risk to become judges and parties.
– – – – – – –
This was the last Best Practice for auditors. Now let us discover the first best practice for managers: Internal control and audit are not another administrative layer.