An internal control is a process of interlocking activities that use properly designed policies and procedures .
control. It is as follows. “A process of interlocking
dismay, most people can’t. Before I give you Marks’
of internal controls to the door of some weak business process like İÕĆõÕêŖĔİăÕİĴ²õİʴÑİĔĭĭõčëĴŁĭĭĆõÕĴ onto a suffering population. That’s not what really happens, however. What really happens is that we adjust the weak business process to (ideally) make it stronger. If the process is particularly bad — one might even call it materially weak — we make multiple adjustments at once. That’s what Marks captures in his ĔĭÕčõčëĆõčÕʝčõčļÕİč²ĆËĔčļİĔĆõĴ² process rather than a thing, and the raw materials the process uses are policies and procedures. The mission of the audit or compliance executive is to see that those raw materials are properly designed so that they work together effectively and the internal ËĔčļİĔĆļñÕčêŁĆţĆĆĴõļĴČõĴĴõĔčʣ ǵƉŧǠхŘƺưǵǠƺƥхşŧɭưƎǵƎƺưǨ \²İăĴʿÑÕţčõļõĔčĔêõčļÕİč²Ć control didn’t emerge from a vacuum. The COSO framework for internal control and federal securities law have their own ÑÕţčõļõĔčĴʞļĔĔʨ²čÑļñĔĴÕ ÑÕţčõļõĔčĴĆĔčëĭİÕËÕ ded Marks. For example, Section 13(b)(2)(B) of the Exchange Act ÑÕţčÕĴêĔİ ÕĆÕČÕčļĴĔêõčļÕİč²ĆËĔčļİĔĆʝ • System of internal accounting
ÑÕţčõļõĔčʞĆÕļČÕ offer what raced through my head when he put the įŁÕĴļõĔčļĔČÕʝčõčļÕİč²ĆËĔčļİĔĆ is something a company uses that’s intended to reduce the chance of an unwanted risk outcome. EÑÕĆõÊÕݲļÕĆŘăÕĭļČŘÑÕţčõļõĔč broad, because a control can take Č²čŘêĔİČĴʝ²ĴĔêļŖ²İÕİĔŁļõčÕļñ²ļ blocks a payment to unapproved ĭ²İļõÕĴʨ²ĭĔĆõËŘʰŖõļñËÕİļõţ˲ļõĔč required) against bribing foreign ëĔŕÕİčČÕčļĔêţËõ²ĆĴʨ²ĴĭÕÕËñêİĔČ ļñÕ&c²ĴĴŁİõčë employees that it’s better to miss your monthly Ĵ²ĆÕĴįŁĔļ²ļñ²čţŗ²ËĔčļݲËļʣ Those examples are all different in form and substance — but controls they all are. In sequence, they are a transaction control (block the payment), a process control (train employees) and an entity control (senior executive issues guidance on corporate priorities). They all work together toward the objective of reducing corruption risk. ļõĆĆʞČŘÑÕţčõļõĔčõĴʲĴÕÑĔč examples more than anything else. I know a control when I see it — but is that the same as understanding the abstract concept of a control and how ĔčÕţļĴõčļĔ²ËĔČĭĆõ²čËÕĭİĔëݲČʤ Enter the Marks şŧɭưƎǵƎƺư Over the years, Marks has êĔİČ²ĆõşÕÑñõĴĔŖčÑÕţčõļõĔčĔê²
activities that use properly designed policies and procedures which are preventive, corrective, directive, corroborative, along with training and continuous monitoring, to assure the achievement of an organization’s objectives in operational effectiveness and ÕêţËõÕčËŘʞëÕčÕݲļõčëİÕĆõ²ÊĆÕ (complete and accurate) books and records in compliance with laws, regulations and policies, which ultimately reduces risk of fraud, waste and abuse.” ñ²ļÑÕţčõļõĔčõĴ²ČĔŁļñêŁĆʞ but it hits on all the right points, including the most important one right in the top line. An internal control is a process of interlocking activities that use properly designed policies and procedures . The rest is all correct but is more about helping you to understand what a control does. His opening lines explain what an õčļÕİč²ĆËĔčļİĔĆõĴʝEļʿĴ²ĭİĔËÕĴĴʣEļ does something. That might be why people hesitate to ÑÕţčÕ²ËĔčļİĔĆʣcŁİ ÊݲõčĴñÕ²İʼÑÕţčÕ²ËĔčļİĔĆʽ²čÑ instinctively we envision a noun — a thing unto itself. In everyday language, we say sentences like, “This control isn’t working” or “We need stronger internal controls in our accounting process,” as if we could deliver an extra shipment
ËĔčļİĔĆĴĴŁêţËõÕčļļĔĭİĔŕõÑÕ reasonable assura čËÕĴļñ²ļʝ
• Transactions are executed
with management’s general or
10 | March 2024
Opinion
CCI Magazine
Made with FlippingBook Ebook Creator