Improving Internal Controls

Internal control improvements are often perceived as adding cost to an organization.  In fact, the argument against some control improvements is that the cost to implement them outweighs the benefits they create.  There are some control improvements, however, that have a high likelihood of generating true economic returns. 

Detective vs. Preventative Controls

Every control can be classified as either preventative or detective.  That is, controls either prevent errors before they occur or they detect errors after they have occurred but in time to correct them before they do significant damage.  Both types of controls are important, but in general, preventative controls are preferred for two reasons.  First, because detective controls come into play after errors have occurred, the errors can have a negative impact on the business up until the point they are detected.  Second, it is usually cheaper to prevent errors than to detect and fix them after they occur.  For these reasons, preventative controls generally have a higher “economic value” to an organization.

Companies can drive value from internal controls and improve their bottom line by looking at the nature of controls that operate in significant areas and considering the proper balance of detective versus preventative controls.  For example, a company that relies primarily on reconciliations and monitoring controls to find errors after the fact in the order entry process might look to establish some front-end controls like batch balancing or system edit checks to prevent errors from getting into the system in the first place.

Detective controls are designed to identify an error or exception after it has occurred.  Examples include: Preventative controls focus on preventing errors or exceptions.  Examples include:
  • Exception reports
  • Reconciliations
  • Reviews of operating  performance
  • Periodic inventories
  • Use of checklists
  • Training
  • Proper segregation of duties
  • Authorization levels / approval

Manual vs. Automated Controls

Just as all controls can be categorized as preventative or detective, they can also be categorized as manual or automated.  And just as preventative controls are generally preferred over detective ones, automated controls are generally preferred over manual ones.  Automated controls are typically more reliable than manual controls because they are not subject to the same degree of human error.  Automated controls also tend to be more efficient than manual ones and can provide more valuable, timely and reliable information to management for decision-making purposes.  There are places where manual controls are critical, especially in complex or dynamic processes, or in places where judgment is required.  But a good analysis of processes that utilize numerous manual controls can often uncover significant automation improvement opportunities.

Manual controls operate through human intervention.  They are the most flexible but are also subject to human error.  Examples include: Automated controls operate through and within information technology systems.  They function systematically and work with a high degree of consistency.  Examples include:
  • Reconciliation of amounts entered to source documents
  • Signatures / initials on completed documents
  • Budget-to-actual reviews
  • Re-performance of computations
  • System access controls
  • Data entry requirements prior to transaction processing
  • Automated balancing and reconciliations
  • Automated flags that identify possible invalid or duplicate entries / data

Investing the time to identify areas where preventative controls and / or automated controls might be implemented is likely to pay off in the long run.  It simply requires a process for first inventorying existing controls based on their attributes (manual vs. automated; preventative vs. detective) and then looking at those attributes in the context of the control and business process environment.  This can be accomplished by considering the following:

  • What areas rely heavily on detective or manual controls?
  • Is there a business or control reason why these detective controls or manual controls are needed?
  • What impact could shifting these controls to be more preventative or automated have on the reliability and economics of a given process?