Internal controls and anti-corruption
A quick guide by Rebecca Anne Batts, Consultant – Internal Controls and Corruption, Green Corruption programme at the Basel Institute on Governance
What are internal controls?
controls” refers to systems of policies, procedures and practices to prevent,
detect and respond to issues, errors and irregularities. Systems of internal
control can be very effective in addressing corrupt conduct, which is the focus
of this quick guide. But internal controls can also address other problems that
affect an organisation’s efficiency and effectiveness, such as poor employee
performance or the failure to accomplish important organisational goals.
internal controls are thought of in relation to financial statements and
government or commercial market activities. However, almost any firm or
organisation where people work together to achieve shared goals has some kind
of a system of internal controls. Even criminal enterprises typically have
internal controls to prevent their illicit products or ill-gotten gains from
internal controls systems are not just about uncovering and fixing problems.
They are also a good way to demonstrate that the organisation is functioning
well. If no serious irregularities show up, that’s great news for staff,
external stakeholders and investors. At their best, effective internal controls
can help pinpoint the things that are working well.
Is it all about paperwork?
policies and procedures such as regulations and codes of conduct are important
to set out the rules and communicate the organisation’s values to stakeholders,
including the public where appropriate. The overall system of internal controls
includes these formal, intentionally designed rules and procedures, but also includes
important informal practices. One example is unofficial information-sharing networks,
where law enforcement officers provide a “heads up” to counterparts about areas
of emerging concern or informal mentoring and training activities that share
best, internal control systems focused on mitigating corruption risks rely on both
formal and informal practices. Corruption is very much a real-world phenomenon
and won’t be solved by formal rules alone.
controls and responses differ greatly depending on the context in which an
organisation operates and what it is trying to achieve. A law enforcement
agency responsible for investigating wildlife crime will have very different
rules and practices from a trading business. There are no hard-and-fast rules
or cut-and-paste templates for developing effective systems of control.
Examples of internal controls to
prevent, detect and respond
public institution like a law enforcement authority. Their system of internal
controls might encompass:
- Controls to prevent evidence from being
tampered with, for example, could be as simple as a lock on the door to the
evidence room. Or they could involve a more complex accountability mechanism,
with a periodic inventory of the evidence and a tracking system to ensure its
safe transfer from store room to court room.
- Controls that collect and communicate
information can help detect potential corruption. Whistleblowing and reporting
systems can produce leads for investigation or data that might not otherwise
come to the attention of law enforcement. Accumulating information as part of a
control system enables data analytic approaches. For example, analysing
information on case progress could help identify certain prosecutors who never advance
with a certain type of case. This is a potential trigger to delve deeper and
find out what is going on.
- Penalties for wrongdoing are one kind of
obvious response.But the agency could also hold “lessons learned”
discussions following successful or failed cases. Analysing what went
well and what may have gone wrong can be an effective and positive control that
will help the agency and its personnel achieve their objectives.
controls have multiple purposes. Consider the simple control of an independent
count of petty cash. If you are considering whether to take some of the money,
the audit can be a prevention control. If money goes missing, such an audit
could help detect who embezzled it. And if frequent mistakes are identified,
additional training or oversight might be an appropriate response.
Part of everyday business
complex organisations may have dedicated internal control units, such as internal
audit departments, offices of internal affairs, compliance divisions, internal offices
of inspector general or something similar. Some control systems extend beyond
the boundaries of an individual agency, as in the case of central guidance
agencies such as a nation’s supreme audit agency, a government-wide personnel operation,
unified purchasing and contracting entities, or independent offices of
inspector general. These typically focus on the more formalised side of
internal controls, though they may address informal processes as well.
to making sure that the right policies, procedures, standards and guidelines
are in place, internal control units also look at the degree of compliance with
the policies in practice -- because there is no point having a first-class code
of conduct if nobody abides by it.
well-functioning organisations, internal audit departments have a high level of
independence, often reporting directly to the highest level of management. They
also work closely with compliance and personnel departments, since they have a
detailed overview of how things work in the organisation and are skilled at
But it is a
mistake to think that internal controls are solely the responsibility of the
internal controls department. Quite the opposite: internal controls need to be
an integral part of every aspect of business, helping the organisation to
function effectively day to day.
Success factors for internal
It is hard
to measure the impact of internal controls in preventing corruption. How can
you estimate how much fraud is avoided because supervisors sign off on time
cards or because job rotation brings new eyes to established situations?
of internal controls can provide absolute assurance of effectiveness. A few individual
“bad apples” will always find a way to bypass even the best system of internal
controls. One or two high-profile problems does not mean the majority of staff
are not committed to acting with integrity.
there are some factors that clearly impact the effectiveness of internal
- Independence of those responsible for carrying out the
controls, especially within the internal controls unit itself. This includes independence
in appearance and independence in practice. It also means designing systems
that protect those who may have to deliver unwelcome news.
- Buy-in from staff members who implement the control.
This needs clear communication to ensure they understand why a control is
valuable and worth their time and effort. Compliance with even simple controls
like regularly changing an IT password rises when staff understand the
- Cost-benefit in terms of both time and money. If a control
is expensive or unnecessarily time-consuming, like filling in extraordinarily
detailed forms to request a small amount of petty cash, then people will simply
- Consequences need to be real and consistently applied. If
an internal control reveals a corrupt act, the offender should be appropriately
penalised. Merely moving a corrupt public official from one department to another
does not usually deter further misconduct. Consequences are not always
penalties: an audit report could recommend a revised process or training to
remedy a weakness, for example.
reporting channels for employees to raise alerts about something they see or feel is not quite
right, or to make suggestions to improve how things work. Formal reporting
channels can range from a humble suggestions box to an anonymous whistleblowing
system. Equally important is the development of a “speak up culture”, whereby
employees feel empowered to raise issues or ask questions without fear of
Supporting organisations in
strengthening internal controls
donors, investors and development practitioners may be working with local
partner organisations in the public or private sectors that lack robust
internal control systems. This is understandable: resources and capacity are
often lacking, and the political will to implement effective systems to
prevent, detect and respond to corruption risks is not always there.
ways to help organisations strengthen internal controls could include training,
tools such as self-assessments, or funding for technology to assist with
planning, management, tracking and auditing of cases or projects. Mentoring or
other opportunities for internal controls personnel to exchange ideas and good
practices with their counterparts in other organisations and countries can also