Learn what internal controls are and how they help organisations to prevent, detect and respond to corruption and other issues, errors and irregularities. These systems of policies, procedures and practices can be incredibly effective at keeping organisations of all types running smoothly.
Broadly, “internal controls” refers to systems of policies, procedures and practices to prevent, detect and respond to issues, errors and irregularities. Systems of internal control can be very effective in addressing corrupt conduct, which is the focus of this quick guide. But internal controls can also address other problems that affect an organisation’s efficiency and effectiveness, such as poor employee performance or the failure to accomplish important organisational goals.
Frequently, internal controls are thought of in relation to financial statements and government or commercial market activities. However, almost any firm or organisation where people work together to achieve shared goals has some kind of a system of internal controls. Even criminal enterprises typically have internal controls to prevent their illicit products or ill-gotten gains from going astray.
>Robust internal controls systems are not just about uncovering and fixing problems. They are also a good way to demonstrate that the organisation is functioning well. If no serious irregularities show up, that’s great news for staff, external stakeholders and investors. At their best, effective internal controls can help pinpoint the things that are working well.
No. Written policies and procedures such as regulations and codes of conduct are important to set out the rules and communicate the organisation’s values to stakeholders, including the public where appropriate. The overall system of internal controls includes these formal, intentionally designed rules and procedures, but also includes important informal practices. One example is unofficial information-sharing networks, where law enforcement officers provide a “heads up” to counterparts about areas of emerging concern or informal mentoring and training activities that share good practices
At their best, internal control systems focused on mitigating corruption risks rely on both formal and informal practices. Corruption is very much a real-world phenomenon and won’t be solved by formal rules alone.
The “right” controls and responses differ greatly depending on the context in which an organisation operates and what it is trying to achieve. A law enforcement agency responsible for investigating wildlife crime will have very different rules and practices from a trading business. There are no hard-and-fast rules or cut-and-paste templates for developing effective systems of control.
Imagine a public institution like a law enforcement authority. Their system of internal controls might encompass:
Many controls have multiple purposes. Consider the simple control of an independent count of petty cash. If you are considering whether to take some of the money, the audit can be a prevention control. If money goes missing, such an audit could help detect who embezzled it. And if frequent mistakes are identified, additional training or oversight might be an appropriate response.
Large or complex organisations may have dedicated internal control units, such as internal audit departments, offices of internal affairs, compliance divisions, internal offices of inspector general or something similar. Some control systems extend beyond the boundaries of an individual agency, as in the case of central guidance agencies such as a nation’s supreme audit agency, a government-wide personnel operation, unified purchasing and contracting entities, or independent offices of inspector general. These typically focus on the more formalised side of internal controls, though they may address informal processes as well.
In addition to making sure that the right policies, procedures, standards and guidelines are in place, internal control units also look at the degree of compliance with the policies in practice -- because there is no point having a first-class code of conduct if nobody abides by it.
In many well-functioning organisations, internal audit departments have a high level of independence, often reporting directly to the highest level of management. They also work closely with compliance and personnel departments, since they have a detailed overview of how things work in the organisation and are skilled at developing recommendations.
But it is a mistake to think that internal controls are solely the responsibility of the internal controls department. Quite the opposite: internal controls need to be an integral part of every aspect of business, helping the organisation to function effectively day to day.
It is hard to measure the impact of internal controls in preventing corruption. How can you estimate how much fraud is avoided because supervisors sign off on time cards or because job rotation brings new eyes to established situations?
No system of internal controls can provide absolute assurance of effectiveness. A few individual “bad apples” will always find a way to bypass even the best system of internal controls. One or two high-profile problems does not mean the majority of staff are not committed to acting with integrity.
Nevertheless, there are some factors that clearly impact the effectiveness of internal control systems:
International donors, investors and development practitioners may be working with local partner organisations in the public or private sectors that lack robust internal control systems. This is understandable: resources and capacity are often lacking, and the political will to implement effective systems to prevent, detect and respond to corruption risks is not always there.
Positive ways to help organisations strengthen internal controls could include training, tools such as self-assessments, or funding for technology to assist with planning, management, tracking and auditing of cases or projects. Mentoring or other opportunities for internal controls personnel to exchange ideas and good practices with their counterparts in other organisations and countries can also help.