Pregled sekcija

    • Internal controls and anti-corruption

      A quick guide by Rebecca Anne Batts, Consultant – Internal Controls and Corruption, Green Corruption programme at the Basel Institute on Governance

      What are internal controls?

      Broadly, “internal controls” refers to systems of policies, procedures and practices to prevent, detect and respond to issues, errors and irregularities. Systems of internal control can be very effective in addressing corrupt conduct, which is the focus of this quick guide. But internal controls can also address other problems that affect an organisation’s efficiency and effectiveness, such as poor employee performance or the failure to accomplish important organisational goals. 

      Frequently, internal controls are thought of in relation to financial statements and government or commercial market activities. However, almost any firm or organisation where people work together to achieve shared goals has some kind of a system of internal controls. Even criminal enterprises typically have internal controls to prevent their illicit products or ill-gotten gains from going astray.

      >Robust internal controls systems are not just about uncovering and fixing problems. They are also a good way to demonstrate that the organisation is functioning well. If no serious irregularities show up, that’s great news for staff, external stakeholders and investors. At their best, effective internal controls can help pinpoint the things that are working well.

      Is it all about paperwork?

      No. Written policies and procedures such as regulations and codes of conduct are important to set out the rules and communicate the organisation’s values to stakeholders, including the public where appropriate. The overall system of internal controls includes these formal, intentionally designed rules and procedures, but also includes important informal practices. One example is unofficial information-sharing networks, where law enforcement officers provide a “heads up” to counterparts about areas of emerging concern or informal mentoring and training activities that share good practices

      At their best, internal control systems focused on mitigating corruption risks rely on both formal and informal practices. Corruption is very much a real-world phenomenon and won’t be solved by formal rules alone.

      The “right” controls and responses differ greatly depending on the context in which an organisation operates and what it is trying to achieve. A law enforcement agency responsible for investigating wildlife crime will have very different rules and practices from a trading business. There are no hard-and-fast rules or cut-and-paste templates for developing effective systems of control.

      Examples of internal controls to prevent, detect and respond

      Imagine a public institution like a law enforcement authority. Their system of internal controls might encompass:

      • Controls to prevent evidence from being tampered with, for example, could be as simple as a lock on the door to the evidence room. Or they could involve a more complex accountability mechanism, with a periodic inventory of the evidence and a tracking system to ensure its safe transfer from store room to court room.
      • Controls that collect and communicate information can help detect potential corruption. Whistleblowing and reporting systems can produce leads for investigation or data that might not otherwise come to the attention of law enforcement. Accumulating information as part of a control system enables data analytic approaches. For example, analysing information on case progress could help identify certain prosecutors who never advance with a certain type of case. This is a potential trigger to delve deeper and find out what is going on.
      • Penalties for wrongdoing are one kind of obvious response.But the agency could also hold “lessons learned” discussions following successful or failed cases. Analysing what went well and what may have gone wrong can be an effective and positive control that will help the agency and its personnel achieve their objectives.

      Many controls have multiple purposes. Consider the simple control of an independent count of petty cash. If you are considering whether to take some of the money, the audit can be a prevention control. If money goes missing, such an audit could help detect who embezzled it. And if frequent mistakes are identified, additional training or oversight might be an appropriate response.

      Part of everyday business

      Large or complex organisations may have dedicated internal control units, such as internal audit departments, offices of internal affairs, compliance divisions, internal offices of inspector general or something similar. Some control systems extend beyond the boundaries of an individual agency, as in the case of central guidance agencies such as a nation’s supreme audit agency, a government-wide personnel operation, unified purchasing and contracting entities, or independent offices of inspector general. These typically focus on the more formalised side of internal controls, though they may address informal processes as well.

      In addition to making sure that the right policies, procedures, standards and guidelines are in place, internal control units also look at the degree of compliance with the policies in practice -- because there is no point having a first-class code of conduct if nobody abides by it.

      In many well-functioning organisations, internal audit departments have a high level of independence, often reporting directly to the highest level of management. They also work closely with compliance and personnel departments, since they have a detailed overview of how things work in the organisation and are skilled at developing recommendations.

      But it is a mistake to think that internal controls are solely the responsibility of the internal controls department. Quite the opposite: internal controls need to be an integral part of every aspect of business, helping the organisation to function effectively day to day.

      Success factors for internal controls

      It is hard to measure the impact of internal controls in preventing corruption. How can you estimate how much fraud is avoided because supervisors sign off on time cards or because job rotation brings new eyes to established situations?

      No system of internal controls can provide absolute assurance of effectiveness. A few individual “bad apples” will always find a way to bypass even the best system of internal controls. One or two high-profile problems does not mean the majority of staff are not committed to acting with integrity.

      Nevertheless, there are some factors that clearly impact the effectiveness of internal control systems:

      • Independence of those responsible for carrying out the controls, especially within the internal controls unit itself. This includes independence in appearance and independence in practice. It also means designing systems that protect those who may have to deliver unwelcome news.
      • Buy-in from staff members who implement the control. This needs clear communication to ensure they understand why a control is valuable and worth their time and effort. Compliance with even simple controls like regularly changing an IT password rises when staff understand the rationale.
      • Cost-benefit in terms of both time and money. If a control is expensive or unnecessarily time-consuming, like filling in extraordinarily detailed forms to request a small amount of petty cash, then people will simply bypass it.
      • Consequences need to be real and consistently applied. If an internal control reveals a corrupt act, the offender should be appropriately penalised. Merely moving a corrupt public official from one department to another does not usually deter further misconduct. Consequences are not always penalties: an audit report could recommend a revised process or training to remedy a weakness, for example.
      • Credible reporting channels for employees to raise alerts about something they see or feel is not quite right, or to make suggestions to improve how things work. Formal reporting channels can range from a humble suggestions box to an anonymous whistleblowing system. Equally important is the development of a “speak up culture”, whereby employees feel empowered to raise issues or ask questions without fear of repercussions.

      Supporting organisations in strengthening internal controls

      International donors, investors and development practitioners may be working with local partner organisations in the public or private sectors that lack robust internal control systems. This is understandable: resources and capacity are often lacking, and the political will to implement effective systems to prevent, detect and respond to corruption risks is not always there.

      Positive ways to help organisations strengthen internal controls could include training, tools such as self-assessments, or funding for technology to assist with planning, management, tracking and auditing of cases or projects. Mentoring or other opportunities for internal controls personnel to exchange ideas and good practices with their counterparts in other organisations and countries can also help.

      Learn more