5 Common Internal Control Gaps and How to Address Them
Strong internal controls play a vital role in risk management. They are your best line of defense against the threats that could affect your organization, from internal sources (fraud, misappropriation of assets) to the third parties with which you work.
From time to time, controls benefit from an external review to make sure they are functioning as intended. These reviews range from internal audits to, for service providers, System and Organization Controls (SOC) reports.
Across industry and organization size, there are some common shortcomings in internal controls. If you are on the fence about whether you need an external review of your control environment, consider these five common internal control gaps and the potential solutions on how to address them.
Issue 1: Board of Directors Role in the Control Environment
Management teams and boards of directors should be involved in the establishment, independence, responsibilities, competencies, and oversight of internal controls.
Issue: Not all organizations have formally established a board of directors, or documented the activities it performs related to the organization's control environment.
Solutions: If the above issue describes a situation in your organization, you may want to consider making the following moves:
- Formally establishing a board of directors or an executive management team
- Documenting and reviewing the roles and responsibilities of executive management
- Defining and evaluating the required competencies of executive management members
- Executive management providing oversight of the development and performance of internal controls
Issue 2: Information and Reporting
Leadership should be able to obtain, generate, and use relevant quality information about their risks in order to shore up their internal controls environment.
Issue: Many organizations have not formally documented, maintained, or periodically reviewed the information that would support their internal controls.
Solutions: You will need to evaluate what information you are generating and how it’s created. Organizations without solid information and reporting may want to consider revamping their information gathering and aggregation processes with the following steps:
- Document and maintain data flow diagrams, process flowcharts, narratives, and procedure manuals to identify information sources within your internal controls system.
- Identify the relevant information gathered, entered into your system, and exported from your system.
- Evaluate that data for completeness and accuracy, and continue to evaluate that data at regular intervals.
- Determine how long to retain past information, and ensure you are only keeping information as long as required to provide the required system functionality, service, or use.
Issue 3: Documenting User Roles and Oversight
Organizations should have formal definitions and documentation for their internal control environment, including who is responsible for oversight of internal controls.
Issue: There is little to no documentation related to the process of developing and measuring internal controls.
Solutions: The first step is to create a paper trail that documents the maintenance of, and the user roles within, your control environment. Once documented, consider the following actions:
- Review and periodically evaluate the effectiveness of internal controls (the frequency and process for which should be documented).
- Communicate and assign responsibility for the operation of internal controls within the environment.
- Ensure executive management is involved in the assessment of internal control performance and effectiveness (which also addresses Issue 1).
- Perform an annual Segregation of Duties analysis (checking that no single person holds a combination of roles that lets them both initiate and approve a transaction), and evaluate whether the risk it exposes is acceptable.
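A Segregation of Duties analysis is, at bottom, a check of every user's effective role set against a matrix of role pairs that must never be held together. The script below is an added example, not code from the original article: the role names, group memberships, conflict matrix and exception register are all constructed for illustration. It goes slightly beyond the bullet above in two ways a practitioner will want: it resolves roles inherited through group membership (where most missed violations hide), and it separates violations covered by a documented, unexpired risk acceptance from those that still need remediation.

```python
"""Toy Segregation of Duties (SoD) analysis over constructed role data.

Everything below (roles, users, groups, conflicts, exceptions) is invented for
this example. In practice the assignments would come from an IdP, ERP or
HR-system role export.
"""
from datetime import date

# Constructed conflict matrix: pairs of roles that one person must not hold.
SOD_CONFLICTS = {
    frozenset({"vendor_master_create", "ap_payment_release"}),
    frozenset({"purchase_order_create", "purchase_order_approve"}),
    frozenset({"journal_entry_post", "journal_entry_approve"}),
}

# Constructed direct role assignments, as an IdP export might show them.
DIRECT_ROLES = {
    "alice": {"purchase_order_create"},
    "bob": {"vendor_master_create"},
    "carol": {"journal_entry_post", "journal_entry_approve"},
    "dave": {"purchase_order_approve"},
}

# Constructed group memberships and the roles each group grants.
GROUP_MEMBERS = {
    "finance-ops": {"bob", "dave"},
    "po-approvers": {"alice"},
}
GROUP_ROLES = {
    "finance-ops": {"ap_payment_release"},
    "po-approvers": {"purchase_order_approve"},
}

# Constructed risk-acceptance register: (user, conflicting pair) -> expiry (ISO date).
EXCEPTIONS = {
    ("carol", frozenset({"journal_entry_post", "journal_entry_approve"})): "2025-06-30",
}


def effective_roles(user, direct=DIRECT_ROLES, members=GROUP_MEMBERS, group_roles=GROUP_ROLES):
    """Direct roles plus every role inherited through group membership."""
    roles = set(direct.get(user, set()))
    for group, users in members.items():
        if user in users:
            roles |= group_roles.get(group, set())
    return roles


def find_violations(users, conflicts=SOD_CONFLICTS, **role_sources):
    """Return sorted (user, conflicting_pair) tuples for every toxic combination held."""
    hits = []
    for user in users:
        roles = effective_roles(user, **role_sources)
        for pair in conflicts:
            if pair <= roles:  # user holds both roles of the pair
                hits.append((user, pair))
    return sorted(hits, key=lambda h: (h[0], sorted(h[1])))


def triage(violations, exceptions=EXCEPTIONS, as_of=None):
    """Split violations into accepted (valid, unexpired exception) and open."""
    as_of = as_of or date.today().isoformat()  # ISO strings compare chronologically
    accepted, open_ = [], []
    for v in violations:
        expiry = exceptions.get(v)
        (accepted if expiry and as_of <= expiry else open_).append(v)
    return accepted, open_


if __name__ == "__main__":
    all_users = set(DIRECT_ROLES) | set().union(*GROUP_MEMBERS.values())
    accepted, open_ = triage(find_violations(all_users), as_of="2025-01-15")
    for user, pair in open_:
        print(f"OPEN     {user}: {' + '.join(sorted(pair))}")
    for user, pair in accepted:
        print(f"ACCEPTED {user}: {' + '.join(sorted(pair))}")
```

Note that alice and bob have no conflicting direct roles; both violations only appear once group-granted roles are folded in, which is why the analysis must run over effective rather than assigned roles. Re-running the triage after an exception's expiry date moves that item back into the open list, so the annual review cannot silently rely on stale acceptances.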
Issue 4: Fraud and Risk Assessments
Internal controls should be addressing all forms of fraud, including threats that could potentially be coming from inside the organization.
Issue: Many risk assessments do not include fraud as one of the key threats facing an organization.
Solutions: Fraud takes many forms, and in some industries certain types of fraud are more common than others, based on the nature of the work. (The Association of Certified Fraud Examiners breaks down what fraud looks like across industries, as an illustration of the many forms it can take.) If you are not currently covering fraud with your internal control environment, consider taking the following steps:
- Identify the types of fraud that could most affect your business operations.
- Review and address the controls for those risks associated with the types of fraud to which your organization may be vulnerable.
- Consider whether anything in your business or organizational culture could be raising your fraud risk, such as job-related incentives, pressures for certain outputs, cost containment expectations, and employee morale.
Issue 5: Vendor Management
Organizations should have a vendor management protocol covering background checks, code of conduct agreements, experience, responsibilities, training, risk assessments, and attestation report reviews.
Issue: Vendors are a source of significant risk if taken on without performing due diligence procedures.
Solutions: If you have not set up a formal vendor management program, consider taking the following steps:
- Assign responsibility and accountability for third parties and vendors to an individual or team within your organization. This resource can help ensure that the controls established are being followed.
- Implement a background check for all vendors and an acknowledgement that your organization has an expected code of conduct for its third-party vendors.
- Document all third-party roles and responsibilities and periodically evaluate what services are being performed by a third party.
- Create a system for evaluating third-party providers' competencies and experience. Are vendors continuing to perform to expectation? Do they have the experience you need for the service being performed? One indicator is whether the third-party provider regularly holds training for its employees.
- Perform a periodic vendor risk assessment.
- Ask for a System and Organization Controls report (SOC 1 or SOC 2) to understand the controls in the vendor's environment.
Mind the Gap
Oftentimes flaws in a control environment only come to light during a review or a security incident. For comments, questions, or concerns about how you can address your internal controls, please contact us.