When I was in grade school, a group of girls would get together at someone’s house after school, and we would seek advice from a Magic 8 Ball about some future event such as “Should I get my ears pierced?” or “Should I hang out with a certain boy?” We would shake the Magic 8 Ball and then turn it upside down to find out the answer to our yes/no question. Sometimes, we were elated at getting the answer we wanted. Other times, we were disappointed by the response. Don’t you wish that you could use a crystal ball to predict the future of your business profitability, know what business risks may be headed your way in the near or distant future, and understand how to detect errors or problems before they even happen?
All businesses are subject to threats that could harm their organization and result in asset loss. These risks, ranging from human performance error to fraudulent activity, are present in every business. Internal controls should be part of the solution to detect and prevent these events from occurring and to ensure the effectiveness of executing your organization’s operating, reporting, and compliance objectives. There are several internal control frameworks, and the one that is most widely referenced is the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (You can read more about the formation and history of COSO later in this article).
Below are three categories of internal controls to consider integrating into your processes:
Preventive controls are designed to prevent an event that adversely impacts your organization or a specific business process. These are the most beneficial controls because they lessen the need for detecting errors and taking corrective actions. Automating preventive controls can provide additional benefits by reducing or removing human intervention from parts of the process and streamlining audit functions. Some examples of preventive controls include:
Detective controls are designed to detect an error or problem after an adverse event has occurred.
A detective control is most effective if it results in the discovery of a minor error that can be corrected before it becomes a significant problem. Some examples of detective controls include:
Corrective controls are designed to mitigate the damage from an adverse event and reduce the risk of repeat occurrences of the event. These controls are most effective when developed from post-event investigation results or root cause analysis findings and coupled with preventive and detective controls.
Some examples of corrective controls include:
Think in terms of preventing, detecting, and correcting risks related to process breakdown, fraud, theft, ineffectiveness, and human performance error. Your organization may not have a crystal ball to foresee what internal and external threats are imminent, but you can be better prepared to deal with them if your organization has a digital transformation mindset. Digital Transformation can help you reduce risks, create effective internal controls, and fuel future growth. We define Digital Transformation (DX) as “the commitment of an organization to consistently improve business performance through the use of technology as a strategic asset.” Because of the constantly changing threat landscape and the growing number of regulatory requirements that businesses comply with, digital transformation is not a singular initiative but rather a long-term journey. In fact, we believe it is best described as Continuous Improvement viewed through a technology-filtered lens. For help navigating that journey, fill out this form to download a copy of our Digital Transformation Framework and request a complimentary advisory session with us.
COSO was formed in 1985 to sponsor the National Fraudulent Financial Information Commission (the Treadway Commission). The Treadway Commission was originally sponsored and jointly funded by five major professional accounting associations and institutes based in the United States: American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and Institute of Management Accountants (IMA). The Treadway Commission recommended that the sponsoring organizations of the Commission work together to mitigate the risk of corporate fraud by developing integrated guidance on internal control. These five organizations formed what is now called the Committee of Sponsoring Organizations of the Treadway Commission. In September 1992, the Commission published the report entitled “Internal Control – Integrated Framework”. This report presented a common definition of internal control and provided a framework against which internal control systems can be evaluated and improved. For full details on the history and mission of the Committee of Sponsoring Organizations of the Treadway Commission, you can visit their website.