One of the expressions we hear rather often in business world is "think global".
This expression may be considered a reference to benefiting from global opportunities, being open to novelties and going beyond local markets however the first thing to do is to build the system on sound institutional ground and make it controllable to allow for necessary openings and healthy growth, be it global or not. The keyword here is "control". Nothing beyond one's control shall belong to one in the long run.
The word "control" has become a part of each and every aspect of our lives. Controlled crossing, losing control, internal control, control panel, control director, control group, out of control, control system, control point... These are what come to my mind at first thought...
I have asked in a recent interview how family businesses in Turkey are doing in the crisis compared to foreign companies. Considering that most companies in Turkey are family businesses I believe that the institutionalized ones will always have some competitive advantage over others. An institutionalized institution shall be able to identify its current and future risks well. Such enterprises have internal control systems that connect with each principle of institutionalization.
I believe that corporate governance has four major principles and I will use a summary of OECD's corporate governance1 principles to make my point:
- 1- Fair Management
- 2- Accountability
- 3- Responsibility
- 4- Transparency
The above criteria shall be "sine qua non" for companies that desire to institutionalize and are in direct relationship with and active and efficient "internal control system".
Is internal control the enemy within or the perfect friend?
Indeed, not having an internal control system may cause an enemy within. I would like to talk about how we can make friends with internal control.
First of all, internal control is a process, that is in relation with the above corporate governance criteria and is designed to provide reasonable assurance regarding the achievement of objectives of the enterprise and is effected by an entity's board of directors, management and other personnel.
The purpose of internal control is to identify errors when they are minor and before they turn into big problems to protect the enterprise against external and internal risks through ensuring
- Reliability of financial statements / reporting,
- Effectiveness and efficiency of operations, and
- Compliance with applicable laws and regulations.2
As its definition suggests, internal control is a process and its existence at an enterprise has direct impact on risk management. Since internal control is a process it requires patience. As we have been offering this service at our company I shall be able to say from experience that establishing an internal control system requires at least 6 months of work.
On the other hand, the internal control system to be built shall be subjected to uninterrupted supervision and the internal control criteria booklet to be prepared must be revised in accordance with the changing economic conditions and needs of the company. What needs to be done here first is to try to get a picture of the internal control system. Risks should be identified and put in an order of priority. Interviews should be held with key persons during risk identification; if available, their job descriptions should be examined and their position and powers within operation should be determined. Work flow charts should be prepared. Reporting responsibilities and information and document flow for each operational process should be described in the work flow charts. If available, the enterprise's internal control criteria should be reviewed. An internal control map for the enterprise should be prepared to determine the risks existing practices are exposed to. The next step shall be to revise internal criteria if they exist or to create them if they do not. Opinions of the management and operation officials shall be sought at each of these stages and each procedure shall be implemented if all relevant persons agree.
On the other hand, the biggest problem regarding the matter is attitude. Business managers are generally quite satisfied with the family order they have established. Even if the business is not running very smoothly, the boss is not willing to change the status quo which the second generation somewhat wishes to change. If indispensible open transactions are involved too, the system is tried to be controlled using notes written on small pieces of paper. Some mistakes will be skipped and some will be spotted for various reasons but the solutions to be found cannot go further than saving the day, they cannot be permanent. If businesses show signs of growth managers start to have nightmares about "how" to handle it. Years are spent sitting on a bomb called risk without knowing what tomorrow's problem will be. Until this system which you think is being controlled fails due to an economic crisis, a bank, Treasury or a competitor...
The attitude adopted by business owners is generally as I have explained above. It is very clear that a disease is in question but nobody knows where to start to cure this disease. And, I have said earlier, change is not very warmly welcome in these cases. The same system –or lack of a system- has worked for years and the company survived, that is all that matters...
If a desire exists to take a step towards changing such attitude that dominates most family businesses, the place to start may very well be the internal control system. An internal control system affects all operations of a company including financial affairs, supply-chain management, personnel transactions, correspondence, meeting management and budgeting. The internal control system has five components.
The control environment is the foundation of the components of internal control. The control environment factors involve elements such as ethical values, employee competence, philosophy of management, method of working, delegation of responsibility by the management, organization and development of employees, interest and direction by the board of directors.
Risk assessment shall be divided into two parts as internal and external risks. Internal risk assessment is related to the identification and analysis of risks that are directly associated with the realization of the company's objectives and creating a substructure for managing such risks. External risk management on the other hand refers to having a structure that can identify and study risks that may result from system changes as economic, industrial, legal and functional factors change in time.
Control activities refer to all policies and procedures which ensure that directives given by the management are fulfilled. These may consist of different activities such as approvals, agreements, operational performance assessment, protection of assets and task distribution. Preventive, corrective or detective measures can be put in place for these.
Information and communication refer to the identification, storage and communication at the right time of information required for individuals to fulfill their tasks within a certain time period. An information technology system to be put in place within the context produces reports that cover information on financial, functional and compliance that are necessary for the establishment to carry on business and be controlled.
Supervision refers to constant supervision of the system from the aspects of performance and position against changes. Factors such as novelties in the establishment and economic changes require that the operation of the internal control system is continuously adapted which constitutes the major reason for the dynamic nature of internal control systems.
I would lastly like to briefly discuss the concept of "internal auditing" which is often confused with "internal control". Enterprises can form and internal control unit if they prefer to be closed. Internal auditing on the other hand refers to the controlling of the system by this unit or by an independent auditor. If BASEL II had been put into force, rating agencies would evaluate active internal control formation by enterprises as a factor that would increase credit ratings although as I have defended back when this issue was being discussed, setting up an active internal control system should be considered a requirement to increase enterprises' competitive power, identify risks on time and ensure smooth operation rather than an obligation. Putting this system in operation and adapting it to new internal and external conditions regularly will definitely prepare the enterprise for the future rather than saving the day.
I would like to add a few words at this point. The operation of an internal control system does not depend on some ERP programs or external consultancy; what needs to be changed first is the enterprise's approach to institutionalization. Unless that approach is changed funds to be allocated to consultants and software will never give the desired results.
1. OECD Principles of Corporate Governance http://www.oecd.org/dataoecd/32/18/31557724.pdf
2. COSO, definition of Internal Control, http://www4.coso.org/resources.htm
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.