What steps should a manager follow in order to implement a control system?

Is your business well protected against errors and fraud? Check it out using the 10 essential steps of internal control.

The internal control system is a central element in reducing the risk of error or fraud. However, it is not always easy for a company to find its way around recommendations such as those of COSO (Committee Of Sponsoring Organizations of the Treadway Commission).

In the 10 steps below, discover the tips learned in the field over the last 15 years.

1- Definition of the scope of internal control

Firstly, the scope of action of internal control must be defined. This is certainly the most important step, the one that will give internal control its backbone. Three plans provide a clear and comprehensive starting framework:

1. The geographical framework, which enables to formalize the locations that will be included in internal control.
2. The activities or processes concerned.
3. The families of risks (called “objectives” in COSO) that internal control will help to better control.

Therefore, three essential questions must be asked to define this scope of action:

1. Which sites and subsidiaries are concerned?
2. Which activities (processes) are concerned?
3. What are the families of risks that internal control will help reduce?

The families of risks can be as follows:

• Financial: risks that could cause the company to lose money.
• Financial statement (or reporting): risks of anomalies in the accounts, incorrect accounting information, etc.
• Compliance: risks that could put the company in a situation where it does not comply with standards or laws.
• Operational: risks that may prevent the company from fulfilling its mission
• Personal health: risks that may affect the physical or psychological health of people connected with the company.
• Information security: risks affecting the confidentiality, integrity and accessibility of information
• Image: risks that can affect the company’s reputation
• Environment: risks that may affect the environment (air, water, soil, space, raw materials, energy, etc.).

Since internal control comes from the accounting field, it often covers at least the risks related to the financial statements (reporting).

2- Identification of the activities carried out

Then, once the scope of action has been defined, it is necessary to list the activities (or processes) carried out by the company in order to identify, in a second step, the risks associated with each process. The idea is to simply answer the question “What do we do in the company? ».

Activities vary from one company to another and it is essential to highlight the activities specific to each establishment.

In other words, the level of detail in identifying activities must be appropriate and consistent across sectors. For example, the following three sentences relate to the same process but do not provide the same levels of information:

• “I do accounting”
• “I pay supplier invoices”
• “I am entering accounting data”

This is why it is necessary to define the right environment to identify the activities that are carried out, without falling into a list of micro-tasks.

3- Identification of risks

The risks to which the company is exposed mainly result from the activities carried out. In this step, the question must therefore be asked for each activity: “What are the risks related to the families of risks selected? ». For example, for the “Payment of supplier invoices” process, what are the financial, operational or financial reporting risks ?

The identification of risks can result in an immeasurable inventory of possible risks. Even if many risks can be envisaged, care must be taken to remain close to reality. One solution is to start with situations already experienced by the company or in its sector of activity. For example, if your company has already made mistakes in salaries, you know that there is this risk that you will have to protect yourself against.

4- Identification of existing controls

In the context of internal control, the word “control” covers all the measures used to control a risk: control action, procedure, regulations, control software, tangible protection measures, etc.

Based on its past experience and knowledge of its business sector, each company already has internal controls and effective procedures to control certain risks. It is important to identify them. Often, 90% of controls already exist but are not formalized.

In front of each risk, it is therefore sufficient to identify the mitigation measures.

In addition, “controls of controls” (or surveillance of controls) should be added here if they already exist. For example: quarterly verification of the realization of the “monthly salary control”.

Simple and useful internal control for everyone with Optimiso Suite

Benefit from a matrix that is always up to date, fully automated control tracking, and an auditor-approved solution.

What are the 5 steps in the control process?

What are the steps of a control system?

What are the 4 steps in organizational control?

What is the process of controlling implemented before the process?