Risk management and internal control in banks.
What are internal controls?
Internal controls are the mechanisms, rules, and procedures that a company implements to ensure the integrity of financial and accounting information, enhance accountability, and prevent fraud.
Besides complying with laws and regulations and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting.
Main Points
Internal controls are the mechanisms, rules, and procedures that a company implements to ensure the integrity of financial and accounting information, enhance accountability and prevent fraud.
Besides complying with laws and regulations, and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting.
Internal audits play an important role in a company’s internal controls and corporate governance, now that the Sarbanes-Oxley Act of 2002 makes managers legally responsible for the accuracy of their company’s financial statements.
Understanding internal controls
Internal controls have become a major business function of every American company since the accounting scandals in the early 2000s. In their wake, the Sarbanes-Oxley Act of 2002 was enacted to protect investors from fraudulent accounting activities and to improve the accuracy and reliability of corporate disclosures. This has had a profound impact on corporate governance, by making managers responsible for financial reporting and creating an audit trail. Managers found guilty of failing to establish and properly manage internal controls face serious criminal penalties.
The auditor’s opinion accompanying the financial statements is based on a review of the procedures and records used to produce them. As part of the audit, external auditors will test the company’s accounting processes and internal controls and provide an opinion on their effectiveness.
Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. They ensure compliance with laws and regulations and accurate, timely financial reporting and data collection, and they help maintain operational efficiency by identifying problems and correcting gaps before they are discovered in an external audit. Internal audits play an important role in company operations and corporate governance, now that the Sarbanes-Oxley Act of 2002 makes managers legally responsible for the accuracy of their company’s financial statements.
No two systems of internal control are identical, but many core philosophies regarding financial integrity and accounting practices have become standard management practices. While internal controls can be expensive, properly implemented internal controls can help streamline operations and increase operational efficiency, as well as prevent fraud.
Regardless of the policies and procedures established by the organization, only reasonable assurance can be given that internal controls are effective and that the financial information is correct. The effectiveness of internal controls is limited by human judgment. Senior employees are often able to override internal controls on grounds of operational efficiency, and internal controls can be circumvented through collusion.
Preventive controls vs. detective controls
Internal controls typically consist of oversight activities such as authorization, documentation, reconciliation, security, and segregation of duties. They are broadly divided into preventive and detective activities.
Preventive control activities are intended to deter errors or fraud from occurring in the first place and include comprehensive documentation and authorization practices. Segregation of duties, an essential part of this process, ensures that no single individual is in a position to authorize, record, and take custody of the resulting financial transaction and asset. Approving invoices and verifying expenses are therefore internal controls. In addition, preventive internal controls include limiting physical access to equipment, inventory, cash, and other assets.
Detective controls are backup procedures designed to catch items or events that have been missed by the first line of defense. Here, the most important activity is reconciliation, which compares data sets so that corrective action can be taken on material differences. Other detective controls include external audits by accounting firms and internal audits of assets such as inventory.
What is risk management and why is it important?
Risk management is the process of identifying, evaluating, and controlling threats to an organization’s capital and profits. These risks stem from a variety of sources including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters.
A successful risk management program helps an organization consider the full range of risks it faces. Risk management also studies the relationship between risk and the cascading effect it can have on an organization’s strategic goals.
This comprehensive approach to risk management is sometimes described as enterprise risk management because of its emphasis on anticipating and understanding risk across the organization. In addition to focusing on internal and external threats, Enterprise Risk Management (ERM) stresses the importance of positive risk management. Positive risks are opportunities that can increase the value of the business or, conversely, harm the enterprise if they are not exploited. In fact, the goal of any risk management program is not to eliminate all risks but to preserve and add value to the organization by making intelligent decisions about risks.
“We don’t manage risks so we can have no risks. We manage risks so we know which ones are worth taking, which ones will lead us to our goal, and which ones have enough payoff to even take them,” said Alla Valente, a senior research analyst at Forrester who specializes in governance, risk and compliance.
Thus, the risk management program must be intertwined with the organizational strategy. To do so, risk management leaders must first determine the organization’s risk appetite—that is, how much risk it is willing to accept to achieve its goals.
Mike Chapple, Senior Director of Information Technology at the University of Notre Dame, explained in his article on risk appetite vs. risk tolerance that the daunting task is to identify “risks that are commensurate with an organization’s risk appetite and that require additional controls and procedures before they are acceptable.” Some risks will be accepted with no further action required. Others will be mitigated, shared, transferred to another party, or avoided altogether.
Why is risk management important?
Risk management has probably never been more important than it is now. The risks faced by modern organizations are becoming more complex, driven by the rapid pace of globalization. New risks are constantly emerging, often associated with, and generated by, the now widespread use of digital technology. Risk experts have described climate change as a “threat multiplier”.
A recent external threat that first emerged as a supply chain problem for many companies – the coronavirus pandemic – quickly evolved into an existential threat, affecting the health and safety of employees, the means of doing business, the ability to interact with customers, and the company’s reputation.
Companies made quick adjustments to the threats posed by the pandemic. But going forward, they will wrestle with new risks, including how or whether to bring employees back into the office and what to do to make their supply chains less vulnerable to crises.
As the world continues to grapple with COVID-19, companies and their boards of directors are taking a fresh look at their risk management programs. They reassess their exposure to risks and examine risk operations. They are reconsidering who should be involved in managing risk. Companies that are currently taking a reactive approach to risk management — to guard against past risks and change practices after a new risk causes harm — are examining the competitive advantages of a more proactive approach. There is a growing interest in supporting the sustainability, flexibility and agility of the enterprise. Companies are also exploring how artificial intelligence technologies and advanced governance, risk and compliance (GRC) platforms can improve risk management.
Financial industries versus non-financial industries
In discussions about risk management, many experts have noted that in highly regulated companies whose business is risk itself, risk management is a formal function.
Banks and insurance companies, for example, have long had large risk departments, usually headed by a Chief Risk Officer (CRO), a title that is still relatively uncommon outside the financial industry. Furthermore, the risks faced by financial services firms tend to be rooted in numbers and thus can be effectively measured and analyzed using known technology and mature methods. Risk scenarios in finance companies can be modeled with some precision.