Control & command
by Richard Young and Alice Hohler - Thursday, 4th October 2007
Internal control has rocketed up the board agenda in recent years. And that's a good thing. No, really.
“Boring but important.” That probably sums up most FDs’ opinion of internal control. The most boring part? It’s the bit of the job that makes you look like a stereotypical “FD-as-policeman”. The red tape is pretty dull, too – though it’s anything but static.
Since the Cadbury Code highlighted the concept in 1992, a seemingly constant stream of reviews and guidance notes has moved control steadily higher up the regulatory agenda. SarbOx, even though it affects a relatively small proportion of UK companies, has further driven home the message that you overlook internal control at your peril. And the statutory Operating & Financial Review (OFR), which came into force this year, has made it an auditable function. Internal control has become pretty hidebound.
According to a recent survey commissioned by software firm CODA, 92 per cent of UK FDs said their department was spending more time on risk, control and assurance than they did three years ago; 68 per cent reported increased finance function headcount to cope with compliance. But governance regulations are not only distracting finance resources from more strategic, forward-looking activities – they’re also masking the value-creating potential of good control itself.
Jonathan Hayward is CEO of consultancy Independent Audit. He believes regulation encourages an unhealthy level of box-ticking. “Over the past 15 years, internal control and risk management have developed in response to regulatory pressures,” he says. “So they don’t always look well joined-up with the business. There’s still far too much boilerplate. The internal control report is probably the least useful part of the annual report – and there’s some pretty stiff competition for that title.”
It should be about making things go right a lot more often than they go wrong, Hayward goes on. “Organisations are not machines – they’re societies, run by people,” he says. “All societies need rules to avoid chaos. But the effective ones don’t overdo it.”
Hayward is not alone in believing that the UK regulatory environment is close to saturation point. The collective sigh of relief last month when the Flint Review chose to make minimal changes to the Turnbull Guidance, rather than imposing a SarbOx-type regime on UK companies, spoke volumes.
That sigh was loudest in Britain’s finance functions. Most of you are embracing internal control as a fundamental part of your business – and have been doing so for some time, not just in response to recent developments.
“A robust internal control environment means you pick things up more quickly,” says Seamus Keating, FD of IT services group LogicaCMG. “It gives you more confidence to take on large and complex projects for customers.”
Has his day-to-day control role changed in recent years thanks to all this regulatory attention? “It hasn’t really changed my job, but internal control has got a much higher profile,” he says. “Non-executives and audit committees are more involved now, and they regard it as much more important. So more of my time is spent making sure that everyone understands the control framework and has input into it.”
Keating’s not the only FD who looks beyond the rules. “Our procedures for controlling the business are the same as our procedures for driving the business,” says Becky Worthington, FD at Quintain Estates & Development. “Take our weekly capex meeting on Monday morning. Any spend that hasn’t been budgeted for is discussed in detail, and we have strict rules for getting it signed off.” That’s not a prescribed activity – it’s just smart.
Worthington says that internal control has become a bigger issue at Quintain in recent years. But she puts this down to the company’s rapid growth rather than regulatory pressure. So although Quintain has recently hired an internal auditor, Tory Heazell, she’s there to add value, not tick boxes. “Internal control is about bringing structure to procedures that are there anyway,” Heazell says.
There’s certainly a trend to establish internal audit (IA) as part of the finance family. FTSE 100-listed Kingfisher has built up its IA team to more than 50 people. “That’s mainly because the business is bigger – we now operate over 600 stores – and because we’re a retailer with many different formats in many different countries,” says FD Duncan Tatton-Brown. “Greater external scrutiny is probably the least important reason.”
His day-to-day role has also not changed much. “It’s an important part of every senior manager’s role,” he says. “But as FD, there is a bit more communication to the board on internal control now.”
At a prominent quoted company like Kingfisher, the FD is now more clearly in the spotlight. “The external expectations around risk are higher and there’s far greater public scrutiny,” says Tatton-Brown. But it’s not just these FTSE 350 groups that have to take internal control seriously. Unlisted and smaller companies are also grasping the nettle. While the Flint Review found that 87 per cent of companies capitalised above £500m had implemented and fully integrated risk assessment and internal control, so had 65 per cent of those capitalised at less than £100m.
At the top end of the private scale, there are companies like £1.1bn-rated currency exchange giant Travelex. It has developed internal controls beyond even those required in the tightly regulated financial services sector. “We’ve always prided ourselves on running our business like a public company,” says FD Clive Kahn. True, there’s a high probability that it’ll become one eventually. “We don’t want to wait until the last minute to get the house in order,” he admits.
But Kahn’s belief in internal control runs deeper than that. “We’re doing it because we think it’s important,” he says. “We’ve got tremendous value out of our internal audit. If people are doing it just because they have to, they’re missing the point.”
That’s endorsed at the other end of the unlisted spectrum by Charles Ogilvie, FD of the £18m-turnover distributor Contender Entertainment Group – a former Sunday Times Fast Track 100 firm. An internal auditor is top of his wish list. “At the moment we have incredibly simple, common-sense controls,” he says. “Because management are also significant shareholders, I look after the money as if it’s my own. But I don’t like the fact that it all depends on me. I would like someone who could troubleshoot processes.”
But can such a small company justify the cost of a full-time internal auditor? Ogilvie seems surprised at the question. “I would expect whoever I employed to find savings and efficiencies to pay for themselves two or three times over,” he says.
Contender is right to see more rigorous control as a potentially cost-effective exercise. The FD of a family-owned publishing business we approached claims his external audit costs halved after he tightened up internal financial control. “The auditors now have to do far less substantive checking, so the process is much cheaper,” he says.
So, at companies of all sizes and types, FDs are moving beyond seeing internal control as a “grudge purchase” to keep shareholders, the audit committee and regulators happy. It just makes good business sense. But why stop there?
While smaller companies still tend to focus on financial controls, elsewhere the scope has broadened away from the finance department – where a control culture is naturally more deep-rooted – to the operational side of the business. This is just smart thinking: a recent PwC survey found that financial risk caused only six per cent of major share price declines, compared with 58 per cent for strategic risk and 31 per cent for operational risk. You can have the best controls within the finance function. But if there’s a breakdown elsewhere in the business, they could make things worse by convincing you that you don’t have a problem.
SarbOx: Revealing the value of controls?
So what happens when you do have to rely on your controls to keep you out of jail? We British are inclined to look on the bright side. As our own business environment gets more risky and litigious, it’s easy to look at US companies (and some of ours) and think, “At least I don’t have to deal with SarbOx.” Then we resolve to show that our own principles-based system works, if only to avoid the Americans’ fate.
But is our fear of SarbOx justified? There are certainly horror stories, where process rather than good management has informed decisions. Take the FD of the subsidiary of a US company who found his reporting line shifted from his European CEO... to the finance department back in the US – not the CFO, mind you, but two levels down. How can that be a holistic approach to control?
And then there’s the cost of compliance, estimated at $10m for large companies and $3m to $5m for smaller ones. Even the Big Four audit firms, which are making huge fees out of SarbOx compliance, are often sceptical (off the record, of course) about its underlying value. Refco, anyone?
But now that US companies have made – and paid for – the transition, many are determined to extract value from it. Bob Spedding, EMA Head of Internal Audit Services at KPMG, has just returned from the US. “Companies have had to catalogue all their controls and processes in unprecedented depth,” he says. “They should be able to use that information to make sure they are operating as efficiently and cheaply as possible, and to gain competitive advantage.”
Paul Slater, partner at PwC, also believes that there are important lessons to be learned from SarbOx. “I’ve spoken to FDs who believed they had good control frameworks and strong internal audit functions,” he says. “After going through SarbOx, they were surprised at how many gaps were found.” According to Slater, there were two patterns to the gaps. First, they happened where controls were thought to be in place, but were not actually operating. Second, manual controls were still being used where automated ones could have been, at a significantly lower cost.
“SarbOx also forced many companies to create greater transparency in controls at the operational level,” says David Bishop, partner in PwC’s Risk Assurance Service. “Companies want to learn ways of removing complexity in the finance function and focus on a few key controls. They want to take the gems from the SarbOx process and leave behind the compliance burden.” And applying some of the act’s principles could prepare you for the possible introduction in 2006 of the more stringent EU 8th Directive on Company Law covering internal control.
How does all this translate into practical activities for busy FDs? We asked the finance directors and experts we spoke to for some basic rules.
- Keep it simple. “Don’t overcomplicate internal control. Focus on the key risks to your organisation,” says RSM Robson Rhodes’s Alan Lees.
- Aim for good business practice, not layers of process. “Keep your eyes on the objective – good management – and apply common sense,” says Hayward.
- Make it practical. “If I stood in front of the board with a heap of diagrams and buzzwords, I expect I’d be booed out of the room,” says Quintain’s Heazell.
- Get fresh perspectives. Ask people from one department or region to look at how controls work in other areas. “It’s quite easy to see the gaps when you look at something from the outside,” says Heazell.
- Sell it to employees. Good controls protect them as well as shareholders, and aren’t there to “catch them out”. “I trust people,” says Heazell. “I don’t like putting controls in place that imply a lack of trust.”
- Learn from past mistakes. It’s easier to get buy-in if the need for a particular control has already been proven. “You get no credit if things don’t go wrong – because you haven’t proved the need for the control,” says Heazell. So prioritise the existing failures.
- Seek competitive advantage. It’s a chance to add value, not cost. Use your auditors’ experience of compliance with SarbOx and other regulations to benchmark your own business.
Ideally, of course, internal controls should become so embedded that staff apply them instinctively. And there’s already evidence of employee “self-assessment” on internal control in many organisations. RSM Robson Rhodes’ Lees believes that, over time, internal audit may even disappear altogether as this becomes the norm. Perhaps this is what all FDs should aspire to – and it’ll help you lose the “boring” tag, to boot.
Brief history of internal control in the UK
1992: The Cadbury Code, the UK’s first corporate governance code, includes Principle 4.5 on “reporting the effectiveness of the company’s system of internal control”.
1994: The Rutteman Report on Internal Control and Financial Reporting expands on Principle 4.5, specifying minimum disclosures. But it admits a system of control can provide only “reasonable and not absolute” assurance against misstatements.
1998: The first Combined Code broadens the debate from internal financial control to internal control.
1999: The Turnbull Report says boards should adopt a risk-based approach to establishing a sound system of internal control and conduct an ongoing review of its effectiveness.
2002: The Sarbanes-Oxley Act is passed in the US. Section 404 requires directors to make statements on the effectiveness of internal controls. Foreign companies with US-listed debt or equity will have to be 404-compliant from 2006.
2003: The Smith Report advises on the roles and responsibilities of audit committees. The Combined Code is revised to reflect both this and the Higgs Report.
Jan 2005: The statutory OFR covers current and prospective performance and strategy. It must include information on the principal risks and uncertainties that may affect a company’s long-term value.
Oct 2005: The Turnbull Guidance is reviewed by a group led by Douglas Flint, FD of HSBC. “The overwhelming view was that the Turnbull Guidance continues to provide an appropriate framework for risk management and internal control. Its relative lack of prescription is considered to have been a major factor contributing to the successful way it has been implemented,” says Flint. “Only limited changes have been made to the guidance itself, while a new preface has been added to emphasise the need [for firms] to keep [it] under review and to provide meaningful information in their annual report,” says the FRC.
Does control kill off entrepreneurialism?
About a year ago, we hosted a lunch on risk management with KPMG. “My big concern is perception of controls,” said one FD. “I don’t want people in the business becoming reluctant to come forward with good ideas because they think finance is just going to prod it around and analyse it to death. If they think it’s all process and paperwork, they won’t bother.” So how do you marry control with creativity?
In fact, fast-growing, entrepreneurial companies need internal control even more than their steady-state peers. Risk-takers are from Mars and controllers are from Venus, then? It’s all about striking a balance. “The benefits have to outweigh the costs,” says Alan Lees, head of risk assurance services at accountancy firm RSM Robson Rhodes. “An over-controlled organisation can be just as unsuccessful as a poorly controlled one if its control systems stop it doing business.”
Risk can never be entirely eliminated – and even if it could be, this shouldn’t be internal control’s goal. Without risk, there is no reward. “It’s not cost-effective to mitigate every risk, and being too risk-averse would hamper what businesses are trying to achieve,” says Tory Heazell, internal auditor at property group Quintain. Her FD, Becky Worthington, agrees: “Having a rule book is crucial, but it should be as thin as possible. It’s there so that people know what really matters, without getting bogged down in endless red tape. People doing deals understand what they need sign-off on. It’s a straightforward process, and that’s essential because you want your deal-makers to be making money, not worrying about which form needs to be filled in.” That, of course, is where finance can do the heavy lifting – providing its staff communicate well.
At Travelex, another large-but-entrepreneurial company, managers can appeal on any control they don’t agree with. “We’re a global operation – we can’t write risk controls for each individual business and region we operate in,” says Clive Kahn, Travelex’s FD. “So while we have blanket controls, local managers can say ‘this doesn’t fit our business’. We try to make sure that lines of communication are open between layers of management – and that there aren’t too many layers.”
Control: The operational benefits
Several of the FDs we’ve spoken to have emphasised the need to push the finance function’s control agenda into the business. Nowhere is that more true than in retail, where the volume of in-store transactions is a massive and explicit risk. Last month we met John Hood, FD of £1.5bn-turnover Lloyds Pharmacy, when he was presenting the results of a project to improve loss prevention across its 1,400 stores using better controls, automated transaction monitoring, enhanced internal audit and better communication.
“I got into retail in the mid-eighties, the good old days,” he says. “Now the environment is tougher for retailers. Margins are slim, and even in our business, where the majority of revenue comes from the NHS, there’s pressure on the top line. That means we have to be a lot tighter on control. Our loss prevention efforts are managed within the finance function: we run a team of internal ‘operational’ auditors and a security team. They have close working relationships right across the business. We also have a security data manager whose role is to look for control lapses in our systems and deliver feedback to operational teams.”
Prior to this new approach, the speed of these feedback loops was a “critical failure”. But new systems, mainly a loss prevention package installed by IntelliQ, have created a much more responsive control environment. So instead of monthly exception reports, for example, the team now gets almost real-time reporting on problems in stores. And, crucially, loss prevention teams get the information directly. “As FD, I don’t want to use these control systems,” says Hood. “They have to be able to use them and see value in using them. I would never have taken these new systems to the board if they hadn’t bought into it – or if I hadn’t seen potential for a return on the investment.”
There’s still a balance between control and keeping the business going. “We never wanted to tie people up in forms and procedures,” says Hood. And it pays to prioritise the controls that will deliver the fastest results. “When it comes to stock loss, process failure is a bigger factor than internal theft,” says Laurence King of Oris Group Consulting. “But the anti-shrinkage spend is usually focused on external theft, the shoplifters.”
Control after calamity
What happens when internal control collapses? Simple: you hire a good FD to fix it.
Brian Hanks became FD of the English subsidiary of Intrum Justitia, Europe’s leading provider of credit management services, at the beginning of July 2003. His first job? To tackle concerns about the finance function and a realisation that internal control had broken down. “We had to make an initial calculation of the problem within two weeks,” says Hanks. “Two of us came up with an estimate: a misstatement of about £6m. It was serious enough for the Swedish parent company to issue a press release about accounting irregularities.”
That brought about an invasion of forensic accountants to calculate the exact error. Was it actually £6m, as Hanks had calculated? Or was it £16m? Or, even worse, £0.6m? “The £6m figure had been a very quick estimate,” says the FD. “In fact, the final number was within spitting distance of it, which proves that the back of the envelope can often work!”
The finance department was about 25-strong, but Hanks took on 20 qualified and part-qualified accountants on a temporary basis to get the reconciliations up to date. “We then had these 30 forensic accountants in from PwC,” he says. “Those guys could have come up with a conclusion that actually everything was OK – that would have been a nightmare for us, especially since Group had acted so quickly after we’d come up with the £6m figure. It all rather focuses the mind.”
Hanks’s first four or five months were all about getting to the bottom of the problem and finding out what allowed it to happen. “That would enable us to move to the next stage: fixing all of those issues and ensuring it didn’t happen in the future,” he says. “Some of the problems were obvious. One of the bank recs had 11,500 unreconciled items on it, for example. We had a lack of control over the posting to ledgers. And we had cash books that contained wrong entries.”
So how had control broken down so badly? “There were three main factors,” says Hanks. “The department was run on manual processes; there was a lack of documentation or review of process; and there was a lack of qualified accountants. So as soon as you got a resignation, for example, the outgoing person would do a hand-over. But if the leaver didn’t fully understand their own job and the new person only picked up half of what they’d been told, it would start to break down completely.”
That meant re-evaluating every process and checking all the data – while keeping the department running and supporting the business at the same time. “If we spotted something that could be fixed immediately, processes were changed that day,” says Hanks. “For example, cheque books were dotted around the building with whoever was a signatory. We pulled all of those back in to be kept secure in finance as soon as we found that out.”
Hanks admits there was tension between the incumbent staff (who took flak for the problem), the forensic guys and the new team members brought in to tighten up the ship. “It was a sizeable enough problem that everybody knew about it,” says the FD. “But that meant we were able to harness resources across the whole business.”
That’s a key point: “Fixing internal control means looking throughout the business,” he says. “Even today we still have quality checks. People may ask why we need somebody else to review their work. But I think it adds a safety level. We don’t want things to go wrong again. And it’s now far easier for us to get the control message across outside finance because I can always say, ‘Here’s what happened in July 2003.’”
Intrum Justitia is more than just back on track – it’s better run now than ever before. “But I wouldn’t say I am happy with internal control,” says Hanks. “I don’t think that any FD can, because there’s always a cost/benefit trade-off. But I am happy that I have the appropriate controls in place and that we now have much more risk awareness. We’ve got departments talking to each other where maybe they didn’t in the past. People question the ‘done thing’.”
Hanks has learned some valuable lessons about handling a breakdown in control – and developing world-class control systems.
- Be transparent about failure. “The Swedish approach is very open. They explained what they’d found, that they’d put a team in to deal with it – and they made it clear they had confidence in us.”
- Reducing the cost is not the answer. “You might save overhead by keeping finance numbers low. But accounting irregularities or lack of focus on credit control will cost you. I don’t want to build a finance empire, just a department that’s fit for purpose. If I need more people, I shout for more people. Getting the right people in place is the key.”
- Focus on documentation. “People should physically sign to authorise things. It’s about leaving an audit trail. People throughout the business must understand their accountability.”
- Educate people outside finance. “Financial control goes across the whole organisation. A lot of our problems were out in the business – finance just happened to be the department that added the numbers together. You have to get buy-in from the other directors and the rest of management. They need an understanding of how it all links together.”
- Good systems help. “We could have tried to tweak the system. But there’s a limit to how many tweaks you can make. It’s still about changing the way things happen. So I may have a state-of-the-art accounting suite, but unless I use the outputs and control the inputs correctly, I still won’t have a controlled environment.”
- Use different people to review controls. “We used people from elsewhere in the group to look at different functions. It gets you back to the ‘why?’ Why is this process like it is? You’ve probably got people in-house who can ask those questions – and they’ll do it a lot cheaper than consultants.”
The end result? Intrum Justitia not only has a tight, effective finance function now. Its new routines ensure that customers can rely on a qualified partner – and that’s the real value from good control. www.intrum.co.uk






