Keyword - ISIMAN® solutions designed for governance, risk and compliance.
     

 

Business Leverage from Internal Control Compliance!

 

August 2nd 2003

The French Financial Security Act (Loi de Sécurité Financière) becomes applicable to all listed public companies.

1st quarter 2004

For the first time, the Annual Reports of French listed public companies include internal control measures. The internal control bodies (AMF, APEF, CNCC, CSOEC, IFACI, etc.) agree that this can take the form of summarised declarations rather than quantified assessments.

 

However, a few companies begin to carry out assessments of their internal control measures, although on a limited scale. For example, they might give priority to financial processes only, or to a handful of Business Units in terms of production, distribution, or countries where they have a strong market presence, etc.

Various software applications are used on a one-off basis: Notes applications, emails with attached files, Web questionnaires, etc.

Second quarter 2004

All listed companies are now convinced that reports will become more and more detailed under pressure from external control institutions. Some companies change their status to avoid seeking compliance; others react differently:

 

  • Companies whose year-end falls on December 31st 2003 are now beginning to look around for a software tool to make in-depth assessments.
  • Those whose year-end falls on March 31st 2004 or June 30th 2004 are more interested in last-minute solutions than in in-depth assessments.
  • Those who have already tested one-off solutions are now beginning to look for solutions which will allow them to consolidate their internal control system and correct the defects identified.

 

To be continued...

 

What problems have been found so far?

 

1.    Certain managers consider that the questions that they are asked often concern basic problems which require more coverage than a question in a questionnaire

 

2.    In some cases, a series of "bad marks" can be de-motivating, rather than encouraging the company to rectify matters

 

3.    Multiple and far-reaching action plans require more resources than are available

 

4.    Organisations change and people come and go; much information in the annual assessments will be lost or no longer appropriate

 

Most companies agree: if the Annual Report is to contain a real assessment, the issue of internal control needs to be taken seriously. In other words: internal control should be a matter for every day, not just once a year!

 

There is widespread disappointment with one-off solutions: they are found to be counterproductive because, instead of releasing energy to improve the internal control system, they have exactly the opposite effect.

 

Keyword's position

 

In response to the above, Keyword has built a solution designed to set up internal control systems including regular assessments organised professionally over the long-term.

 

The solution has two major advantages:

  • On the one hand, it can be linked to the processes and procedures (Cf. Solution Processus).
  • On the other hand, it is completely separate from the internal audit system which is thereby able to fulfill its mission of ensuring the internal control system functions as it should (Cf. Solution Missions d’audit).

 

In the short term, the solution can be set up to provide a description of the internal control system for assessment purposes. But, if required, it can be extended to allow users to play an active role in the internal control system in the longer term.

 

Why link internal control and the day-to-day activities of the company?

So that authorised members of staff can give (positive or negative) feedback on the control points included in the business procedures. This allows the appropriate managers to be alerted by means of indicators linked to control points. The system becomes an alarm system linking managers and staff.

 

What are the success factors?

  • Give the project time to succeed
  • Use the project to educate your staff
  • Think Risk Management
  • Use the appropriate software tools

 

1 - Give the project time to succeed

Full deployment of the solution cannot be achieved in a year (between two year-ends). It is important to plan all actions as a multi-year project and to give yourself the time to build a long-term solution. Priorities can be allocated in several ways:

  • Begin with the financial processes, as this is the legal priority.
  • Classify risks by gravity and set priorities from the most risky process to the least risky.
  • Begin with a reference system set up by a given business unit and then deploy and adapt it for all other business units (the concept used in ISIMAN multiple sites).
  • Work "top-down" from the risk map of the Managing Director to the risk maps of the next level down, then the next, and so on.

 

2 - Use the project to educate your staff

Because the operational risks of the company stem from the business operations carried out by company staff, they should be trained in the concepts of internal control. In this way they can play a major role in and help improve the internal control system.

 

3 - Think Risk Management

This is no time to be writing procedures for the sake of writing procedures. It is now time to be thinking Risk Management and to seek coverage of major risks by means of the internal control system. Assessment of the internal control system will then become a routine by-product of the business procedures and, as such, will no longer present a problem of feasibility or of resources.

 

4 - Use dedicated software

Mere content management software is not appropriate here. Three major groups of functionality are required today if end users are to provide real feedback:

  • Customizable knowledge base generating an intranet site for easy updating
  • Context-sensitive switch between applications and intranet
  • Integrated feedback and tracking of results – Reporting and alarm system

 

In this way internal control compliance can bring the following leverage:

  • An alarm system for management based on day-to-day activity
  • Regular evaluations based on coherent criteria