Global

Finance DESIGNING EFFECTIVE

360
FINANCIAL CONTROLS
LEVERAGING THE INTERNAL CONTROL
FRAMEWORK TO ACHIEVE CONTROL
OBJECTIVES
Author: Stephen G. Lynch

Every year corporations lose millions of dollars due to poor internal controls. The
“A strong internal failures include inadequate segregation of duties, lax control over vendor master
control framework records and incorrect customer invoices. Additionally, poor controls around the
flow of data in an organization’s ERP system can result in manual rework to
is the result of clear correct improper accounting entries. Taken to the extreme, inadequate controls
control objectives can result in material misstatements in financial reporting and the associated
regulatory submissions.
and a commitment
With the continued guidance of Section 404 of the Sarbanes-Oxley Act,
by a company’s management is required to publish in their annual reports a statement concerning
Board, the scope and adequacy of the internal control structure and procedures for
financial reporting. Additionally, the company’s auditors must attest to and report
management, and on the assessment of the effectiveness of the internal control structure and
employees to create procedures for financial reporting. An investment in strong internal controls is
essential for the effective governance and protection of the corporation.
and maintain a
Control Objectives
strong control
In designing an effective internal control structure, three objectives must be kept in
environment. It mind as the controls are designed, tested and maintained. These objectives are:
also requires a 1. Ensure that corporate assets are safeguarded against malfeasance and used
commitment to only for business purposes,

properly assess 2. Provide accurate business information to management, investors, creditors,

regulators and other relevant stakeholders, and
organizational risk, 3. Ensure that employees comply with all applicable laws and regulations.
establish and With these objectives established, the internal control structure can be developed and
conduct appropriate maintained using the COSO internal control framework.

control activities,
The Internal Control Framework
generate and
The Internal Control - Integrated Framework report, published by the Committee of
communicate Sponsoring Organizations of the Treadway Commission (COSO), provides a
timely, relevant and framework that consists of five interrelated components. All of these components must
be in place and operating effectively for there to be an effective internal control
reliable information, structure. These five components are:
and participate in
Control Environment
regular monitoring
Risk Assessment
activities.”
Control Activities

Communication and Information

Monitoring

Global Finance 360 | Copyright 2010 | All Rights Reserved 1

About Global Finance 360
Global Finance 360 covers the
world of corporate finance and
accounting and how these
activities are impacted by
globalization. Focus areas
include Finance Delivery
Strategy, Shared Services,
Business Process Outsourcing,
Process Improvement and
Organizational Design.
Global Finance 360 is run by
Steve Lynch. Mr. Lynch is a
Principal in the Finance
Transformation practice of a
global consulting company. He
is responsible for the marketing,
sales and delivery of Finance
Transformation services in North
America and serves as a key
liaison for his company’s global
Finance practice. He brings
more than 15 years of
experience advising global
companies on their service
delivery strategies and has
served over 60 clients in a
variety of industries including
consumer product and industrial
manufacturing, aerospace &
defense, transportation,
technology, entertainment and
financial services. He has also
served as a Controller in private
industry and as an auditor in
public accounting.
Mr. Lynch is an active content
contributor on the topics of
Finance Transformation and
globalization and has presented
at various forums including the
IQPC Shared Services &
Outsourcing conference. He can
be found on the web at
www.globalfinance360.com.
Contact Information:
Steve Lynch
Toll-free: +1.800.216.2512
Office: +1.719.481.2599
1042 W. Baptist Road
Suite 194
Colorado Springs, CO 80921
slynch@globalfinance360.com
www.globalfinance360.com
Control Environment
The control environment is the foundation of a company’s internal control structure and
is centered on the attitudes, actions and awareness of the company’s internal
stakeholders, including the Board of Directors, management and front-line personnel.
The level of importance these stakeholders place on strong internal controls will greatly
influence the existence and effectiveness of those controls.
The control environment is core to a company’s approach to daily business activities
and the way it assesses risk in conducting those activities. According to COSO, control
environment factors include the “integrity, ethical values and competence of the entity's
people; management's philosophy and operating style; the way management assigns
authority and responsibility, and organizes and develops its people; and the attention
and direction provided by the board of directors”.
Risk Assessment
As part of the control structure, a company should have a process in place to assess
risk in relation to its corporate objectives. The risk assessment applies to all areas of
the company and should involve most activities within the organization. According to
the COSO framework, risk assessment is a 3-step process:

Estimate the significance of the risk,

Access the likelihood or frequency of the risk occurring, and

Consider how the risk should be managed and assess what actions must be
taken
An effective risk assessment system will incorporate both internal and external factors.
Internal factors can include people, systems and processes. External factors can
include economic developments, regulatory changes and industry advances. It is the
responsibility of the company’s management to properly assess risk and then to
develop and maintain a program that will effectively mitigate the risk identified.
Control Activities
Control activities are the policies and procedures put in place by management to
ensure that the processes put in place to address risk are being carried out. This
component of the COSO framework is wide-ranging and includes controls designed to
prevent errors as well as controls to detect errors after the fact and enable corrective
action to be taken. Examples of preventive controls include segregation of duties and
physical controls such as locking down cash. Detective controls are focused on
reporting, reconciliations, management reviews and periodic audits to detect errors
needing correction.
A key aspect of the COSO framework is its emphasis on information system controls.
This includes financial, operational and compliance related systems. All of these
systems should have both general and application controls. As the name implies,
general controls pertains to all systems and covers issues such as physical access to
the systems. Application controls are specific to a particular system and includes
individual security profiles and business logic that would prevent unreasonable data
from passing through undetected.
Global Finance 360 | Copyright 2010 | All Rights Reserved 2
About Global Finance 360
Global Finance 360 covers the
world of corporate finance and
accounting and how these
activities are impacted by
globalization. Focus areas
include Finance Delivery
Strategy, Shared Services,
Business Process Outsourcing,
Process Improvement and
Organizational Design.
Global Finance 360 is run by
Steve Lynch. Mr. Lynch is a
Principal in the Finance
Transformation practice of a
global consulting company. He
is responsible for the marketing,
sales and delivery of Finance
Transformation services in North
America and serves as a key
liaison for his company’s global
Finance practice. He brings
more than 15 years of
experience advising global
companies on their service
delivery strategies and has
served over 60 clients in a
variety of industries including
consumer product and industrial
manufacturing, aerospace &
defense, transportation,
technology, entertainment and
financial services. He has also
served as a Controller in private
industry and as an auditor in
public accounting.
Mr. Lynch is an active content
contributor on the topics of
Finance Transformation and
globalization and has presented
at various forums including the
IQPC Shared Services &
Outsourcing conference. He can
be found on the web at
www.globalfinance360.com.
Contact Information:
Steve Lynch
Toll-free: +1.800.216.2512
Office: +1.719.481.2599
1042 W. Baptist Road
Suite 194
Colorado Springs, CO 80921
slynch@globalfinance360.com
www.globalfinance360.com
Communication and Information
Communications and information are actually two distinct components of internal
control. Information must be readily available to organizational stakeholders and the
information must be of sufficient quality that personnel can act on the information,
confident that it is reliable. This information should also be suitable for communicating
with external stakeholders such as investors, creditors and regulators.
COSO recognizes that information can be both structured and unstructured.
Structured information comes from the company’s formal information systems and can
be financial, operational or compliance related. Unstructured information can consist
of conversations with customers and suppliers.
A strong internal control structure enables communication to flow through an
organization, from top to bottom and from the bottom upwards, as well as horizontally
through the various departments. These communication channels are created and
maintained to ensure that information flows to those departments and individuals
requiring information for their financial, operational and compliance related reporting
and analysis responsibilities.
Monitoring
Nothing ever stays the same and internal controls are no different. Due to changing
factors both internal and external, there is an ongoing need to monitor internal controls
to assess their effectiveness and to determine if any changes in the internal controls
are warranted.
Monitoring takes two basic forms: ongoing monitoring as part of a company’s
continuous operations and periodic monitoring based on specific control objectives.
COSO lists various means of ongoing monitoring which includes reviews by
management and supervisory personnel to identify errors and make corrections as
necessary. It also includes the regular reconciliation of physical and financial assets
such as inventory and cash.
In addition to ongoing reviews, it is usually beneficial to make periodic reviews of
specific control procedures. Although a company’s internal audit group may be
involved in the testing and evaluation of internal controls, it is also acceptable for line
management to initiate their own review of internal controls and make updates to the
control structure as necessary to remediate any deficiencies found.
Conclusion
A strong internal control framework is the result of clear control objectives and a
commitment by a company’s Board, management, and employees to create and
maintain a strong control environment. It also requires a commitment to properly
assess organizational risk, establish and conduct appropriate control activities,
generate and communicate timely, relevant and reliable information, and participate in
regular monitoring activities.
Global Finance 360 | Copyright 2010 | All Rights Reserved 3