Where Internal Controls are concerned, 1 +1 > 2.

Artificial Intelligence CAE Control Self Assessment Culture Internal Controls InternalAudit

When something is not working as intended, blame is always given to lack of internal control.

Any practitioner of Internal controls knows that it always take more than one control to ensure that things are working as intended.

When it comes to Internal controls, more than one control gives multiplier effect.

One of the item, Internal Audit in a Retail company used to report, was cases where front-line staff had recorded sales in their personal names. This was going on for number of years. Every quarter these cases were being reported.

Management were wondering why the number are not stopping?

With a focus on eliminating such cases, certain additional steps were taken.

  1. Internal Audit had started meeting showroom manager and started inquiring about these cases.
  2. Showroom manager were also inquired about certain transactions which were falling into probable cases.
  3. These inquires had led to realizations that, in some cases showroom manager were not aware, in some cases, they were aware and used to record such transaction to meet target given by organisation, in some cases they were not aware and made inquiries with front-line staff to understand what is going on.
  4. This had reduced the number of confirmed and probable cases.
  5. Additionally management had decided that in a showroom where such cases are reported for two quarters or two or more two persons were involved, showroom manager will be penalized by levying a monetary penalty.
  6. All such steps had eliminated the cases.

All such steps can be mapped with components of COSO 2013 Internal control framework

  1. Control Environment: An environment had been created where transparency is encouraged. Retail is a very dynamic industry. Front-line staff need to serve the customer Now. They were encouraged to raise issues with management and where required approval to be taken. In case they are not adhering to norms, then their is enough penalizing treatment available.
  2. Risk Assessment: Criteria had been defined based on risk assessment.
  3. Control Activities: Regular monitoring, communication, implementation of new/ revised policies were part of control activities.
  4. Information and communication: Showroom Manager were regularly being informed about whats happening at their showroom. Their merchandisers who monitors them were also being kept in loop.
  5. Monitoring: Internal Audit team monitor the activity on a monthly basis. Besides this they have also created alerts in the IT systems, which used to generate alerts based on criteria defined. This had enabled faster inquiry turnaround time.

Call for action:

Inputs/ comments/ suggestion: I welcome inputs/ comments / suggestions from readers on how to approach this issue. Feel free to correct me, educate me.

Share the Article: If you like it, share it. If you share it with others, and they comment, we all will get more learned.

(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author ’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the author is, or has been a part of.)