Pub. 4 2015 Issue 2
The CommunityBanker

FEATURE

Are Your Internal Controls Out Of Control?

By Michelle Fowler, CPA, CIA, CISA, CRMA

In 2002, when SOX first became a reality and COSO was widely used and recognized as the internal controls framework, we threw every control and the kitchen sink into our key controls. We were afraid that we might not comply with SOX the first time around. Proactive organizations continued to review and fine-tune their controls. Others did not. Therefore, there was a big disparity when it came to the work required for updating to the new 2013 COSO framework. However, this is a great opportunity for many of us to do a lot of cleanup and get our internal controls back under control.

We once had a client who created an elaborate control to comply with one of the COSO principles. The problem was that no one even looked at or cared about this complex reconciliation except when it came to SOX testing. It did not move the company forward towards its goals, nor did it ensure that they complied with regulations. So much time, energy and money wasted. Sometimes this happens if the people developing the controls do not have a good understanding of the business or the impact the control will have. Management and staff (as they will actually be doing the work) need to be integrally involved with the development of controls so that they actually make sense and have a business purpose.

Back in the “olden days”, you would perform a cost/benefit analysis on controls to determine whether the benefit of the control outweighed the cost. It is time to bring that analysis back. Let’s consider the philosophy of “Less but Better”. Why don’t we replace many “broken” controls with fewer, more effective controls that actually have a business purpose? Better means well-defined controls that employees truly understand.

For example, you often find numerous reconciliations listed as key controls.
However, often the people performing the review have little understanding of what they should be focusing on or how the reconciliation fits into the control system as a whole. With our focus shifted to documentation of our review with a sign-off and date (which is important), we lose sight of why we are doing the reconciliations in the first place. We seem to be more concerned with the sign-off than with whether the entries are appropriate, whether they are clearing in a timely manner, or who is putting the entries through. The point is to make sure that the entries are correct and appropriate, not to make sure someone is signing the reconciliation.

Another control is the review when signing expense checks. Many times, when asked if they reviewed the accompanying documentation, the person signing will reply that they “trust the person”. Trust is not an internal control. It is important that the control is clear about who will approve and review the documentation. Often, though there are numerous places where this can happen, everyone thinks that someone else is doing the review, so it does not get done at all. This can allow for errors and fraud.

It is time to craft internal controls that allow employees to do their jobs with a greater understanding of the controls in place, which allows them to be more effective. In today’s environment, we must be agile and flexible to meet the needs of our customers. So let’s not have controls that are so rigid that we cannot succeed, but also not so lax that the controls are meaningless. There is nothing worse than a “broken control”, one that does not function properly or one that employees work to circumvent. Then we have the illusion of a control without the support.

It is time for management and Internal Audit alike to become more creative with our internal control solutions. We want to ensure that internal controls do not impede progress, but that they improve the process.
If we don’t have time to do it right the first time, when will we have time to do it over again?

About the Author: Michelle Fowler is President of Fowler & Company, LTD with 25 years of bank and audit experience. She can be reached at 804-350-8654 or mfowler@fowlerandcompany.com. We are internal audit and control experts and have worked exclusively with Community Banks since 2001 with a specialized focus on Risk, Internal Audit, Internal Controls and Compliance. www.fowlerandcompany.com.