Internal control is a crucial element of risk management. Most of the time it is already implemented in companies, whatever their size or sector, but not always in a formalized way. Often, internal control is an afterthought to a problem encountered. It has become widespread following cases of fraud observed in recent decades, which could have been detected or even avoided thanks to it. How can we move from defensive to anticipatory mode? To do so, it is necessary to integrate internal control into the global risk management process and to establish a few fundamental rules.

What is internal control?

In summary, internal control is a system that aims to ensure:

  • Compliance with applicable laws and regulations;
  • The application of instructions and guidelines set by the general management;
  • The proper functioning of the Company's internal processes, particularly those involved in safeguarding its assets;
  • The reliability of financial and accounting information.

Generally speaking, internal control contributes to the control of an organization's activities, the effectiveness of its operations and the efficient use of its resources.

There are many internal control guidelines for control programs:

  • ISO standards imply an annual control of the application of the procedures by an independent expert;
  • National/international financial and accounting standards (such as IFRS/US GAAP);
  • General company rules, especially for groups with several subsidiaries.

For a long time, internal control has been reduced to its financial aspect, but it must be implemented as part of an overall risk review and control process.

How to deploy internal control?

The first stage of the inventory identifies and evaluates all risks that could have a significant adverse effect on the company's business, financial situation, results or ability to achieve its objectives. It can be formalized by means of a risk map, focusing in particular on:

  • Operational and strategic risks, such as business continuity in a crisis;
  • The economic environment, with a watch on changes in the attitudes of third parties;
  • Support functions such as information systems;
  • Social, societal and environmental issues. These are also included in the Extra-Financial Performance Statement (EFS), which has been mandatory since the 2018 accounting year. It is part of the transposition into French law of European Order No. 2017-1180 and complements the Sapin II law aimed at fighting corruption.

Once the risks have been identified, classified and prioritized, policies and action plans must be put in place to address them. These will be the subject of:

  • Controls of their correct application;
  • Evaluation using consistent and measurable performance indicators.

In the event that these indicators are not deemed satisfactory, corrective action must be taken to achieve them, and thus cover the residual risk.

From internal control to risk management

Internal control is generally implemented by the internal audit department, but is not restricted to a team of specialists. It is everyone's business, from management and control bodies to all employees. It is also at the origin of the recent appearance (or rather professionalization) of a new function called risk manager.

For large groups, these functions are becoming more and more essential in a context where risks are multiplying, diversifying and becoming more complex. The proof: most of them are now directly attached to the management and have specific tools. For their part, even if they did not wait for the referencing of this function to take an interest in it (by relying on prudent management as "good fathers"), small and medium-sized companies are further behind on these issues. However, they can call on consultants to provide simple risk management and reporting solutions, as they often have few internal resources to devote.

By helping to prevent and control the risks that could prevent a company from achieving its objectives, the internal control system plays a key role in the conduct and management of its various activities. To be effective, it must be articulated at the heart of an overall risk management system and be adopted by all employees. Today's companies are faced with various and growing dangers; it is therefore essential to disseminate a risk culture within the company.
