Generally, one assumes that the larger or more established the company, the better the controls are. However, recently there have been many examples of controls that either were not strong enough or that were easily circumvented by employees and management. Examples include such one-time corporate icons as AOL, WorldCom and Enron. If these large companies cannot enact effective controls, what can small or mid-sized businesses, which may lack the depth of internal and financial resources of large companies, do to ensure effective controls?
Controls fall into one of three categories -- physical, systemic or psychological. The initial controls that any company enacts are typically physical, from a lock on the supply room door to security guards and modern electronic security systems. Physical controls are effective in preserving physical assets; however, they are not as effective in protecting intangible assets or service industries.
As companies grow, the level and sophistication of systemic controls generally grow as well. Systemic controls are commonly referred to as internal controls, such as segregation of duties, assigning employees various levels of approval or authorization for purchases and disbursements, requiring dual signatures on checks and other codified procedures. Systemic controls provide a greater level of security for companies than do purely physical controls, but are still subject to manipulation and override by employees.
As a result, psychological controls are increasingly used to communicate the expected behavior of employees. These expectations are manifested through a company's policies, including general ethics, fraud, conflict of interest, acceptance of gifts, use of company equipment and confidentiality of corporate or client information. Although psychological controls are less specific than systemic controls, they are effective in setting the tone at the top.
Many companies spend a lot of time, effort and money to develop and tailor policies to their businesses. However, once created, these policies are often allowed to languish. Business leaders need to be proactive in communicating policies to employees. Not only should employees be provided a copy of company policies, they should also be required to sign an annual acknowledgement noting that they have read and understood the policy and that they are in compliance.
Furthermore, once company policies are in place, management must set the example it wants employees to follow. Even the best policies will not be effective if management does not consistently adhere to them.
Obvious examples of management's disregard for its own policies, such as making personal phone calls during working hours, taking home corporate property for personal use or charging personal expenses to the business may cause employees to question management's belief in the policies. And once employees begin to do that, they may begin to rationalize that it is acceptable behavior to convert company resources for personal gain.
In addition, even if management follows the policies, it must enforce them consistently. Management cannot look the other way when certain employees violate a company policy but require others to uphold the same policy. Nothing sends a stronger message of management's seriousness about its policies than enforcing them for all employee violations.
Also, publicizing to the rest of the company action taken as a result of a policy violation reinforces this message. Just communicating the expected behavior is not enough; continuous reinforcement, both positive and negative, encourages adherence to expected behaviors.
There is often a disconnect between management and employee attitudes regarding internal controls. Management cannot have a "Do as I say, not as I do" approach. It must evenly and fairly enforce its policies to reinforce the effectiveness of the psychological controls and avoid any potential legal pitfalls from employees against whom actions were taken.
Clay Busker (email@example.com) is a senior manager with Tauber & Balser PC in the Forensic Accounting Services Group. He has more than 10 years of professional experience providing forensic and investigative accounting, internal corporate investigations, damage calculations, corporate restructuring and due diligence services to clients. He has worked with both publicly traded and privately held companies of all sizes in a variety of industries. Reach him at (404) 814-4934.