Because I was once an auditor, I have an obsession with useless controls. This is where an organisation makes you do something which they think is providing some kind of internal control. However, when you think about it in more depth, you realise it isn’t providing any control at all.
Some examples of useless controls
I had locked myself out of the online portal for an old pension scheme. I rang up and gave my account number. They asked for my full address as a security measure before they reset my account.
My pension account number is an obscure piece of information. I can only remember it by digging out my introductory letter from the scheme. For someone to have this who wasn’t me, one of the following would need to apply:
- They’d need to have access to my personal documents, in which case they have access to my house and therefore know my address.
- They might have intercepted my mail, in which case they would also know my address.
- They might work for either the pension scheme, or for my employer, in which case they would also have access to my address.
I couldn’t think of a single fraud scenario that asking for my address would prevent. I therefore conclude that this is a useless control.
Or let’s think for a moment about the joke that is the Company Seal. Companies have not needed one of these since 1989. However, some organisations (lawyers and banks predominantly) still set store by this. You can buy a fancy embossing company seal online for about £40, or a cheaper stamp for a lot less. Nobody is going to check that you have the rights to the company’s name or logo when you order it.
Why do businesses have useless controls?
Businesses don’t set out to have useless controls. However, they often end up with them. I think the main reason for this is that processes become outdated but people are reluctant to stop doing something that feels important.
Take the example of an online purchase order system. If the business implements this properly, then further invoice approval controls are unnecessary. The purchase order and goods check is a sufficient control. However, it’s interesting how many places do retain some form of invoice approval. Occasionally there are good reasons for this, but in many cases they stay because it’s hard to feel confident that you no longer need a control that you’ve relied on for years.
A common issue I see is where finance teams produce certain reports from the system for other users, but those users don’t know what the reports are for. When I came across this in a recent not-for-profit housing provider, I realised that the report generation had been put in when the original system came in, perhaps to replicate a previous system. However, nobody used the reports at all. It was a big waste of time (and paper!).
At the other end of the scale, you can come across situations where controls have not been updated to reflect new procedures. For example, if all your business controls now operate online, then the control system is only as good as your IT controls over user logins. If the foundation of your internal control system is not solid, then all the controls built on top of it are useless.
I would go as far as saying that useless controls are worse than no controls at all. They give a veneer of safety while wasting everyone’s time.
How do you identify useless controls?
You need to review your internal controls regularly, and whenever you introduce new systems or processes. The process that I follow is this:
- Define objective(s) for the business process. For example: “pay suppliers on time”, “produce management accounts by working day 4” or “process rent increases accurately and legally”.
- Consider all the risks to this objective. To help identify these, I break this down into:
  - Risk that something happens that shouldn’t happen (e.g. we make payments without a valid invoice or authorisation).
  - Risk that something doesn’t happen that should happen (e.g. we lose the invoice so the supplier doesn’t get paid).
  - Risks around the accuracy or timeliness of the activity (e.g. we pay the wrong person, or we pay them too late or early).
- Document / draw the process that is currently being followed and identify which risks are being addressed at each stage. Are there any duplicate or missing controls?
- Identify whether the controls you still need could be done more efficiently. How long do these tasks currently take, and what are the barriers and problems to operating them effectively? This also involves reviewing any forms or workflow in detail to identify non-essential information that can be cut out – which is quite common if forms have evolved over time.
The risk identification questions are a simplified version of the audit assertions that auditors consider when assessing the risks to the financial statements.
Getting help with internal controls
If you are a small organisation and perhaps lack the skills, you could always ask someone else to carry out a review.
Your auditors should be able to help you BUT you shouldn’t rely on the fact that you have a successful audit to mean your internal controls are good. The audit opinion does not offer any commentary about the adequacy of your internal controls. However, you could commission your auditors to do a separate piece of work to assess your controls.
Alternatively, you could commission a part-time finance director or other finance professional with relevant experience to do the work for you. I’m available on a short-term, part-time basis to help you review your internal controls. Contact me to discuss this further.