Guardrails for Growth: How CFOs Can Master Internal Control Policies 

Internal controls are like the guardrails on a winding mountain road. They keep a business on track, protecting assets, ensuring accurate financial reporting, and promoting efficient operations. For CFOs, understanding and implementing effective internal control policies is more than just a box to tick for compliance; it’s a way to strengthen the business and build resilience. 

The challenge often lies in where to start and how to make these controls practical. This article breaks down the process into clear steps, with real-world examples to bring it to life. You’ll gain practical insights you can use right away to improve your internal controls and reduce risk. 

Start with a Risk Assessment 

Every business has risks, whether it’s fraud, errors, or inefficiencies. The first step in developing effective controls is to understand where your organisation is most vulnerable. Risk assessment isn’t just about identifying problems—it’s about prioritising them. 

Take Dixon Enterprises, a mid-sized manufacturing company. They discovered payroll fraud when a manager created a fake employee and diverted their paychecks into a personal account. This went unnoticed for months because there was no independent review of payroll changes. This kind of issue is common in businesses without robust controls. 

By conducting a detailed risk assessment, you can pinpoint high-risk areas like payroll, cash handling, and procurement. Involve your team in these discussions. Department managers often know the weak spots in their processes better than anyone else. The key is to document these risks and design targeted controls to address them. 

Map Out Your Processes 

Once you’ve identified risks, the next step is to map out your core business processes. This means creating a clear, visual representation of how things work—from sales to inventory to payments. 

For example, in 2014, Tesco, the UK retailer, overstated its profits by £250 million. The problem was traced back to errors in their inventory valuation process, which included unclear methods for recognising supplier rebates. Because there wasn’t a transparent process, it was easy for these errors to slip through. 

Mapping processes is a simple yet powerful way to prevent such mistakes. Create a step-by-step flowchart for each key process. Highlight who is responsible for each step and identify any gaps where errors or fraud could occur. For instance, if the same person approves invoices and processes payments, that’s a red flag. Controls like segregation of duties can address these issues.

Design Controls That Make Sense 

Controls are only effective if they fit the organisation’s size, structure, and culture. Avoid overcomplicating things. Instead, focus on designing policies that are practical and easy to implement. 

Consider Satyam Computers, a large IT company in India that collapsed in 2009 due to fraudulent financial reporting. The company’s internal controls were poorly designed and rarely enforced, allowing fake invoices and inflated revenue to go unnoticed. This example underscores the importance of designing controls that address specific risks and ensuring they are actively used. 

For smaller businesses, simple measures can make a big difference. For example, have one person prepare payments and another person approve them. For larger companies, automated systems that flag unusual transactions can provide a scalable solution. Whatever the approach, make sure the control is appropriate for the risk it’s designed to manage. 

Build Controls into Daily Operations 

The most effective controls are those that become part of your company’s everyday routines. Employees shouldn’t feel like they’re jumping through hoops—they should see controls as a natural part of how work gets done. 

Starbucks provides a great example of this. The coffee giant uses automated systems to track cash deposits and reconcile sales daily. If there’s a discrepancy, an alert is triggered immediately. This simple but effective system not only reduces the risk of theft but also ensures accurate financial records without adding extra work for employees. 

Your business might not be Starbucks, but you can adopt a similar approach. For example, you could implement software that automatically matches invoices to purchase orders before processing payments. This kind of automation not only strengthens controls but also saves time and reduces errors. 

Monitor and Test Regularly 

Even the best-designed controls need regular testing and monitoring to ensure they’re working. Think of it like maintaining a car—if you never check the brakes, you’re asking for trouble. 

A cautionary tale is the 2001 Enron scandal. One reason for its collapse was the lack of oversight of internal controls. Senior management ignored red flags, and there were no independent checks to prevent the fraudulent activities that eventually came to light. 

Regular monitoring can prevent similar failures. Conduct periodic audits of key processes and surprise checks in high-risk areas. If your company uses software for financial management, review reports for anomalies like duplicate payments or unusual transaction patterns. These reviews can uncover weaknesses in your controls and give you a chance to fix them before they cause serious problems. 

Foster a Culture of Accountability 

No matter how well-designed your internal controls are, they won’t work if employees ignore them. Building a culture of accountability starts at the top. As a CFO, you play a critical role in setting the tone. 

A good example comes from Johnson & Johnson during the 1982 Tylenol crisis. When tampered bottles of Tylenol caused poisoning deaths, the company didn’t hesitate to act. They pulled millions of bottles off shelves at a massive financial cost, prioritising consumer safety over profits. This decisive action was driven by a strong culture of accountability and ethics. 

You can foster this kind of culture in your organisation by regularly communicating the importance of internal controls and leading by example. Provide training for employees to understand why these controls matter. Reward compliance and make it clear that cutting corners is unacceptable. 

Embrace Technology, But Stay Vigilant 

Technology can be a game-changer for internal controls, automating repetitive tasks and providing real-time insights. However, technology is only as effective as the people who use it. 

Target learned this lesson the hard way in 2013, when a major data breach exposed millions of customer records. The company had advanced monitoring tools in place, but security alerts were ignored, allowing hackers to gain access. 

The takeaway? Choose technology that fits your needs, whether it’s fraud detection software, automated reconciliation tools, or real-time dashboards. Equally important, ensure your team knows how to use these tools effectively and responds promptly to any alerts. 

Putting It All Together 

Developing effective internal control policies doesn’t have to be overwhelming. Start by understanding your risks, mapping out processes, and designing controls that are practical and easy to implement. Embed these controls into daily operations and monitor them regularly. Most importantly, lead by example and create a culture where internal controls are valued, not seen as a burden.

The skills you develop in this process will not only help protect your organisation but also make you a more effective and trusted leader. Internal controls aren’t just about compliance—they’re a foundation for sustainable growth and success. 
