Strengthening financial control

Strengthening financial control in response to the BEIS white paper

As major UK companies keenly await announcement of a package of measures from the government, following consultation on the March 2021 BEIS white paper Restoring trust in audit and corporate governance, much of the discussion has been focused on what can be done to strengthen internal financial control. But how important is this? And what is the role of internal audit in strengthening internal control?

The importance of strengthening internal control

Firstly, let us consider the circumstances which necessitated government intervention. In recent years, a string of high-profile financial collapses of large organisations (including BHS and Carillion amongst others) has led to thousands of job losses and millions of pounds of costs being passed to the UK taxpayer.

Confidence in corporate reporting depends on the effectiveness of the internal controls and risk management processes that directors put in place and oversee, underpinned by an effective external audit regime. Each of these was found to be lacking (to varying degrees) in the aftermath of these collapses, and therefore public confidence in both audit and corporate governance has been severely eroded. Reform is needed.

The role of internal audit

The government consultation set out a series of options for achieving a strengthened internal control framework. These included strengthening the responsibility and accountability of board members for the effectiveness of internal control and risk management procedures, and options for expanding the role of external auditors in providing assurance that companies’ internal controls are effective.

But there was little comment on the role of internal audit in strengthening internal control. So, what should that be?

As we are all aware, management are responsible for ensuring that internal controls to mitigate financial (and other) risk are in place and operating effectively. It seems likely that the government will seek to strengthen the responsibilities of directors to include attesting to the effectiveness of the organisation’s internal controls (with the scope of this to be determined).

However, it is internal audit’s responsibility to provide at least some of that assurance that controls are designed efficiently and are operating effectively.

The government has set out its intention to introduce the requirement of companies to have an Audit and Assurance Policy. This should give internal audit an opportunity to discuss and formalise exactly what assurances will be required by the board.

Regardless, we need a good understanding of the financial risks that our organisations are facing in order to understand the extent to which controls are required to mitigate them.

We should consider the different types of controls that are in place, and how they operate to mitigate risk, i.e.

  • Preventative - a control that limits the possibility of an undesirable outcome e.g. separation of duties.
  • Detective – a control that identifies errors after the event e.g. reconciliation of a bank statement.
  • Directive – a control designed to cause or encourage a desirable event to occur e.g. policy and procedures that staff are required to read and confirm they will comply with.

Accountability at all levels is important for effective internal control. Internal audit should check that management and operational staff (where applicable) understand and take ownership of the effectiveness of the controls they oversee.

Controls around governance are also within scope. While it is not for internal audit to question the decisions of the board, assurance can be provided on the strategic information that underpins key decisions.

Finally, while providing assurance is core to the role of internal audit, we should not underestimate the value that we can add to strengthening the internal control framework through our recommendations and advice, as long as safeguards are in place to maintain independence and objectivity.

The BEIS white paper provides an opportunity to reflect on the vital importance of internal control in preventing corporate failures that result in terrible financial and social consequences. But we should not narrow our focus to a particular sector, to financial risks only, or to compliance with any new regulations or legislation that may result. We need to continue to be a vocal advocate of the benefits of an effective internal control framework and challenge our organisations to constantly improve.

How effective is your internal control framework? Do your financial controls need strengthening?

Content reviewed: 19 October 2021