Next week I will be speaking at the AICPA Not-for-Profit Industry Conference on “How to Build Trust with Internal Controls.” As I began wading through the 568 pages of the DOJ Inspector General Report on the Actions by the FBI and DOJ, (Yes, I am that kind of geek) I was struck by the common role that weak internal controls play in so many breakdowns of trust of organizations and institutions.
And it has provided me with some teachable moments, not the least of which is:
Trust Once Broken is Expensive and Time-consuming to Repair
The Role of Internal Controls in Rebuilding Trust
The FBI and DOJ are now coming to grips with the wide-ranging impacts of the IG report and must now begin the long process of restoring trust, building better processes, and improving training of personnel.
It will serve them well to remember these five important internal control components that support an accountable, ethical and robust internal control culture:
#1: The Control Environment Sets the Tone for the Entire Organization
The control environment is often called the “tone at the top.”
It is the environment created by senior leadership that affects the manner in which employees carry out their activities and responsibilities to do what is right and in the right way.
It’s easy to look at the actions of a few and forget that when bad things happen they can wither in an accountable culture and thrive in a culture of excuses.
“The Buck Stops Here” was a favorite expression of President Harry Truman meant to remind us of the role leadership has in setting the direction and character of an organization.
And I value that perspective of a true leader.
#2: Risk Assessments Move from Disaster Recovery to Preparedness
If you follow the shift in mindset at agencies like the Federal Emergency Management Agency (FEMA) you will see an increasing emphasis on preparing for disaster rather than reacting to disaster.
Likewise, the risk assessment component of internal controls challenges the organization to plan for what could go wrong and consider the plans to mitigate the risks before they happen.
- Disasters happen all the time.
They happen in nature, in our personal lives and in the life of organizations.
It is our preparedness for the eventual storms of life that will make the difference between a bump in the road and a nosedive from 30,000 feet.
#3: Control Activities Communicate Expectations and Best Practices
Policies and procedures designed to handle a wide variety of circumstances and provide a path for handling the unexpected.
As I read through page 539 with the FBI response to “#3 Issues involving media contacts, dissemination of information, and leaks“ in the IG findings, I saw similar problems that I encounter in my work with federal grant recipients when it comes to writing effective policies and procedures:
- Insufficient consequences for not following the policies and procedures
- Personnel are not fully aware of the policy and the related consequences for noncompliance
- Policies are not updated for best practices and new circumstances
- Inadequate notification processes for when deviations to the policies are observed or contemplated.
Control activities provide a robust framework to prevent, detect and deter bad things from happening.
Are YOUR policies and procedures accomplishing all three of these important objectives?
#4: Clarity of Communication and Information Flows Support the Right Behavior
I want to stress another often-overlooked component of internal controls: Communication.
Personnel must receive clear messages from management that control responsibilities are to be taken seriously.
Likewise, relevant and quality information must flow sufficiently to allow the organization to meet its goals and objectives.
An example from the IG Report was that the highest levels of leadership at the FBI and DOJ didn’t feel comfortable discussing very important issues with each other.
Likewise, the IG Report found delays in communication between internal sources caused critical lapses in information flows within the organization.
Let’s face it.
Communication can be hard!
But effective communication is a key component of strong internal controls and the resulting flow of information supports a well-run and efficient organization.
#5: Monitor for Compliance
Finally, we get to another often-over-looked component of internal controls: Monitoring.
It’s a pretty simple concept.
The best policies and procedures are worthless if no one follows them.
It seems that the FBI has no lack of written policies and procedures covering things like communication with reporters and prohibitions on the use of personal email accounts for work-related emails.
The control environment allowed numerous unauthorized contacts with reporters and there were multiple levels of leadership at the FBI using personal email to conduct official business.
A robust monitoring process would have ensured that policies and procedures were followed.
That is the whole point of monitoring: Are we doing what we say we do?
Unfortunately, it took an IG Report to bring the lack of this critical component of the internal control framework to the forefront of this our collective consciousness.
The Responsibility for Internal Controls-Not Just for Finance Anymore
We often think that internal controls are just about financial statements and accounting departments.
And while reliable financial reporting is certainly one of the objectives of strong internal controls, so are compliance with laws and regulations and efficient operations.
Compliance with Laws and Regulations
Compliances with laws and regulations are something all of my colleagues in the grant profession deal with every day.
And it’s true that different federal agencies can have confusing and conflicting rules and regulations.
But part of the reason that strong internal controls include the components of the control environment, such as the “tone at the top” and communication is to support a culture that ensures regulatory compliance at the organization.
When I first started my career, there was an expression “If you have time to lean, you have time to clean.”
Maybe you have heard that or used it yourself.
As I read the IG report, I am amazed by the sheer volume of text messages on work devices reviewed.
(Now I admit that I was not an early adopter of text messages as a communication tool.)
But if I divide the number of text messages by the number of days in the period in question, it amazes me that there was time to do any actual work!
Was this back and forth an example of “efficient operations”?
In my humble opinion, it was not.
Similarly, Benjamin Franklin noted that “an ounce of prevention is worth a pound of cure” and watching this “Titanic” of an internal control disaster unfold reminds me of the wisdom of this adage.
In fact, I would argue that fixing the results of weak internal controls is the probably most inefficient way to operate.
Whether you are dealing with the results of sexual harassment lawsuits, charges of bias or a toxic work environment, leadership must step up and lead the organization a culture that supports ethical behavior!
Commit to prevent, detect and deter problems with strong internal controls or pay the “big ticket” costs of trust broken and damaged by the actions of a few.
And perhaps I can even offer Christopher Wray, the current Director of the FBI a few tips with my article on How to Write a Corrective Action Plan for the IG findings.
Learn More About Grant Management
Are you a grant recipient? Click here to get your copy of the Basics of Internal Controls
Want to learn more about how to be an even better grant manager?
We offer two-day grant management training online, on-site and at our live training seminars called “Grant Management Boot Camp.”
Lucy Morgan CPA, MBA
CEO, Compliance Warrior