I spoke at the AICPA Not-for-Profit Industry Conference on “How to Build Trust with Internal Controls.” As I began wading through the 568 pages of the DOJ Inspector General Report on the Actions by the FBI and DOJ (Yes, I am that kind of geek), I was struck by the common role that weak internal controls play in so many breakdowns of trust of organizations and institutions.
And it has provided me with some teachable moments, not the least of which is:
Trust Once Broken is Expensive and Time-consuming to Repair
The Role of Internal Controls in Rebuilding Trust
The FBI and DOJ are now coming to grips with the wide-ranging impacts of the IG report and must now begin the long process of restoring trust, building better processes, and improving personnel training.
It will serve them well to remember these five important internal control components that support an accountable, ethical, and robust internal control culture:
#1: The Control Environment Sets the Tone for the Entire Organization
The control environment is often called the “tone at the top.”
The environment created by senior leadership affects how employees carry out their activities and responsibilities to do what is right and in the right way.
It’s easy to look at the actions of a few and forget that when bad things happen, they can wither in an accountable culture and thrive in a culture of excuses.
“The Buck Stops Here” was a favorite expression of President Harry Truman meant to remind us that leadership has a role in setting an organization’s direction and character.
And I value that perspective of a true leader.
#2: Risk Assessments Move from Disaster Recovery to Preparedness
Follow the shift in mindset at agencies like the Federal Emergency Management Agency (FEMA). You will see an increasing emphasis on preparing for disaster rather than reacting to disaster.
Likewise, the risk assessment component of internal controls challenges the organization to plan for what could go wrong and consider the plans to mitigate the risks before they happen.
- Disasters happen all the time.
They happen in nature, our personal lives, and the lives of organizations.
Our preparedness for the eventual storms of life will make the difference between a bump in the road and a nosedive from 30,000 feet.
#3: Control Activities Communicate Expectations and Best Practices
Policies and procedures are designed to handle various circumstances and provide a path for handling the unexpected.
As I read through page 539 with the FBI response to “#3 Issues involving media contacts, dissemination of information, and leaks“ in the IG findings, I saw similar problems that I encounter in my work with federal grant recipients when it comes to writing effective policies and procedures:
- Insufficient consequences for not following the policies and procedures
- Personnel are not fully aware of the policy and the related consequences for noncompliance
- Policies are not updated for best practices and new circumstances
- Inadequate notification processes for when deviations to the policies are observed or contemplated.
Control activities provide a robust framework to prevent, detect, and deter bad things from happening.
Are YOUR policies and procedures accomplishing all three of these important objectives?
#4: Clarity of Communication and Information Flows Support the Right Behavior
I want to stress another often-overlooked component of internal controls: Communication.
Personnel must receive clear messages from management that control responsibilities must be taken seriously.
Likewise, relevant and quality information must flow sufficiently to allow the organization to meet its goals and objectives.
An example from the IG Report was that the highest levels of leadership at the FBI and DOJ didn’t feel comfortable discussing significant issues with each other.
Wow!
Likewise, the IG Report found delays in communication between internal sources caused critical lapses in information flows within the organization.
Let’s face it.
Communication can be hard!
However, effective communication is a critical component of strong internal controls, and the resulting flow of information supports a well-run and efficient organization.
#5: Monitor for Compliance
Finally, we get to another often-over-looked component of internal controls: Monitoring.
It’s a pretty simple concept.
The best policies and procedures are worthless if no one follows them.
The FBI seems to have written policies and procedures covering communication with reporters and prohibiting the use of personal email accounts for work-related emails.
And yet…
The control environment allowed numerous unauthorized contacts with reporters, and there were multiple levels of leadership at the FBI using personal email to conduct official business.
A robust monitoring process would have ensured that policies and procedures were followed.
That is the whole point of monitoring: Are we doing what we say we do?
Unfortunately, it took an IG Report to bring the lack of this critical component of the internal control framework to the forefront of our collective consciousness.
The Responsibility for Internal Controls-Not Just for Finance Anymore
We often think internal controls are just about financial statements and accounting departments.
And while reliable financial reporting is undoubtedly one of the objectives of strong internal controls, so are compliance with laws and regulations and efficient operations.
Compliance with Laws and Regulations
We in the grant profession deal with compliance with laws and regulations daily.
And different federal agencies can indeed have confusing and conflicting rules and regulations.
But part of the reason that strong internal controls include the components of the control environment, such as the “tone at the top” and communication, is to support a culture that ensures regulatory compliance at the organization
Efficient Operations
Have you ever heard the expression in your career, “If you have time to lean, you have time to clean.”
Maybe you used it yourself.
Reading the IG report it was amazing the sheer volume of text messages on work devices reviewed.
(I admit I was not an early adopter of text messages as a communication tool.)
But if I divide the number of text messages by the number of days in the period in question, it amazes me that there was time to do any actual work!
Was this back-and-forth an example of “efficient operations”?
It was not.
Similarly, Benjamin Franklin noted that “an ounce of prevention is worth a pound of cure”, and watching this “Titanic” of an internal control disaster unfold reminds me of the wisdom of this adage.
Fixing the results of weak internal controls is probably the most inefficient way to operate.
Whether you are dealing with the results of sexual harassment lawsuits, charges of bias, or a toxic work environment, leadership must step up and lead the organization to a culture that supports ethical behavior!
Commit to prevent, detect, and deter problems with strong internal controls or pay the “big ticket” costs of trust broken and damaged by the actions of a few.
Perhaps the current Director of the FBI can pick up a few tips from my article on How to Write a Corrective Action Plan for the IG findings.
Ready to Improve Your Grant Management?
How about you?
Would you like to be a better grant manager?
We have another grant management training seminar coming soon.
Click here to get all the details!
Hope to see you there!
Author:
Lucy Morgan CPA, MBA
CEO, Compliance Warrior
Author of “Decoding Grant Management-The Ultimate Success Guide to the Federal Grant Regulations in 2 CFR Part 200” The 2nd Edition is now available on Amazon in Paperback and Kindle versions.
Leave a Reply