Last week I was speaking at an ethics and compliance event in Houston, where one of the other speakers stumped the crowd with a deceptively simple question: What is a control?
After all, compliance officers talk about controls constantly. Effective controls are the lifeblood of what makes a compliance program work. Most of us can rattle off examples of controls, or recognize a control when we see one.
So my fellow speaker asked the audience: What is a control?
Nobody dared answer. We all, me included, were suddenly uncertain that we could define a control correctly.
The speaker who posed this question is Jonathan Marks, partner at Marcum and a prolific thinker on all things forensics, audit, and internal control. Lately Marks has been asking audit and compliance audiences to define a control — and to his dismay, most people can’t.
Before I give you Marks’ definition, let me offer what raced through my head when he put the question to me.
An internal control is something a company uses that’s intended to reduce the chance of an unwanted risk outcome.
I deliberately kept my definition broad, because a control can take many forms: a software routine that blocks a payment to unapproved parties; a policy (with certification required) against bribing foreign government officials; a speech from the CEO assuring employees that it’s better to miss your monthly sales quota than fix a contract.
Those examples are all different in form and substance — but controls they all are. In sequence, they are a transaction control (block the payment), a process control (train employees), and an entity control (senior executive issues guidance on corporate priorities). They all work together toward the objective of reducing corruption risk.
Still, my definition is based on example and practicality more than anything else. I know a control when I see it — but is that the same as understanding the abstract concept of a control, and how it fits into a compliance program?
Enter the Marks Definition
I mumbled my one-line definition of a control when Marks posed the question to our Houston audience. Then he asked me to read aloud his definition, which he had graciously emailed to me minutes before.
It’s a mouthful, but Marks’ definition hits on all the right points, and emphasizes the most important point right in the top line. An internal control is a process of interlocking activities that use properly designed policies and procedures. The rest is all correct, but more helps you to understand what a control does; his opening lines explain what an internal control is.
It’s a process. It does something.
That might be why people hesitate to define a control when Marks asks. Our brains hear “define a control” and instinctively envision a noun — a thing unto itself. In everyday language we say sentences like, “This control isn’t working” or “We need stronger internal controls in our accounting process.” As if we could deliver an extra shipment of internal controls to the door of some weak business process, like relief workers air-dropping supplies onto a suffering population.
That’s not what really happens, however. What really happens is that we adjust the weak business process to (ideally) make it stronger. If the process is particularly bad — one might even call it materially weak — we make multiple adjustments at once.
That’s what Marks captures in his opening line: an internal control is a process rather than a thing, and the raw material the process uses are policies and procedures. The mission of the audit or compliance executive is to see that those raw materials are properly designed so that they work together effectively and the internal control then fulfills its mission.
Other Control Definitions
Marks’ definition of internal control didn’t emerge from a vacuum. The COSO framework for internal control and federal securities law have their own definitions, too; and those definitions long preceded Marks.
For example, Section 13(b)(2)(B) of the Exchange Act defines for elements of internal control:
Those four elements are good as far as they go, but they only pertain to financial reporting and accounting fraud. Do they work for books-and-records expectations around the Foreign Corrupt Practices Act? Yes, although you have to consider materiality thresholds: what’s material for corporate financial statements (a few percentage points of a line item’s total value) will generally be much larger than a bribe that could lead to FCPA enforcement.
The greater problem with the SEC’s definition is that it only applies to financial concerns. It won’t much help you to define internal control for, say, cybersecurity, harassment, or reputation risk — although effective internal control is crucial for all three.
COSO, meanwhile, has this definition from its internal control framework:
Marks’ definition clearly descends from COSO’s concept. COSO’s definition is more versatile than the statutory definition in the Exchange Act. Still…
What I like about Marks’ definition is that it frames internal control as interlocking activities — that is, multiple steps the company takes, all reinforcing each other to reduce a risk to some acceptable level. That’s something compliance officers can easily grasp. Especially if, say, you’re rolling out a new policy stressing ethical values, while the CEO is peppering his or her emails with the importance of hitting sales targets at all costs.
Marks also stresses the importance of properly designed policies and procedures. By saying those words, he helps the reader ask: does this policy or procedure fit the objectives and risks I have? That point matters, especially to compliance officers who come from a legal background and might not be as versed in control design as someone from an audit background.
We use shorthand phrases in ethics and compliance all the time, “internal control” perhaps more than any other. It’s good to know what that phrase actually means before we go putting it to use in organizations all over the place.