The Control Activities aspect of the COSO compliance framework encompasses all the policies, procedures, validations, qualifications, authorizations, etc. that (should) exist within the organization. This can be summarized as the system of checks-and-balances: no one person or department should hold so much power that it compromises decisions in the best interest of the organization or leaves the it susceptible to fraud.
Control activities define how operational activities are carried out:
- Who is responsible for what, when, and how. What limits exist?
- What software applications are used, and how (what functions) are used?
- What sign-offs are required?
All control activities should be documented and reviewed as the organization’s business changes and grows. Sarbanes-Oxley documentation is living – it truly represents how an organization does things, and it changes as the organization changes.
Control activities help to mitigate fraud. Several high-profile frauds here in South Florida: From the $500,000 caper suffered by the Town of Davie to the $2.4M siphoned by an accounting clerk at Workforce One over the course of 10 years. In each case, like so many others, fraud was able to happen because of either a lack of internal controls or the failure to enforce them. The more that fraud is controlled and contained, the better chance the organization has to meeting its operational goals, such as the production of timely and accurate financial statements.
With the holistic understanding that the supply chain is both internal and external, control activities really play a very large part in defining how the supply chain will function, encompassing the interactions between employees, suppliers, and customers. Control activities are an organization’s standard operating procedures; they govern how the organization will operate.
One example of internal controls is the employee manual. Here’s where the employee learns what is and is not acceptable behavior. For example, should the employee be able to receive gifts from outside the organization? If so, what are the gift-value limits? Should attempts to give the employee gifts or loans of greater than the limit is reported, and if so, to whom? Should employees be allowed to provide (expensive) gifts to customers?
Another example, already mentioned, is the standard operating procedures documents. This documentation usually goes hand-in-hand with the subjective business software applications documentation. Most software comes with objective documentation which describes the basic functions of the software and defines forms, reports, and data fields. It does not describe how the business software application will be used to run the organization’s (supply chain) operations, because each organization is different, even if in the same market or industry. The subjective documentation describes how the business software application – one of the tools an employee will use to perform their designated tasks – will be used within the particular organization. User roles and rights, organizational department structure, employee titles and responsibilities are all important aspects which factor into our internal controls documentation, which the standard operating procedures and subjective system documentation are a part of.
One document often overlooked is the vendor compliance manual, which typically contains information on barcode labels, shipping instructions, electronic business-to-business requirements, etc. In the same way that the employee manual defines what behavior is and is not acceptable for the employee, so too should the vendor compliance manual document what behavior is and is not acceptable for the supplier. Using the example above, if our organization places a $100 limit on total annual gifts to employees, then this needs to be stated in both the employee manual and the vendor compliance manual. The vendor should be informed as to the correct procedure for reporting an employee trying to extort a gift (or loan) of great than the limit. This is an excellent example of how internal controls provide a check-and-balance system against abusive behavior.
The examination of an organization’s supply chain operations to develop internal controls helps to identify risks by finding gaps in procedures and information. By better defining and refining how the operations function, the organization moves from exception management to management by exception, improving operational efficiency by increasing throughputs and decreasing costs. This helps the organization achieve its goals.
Our thanks to this article’s author, Norman Katz, CFE, President of Katzscan, Inc. (www.katzscan.com). of Katzscan, Inc. is a consulting firm located just 20 minutes north of Fort Lauderdale, Florida, specializing in supply chain technologies & operations. Norman graduated from the University of Florida in 1985 with a Bachelor of Science degree in Business Administration majoring in Computer Information Sciences. Norman is a Certified Fraud Examiner, a Florida licensed Private Investigator, and holds a Certification in Corporate Governance from Tulane University College of Law. Information on detecting and reducing fraud in the supply chain can be found at www.supplychainfraud.com. Information on supply chain governance can be found at www.supplychainsox.com. Norman can be e-mailed through his web sites or contacted by telephone at 954-942-4141.
DISCLAIMER: This Corporate Governance article is provided as an informational resource and does not constitute legal advice. The information provided in this article is based on the laws in effect at the time the article was published. Laws related to this article’s topics may change over the course of time. Visitors to this website should not rely upon or act upon this information without seeking professional legal counsel.