Internal Controls for the Treasury: The missing piece...
by François Masquelier, Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman, EACT
Many companies, because they are listed on the American stock exchange, have had to comply with Sarbanes-Oxley for five years or more. They must produce detailed reports of their internal controls, and treasury is no exception. In Europe, the gradual transposition into domestic law of the EU’s Eighth Directive (e.g., the German BilMoG) makes it mandatory to document the existence of internal controls, thus supplementing risk management system measures. Unfortunately, although rules and policies often exist, the controls have not been made official and are not effective, particularly with respect to the treasury. In this article, we describe an approach for implementing these controls.
People often speak of internal controls, but few can define what an ‘internal control’ really is. It is the process by which an organisation structures its activities to accomplish its mission effectively and efficiently. It is an integrated process used by the managers and staff of a company or a department to handle risk. It also serves to provide reasonable assurance that, within the context of the organisation’s mission, the following general objectives will be met:
1. Completion of well-ordered, ethical, economical, efficient, effective operations;
2. Fulfilment of accountability obligations;
3. Compliance with current laws and regulations;
4. Protection of resources against loss, improper use and damage.
This applies on three levels: (1) performance, (2) information, and (3) compliance (with current standards). The treasury department must respond appropriately to the operational, financial, legal and market risks with which it is confronted. Yet it must also improve the quality of the financial information provided, both internally and externally. In addition, it must encourage compliance with the internal and external rules applicable to the company. In effect, internal control is a set of good governance rules focused on quality assurance and on identifying and analysing risk. These are rules and procedures, combined with various controls, that are intended to mitigate or eliminate a risk. Consequently, this is a fairly vast concept, as these controls are supposed to cover delegation of authority, chains of command, management of sensitive information, access to systems, procedures, infrastructures, risks of fraud, internal charters, definition of roles, identification of risks and more (see COSO Framework: Guidance on Monitoring Internal Control Systems, 2007).
Integrated framework for internal controls
The famous ‘COSO’ framework mentioned above (Committee of Sponsoring Organisations of the Treadway Commission - www.coso.org) is a private initiative intended to improve the quality of financial reporting, corporate governance and internal controls. According to COSO, an internal control is a process carried out by an entity or one of its members at various levels designated as responsible for providing ‘reasonable’ assurance that its objectives in terms of operational effectiveness and efficiency, the reliability of financial reports and compliance with applicable laws and regulations will be met. These control activities cover tasks such as approval procedures, authorisations, segregation of duties and even reconciliations. Although the controls sometimes have their limitations, which are occasionally felt by the company (decisions by the management to get around or to overstep a rule, collusion, cost/benefit analysis or the judgement/subjectivity aspect, among others), it is nevertheless essential and now even mandatory for some to prove the existence of these internal controls.