Are Your Internal Controls Effective and Efficient?
by François Masquelier, Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman, EACT
This article examines the new reporting requirements for internal controls following the transposition of the 8th Directive into the legislation of some European countries. Compliance with the Directive may offer companies unaffected by the Sarbanes-Oxley Act the chance to benefit from this cumbersome exercise. How should we carry out a review of internal controls? How can this undertaking be linked to ERM reports?
The 8th European Directive (2006/43/EC – 17 May 2006)
The 8th European Directive supplements its two sister Directives (the 4th and 7th Directives – 2006/46/EC) which dealt with corporate governance and reports on internal controls and risk management systems from a specifically accounting viewpoint. This Directive is of major importance for business finance professionals.
In particular, it describes aspects of the independence of financial experts sitting on supervisory boards and other audit committees; the broader obligations of auditors in terms of financial reporting; auditors’ recommendations to audit committees; and the requirement to set up audit committees. It also addresses the requirements for more specific monitoring of supervisory audit bodies (i.e., supervisory boards and audit committees).
These new measures, which are or should be internally adopted by EU Member States, require, inter alia, the supervisory board to monitor the effectiveness of the risk management and internal control systems currently in place. Companies therefore have to comply with these new requirements, which have been laid down at European level.
At the very least as a first step, a pragmatic approach is desirable, one that starts from the main generic processes which are well known and understood within the company. The starting point is very often the adoption of guidelines or policies relating to risk management. This is a bottom-up process, like Enterprise Risk Management (ERM) reporting processes.
Internal controls and other existing procedures, together with any necessary improvements which may be made (parallels can be drawn with Sarbox), need to be formalised and documented.
Materiality thresholds (often comparable with ERM reporting) must be defined, as well as the format and frequency of reports. The perimeter must also be predefined broadly but not necessarily exhaustively. It must be possible to define a materiality limit which will enable coverage of the principal and significant part of the activity (e.g., 80% of the main subsidiaries, which would cover more than 95% of turnover).
The prerequisite in terms of format is to establish a complete framework, most often in the form of an Excel spreadsheet-type table. This matrix will enable all processes, sub-processes and their attributes to be consolidated in a systematic, co-ordinated and aligned way. The success and the quality of the outcome depend on the limit which has been set and the time spent achieving it. What is recommended is the adoption of a gradual, progressive approach which can be improved over time (e.g., greater thoroughness, more completeness, wider scope, better quality of information reported and described).