A natural disposition of every management of a company is to create such a management tool that would prevent the emergence of unexpected losses as much as possible. In it, the management combines the need for creation of rules and procedures with the need of these rules and procedures being respected by all employees.

By creating a refined and interlinked system, which enables observance of these rules and procedures, the company creates an internal control system. How perfect this system is or is not influences the profits of the company. Every unexpected loss only points out that this management tool is not perfect. An unexpected loss or failure of the internal control system can be seen for example in the payment of unapproved payments, payment of fake invoices, the emergence of extraordinary losses in the production process, as well as the leak of insufficiently safeguarded data, which competitors as well as the respective authorities can punish a company for. 

Can you trust your internal control system so much that it ensures your internal peace?

Experiences from audits confirm that failures and imperfections of internal control systems occur and that many companies do not consider it necessary to elaborate their internal system into written form – into internal company guidelines, so that its control could be set more clearly by the company and could be carried out more easily.   

In addition, the often neglected part of management of a company, the internal control system, is currently becoming a relevant topic. On May 25, 2018, the General Data Protection Regulation (GDPR) of the EU for personal data protection will come into operation and will influence all companies and public institutions regardless of their business and their size. GDPR is not only about technologies, many newly introduced duties relate to the way an organisation is managed and controlled. In most companies, it will thus be necessary to carry out a revision of internal corporate guidelines, among other things.

What is, then, considered an internal control system? In the introductory part of the article, we said that it is a refined and interlinked system or rules and control, created by the management for the purpose of managing the company.

Its main aims include especially:

• to ensure completeness of records and their conformity with legal regulations,
• to guarantee correctness of reporting, especially financial reporting,
• to achieve efficient and safe course of corporate processes in all areas of activity of the company,
• to set up corporate rules (especially approval processes) and to ensure that they are observed.

The control system should be designed so as to be able to prevent and detect erroneous or intentionally misused operations in time. In many companies, though, we encounter a situation, where the control system arises spontaneously and only after some damage or fraud has already emerged, and it is thus not a tool for preventing all damage and frauds but a mere reaction to their specific form.

An important part of the internal control system is the accounting itself, and as such it is equipped with a number of its own control elements.

These control elements include for example:

• formal and factual re-examination of correctness of accounting documents,
• suitably defined competence of employees,
• regular inventory-taking of assets and liabilities (especially stockpile, assets, cash, liquid valuables)
• multi-level authorisation of payment orders.

In practice, we often come across these processes being simplified, which may lead to failure of the above-mentioned control elements.

We mainly see the risks of failure of the internal control system in:

• unsuitably set competences, as a result of which cash or liquid valuables may be alienated,
• in incorrect, incomplete or inconclusive records of accounting cases due to formal and factual re-examination of the correctness of accounting documents only by the accounting department,
• in neglecting or formal realisation of asset inventory-taking, which may lead to fraud or ti situations, when items that the company no longer owns continue to be registered among the assets,
• in an outdated accounting system, the irregular updating of which may cause erroneous accounting according to invalid legislation,
• in insufficiently set controls, where erroneous entering of data into the system may occur,
• in misusing payments from bank accounts of the company due to insufficient authorisation of payment orders.

We also see risks in a wide range of areas, which may be adjusted in every accounting entity upon its discretion, in keeping with the valid legislation. These include for example the setting of the account schedule of a company, the depreciation plan, the form of valuation of foreign currency assets and liabilities, creation of reserves and adjusting entries, evaluation of stocktaking differences, the setting of natural shrinkage of stock and others. In our experience, most accounting entities use the option

of adjustment, but in many cases, individual procedures are only set orally. Yet, the written form is required not only by legal regulations, but also because by written form, procedures are standardised and the risks of mistakes and losses from disrespecting the procedure are eliminated or can be detected. The written form ensures the existence of a tool for control in case of departure of employees from the company and the arrival of new ones.

Internal corporate guidelines serve the purposes of written form. Their aim is to apply legal regulations by means of corporate rules and procedures to the specific conditions of the respective accounting entity. Active use of the guidelines leads not only to easier orientation of employees in operational activities, but also to readiness of the accounting entity in case of possible internal or external examination (for example by the financial office). As a communication tool, they eliminate potential misunderstandings and ambiguities and help make work more efficient by providing a manual for how to resolve the given situations.

Every company should pay attention to a functioning internal control system and the related creation of internal corporate guidelines, their regular revision and continuous control of compliance with them. Especially in the process of preparation for requirements related to the GDPR, that is the safeguarding of information in the company.