When at the gun factory...

... do as the gun runners? Or make out like bandits? You'd hope that companies dealing with lethal products have excellent standards regarding hiring people and internal processes.

Any company, and especially one dealing with highly sensitive systems, secrets, military and related products, money, high-tech products, and so on, must have air-tight internal controls. That is easily said but much harder to do.

A major manufacturer of weapons in Belgium found itself out of 15 million euros, apparently due to lacking internal controls. It turns out that a staff member of the procurement department set up a system of falsified invoices and pocketed the money paid against them. He subsequently skipped town to an African nation. The unions had already notified the then-CEO back in 2014, and the vice minister-president of the Walloon government at the time, that internal controls at the company were insufficient. That was over six years ago.

A rule does not make a control.

Controls, in this context, are the mechanisms, rules, and procedures that try to ensure the integrity of the processes used within a company, protecting it from mistakes, faults, fraud, and similar failures. In this particular case, the internal controls of the procurement department were put into question.

Some good examples in a procurement department could be the following rules:

  • Staff cannot have the right to enter an invoice into the accounting system and approve the payment
  • Staff cannot negotiate with suppliers if there is a family relationship
  • External staff cannot enter into a contract with their own company
  • Payments over a certain limit must be subject to the four-eyes principle or escalation to management
  • Managers cannot have family members as subordinates
  • The CEO cannot order payment without additional approvals

Rules by themselves are not controls. We all know that we should not ignore a red light in traffic. Have you always abided by that rule? Of course not! Late at night, when there's no traffic at all, we can see cyclists and pedestrians routinely ignore a red light. Why do they do that? Because the perceived risk is very low.

When that same person is riding a motorcycle or driving a car, perception changes, not necessarily of the risk, but of the consequences should it go wrong. Those consequences can take the form of a police officer who sees the infraction and the fine that follows, or of actually running over a person. The risk (as opposed to the consequence) only comes into play when the crossing cannot easily be overseen over a larger area.

Even in this example, which can have devastating consequences, you can see how our internal thought processes combine the rule with the chance of getting caught. That is only human. We don't live by absolutes, not even in totalitarian regimes. And our perception of reality is our own, but that is another discussion...

So how do you enforce this simple "do not cross on red" rule? By putting a monitoring system in place, like a camera. And how do you do that in the procurement department? By adding a user access rights system to the software, as most modern accounting systems have. And, of course, by configuring it correctly. That configuration also needs to be monitored.

In less technologically inclined companies it can be as simple as "put the checkbook in a locked drawer." For most companies, it means routing payment approvals to a separate central team and comparing Purchase Orders and Purchase Approvals against incoming invoices. The general tenet is that approval should never be done by the same person who ordered something.
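The procurement rules listed above and the order/approval/invoice comparison can be expressed as a check that runs before a payment is released. The following is an added example written for this post, not code from the company or any accounting product; the four-eyes threshold, the field names and the "related parties" register are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

FOUR_EYES_LIMIT = 10_000.00  # assumed threshold; the post only says "a certain limit"

@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    supplier: str
    amount: float
    ordered_by: str
    approved_by: Optional[str]  # None: the PO was never approved

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    supplier: str
    amount: float
    entered_by: str  # who keyed the invoice into the accounting system

def payment_violations(po, inv, payment_approvers, related_parties=frozenset()):
    """Rules a payment release would break; an empty list means release is allowed.
    related_parties: set of (employee, supplier) pairs with a family or ownership link."""
    problems = []
    approvers = set(payment_approvers)
    # Three-way match: invoice against purchase order and purchase approval.
    if inv.po_id != po.po_id:
        problems.append("invoice does not reference the purchase order")
    if inv.supplier != po.supplier or abs(inv.amount - po.amount) > 0.005:
        problems.append("invoice supplier or amount differs from purchase order")
    if po.approved_by is None:
        problems.append("purchase order was never approved")
    elif po.approved_by == po.ordered_by:
        problems.append("purchase order approved by the person who ordered it")
    # Segregation of duties: whoever orders or enters never releases payment.
    if inv.entered_by in approvers:
        problems.append("invoice entered and payment approved by the same person")
    if po.ordered_by in approvers:
        problems.append("payment approved by the person who ordered")
    # Four-eyes principle above the limit.
    if inv.amount > FOUR_EYES_LIMIT and len(approvers) < 2:
        problems.append("amount above limit needs two independent approvers")
    # Conflict of interest between anyone in the chain and the supplier.
    for person in sorted(approvers | {po.ordered_by, inv.entered_by}):
        if (person, inv.supplier) in related_parties:
            problems.append(f"{person} has a declared relationship with {inv.supplier}")
    return problems
```

The check is only a control if its result actually blocks the payment run and the list of violations is reviewed by someone outside procurement; a rule that merely logs is back to being a red light with no camera.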

Then what makes a good control?

Nature has already shown us that unilateral rules don't work. A dog will take another's bone if it estimates it can get away with it. It is all about estimating risk, what is acceptable within the environment we operate in, and the likelihood of consequences.

For controls to work, we need an agreed framework within which we operate. For that, we must have:

  1. A defined control environment: the set of overall attitudes, awareness, and actions that management shows us and employees embrace about internal controls.
  2. A clear risk assessment process that identifies, evaluates, and prioritizes risks to the company's objectives while considering the company's risk culture.
  3. Policies and procedures that help ensure that management's directives are carried out, such as approvals, authorizations, and reconciling procedures. These are called control activities.
  4. Information and communication processes for creating, collecting, and disseminating information to support decision-making that meet operational, reporting, and compliance needs.
  5. Monitoring: reviewing and evaluating the effectiveness of internal control and making necessary improvements.
  6. An organizational culture, which includes ethical values, behaviors, and practices embraced by management and employees, that fosters a strong commitment to doing the right thing.
  7. An HR culture that supports the above points.

There is no one-size-fits-all answer of the kind typically embraced by big-box consultants who use a fill-in-the-blanks ISO-whatever approach. Control compliance starts with understanding your company. Use toolkits to guide you, but always adapt them to your culture. When you hire a consultant to implement anything, always ensure the person does so with respect for how your people work and operate. Yes, change will probably need to happen, but it will happen faster and be more lasting when done in line with your corporate values, way of thinking, and way of working.

Tymans Group is a brand by Gert Taeymans BV

Copyright 2017-2022 Gert Taeymans BV