Effective internal control system decreases to an acceptable level risks of not meeting the objectives

28 July 2020
Knowledge Base

by Alex Movchan

We recently had an opportunity to speak with a man named Edmund Saunders, CICA, CFE (President of Institute for Internal Controls Europe, ex-advisor from the UK government to Polish officials in the banking sector). He is also very experienced and dedicated in the following fields of internal control, fraud, internal auditing, risk management, international banking and anti-fraud and anti-corruption – identification, avoidance and combatting techniques. Dear Edmund, thank you for finding time for the interview. I know that you have a lot of experience in building internal control systems, mostly in financial institutions, all around the world (in UK, Switzerland, USA, Poland, etc.). In your opinion, what should be the core focus, the main 2-3 objectives to focus on, while building an effective control system within an organisation?

Edmund Saunders : “My international banking and internal controls experience covered Europe (UK, France, Germany, Italy, Switzerland, Czech Republic, Poland), USA, Colombia (South America), Egypt, Kuwait, Asia (Pakistan, India, Sri Lanka, Malaysia, Singapore, Indonesia, Thailand, Taiwan, Hong Kong, South Korea).

In my opinion, to build an effective internal controls system in any organisation, it is essential to fully understand the three main COSO publications, especially COSO 2013 and to fully differentiate internal controls from internal audit.”

In the early nineties, you’ve moved to Poland, where your parents come from, as a representative of British government helping Poland to build proper internal controls in the financial system in line with the world’s best practices. Now the Polish economy has one of the highest GDP growth rates in the EU year after year. What advice would you give to the management of both public and private financial institutions in Eastern Europe to bring their organisations to the level of global best practices in governance and risk management?

Edmund Saunders : “Yes, in 1990 the UK government sent me to Poland as a British Know How Fund (BKHF) Adviser to the Polish officials in Banking Sector. To build effective governance and risk management, an essential first step is to define what is meant today by “internal controls” following COSO 2013 principles.

To help people differentiate between internal controls (i.e. the internal controls system), I used this expression: ‘an organisation can function without internal audit, but it will never function for long without an effective internal control system’.

Do not think of internal controls as an EU or government (state) requirement, accept it as something essential for the safe and professional functioning of any organisation, a means of reaching one’s objectives.

The most important sentence in COSO is: ‘An effective system of internal control reduces, to an acceptable level, the risk of not achieving the objectives of the organisation.’

The sentence is important because it emphasises the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when the risk is at the desired levels.

To me, this means that:

  1. Before you assess the effectiveness of internal control, you need to know your objective(s), because we are talking about the risk to objectives – not risk out of context.
  2. You need to know the risk to those objectives.
  3. You need to know what is an acceptable level of risk for each objective.
  4. And you need to be able to assess whether the controls provide reasonable assurance that the risk is at acceptable levels.”

You’ve built a great career, cooperated directly with David Rockefeller during your work in New York, and on top of that you’ve built strong leadership in the professional environment with your expertise setting the standards on the global scale, being founder of IIA and ACFE chapters in Poland and the Institute for Internal Controls (the IIC) globally. A lot of young professionals in internal controls, auditing and risk management, including myself, consider yourself as an example to follow. What would be your advice to young professionals in internal controls and auditing on building a bright career?

Edmund Saunders : “I was very lucky to have the career I had as I was in the right place at the right time and I managed to get the maximum work experience, also keeping focus on the world’s best practices and application of those in practice. I firstly concentrate in getting my professional banking qualification as quickly as possible, becoming a member of the British Chartered Institute of Banking. Secondly, I’ve chosen the job functions that gave me the most experience in banking that I could get. The rest was a lot of hard work and the willingness to change not only banks, but even countries, e.g. moving to Luxemburg and the Rome with what later became to UE. After that, I came to New York and then the rest of the world.”

Edmund Saunders with David Rockefeller

The author, Alex Movchan CIA CICA CFE is the President of the Institute for Internal Controls (Ukraine and Belarus chapter). He is also currently the Head of Internal Controls in a global medical company. 

Leave a Reply

Your email address will not be published. Required fields are marked *