[NOTE: this post is the first of a four-part series]
No, this suddenly isn’t a personal advice blog with tips on how to be a better person by taking control of your life! This post is about implementing a solid internal control program in courts. It troubles me that too often courts do not have such a program to minimize risks in place. Every court needs to have a comprehensive approach to the critical area of internal control of operations. Why is this so important?
Here are a few horror stories from courts that did not have good internal control (all of these scenarios actually happened):
- A traffic court deputy clerk steals cash payments received in the mail and deposits them into her personal bank account while not recording the proper payments in the court records.
- An I.T. manager with procurement responsibilities arranges to receive kickbacks from a technology vendor awarded a court contract.
- A court hires a new employee into a position handling confidential criminal case information without doing a criminal background check; the employee later divulges pending warrant information to a local criminal gang in which he once belonged and was convicted of several offenses.
- A court’s electronic information system for both case management and probation services is hacked, compromising highly sensitive data.
- A court procurement clerk sends court furniture out to be refinished, but some of the pieces never come back and are sold by the vendor, who shares the profits with the clerk.
- A denial of service (DoS) attack on a court’s website makes the site unavailable for several days.
- A state passes a new law revising the fines and fees for lower level offenses, but a local court continues to use the old amounts for several months after the effective date.
- A court is the victim of ransomware and has to pay a hefty cash amount to unlock its case management system.
One can easily imagine what the news media could (and did, in most instances) make of these incidents! If these courts had effective internal control policies and procedures in place, these events should not have happened. Before I go further, let’s make sure we know what is meant by the term “internal control”:
Internal control…is a process for assuring an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization. It is a means by which an organization’s resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization’s resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).
Notice that internal control spans all court operations, protecting all resources. Too often we only think of internal financial control, which is certainly vitally important and deservedly gets lots of attention. As the definition above shows, a comprehensive approach covers not only financial, but also human capital, technological, data, property, and intangible resources.
The U.S. General Accountability Office (GAO) has published a detailed guide for governmental entities to implement internal control. The guide (also known as the “Green Book”) shows how internal control is a basic means for an organization to put its mission, strategic plan, goals, and objectives into action. The guide then outlines five key components of internal control:
1. Control Environment – the foundation that provides the discipline and structure to help the organization to achieve its objectives.
2. Risk Assessment – evaluating the risk facing the organization as it seeks to achieve its objectives. The assessment provides the basis for developing appropriate risk responses.
3. Control Activities – the actions that management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.
4. Information and Communication – the quality information and communication management and personnel use to support the internal control system.
5. Monitoring – the activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.
Internal control is clearly not a simple function and requires continuous effort to do it right. Since internal control is very important to the proper functioning of any organization, what actions should be taken to implement the components listed above? I will explore this in my next blog post: Risky Business, part 2 of 4: Internal Control – how do you do it?
Meanwhile, I welcome any questions or comments – including any examples of issues, problems, and solutions you have seen.