Friday May 22, 2026

A post-mortem of the recent governance failures at the National Development Bank (NDB) and Sri Lanka’s Finance Ministry points to laxity in implementing the ‘three lines of defence’ model of risk management and internal control. In that model the first line, the business unit, owns and manages risks directly; the second line, the compliance, risk and internal audit functions, provides oversight and frameworks; and the third line, external auditors and regulators, offers independent assurance to the board and senior management. The lapses show that internal control is only as strong as its weakest link, and that fraudsters are always searching for that loophole. When management is ‘easy’ on controls, and/or the Board remains passive, the entire ecosystem of transparency dissolves, transforming organisational character into a vehicle of institutionalised complacency. Without a robust, independent application of these controls, “governance” remains a mere buzzword while the organisation’s resources are methodically drained.
Internal Control is not a bureaucratic anchor
In the high-stakes theater of modern commerce, we are often captivated by leading acts such as disruptive innovation, market expansion, artificial intelligence (AI), and digital transformation. These are the flashy elements that fuel investor sentiment and dominate headlines. Yet the structural integrity of the entire performance rests on a quiet, foundational discipline that is increasingly ignored. That is Internal Control. Internal control is often misunderstood as a bureaucratic hurdle and, at times, it is dismissed as just a checklist for police-like auditors.
Internal Control is not a bureaucratic anchor. It is the structural integrity that prevents a corporate edifice from collapsing under the weight of its own ambitions. Internal Control serves as the central nervous system of an organisation and is the silent guardian of the three pillars of corporate survival, these being:
The modern business world is littered with the wreckage of giants who believed they were “too established to fail.” These failures have seldom stemmed from a lack of talent. They arise from the corrosion of the core, a corrosion in which accountability is sacrificed for pace and transparency is traded for convenience. A meaningful system of internal control does not stifle innovation; it enables it. By anchoring a bedrock of accuracy, reliability, transparency, integrity, authenticity, and intellectual dissent, it provides the safety required to take calculated risks. To treat internal control as a secondary compliance task is akin to leaving the cockpit of a flying supersonic jet unattended. In today’s market, control is not just a requirement. It is the only thing standing between a legacy of success and a headline of disgrace. In an era defined by algorithmic speed, borderless transactions, and relentless disruption, the absence of a robust control framework is not “agility”; it is institutional negligence.
Internal control is not a singular event but a continuous process. It is a “living” system designed to provide reasonable assurance covering the achievement of objectives, operational effectiveness, public reporting, and compliance with laws. To understand the logic of its applicability, we must distinguish between the pillars of, and the vehicles used in its application. These are the mechanisms and processes that operationalise control throughout the organisation.
The pillars represent the environmental conditions and mindset that must exist for the processes to be effective. Without these, even the most sophisticated software or audit trail will fail, as the “human element” will eventually find a way to bypass them. Very broadly, they are:

Control environment
This is the most critical pillar, and it drives the culture of the organisation. The ‘Tone from the Top’ signals the importance that the Board and Management place on internal controls. If the leadership views controls as “red tape” to be circumvented for the sake of speed, that attitude will permeate every level of the organisation. High-performing Organisations (HPOs) are known to display zero tolerance for instances where employees flout laid-down policies, procedures, and processes. Whilst this may sound authoritarian at first, HPOs negate its sting by ensuring that employees have the skills necessary for their specific tasks through regular need-based training and development. These proactive steps help to reduce ‘error-based’ control failures. HPOs also facilitate employee empowerment through psychological safety and unambiguous decision rights while maintaining strict codes of conduct, which clearly specify the boundaries within which employees can operate.
Risk assessment
Controls do not exist in a vacuum. They are responses to risks. Progressive organisations understand the balance between risk and reward and are usually aware of the magnitude of their risk appetite. They have in place a robust pillar of risk assessment that proactively searches for what could go wrong. Risk is not static. A shift in the economy, a new competitor, a technology change, and/or tech-enabled employee freedom each require a fresh assessment of where “leaks” may occur. Controls must be aligned with corporate goals, and the effectiveness of that alignment must be reviewed regularly. If a control does not mitigate a specific risk to the achievement of an objective, it is deficient and redundant and must be terminated.
Information and communication
For a control system to function effectively, information must flow both vertically and horizontally. This pillar ensures that the right people have the right data at the right time to make informed decisions. Great organisations have little to hide. Every individual must be made aware of the logic and purpose of each control. ‘Whistleblowing’ channels that allow employees to report irregularities without fear of retribution must be part of the operating model. The grapevine usually provides the gossip on sudden lifestyle changes, a common precursor to fraud.
Monitoring
These can be thought of as the “control of the controls” and must be operationalised through periodic internal and external audits, which provide an objective opinion of the system’s efficacy and general health. Over time, processes outlive their usefulness and become obsolete, or people become complacent. Further, users become smart and invent ways and means of circumventing the system. Therefore, systems must be reviewed regularly and modified as necessary.
While the pillars provide the foundation, the vehicles are the moving parts that execute control. These are the tangible tools and routines that maintain order in the day-to-day life of the organisation. The more prominent among these tools are:

Standard Operating Procedures
Standard Operating Procedures (SOPs) are the structural blueprints of a resilient organisation. Without documented, measurable, and auditable protocols, internal controls are nothing more than aspirations. Documentation transforms tribal knowledge into institutional memory, ensuring that critical processes are not dependent on individuals, but are rooted in a consistent, repeatable framework. To be effective, an SOP must be measurable. Metrics provide the data necessary to detect deviations before they escalate into systemic failures. Without quantifiable benchmarks, “performance” is subjective, and accountability becomes impossible to enforce. Furthermore, an SOP’s value is solidified by its auditability. A control that cannot be verified is no control at all. Auditable trails provide the transparency required for rigorous risk governance, allowing internal and external stakeholders to confirm that the organisation is operating within its defined guardrails. In an era of increasing complexity, these documented standards function as the “load-bearing walls” of the enterprise, providing the stability and discipline essential for sustainable success and the prevention of malfeasance. SOPs turn unglamorous internal controls into a meticulous routine, ensuring that nothing is left to chance.
Segregation of Duties
This is the primary vehicle for preventing fraud and error. No single individual should have the power to execute, record, and reconcile a transaction. By splitting these responsibilities, one creates a natural “friction” that requires wider collusion for fraud to occur. This significantly raises the barrier to misconduct. The Sarbanes-Oxley (SOX) methodology of Segregation of Duties (SoD) entails dividing critical financial and IT responsibilities among different employees to prevent any single individual from controlling the critical nodes of a process from initiation to reconciliation. This demands clear separation of authorisation, recording, custody, and reconciliation. If separation is impossible, or perfect segregation costs more than the benefit it brings, then extra monitoring, such as detailed management review of reports and audit logs, must be introduced as a compensating control. Under SOX, a SoD Matrix is created to reveal overlapping and conflicting roles. The SOX methodology also ensures that developers of information technology-enabled and other automated systems cannot move code into production without specific authorisation, separating system access from user duties.

Delegation of Authority
Delegation of Authority (DoA) is the cornerstone of a robust internal control framework, transforming a flat organisation into a disciplined, governed hierarchy. It is not merely the shifting of tasks, but the precise assignment of decision-making and approval rights through formal Authority Levels. Every financial or operational commitment must be tied to a specific level of authority. By establishing clear financial and operational thresholds, an organisation ensures that risk is managed at the appropriate level of seniority. This structure prevents the “concentration of power” and mitigates the risk of unauthorised transactions or fraudulent activity. When authority is clearly defined, every commitment, from procurement to capital expenditure, is backed by an accountable individual with the requisite expertise and oversight. As described earlier, structured authority levels facilitate Segregation of Duties, ensuring that no single person controls all phases of a transaction. This clarity eliminates ambiguity, enhances transparency, and fosters an environment of “earned authority,” where responsibility is matched by institutional trust. A well-defined DoA manual serves as both a shield against internal control failures and a catalyst for organisational agility.
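The SoD Matrix and DoA thresholds described in the two sections above, as an added worked example that is not part of the article: conflicting duty pairs (authorisation, recording, custody, reconciliation, plus the developer/production rule) are encoded as a matrix, each user’s combined duties are checked against it, and a commitment is checked against approval limits. Every role, user and limit is a constructed assumption.

```python
"""Segregation-of-Duties matrix and Delegation-of-Authority checks.

Added example, not the article's own material. Roles, users and approval
limits below are constructed for illustration only.
"""
from itertools import combinations

# SoD matrix: duty pairs that must never sit with one person (symmetric).
CONFLICTS = {
    frozenset({"authorise", "record"}),
    frozenset({"authorise", "custody"}),
    frozenset({"record", "custody"}),
    frozenset({"record", "reconcile"}),
    frozenset({"custody", "reconcile"}),
    frozenset({"develop", "deploy_production"}),  # code-to-production rule
}

# Constructed mapping of roles to the duties they carry.
ROLE_DUTIES = {
    "payments_clerk": {"record"},
    "treasury_officer": {"custody"},
    "finance_manager": {"authorise"},
    "accounts_controller": {"reconcile"},
    "developer": {"develop"},
    "release_manager": {"deploy_production"},
}

# Constructed DoA thresholds: the largest amount each level may approve.
DOA_LIMITS = {"finance_manager": 1_000_000, "cfo": 10_000_000,
              "board": float("inf")}


def sod_violations(user_roles):
    """Return {user: [(duty_a, duty_b), ...]} for every conflicting pair a
    user holds through the union of their roles. An empty dict means the
    assignment is clean; anything else needs re-assignment or, where
    separation is impossible, a documented compensating control."""
    out = {}
    for user, roles in user_roles.items():
        duties = set().union(*(ROLE_DUTIES[r] for r in roles))
        pairs = [tuple(sorted(p)) for p in combinations(sorted(duties), 2)
                 if frozenset(p) in CONFLICTS]
        if pairs:
            out[user] = pairs
    return out


def doa_check(approver_level, amount):
    """True only if the approver's limit covers the amount; an approver
    level missing from the DoA manual is refused outright."""
    return amount <= DOA_LIMITS.get(approver_level, 0)
```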
Physical verification and access controls
Physical verification is the “first line of defence” in a resilient internal control environment. It serves as the mechanical confirmation that recorded assets exist and remain protected from unauthorised interference. Physical verification is the process of periodic reconciliation, such as inventory counts, fixed-asset audits and debtors’ confirmations. It acts as a powerful deterrent against misappropriation and ensures that the balance sheet reflects physical reality. Without it, digital records can become decoupled from the truth, masking losses or theft. Complementing this are Access Controls. Physical controls (biometrics, restricted zones) protect tangible assets, while digital controls (multi-factor authentication, role-based permissions) safeguard the “crown jewels” of data. Together, they enforce the Principle of Least Privilege, ensuring that individuals access only what is necessary for their specific roles. In an era of sophisticated fraud, these controls are the essential “locks and bolts” that maintain organisational integrity and prevent the erosion of institutional trust.
Reconciliations and variance analysis
Robust internal control is not merely a compliance exercise; it is the bedrock of organisational integrity. In high-stakes corporate environments, the breakdown of basic hygiene, specifically the failure to perform rigorous reconciliations and variance analysis, is often the precursor to systemic fraud and catastrophic reputational loss. Suspense and parking accounts are frequently the “dark corners” of a balance sheet. Without regular, forensic review, these accounts become convenient repositories for unresolved discrepancies, unauthorised transactions, or deliberate concealment. A lack of oversight here transforms an accounting tool into a liability, masking inefficiencies or, worse, enabling the misappropriation of funds. True internal control demands more than just identifying differences; it requires intellectual curiosity to investigate the “why” behind every variance. Discrepancies are early warning signals. When leaders treat reconciliation as a mechanical routine rather than a diagnostic tool, they lose their visibility into the operation. To maintain earned authority and safeguard assets, a culture of transparency and intellectual dissent must prevail. Controls are only as strong as the discipline behind them. Rigorous, periodic reviews ensure that the organisation’s financial “foundations” remain uncompromised, preventing minor cracks from evolving into structural failures.
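The reconciliation and suspense-account review described above, as an added example that is not from the article: constructed ledger and bank lines are matched by reference and amount, every unmatched or mismatched item is reported as a variance to be explained, and items parked in a suspense account beyond a constructed 30-day limit are flagged for investigation. All references, amounts and dates are made up.

```python
"""Ledger-to-bank reconciliation with variance and suspense-ageing flags.

Added example, not the article's own material; all data are constructed.
"""
from datetime import date

LEDGER = [  # constructed general-ledger postings
    {"ref": "INV-1001", "amount": 250_000.00},
    {"ref": "INV-1002", "amount": 80_000.00},
    {"ref": "INV-1003", "amount": 12_500.00},
]
BANK = [  # constructed bank-statement lines
    {"ref": "INV-1001", "amount": 250_000.00},
    {"ref": "INV-1002", "amount": 85_000.00},  # amount differs from ledger
    {"ref": "TRF-9001", "amount": 40_000.00},  # no ledger posting at all
]
SUSPENSE = [  # constructed items parked in the suspense account
    {"ref": "TRF-9001", "amount": 40_000.00, "posted": date(2026, 3, 1)},
    {"ref": "INV-1003", "amount": 12_500.00, "posted": date(2026, 5, 15)},
]
MAX_SUSPENSE_DAYS = 30  # constructed policy limit for unresolved items


def reconcile(ledger, bank):
    """Return (matched_refs, variances). A variance is a tuple
    (ref, ledger_amount, bank_amount) with None on the side that has no
    entry; every variance needs a documented explanation, not a write-off."""
    by_ref_l = {e["ref"]: e["amount"] for e in ledger}
    by_ref_b = {e["ref"]: e["amount"] for e in bank}
    matched = sorted(r for r in by_ref_l
                     if r in by_ref_b and abs(by_ref_l[r] - by_ref_b[r]) < 0.005)
    variances = sorted((r, by_ref_l.get(r), by_ref_b.get(r))
                       for r in set(by_ref_l) | set(by_ref_b) if r not in matched)
    return matched, variances


def aged_suspense(items, as_of, max_days=MAX_SUSPENSE_DAYS):
    """References that have sat in suspense longer than max_days as of the
    review date; these are the 'dark corners' the review must open."""
    return sorted(i["ref"] for i in items if (as_of - i["posted"]).days > max_days)


if __name__ == "__main__":
    matched, variances = reconcile(LEDGER, BANK)
    print("matched:", matched)
    print("variances to investigate:", variances)
    print("aged suspense items:", aged_suspense(SUSPENSE, date(2026, 5, 22)))
```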
Audit Committee
Effective internal control is not a solo endeavour; it is an interlocking defence system where distinct layers of oversight form a cohesive barrier against failure. The Board of Directors, as the ultimate custodians of governance, sets the “Tone at the Top,” while Shareholders provide external pressure for accountability and long-term value preservation. Within this structure, Board Committees serve as specialised sentinels. The Audit Committee ensures financial reporting integrity, while the Risk Committee identifies the structural vulnerabilities that could jeopardise the enterprise’s future. Management owns the execution, translating these high-level strategies into the daily discipline of the “first line of defence.” Their efforts are validated by Internal Audit, which provides the objective “intellectual dissent” necessary to challenge complacency and verify control efficacy. The system is further fortified by the External Audit, offering an independent lens on financial health, and Regulators, who define the mandatory guardrails of the industry. When these roles function in harmony, they create a robust ecosystem of transparency. This collective vigilance ensures that internal control is not just a checklist, but a living, breathing component of organisational character, protecting assets and upholding the earned authority of the leadership.
A sophisticated system of pillars and vehicles can still crumble if it is built on a foundation of “groupthink.” One of the most overlooked “internal controls” is a culture of intellectual dissent. In the boardroom and the C-suite, the absence of dissent is a risk in itself. When subordinates are too intimidated to point out a flaw in a senior’s logic, or when a Board lacks the “grit” to challenge a chairman’s view or the CEO’s ambitious but risky plan, the internal control system has failed at the highest level. True internal control requires a meritocratic environment where the best idea, or the most valid warning, wins, regardless of the rank of the person delivering it.
Furthermore, social discipline plays a vital role. In organisations where punctuality, meticulousness, and adherence to process are ingrained from the entry-level clerk up to the Managing Director, internal controls are not seen as an external imposition but as a shared professional standard. The strength of a corporation is not found in its grand successes, but in its ability to prevent catastrophic failures. Internal control is the “quiet” guardian of corporate value. By reinforcing the Pillars of environment, risk, communication, and monitoring, and by meticulously maintaining the Vehicles of segregation, authorisation, and reconciliation, a leadership team creates a “fail-safe” culture.
Internal control is about predictability. In an unpredictable global economy, the ability to ensure that internal operations remain disciplined, ethical, and transparent is the greatest competitive advantage a firm can possess. It is the difference between a company that survives a crisis and one that is consumed by it. It is time to introspect.
(The author is currently a Leadership Coach, Mentor and Consultant and has over 50 years of experience in very senior positions in the corporate world, local and overseas. www.ronniepeiris.com)