The Concept of Control and Internal Control Culture

The most comprehensive and internationally accepted definition of an internal control system or process in literature is: “a set of processes or systems that are affected by the board of directors, senior management, and all other employees of any entity, established to provide reasonable assurance regarding the effectiveness/efficiency of operations, compliance with existing regulations, and the reliability of financial statements.”

When further scrutinizing the definition, it is understood that internal control is a system that consists of a process that should be adapted and implemented by all employees. In this regard, internal control is a dynamic process where all employees take part, involving not only the control activities but also the management structure, authorities and responsibilities, operations, and decision-making mechanisms.

The internal control system should be continuously reviewed to ensure that risk-related measures are implemented promptly

Internal control defines the control process of an activity starting from the beginning to the end. For this reason, its continuation is essential during the activity, and therefore it must be applied by the ones in charge of the activity. This factor is the primary difference between the definition of audit and control. This is because an audit is conducted after completing the activity or work subject to audit.

In this respect, it would be correct to differentiate the job descriptions of internal control and internal audit units within the framework of the factors mentioned above. For example, internal control can be designed to play a role in the process design and process control steps to prevent potential risks, as well as putting all of these in writing with workflow diagrams. On the other hand, internal auditing can be designed to ensure the compliance of the processes with the actual implementation and workflow diagrams, as well as the accuracy and effectiveness of the control steps defined during the processes. This will ensure that the segregation of duties principle is fully compliant.

Internal control is a management tool designed to assist the bank or participation finance institution to achieve its objectives

Internal control is based on risk. When we define risk as situations or events that may cause unexpected damages or prevent the execution of activities aimed at achieving the strategic objectives of banks and participation finance institutions, each mechanism developed to counter these risks is internal control. In this regard, internal control is not an absolute goal. On the contrary, it is a management tool designed to help the bank or the participation finance institution achieve its goals.

Internal control begins with a strong internal control environment, and its own by the management. It covers all the functions and activities of the organization. In this sense, it concerns all departments. Internal control should not be conducted in addition to the current workflows. Instead, it should be designed and operated as part of the workflows. In the internal control system, the links between the processes and the workflows in which the relationships are defined must be present. The workflows in question should primarily include the activities that need to be performed to achieve the strategic objectives established by the bank or the participation finance institution. Risks related to these activities must be identified, and systematic and/or manual control mechanisms (internal controls) must be established against them.

These workflows and internal controls to prevent risks should be continuously reviewed. Additionally, steps should be taken for areas deemed necessary for improvement. Thus, a common risk perception and culture will be produced, and implementation standards will be established. Ultimately, this will contribute to establishing a database to measure the effectiveness of control.

With the establishment of the internal control system in this way, errors based on loss of assets, ease of misuse, loss of customers and/or income, and administrative decisions will be limited. Consequently, the prospect of difficulties in achieving the set goals will be reduced.

In the projections aimed to increase the share of participation finance institutions receive from the Turkish banking sector, in addition to the extensive fund allocation process, it is foreseen that the product variety for both resource allocation and fund utilization will gradually increase. As a result of these developments, it is natural that the risks exposed will also tend to increase in terms of quality/quantity. Therefore, it must be noted that designing an internal control system as a secondary control for all of these transactions in the hectic transaction volume and complexity would bring additional and substantial costs in terms of time and labour. It is important to note that such control mechanisms, which will be implemented after the process is complete, will not be sufficient to prevent the risk from happening.

It is vital for all employees to have open access to the established internal regulations

By identifying the issues that may cause the half-empty glass not to fill completely and contributing to the development and implementation of the measures that will affect the glass to remain full (in other words, the measures to be taken and applied to prevent breaking the jug before it is broken) are essentially the activities that form the basis of the internal control culture. It is vital for all employees to have open access to the established internal regulations regarding such activities.

In contrast, acquaintance and understanding of such regulations is a significant deficiency in the Turkish banking sector. From this point of view, the internal arrangements in question should be designed to be easily accessible, understandable, and applicable. What is more, they should also contain examples of everyday problems or previous risky transactions. Subsequently, the use of awareness as a benchmark of performance would be crucial to the formation, placement and expansion of the internal control culture of banks and participation finance institutions.