FMI*IGF JOURNAL, VOLUME 25, NO. 2, PAGE 28
INTERNAL CONTROLS – THE LOST VALUE PROPOSITION
a control operates. In other words, are we doing what we say we’re doing consistently? However, before you can assess how consistently a control operates, you must first consider its design. All too often, organizations design and implement controls which are meant to address what is perceived as the key risk: failing to meet the compliance requirement of a policy (e.g. the Treasury Board’s Policy on Internal Control,
This has resulted in controls being put in place to meet the requirement to have controls, a cycle that has repeated itself across too many organizations.
This was most evident in the response to one of the better known internal control requirements, Sarbanes-Oxley Act 404 (SOX 404). In early 2000, the US public markets were shaken by the collapse and demise of large organizations such as Enron and WorldCom. In response to these failures and to mitigate further loss of faith in the markets, lawmakers in the US created several pieces of legislation which would require publicly traded companies to be more transparent and forthcoming in their disclosure of how they identified and dealt with risks, both internal and external to their organizations. Organizations scrambled to meet deadlines for reporting on these new legislative requirements, and in that scramble, most found themselves in a position of creating controls for the sake of having controls.
Control design
The design of a control must consider the nature, extent and timing of the underlying risk before being considered for implementation:
• Nature of the risk: is the risk related to areas where significant judgement is involved? If so, the control should be designed to ensure the right person/people with the right knowledge to exercise the judgement are involved.
• Extent of the risk: how significant is the risk from a value perspective? Value could represent dollars, loss of time or other intangible measures. The control should be designed to include the appropriate level of scrutiny to address the level of value.
• Timing of the risk: how frequently does the risk present itself? Design of the control should consider the frequency to appropriately respond to the risk (i.e. daily, weekly, monthly, quarterly, and annually).
If the design of a control doesn’t adequately address these factors, the likelihood of it effectively mitigating the identified risk(s) is greatly diminished, and the likely outcome is controls which add no value to the organization or its key decision makers and stakeholders.
Control operation
The effective operation of a control, as alluded to at the start of this article, is the ultimate desired outcome. For controls to be effective, they must operate consistently without exception. The ability to demonstrate the consistency of operation is fundamental to an organization’s ability to rely on the control to prevent or detect a risk (or group of risks). Being able to rely on a control, as noted earlier, is significant as it provides its stakeholders with the ability to expect and predict a result with greater certainty than simply assessing detailed results. For example, if you can test the consistency with which an employee performs a pre-defined procedure that prevents the incorrect coding of an entry, you will have greater assurance that when thousands of transactions have been coded there are relatively few errors. If, in contrast, the employee processed those same transactions with an inconsistent approach, you would need to examine a significantly higher proportion of the coding results to get that same level of assurance. This example illustrates the importance of being consistent in the operation of a control.
Interpreting exceptions
When organizations and key decision makers do not understand or appreciate the need for controls to operate consistently, exceptions are typically not dealt with or reported appropriately. One of the most common failures is the application of the materiality principle. Materiality can be described as the value (typically expressed in dollars as it relates to financial reporting) at which an error or omission would impact a decision maker. Materiality, although important when considering the impact of a specific error or event, should only be considered in the realm of internal control assessments when performing the initial risk assessment. For example, in the context of internal controls over financial reporting, the key risk is that of material error or omission in the financial statements. Materiality, in partnership with risk, is important in the identification of what processes and accounts could cause significant errors to the financial statements. However, once a process/account has been determined to be material to the financial statements and the related risks and controls have been identified, materiality should not be considered further in the effectiveness assessment of those controls. The assurance which can be gained through leveraging effective controls can be quickly erased by improper consideration of noted exceptions.
When a control fails to operate as expected, the materiality of the exception or exceptions should not be considered when determining how to interpret the results. For example, assume a large organization with total expenditures in excess of $1 billion per year has several controls which reduce the risk of inappropriate travel expenses being claimed by employees. One of these key controls is the review and pre-approval of travel plans by cost centre managers before travel has been incurred. This control is tested using a random sample of 25 individual travel claims for expenses incurred during the period being assessed.
The test results in 23 claims in which the evidence of the manager’s pre-approval was clearly documented and performed in accordance with the design of the control. In the remaining two samples the evidence of the manager’s pre-approval was not found. The two travel expenses in question were for $500 and $1,500 respectively. It would be easy to take these results