Working In Uncertainty
Matthew Leitch column: Easier Turnbull compliance
by Matthew Leitch, first published 2003.
(This article first appeared under the title ‘The Matthew Leitch Column: evaluating is no substitute for taking action: time to make your mind up’ in Emerald Insight's publication ‘Balance Sheet’, volume 11 number 4, 2003.)
Which is more important: to know the effectiveness of your organisation's controls or to have better controls? It's not a difficult question, so isn't it odd that corporate governance regulations, and the efforts they have led to, focus on evaluating effectiveness above all?
For example, both the UK's Combined Code and the Sarbanes-Oxley Act's notorious sections 302 and 404 remind management that they are responsible for establishing and operating an effective control system, but the action they require is evaluation.
Less audit, more real action
The obvious way to meet regulatory requirements on internal control is to concentrate on doing the actions required by the rules. However, the obvious way is not the best way.
By concentrating instead on designing and implementing better internal controls you can get more value from controls experts and meet the regulatory requirements for evaluation more easily. This means shifting resources away from audit and evaluation and towards design and implementation.
Put it another way. What would you rather your internal control experts spent their time on: writing reports on how bad the controls are or working on projects to reduce overpayment of suppliers, eliminate incomplete billing, reduce customer order errors, increase systems availability, make management information more reliable and timely, cut fraud, reduce rework, and reduce the risk of releasing incorrect financial information to investors?
Refocusing on controls development is a way to cut controls evaluation costs. Here's how it works.
Firstly, control weaknesses consume much of the evaluation effort. Time is sucked into investigating, discussing, negotiating, drafting reports, redrafting reports, and then agonising over whether the weaknesses are important or not. The fewer weaknesses you have, the quicker the evaluation.
Secondly, good control systems need to be designed and that means documented in advance. This documentation is just what auditors need if they are to understand the processes, controls, and coverage of risk.
Thirdly, good control systems for large-scale processes use high-level monitoring reports that summarise statistics about the health of the process (e.g. its error rates and backlogs). These are powerful, continuous evidence of effectiveness, and auditors and management can use them to evaluate controls effectiveness very efficiently.
How to make it happen
Obviously this doesn't work if the controls do not improve enough, the design documentation is poor, or the control systems lack process health monitoring. Technique matters as well as resource allocation.
The right leadership is vital. An Audit Committee is needed for regulation and good governance but it is not the right group to drive internal control improvements. It is a non-executive body that reactively monitors information and evaluates assurance. What is needed is an executive committee at the same level to take decisions, proactively, and make the right things happen.
One of the most important activities for that top team is to anticipate where internal controls development effort and expertise will be needed. New systems, new products, new acquisitions, areas that are long overdue for attention - all should attract the committee's attention.
Architects and craftsmen
It is also vital to direct effort at the right types of controls. Organisations need to be able to design their internal control systems at a high level and deduce what expertise will be needed to build what has been designed. They need architects to ensure the system as a whole is well designed, structure the work into sub-projects, identify which builders and craftsmen are needed, and see the whole thing through to completion.
Organisations typically have many builders and craftsmen, but not enough skilled architects. Fortunately, being a controls architect is not as difficult as you might think. By looking at relevant characteristics of anticipated changes it is surprisingly easy to anticipate what is needed.
For example, if the plan is to sell insurance by telephone then the complex, abstract nature of the product (insurance) and the lack of written communication are huge hints that work will be needed to script or at least structure the sales conversation and test it, and that training call centre staff will need special attention. The computer system used will need to be ergonomically superb and the whole ensemble will need to be tested and refined together. These activities will be packed with internal controls.
The top team and its controls architects need to be particularly alert for occasions when risky changes come together. For example, if a company were to make its first overseas acquisition at the same time as adopting a long list of international accounting standards and relocating the group finance team, alarm bells should ring loudly. Relocation suggests distraction but also possible loss of key people at a bad time. New accounting standards and an overseas acquisition suggest a possible need to start capturing new data, or making new estimates. There may be retrospective calculations where data are hard to obtain. It may be necessary to start work on these as early as possible, and alongside the task of finding the data is the task of ensuring the data are reliable, i.e. that the controls work. If the new acquisition has a history that suggests weak controls, then a further project to pull it into shape may be needed, alongside work to harmonise it with the rest of the group.
Risk is an important driver for these decisions but not the only factor. For example, if there is very little time to build controls, that may mean that automated comparisons are not practical and clerks with spreadsheets will have to do the checking, at least initially. The people needed to put clerks and spreadsheets in place are different from those who would have developed automated controls.
Follow the leaders
A number of leading organisations have already moved in this direction by having executive Risk and Control Committees, separating risk managers from internal audit, and creating teams of doers. These are not luxuries that only the biggest companies can indulge in. They are sensible, efficient steps to get the best value from internal controls work.
Words © 2003 Matthew Leitch. First published 2003.