Research Series
A Top-Down Approach to Risk Management and Internal Control
Relying on Ongoing Monitoring to Test Controls Performance, to Reduce the Scope of Separate Testing
Issue 4
FERF Research Series, April 2007
A Top-Down Approach to Risk Management and Internal Control – Issue #4: Relying on Ongoing Monitoring to Test Controls Performance, to Reduce the Scope of Separate Testing
By R. Malcolm Schwartz
Purpose
This four-part report presents a business-centric and cost-effective approach to internal control and risk management using systems thinking and systems. This approach provides business benefits and helps enable compliance with the Sarbanes-Oxley Act of 2002 and other laws and regulations. This document is the fourth of the series, and it explores the use of monitoring to test the performance of controls. This FERF research series is being sponsored by BWise B.V.
Executive Summary
It is unrealistic to assume that the costs for risk management and internal control will be reduced simply by repeating the same process year after year. Experience alone will not generate all of the possible benefits. An approach that specifically addresses business benefits while enabling compliance is necessary. The purpose of this four-part series is to suggest how to do that by considering both the technical and managerial tools.
Selecting technical tools (software) is not the first step. First, have your managerial design in place. Otherwise, you will risk using software that does nothing more than make a marginal approach more efficient, and lose the opportunity to become more effective. This is what is happening to many companies after their early Sarbanes-Oxley compliance cycles. To improve effectiveness as well as efficiency:
1. Have a business process focus tied to business planning: integrate management and governance with operations and transactions processes to reduce costs of overlap and maintenance;
2. Use an aggregated risk assessment, to reduce documentation costs;
3. Use a process point of view, and not a financial-accounts point of view, to reduce further the costs of documentation as well as testing costs; and
4. Rely on ongoing monitoring to test the performance of controls and to reduce the scope of separate testing.
These are the issues examined in this four-part report. This part examines issue #4.
You can reduce costs and become more effective if you start with a focus on the business processes and:
• Prioritize to reduce the effort to what is necessary and valuable,
• Organize to use accountability as a key to control and performance,
These four management issues must be addressed first, and then the right projects and systems support can follow. Furthermore, if a template of a generic solution to the management design is the basis of your effort, then your work can focus on tailoring that generic design solution, and not on the larger effort of creating one from scratch.
In sum, begin with a management design that addresses risk management and internal control from a business-centric focus. Next, select systems and tools that will support this approach. Then, follow with audit activities as part of your business plans and operations. Financial executives are well aware that most business processes and most software applications treat compliance as a standalone function. This leads to added effort to develop separate programs and then integrate them. The problem is compounded by the extra work to maintain the integration and connectivity as one or more programs change. But a new approach to compliance and internal controls reporting will solve the problem: assess the relevant activities of the business and then develop a top-down approach to financial controls reporting.
Issue #4: Relying on Ongoing Monitoring to Test Controls Performance, to Reduce the Scope of Separate Testing
Too often, companies have created a separate program for testing the design and performance of internal controls, with little or no reliance on ongoing monitoring performed by persons who are accountable for processes and their activities and controls. That reliance on separate evaluations fits with an audit-centric perspective, because separate evaluations are what auditors do. Managers tend to rely on ongoing monitoring, because that is what managers do. Using ongoing monitoring as the basis for assessing the performance of controls is consistent with a management-centric approach. The issue is not whether or not to rely on ongoing monitoring, because you should be able to do so; it is how to make ongoing monitoring sufficiently rigorous that it can become the basis of assessing internal control performance.
Relying on rigorous ongoing monitoring of the performance of control activities does not eliminate separate evaluations. They still are needed to assess:
• The design of internal control activities (ongoing monitoring can only be used to assess the performance of internal control activities, and not their design); and
• The conduct and effectiveness of ongoing monitoring.
Nonetheless, using separate evaluations to assess the performance of ongoing monitoring, as distinct from using separate evaluations to assess the performance of controls, substantially reduces the scope and cost of separate evaluations, and reinforces the accountability of your people for results and the quick correction of deviations.
Relying on ongoing monitoring also is consistent with The COSO Framework,* each of whose five components needs monitoring:
• Control Environment – for the control culture and framework of your organization
• Risk Assessment – for the process of linking business objectives through risk management to internal controls
• Control Activities – for the specific reviews, approvals and other forms of control activities, and for the activities that they control
• Information and Communication – for information content and technology, and for how information is passed to and from various stakeholders
• Monitoring – for applying the sub-components of ongoing monitoring, separate evaluations and reporting deficiencies to the internal control framework
Relying on ongoing monitoring depends on and enables:
• Integrating managing and monitoring transaction, management and governance processes;
• Building accountability for monitoring employees’ sense of responsibilities;
• Measuring what is monitored;
• Addressing problems as they occur; and
• Reducing the scope and cost of separate evaluations as a means of testing control activities, and integrating separate evaluations with ongoing monitoring.
The design and conduct of an ongoing monitoring program can be made even more efficient if it is supported:
• with software that integrates controls and risk management with business planning, and
• from a process perspective.
*Internal Control – Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, September 1992, American Institute of Certified Public Accountants Publications Division. Sarbanes-Oxley requires that a complying company use a framework. The Securities and Exchange Commission in turn cited The COSO Framework, and the Public Company Accounting Oversight Board uses it extensively. As a consequence, most complying companies claim that they are using The COSO Framework, but many have confused it with the illustrative evaluation tools attached to it. This has led to it being both misunderstood and misused.
Integrating Managing and Monitoring
Addressing control as a management-centric, and not an audit-centric, issue makes sense. Earlier in this series it was stated that elaborate management design is much less costly than elaborate execution. An analogy was made to quality control, for which it has been stated that $1 spent on quality design will save $10 in quality inspection, or $100 in quality correction. This does not eliminate the need for inspection and correction, or for monitoring and correcting deficiencies. Effective design cannot eliminate monitoring, because you must deal with whether or not the design is effectively performed. But, with effective design, you can expect that monitoring finds fewer problems and corrects them quickly. Such a design, as discussed earlier, depends on:
• A top-down, business-focused risk assessment, which in turn depends on a granular, bottom-up business design;
• Comprehensive business process design, which can enable reduced documentation;
• Segmenting the process steps to their component activities, and then, for example, relating these activities to specific programs, such as the various financial statement accounts for Sarbanes-Oxley compliance, or the various selling and supply chain activities for launching a new product;
• Having detailed insights into the information contained in business documents, in order to understand how to integrate them; and
• Having accountable ongoing monitoring in place at the activity level, so that testing can rely largely on ongoing monitoring.
To illustrate this integration of managing and monitoring across The COSO Framework, consider staff competency, part of the Control Environment component. In order to certify the accounts receivable process,* the competencies of the staff involved (accounts receivable clerks and the controller) need to be assessed, by considering:
• The position descriptions, which should include control and monitoring accountability;
• The current appraisals, to assess performance as compared to what is in the position descriptions; and
• The development plans, to determine that any gaps in competencies are not only identified but also corrected.
*One process example, “Maintain accounts receivable reserves”, is being used throughout this four-part research series, so that a great deal of specifics about the selected process can be shown and discussed. “Maintain accounts receivable reserves” was selected because it involves:
(1) Both operations and financial reporting objectives, so it helps to explain the value of integrating business and compliance planning and management;
(2) Judgments and estimates, so it relates to the area of major risk regarding accurate financial statements;
(3) Transaction, management and governance processes, so it illustrates how these different types of processes can be integrated; and
(4) A number of different forms of documentation, so it illustrates how they can be integrated.
These are outputs of human resources processes. The design of forms and the procedures for generating and approving position descriptions, appraisals and development plans also are outputs of human resources processes. So, the sub-component of Control Environment, in The COSO Framework, that deals with the matter of competency includes, integrates and leads to monitoring of:
• A transaction process dealing with the valuation of accounts receivable;
• A management process that identifies the accountability for the design and operation of these human resources processes; and
• A governance process that oversees and monitors the above processes.
Every one of these processes and their activities should be monitored, particularly if their effect on objectives (for Sarbanes-Oxley, these are financial reporting objectives) can be substantial. So, integrating management and monitoring includes integrating the monitoring of the transaction, management and governance processes. For the example being used, this leads from gaining comfort in human resources processes to gaining comfort in an accounts receivable reserve process that is well-controlled, and then leads to enabling its certification.
The outputs of the human resources processes in this case become inputs for a number of transaction processes, all of which depend on competent staff performing them, and in turn depend on the evaluation of staff and the ensuing development plans. These outputs of managerial processes can be monitored, which increases their visibility and control. This level of control through monitoring is more difficult with checklists and spreadsheets, because the lack of integration leads to more effort and cost, and reliance on them can cause control risk.
Building Accountability for Monitoring Employees’ Sense of Responsibility
By integrating control activities with management activities, you should expect personnel to monitor the activities for which they are accountable. Testing should begin as ongoing monitoring performed by the owner of the process or activity. Then, independent testing (separate evaluations) can be done of this ongoing monitoring, and not of the performance of the controls as such. This leads to better monitoring, faster responses to problems, and lower costs for separate, built-on testing (only ongoing monitoring is built-in testing; separate evaluations by their very nature are built-on testing).
Ongoing monitoring also enables integrated certification by the process owner: a “horizontal” certification based on monitoring the process for which the certification is to be issued. When these horizontal certifications are aggregated, the “vertical” certification can be done at both the business unit and corporate levels by the CEO and CFO.
Accountability of this sort also is important to cost-effectiveness; recent research* indicates that managers, how they monitor and how they are motivated (principles of good control) are more important to company performance than other structural factors. In other words, mediocre management and control correlate with mediocre monitoring and corporate results. This research notes that, in studying a set of 18 management practices:
• One company used monitoring only when output dipped, to spur action, and then discontinued the monitoring when output rose; so there was no way to track performance against business objectives. This is sporadic, and not ongoing, monitoring.
• A second company monitored performance indicators continually, but did not share this information with operating personnel, thus depriving them and the company of improvement efforts. This is non-communicative ongoing monitoring.
• A third company used displays to show personnel where their performance ranked against daily targets and other goals. Managers met with operating personnel every morning to discuss the previous day’s performance and today’s agenda; provided a monthly overview and summary; and used lunch breaks to provide feedback on performance, achievements and improvement opportunities. This is effective ongoing monitoring.
There are several lessons from this research, which found a statistically supportable correlation in performance among these companies:
• Good people enable good performance.
• Good management techniques provide a setting for good people to perform better.
• Control as envisioned in the principles of The COSO Framework (beginning with a control environment of, among other components, competent people, well-designed policies and procedures, effective communications, and reinforcing human resources policies) is built into those good management techniques.
• Good management techniques rely on monitoring of actual performance compared to targets to provide a focus for goals, for performance in the context of current practices and for improving current practices. The result is accountable people working smarter, not harder.
Working smarter and those good management techniques include a good, integrated approach to monitoring, with a heavy reliance on ongoing monitoring. As noted earlier and for various reasons, companies often treat monitoring of controls performance as a separate program that is well-linked neither to their business objectives nor to accountability. This audit-centric approach can lead to wasted effort, lack of reinforcement of accountability for performance and control, and wasted time and cost.
* Conducted in 2005 by McKinsey and the Center for Economic Performance at the London School of Economics.
Exhibit 1, shown before in this series and repeated below, illustrates how monitoring is linked with business planning and improvement. This monitoring (for minor, operational and control risks) involves the organization broadly. Monitoring this way enables you to focus on what is done to produce the results that you plan to have, and to make course corrections. You get your desired results by controlling what people do and their commitment to doing it. And, by linking monitoring and accountability, you are able to continually address results in terms of risks and controls.
Exhibit 1 Management and Monitoring for Internal Control and Risk Management
(Figure not reproduced; the labels that survive from it are: Operational risks, Control risks, Focused documentation.)
Link monitoring and accountability both for internal processes and their outputs (such as a sale posted to the sales ledger) and for processes that rely on external outputs and stimuli. In the generic business model in Exhibit 2, many important business risks are consequences of external parties and their actions. For the accounts receivable reserve, threats to revenue, and market threats and opportunities (from changes in revenue patterns, to economic downturns, to natural disasters) can influence customers’ ability to pay.
So, ongoing monitoring can address not only how well activities are performed, but also what might happen in the future. In this regard, the first activity in the accounts receivable reserve process is “Review economic trends”; this is an operations activity that involves monitoring external influences on future performance. From the standpoint of internal control related to financial reporting, the last step of the process, “Certify accounts receivable reserve maintenance”, can include monitoring that the review of economic trends was performed timely and well.
Exhibit 2 The Generic Business Model in Context
(Figure not reproduced: “Generic Business Model – Context Level”. The labels that survive from it are the external flows Other Sources, Revenue Opportunities & Threats, Compliance & Persuasion, Shared Ventures, Reports, Funds, Market Threats & Opportunities, Skills & Experience, Staffing Needs, Available Technology Capabilities, Specifications, Purchase Orders, Purchased Goods & Services, Purchase Requests, Shipped Product and Service; and the process areas Inbound, Operations, Outbound, Marketing & Sales, Services, Procurement, Technology Development, Human Resources, and Admin / Run the Enterprise.)
This generic model of the business in the context of its surroundings puts monitoring accountability in all business processes. And, because an activity might be part of several processes, accountability for monitoring should be in each activity.
The question then is: how should you do ongoing monitoring on an activity?
Measuring What is Monitored
The quick answer is that an activity should be monitored on an ongoing basis by measuring its output. In the example of maintaining the accounts receivable reserve, the result, or output, of the connected set of activities being performed is the update of the accounts receivable reserve value in the general ledger. But it is more than that. The output (of the process overall, and of each of the activities) has certain measurable values associated with it. These values, where appropriate, can include accuracy, completeness, compliance (with both external laws and regulations, and with internal policies) and timeliness; so the output of this process is better stated as “accurate, compliant and timely posting of the reserve value to the general ledger” (which, by the way, clearly states that the risks associated with this process involve inaccuracy due to misfeasance or malfeasance, non-compliance, and/or lack of timeliness).
By dealing with these dimensions of risk and control, issues of fraud and mismanagement can be incorporated and addressed as part of the basic process, and not as separate processes; this also leads to reduced costs and risks, and to better control. For the illustrative process and in the generic template, Exhibit 3 shows which measures of risk and control (key control indicators, or KCIs) apply to which of the activities.
Exhibit 3 Key Control Indicators by Activity in “Maintain Accounts Receivable Reserves”
Activity Accuracy Completeness Compliance Timeliness
Maintain and communicate credit policy
Approve accounts receivable reserve
Post accounts receivable reserves to general
Approve accounts receivable reserves posted
Certify accounts receivable reserves
The control of the review of economic trends primarily depends on its being complete. The control of the calculation of the reserve, and approval of it, depends on the accuracy of the calculation and on its compliance with policy and procedure; the control on timeliness can be determined following the next activity in the process, which does not need to be monitored for compliance if the preceding calculation activity is compliant. And, the certification monitoring depends on the completeness and compliance both of the activities themselves and of the associated monitoring.
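The following is an added worked example, not code from the report or from BWise: it scores one period's run of the “Maintain accounts receivable reserves” process on the KCIs described above, activity by activity, using the reading of Exhibit 3 given in the preceding paragraph (review of trends on completeness; calculation and approval on accuracy and compliance; the following posting step on timeliness; certification on the completeness and compliance of the prior activities and their monitoring). The policy values (reserve rates per aging bucket, approval limit, posting deadline), the field names and the sample run are constructed assumptions for illustration.

```python
"""Ongoing-monitoring checks for the "Maintain accounts receivable reserves" process.

Added illustration, not code from the report: one period's run of the process is
scored on the key control indicators (KCIs) the text names (accuracy,
completeness, compliance, timeliness), activity by activity. The policy values,
field names and sample run below are constructed assumptions.
"""
import copy
from datetime import date, timedelta

# Assumed policy: reserve rate per aging bucket, the approver's authority limit,
# the posting deadline after period end, and the trends a review must cover.
POLICY = {
    "rates": {"current": 0.01, "31-60": 0.05, "61-90": 0.20, "over90": 0.50},
    "approval_limit": 250_000.00,
    "posting_deadline_days": 5,
    "required_trends": {"gdp", "unemployment", "sector_defaults"},
}

# Constructed sample run of the process for one period (every step in control).
SAMPLE_RUN = {
    "period_end": date(2007, 3, 31),
    "review_trends": {"trends_reviewed": ["gdp", "unemployment", "sector_defaults"]},
    "calculate_reserve": {
        "preparer": "ar_clerk_1",
        "aging": {"current": 500_000.0, "31-60": 120_000.0, "61-90": 40_000.0, "over90": 30_000.0},
        "rates_used": {"current": 0.01, "31-60": 0.05, "61-90": 0.20, "over90": 0.50},
        "reserve": 34_000.00,
    },
    "approve_reserve": {"approver": "controller", "amount_approved": 34_000.00},
    "post_reserve": {"posted_on": date(2007, 4, 4), "amount_posted": 34_000.00},
    "certify_reserve": {
        "certified_by": "controller",
        "evidence_for": ["review_trends", "calculate_reserve", "approve_reserve", "post_reserve"],
    },
}

PRIOR_ACTIVITIES = ["review_trends", "calculate_reserve", "approve_reserve", "post_reserve"]


def expected_reserve(aging, rates):
    """Recompute the reserve from the aging buckets and the policy rate table."""
    return round(sum(aging[bucket] * rates[bucket] for bucket in rates), 2)


def monitor_activities(run, policy):
    """Score each activity on the KCIs that apply to it (the text's reading of Exhibit 3).

    Returns {activity: {kci: True if in control}}. The certification step is
    scored last because it monitors the monitoring of the four prior activities.
    """
    calc, appr, post = run["calculate_reserve"], run["approve_reserve"], run["post_reserve"]
    results = {
        # Review of economic trends: what matters is that it is complete.
        "review_trends": {
            "completeness": policy["required_trends"] <= set(run["review_trends"]["trends_reviewed"]),
        },
        # Calculation: accurate arithmetic, and rates taken from policy.
        "calculate_reserve": {
            "accuracy": abs(calc["reserve"] - expected_reserve(calc["aging"], policy["rates"])) < 0.01,
            "compliance": calc["rates_used"] == policy["rates"],
        },
        # Approval: the approved amount matches the calculation; the approver is a
        # different person from the preparer and acts within authority.
        "approve_reserve": {
            "accuracy": abs(appr["amount_approved"] - calc["reserve"]) < 0.01,
            "compliance": appr["approver"] != calc["preparer"]
            and appr["amount_approved"] <= policy["approval_limit"],
        },
        # Posting: timeliness is judged on this following step, as the text notes.
        "post_reserve": {
            "timeliness": post["posted_on"] - run["period_end"]
            <= timedelta(days=policy["posting_deadline_days"]),
        },
    }
    # Certification: complete if evidence covers every prior activity; compliant
    # only if every prior activity's own KCIs passed (monitoring the monitoring).
    cert = run["certify_reserve"]
    results["certify_reserve"] = {
        "completeness": set(PRIOR_ACTIVITIES) <= set(cert["evidence_for"]),
        "compliance": all(all(results[a].values()) for a in PRIOR_ACTIVITIES),
    }
    return results


def deviations(run, policy=POLICY):
    """List the (activity, kci) pairs that are out of control, for the owner to correct."""
    return [(a, k) for a, kcis in monitor_activities(run, policy).items()
            for k, ok in kcis.items() if not ok]


def late_self_approved_run():
    """Constructed variant: the preparer approves their own work and posting is late."""
    run = copy.deepcopy(SAMPLE_RUN)
    run["approve_reserve"]["approver"] = "ar_clerk_1"
    run["post_reserve"]["posted_on"] = date(2007, 4, 12)
    return run


if __name__ == "__main__":
    print("clean run deviations:", deviations(SAMPLE_RUN))
    print("bad run deviations:", deviations(late_self_approved_run()))
```

The point of the last scoring step is the one the text makes about certification: because it depends on the prior activities' monitoring, a single failed KCI anywhere upstream (here, a self-approval or a late posting) also fails the certification's compliance indicator, so the deviation is visible to the process owner at the point of certification rather than only to a later separate evaluation.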
As an aside, and as noted previously, these key control indicators correlate well to the statements of assertion, as shown in Exhibit 4; so using KCIs for monitoring also enables addressing the statements of assertion, if appropriate for Sarbanes-Oxley compliance. By serving two purposes, the use of KCIs provides an even more cost-effective solution.
Exhibit 4 Correlation of Key Control Indicators with Financial Statement Assertions
(Figure not reproduced; it correlates the Key Control Indicators Accuracy, Completeness, Compliance and Timeliness with the Financial Statement Assertions (account assertions).)