"Controls" Is Not a Dirty Word - Insights Into Controls Challenges and Solutions
Few words spark more angst in business circles than “controls”
|Wednesday, July 29, 2015|
July 29, 2015
Few words spark more angst in business circles than “controls.” No one wants to be controlled, yet controls are an integral part to any business. Unfortunately, many people equate the word to a costly compliance exercise, largely thanks to the Sarbanes-Oxley Act of 2002 (SOX). This is not an article on SOX, but rather a look at how and why controls should be understood and appreciated by all organizations, regardless of type, industry or size. Defining and assessing controls is simply a sound business exercise regardless of regulatory compliance considerations.
However, before we leave SOX, there is a common question I want to address. Private companies and nonprofit organizations often inquire if SOX makes sense for them. First of all, let’s put this in perspective. SOX contains 66 sections within 11 titles covering a wide range of governance, audit, business, regulatory and enforcement topics. By far, the most common section is 404 entitled Management Assessment of Internal Controls. So for simplicity of addressing this question, I will approach it from this single section. Section 404 requires an annual management assessment of the effectiveness of the Internal Controls over Financial Reporting (ICFR), as well as an external audit opinion on ICFR for public companies reaching certain size thresholds. The answer is a definite “yes” regarding periodic management assessments, as this is simply a prudent business practice. As it pertains to additional attestation work, this is likely not warranted for most organizations. Instead, companies should ask their auditor to point out areas for control improvements as they obtain an understanding of ICFR for planning their audit of the financial statements. This independent feedback can be a valuable piece of the audit value proposition.
Challenges and Solutions
The challenge in implementing Section 404, or any controls project, is turning it from a potential value destructive exercise (where costs are greater than benefits) to one of value creation (where benefits are greater than costs). Keep in mind that “controls” are simply policies, procedures and actions within a process to help reasonably ensure that Board and management objectives are carried out. The objectives can relate to any business facet. Three distinct but overlapping categories of objectives are defined by The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in their publication entitled Internal Control – Integrated Framework, 2013:
Keep in mind that SOX 404 only addresses financial reporting controls pertaining to the audited financial statements. This is a relatively small sliver of scope when compared to a company’s entire array of objectives. For many organizations this is a lost opportunity, as they often restrict their control assessment focus to ICFR. Much value can be unleashed when applying control assessment practices to a wider scope of objectives.
Regardless of the scope of the implementation and assessment effort, the key to success is to understand the objectives and relating risks, and then focus on controls to mitigate those risks to best meet objectives. Never start with controls, as this is a recipe for disaster. Everyone involved with controls, starting with the Board of Directors down to control owners, needs to understand why controls exist through direct linkage to objectives and relating risks. If a control can not be traced to an objective, then it is likely not serving a cost-beneficial purpose.
Additional challenges and implementation considerations regarding control assessments include:Objectives and Risks:
Take Action: Robust controls and assessments are akin to buying an insurance policy in that you can’t buy it retroactively after the damage is done. Strong controls need to be in place at all times. Taking ownership of objectives, risks and opportunities to preserve and maximize shareholder value is accomplished through controls. Organizations should be vigilant in educating their people on the importance of objectives, risks and controls. Management should take appropriate action to ensure that controls are properly designed and operating correctly.
In summary, controls should be viewed as your friend, not your enemy. Don’t be intimidated by the semantics of the word. Instead, realize that business controls should be leveraged to maximize shareholder value across all three areas of objectives – operations, reporting and compliance. Perhaps it is time to revisit your controls effort to ensure that the return on investment is positive.