
Control Effectiveness: Management’s Role

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By Kevin P. Riley
May 21, 2019

Controls and control effectiveness were discussed as topics among a group of state government public servants.

The group, operating as a risk assessment team, was identifying controls to mitigate a range of identified risks. At one point internal audit was nominated as the control activity to mitigate a specific risk.

This led to an active discussion about two key questions:

  1. Is internal audit a control?
  2. And if internal audit is not a control, what is management’s role in ensuring that controls are operating effectively?

There were quite a few differing opinions expressed and it made me consider the questions more fully.

Internal Audit 

The Institute of Internal Auditors’ mission statement for internal audit is:

“To enhance and protect organizational value by providing risk-based and objective assurance, advice and insight.”

This answers the first question: Internal audit is not a control. The mission statement makes it clear that internal audit provides an organization’s accountable authority (the board, secretary or chief executive) with assurance, advice and insight.

This is consistent with what is often referred to as the three lines of defense model. This model identifies:

  • The first line—Business units and operating functions: These are responsible for owning their risks and measuring and managing the risks on a day-to-day basis.
  • The second line—Risk and compliance functions: These are responsible for establishing the risk and control policies and frameworks, processes and procedures and gathering information to support decisions by the accountable authority on risk and control criteria.
  • The third line—Internal audit: This is responsible for providing independent assurance of the second and first lines of defense.

Of course, this then leads to the much more significant question: If internal audit is not a control, what must management do to achieve control effectiveness?

Management’s Review of Controls

From my experience, many managers are almost completely unaware of the fact that the actions they take, the policies and procedures they follow, and the approvals and reviews they apply and undertake are controls. From the perspective of many managers, internal controls are the things the finance, procurement or legal departments do. Better identifying and integrating control activities and embedding them in day-to-day management actions is a starting point to enhancing control effectiveness.

However, it is also important to distinguish management’s monitoring activities from the specific control activity, especially when the control activity involves supervisory review. Supervisory reviews are controls to respond to a specific risk. Management review activities are designed to assess whether controls are operating as intended.

The table below sets out examples of supervisory reviews as controls and management reviews required to ensure the control is operating.

| Supervisor Reviews as Controls | Management Reviews of Control Effectiveness |
| --- | --- |
| A delegate reviewing the business case for a proposed procurement. | Review of a sample of procurements to ensure material procurements have been subject to a business case review. |
| Reviewing and acting on exception reporting. | Reviewing the frequency of exceptions including by type and nature and of the follow-up action. |
| Regular performance reviews and feedback discussions with staff. | Reviewing to ensure performance reviews and feedback discussions with staff are occurring as required. |

Formalizing the Process of Management’s Review of Control Effectiveness

There are several actions that organizations can take to support more formalized management review of controls. These actions will not only act to test the effectiveness of controls, but also strengthen the first line of defense.

Better integrating controls into business processes

Designing in the most appropriate controls at the most appropriate point in the business process is a key management function. It will contribute to:

  • Lifting the level of awareness about controls.
  • Focusing the control on the specific risk.
  • Removing unnecessary or redundant controls.
  • Simplifying business processes.

Cross functional teams undertaking a review will ensure that the evaluation of controls is being viewed from an end-to-end business process perspective.

Ongoing or separate control evaluation reviews

Evaluation reviews focus on the operating effectiveness of controls. Management, on a predetermined timeframe, reviews and evaluates the controls to ensure that they are operating as intended. The control evaluation reviews must include identifying why breakdowns in controls are occurring. This will form the basis of redesigning the control and the business process.

Business events and transactions that have higher levels of risk are typically reviewed more frequently.

Risk performance reporting

Utilizing key risk indicators and regular reporting of risk events can inform management on the operating effectiveness of controls. Regular reporting will also raise the level of awareness of risks.

When assessed against a baseline, management can identify when a deep dive may be required to test the effectiveness of controls.


As we move towards more risk-based operating models we need to know about better balancing risk and control.

Formalizing management’s responsibility for demonstrating control effectiveness will contribute to strengthening the organization’s control environment, including a more positive culture around engaging with risk. We can positively engage with risk when we know the controls are operating as intended.

Testing control effectiveness, in design and in practice, is a key management responsibility, and not one to be left to internal audit.

Author: Kevin P Riley is the Managing Partner of GPA Partners, a Canberra based firm advising on governance, performance and accountability matters. Kevin was born in Warwick, R.I. and continues to follow U.S. governance arrangements closely. Kevin is a Fellow with both CAANZ and CPA Australia and is a Qualified Accountant with the UK based CIPFA. Kevin is a National Councillor of the Institute of Public Administration Australia Inc. Kevin can be contacted by email at [email protected]
