Wednesday, January 20, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Featured

“Controls” Is Not a Dirty Word – Insights Into Controls Challenges and Solutions

by Ron Kral
July 29, 2015
in Featured, Governance
“Controls” Is Not a Dirty Word – Insights Into Controls Challenges and Solutions

This is an article reprint from the Governance Issues™ Newsletter, Volume 2015, Number 3, published on July 17, 2015.

Few words spark more angst in business circles than “controls.” No one wants to be controlled, yet controls are an integral part to any business. Unfortunately, many people equate the word to a costly compliance exercise, largely thanks to the Sarbanes-Oxley Act of 2002 (SOX). This is not an article on SOX, but rather a look at how and why controls should be understood and appreciated by all organizations, regardless of type, industry or size. Defining and assessing controls is simply a sound business exercise regardless of regulatory compliance considerations.

However, before we leave SOX, there is a common question I want to address. Private companies and nonprofit organizations often inquire if SOX makes sense for them. First of all, let’s put this in perspective. SOX contains 66 sections within 11 titles covering a wide range of governance, audit, business, regulatory and enforcement topics. By far, the most common section is 404 entitled Management Assessment of Internal Controls. So for simplicity of addressing this question, I will approach it from this single section. Section 404 requires an annual management assessment of the effectiveness of the Internal Controls over Financial Reporting (ICFR), as well as an external audit opinion on ICFR for public companies reaching certain size thresholds. The answer is a definite “yes” regarding periodic management assessments, as this is simply a prudent business practice. As it pertains to additional attestation work, this is likely not warranted for most organizations. Instead, companies should ask their auditor to point out areas for control improvements as they obtain an understanding of ICFR for planning their audit of the financial statements. This independent feedback can be a valuable piece of the audit value proposition.

Challenges and Solutions

The challenge in implementing Section 404, or any controls project, is turning it from a potential value destructive exercise (where costs are greater than benefits) to one of value creation (where benefits are greater than costs). Keep in mind that “controls” are simply policies, procedures and actions within a process to help reasonably ensure that Board and management objectives are carried out. The objectives can relate to any business facet. Three distinct but overlapping categories of objectives are defined by The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in their publication entitled Internal Control – Integrated Framework, 2013:

  • Operations objectives pertain to effectiveness and efficiency of the entity’s operation, including operational and financial performance goals and safeguarding assets against losses.
  • Reporting objectives pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency or other terms set forth by regulators, standard setters or the entity’s policies.
  • Compliance objectives pertain to adherence to laws and regulations to which the entity is subject.

Keep in mind that SOX 404 only addresses financial reporting controls pertaining to the audited financial statements. This is a relatively small sliver of scope when compared to a company’s entire array of objectives. For many organizations this is a lost opportunity, as they often restrict their control assessment focus to ICFR. Much value can be unleashed when applying control assessment practices to a wider scope of objectives.

Regardless of the scope of the implementation and assessment effort, the key to success is to understand the objectives and relating risks, and then focus on controls to mitigate those risks to best meet objectives. Never start with controls, as this is a recipe for disaster. Everyone involved with controls, starting with the Board of Directors down to control owners, needs to understand why controls exist through direct linkage to objectives and relating risks. If a control can not be traced to an objective, then it is likely not serving a cost-beneficial purpose.

Additional challenges and implementation considerations regarding control assessments include:

  1. Objectives and Risks: Objectives will come in many different varieties, from high-level strategic initiatives down to departmental, functional and project objectives. These should be clearly articulated, followed by a risk assessment in achieving the objectives. Only then should controls be considered to mitigate risks to acceptable levels. Once objectives are determined, the resources expended on controls should follow the higher levels of risks in terms of probability of occurrence and significance in achieving the objective. This is known as a risk-based approach.
  2. Factor in Changing Landscapes: Operating, marketplace, regulatory and competitive landscapes are frequently changing. Objectives and risks should not be viewed as static, but rather as constantly evolving. As a result, controls must also change to keep pace. Yet this is a common mistake, as organizations often opt to review their controls on an annual basis. Controls need to move in tandem with both internal and external changes. For example, changes will need to be made to the ICFR of companies on U.S. GAAP as a result of new accounting pronouncements, such as ASU 2014-09 – Revenue from Contracts with Customers. Cybersecurity objectives and risks is another common example, which can directly impact all three categories of objectives – operations, reporting and compliance.
  3. Scalability: The depth and rigor of any controls effort will vary greatly between companies as it is dependent on a host of variables. The larger and more complex the business, the more risks in terms of shareholders, regulators, creditors and other stakeholder groups. As a result, more resources are warranted for larger, more complex organizations toward ensuring that strong controls are present and functioning.
  4. Leverage a Framework: Control frameworks are an excellent tool for jump-starting a controls implementation or assessment project. A framework should be thought of as a starting point rather than an end-point, since a company’s controls are unique to them and should not blindly conform to the details of a framework. It is much easier and more cost efficient to leverage control efforts starting with a strong framework, such as COSO’s Internal Control – Integrated Framework, 2013.
  5. Focus on Substance over Form: Substance over form is a powerful dynamic typically in the middle of defining successful control efforts. The substance of any controls evaluation is simply ensuring that people (and systems) understand what needs to be done and ensuring that people and systems are acting accordingly. The first part of this previous sentence addresses the design of controls, while the second part deals with the operating effectiveness of controls. Both need to be evaluated for a successful controls assessment. Unfortunately, too many companies get overly caught up in the documentation element of a controls implementation effort, thus focusing on the form over the substance of controls. As a result, resources may be wasted with little benefit to show.
  6. A Dose of Independence: As with any assessment, it is beneficial to have people who are not involved with the control environment conduct the assessment. While management should clearly be supervising and monitoring controls under them, an independent assessment introduces objectivity and the opportunity to bring in fresh ideas. Utilizing an internal audit function or competent third-party resources are viable options.
  7. Take Action: Robust controls and assessments are akin to buying an insurance policy in that you can’t buy it retroactively after the damage is done. Strong controls need to be in place at all times. Taking ownership of objectives, risks and opportunities to preserve and maximize shareholder value is accomplished through controls. Organizations should be vigilant in educating their people on the importance of objectives, risks and controls. Management should take appropriate action to ensure that controls are properly designed and operating correctly.

In summary, controls should be viewed as your friend, not your enemy. Don’t be intimidated by the semantics of the word. Instead, realize that business controls should be leveraged to maximize shareholder value across all three areas of objectives – operations, reporting and compliance. Perhaps it is time to revisit your controls effort to ensure that the return on investment is positive.


Tags: internal controls
Previous Post

Free eBook Download: The Art of the Internal Investigation

Next Post

The Saintliness of Burly Sinners

Ron Kral

Ron Kral (CPA, CMA, CGMA) is a partner of Kral Ussery LLC, a public accounting firm delivering advisory services, litigation support and internal audits. He serves public and private companies to protect and grow shareholder value, as well as nonprofits and governments on internal controls to combat errors and fraud. Ron has worked with hundreds of clients as a public accountant offering robust solutions on accounting, auditing, controls, ethics, anti-fraud programs, governance and SEC regulatory matters. Prior to forming a predecessor firm to KU in 2003, he was a general manager for a large technology company traded on the NYSE. Ron was also a principal consultant with PwC leading operational audits and internal control projects. He began his public accounting career with a California CPA firm as a financial auditor and was responsible for signing audit opinions upon becoming managing director of the firm’s Orange County office. Ron launched his career as a performance auditor with the California State Auditor. Ron is a highly rated speaker and facilitator, including for COSO’s Internal Control Certification Program for the AICPA. He also served on FEI’s working group for the development of COSO’s 2013 control framework and is a member of four of the five COSO-sponsoring organizations: the AICPA, FEI, IIA and IMA. Ron holds an MBA from Arizona State University and a BBA from the University of Wisconsin-Madison. He can be reached at www.linkedin.com/in/ronkral.    

Related Posts

man working on smartphone and laptop

Adverse Media Screening: Relying on Google Alone Can Expose Organizations to Risk

January 19, 2021
hand showing three fingers on gray background

A Culture of Compliance: The 3 R’s

January 19, 2021
2021 with light bulb in place of zero on orange background

Why 2021 is a Fresh Start for Compliance Training

January 18, 2021
challenge and solution concept with person standing at large gap

General Counsel Post-Pandemic: A Catalyst for Risk Fragmentation

January 18, 2021
Next Post
Real Life Design / Shutterstock.com

The Saintliness of Burly Sinners

Access realtime data

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management culture of ethics cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security internal audit KYC/know your customer machine learning monitoring regtech reputation risk risk assessment Sanctions SEC social media risk technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights