29 May 2023

The Evidence is the Control

The most comprehensively documented system of internal control does not provide any assurance that the enterprise is effectively, or even adequately, controlled. From a Risk Management perspective, controls are irrelevant; only the evidence of the functioning of the control is the control.

Let's consider the role of Risk Management in providing real assurance, and how to make this real.

I've posted the article on LinkedIn here

And below:

The most comprehensively documented system of internal control does not provide any assurance that the enterprise is effectively, or even adequately, controlled. We are so used to the SOX-generated idea that the system of internal controls needs to be documented, and where there are perceived to be inadequate controls, more controls need to be introduced and documented. This is limited, of course, to “controls over financial reporting”, as required by Sarbanes-Oxley (SOX).

This has resulted in probably hundreds of millions of dollars, probably billions, being spent to document controls over financial reporting, and then Internal Audit (and External Audit) testing of those controls. A windfall for the Internal Audit profession and for External Audit firms. After all, well-documented controls, especially when the critical controls are tested, are the backbone of a sound system of internal controls. Or are they?

We need to move from the paradigm that a documented system of internal controls equates to an effectively controlled entity. Nothing could be further from the truth, and this is why we have both Internal and External Audit. Internal Audit tests the controls, recommends improvements to controls and provides “assurance” to senior management and the board that the controls are functioning. External Audit places limited reliance (anything more and they couldn’t demand the level of fees they do) on the work of Internal Audit and on the controls. 

I’ve missed the “risk” word above. Of course, Internal Audit should determine the controls to test on a risk-assessed basis. Yet too frequently, Internal Audit focuses on the highest-risk areas (that is appropriate) while year after year, the non-high-risk areas effectively get a pass. There simply are not and never will be enough Internal Audit resources to test all areas.  

After all, a fire will destroy the kitchen and house, while the ants will slowly denude the pantry. So we audit the fire alarms, and make sure there is a fire extinguisher (have you checked the date on it recently?), but we don’t hunt for ants unless they are right in front of our faces.

To paraphrase Hemingway, internal control failures happen slowly, and then all at once.

So the classic three-year rolling Internal Audit programme never seems to get to the bottom two-thirds of the potential auditable areas. What does this mean? Fundamentally, too much of the entity will never be audited, and there will never be evidence that the controls are or are not functioning.

And here is our problem. It will be one of those areas, probably not directly related to ‘financial reporting’ that will ‘go bad’, resulting in significant problems and costs. 

The evidence IS the control.  

Who cares if there is a full set of documented controls if operational management knows perfectly well that Internal Audit will never reach two-thirds of the entity, i.e. their function, system, or process? This frees up resources that said operational manager can spend on people, supplies, laptops, etc., because they know that the cost of the control can be deferred: the chances of their ever being audited are minimal.

In some enterprises, the “Second Line” in the form of Risk Management contributes to the identification of appropriate controls, and should be monitoring the control environment. This augments and does not detract from the role of Internal Audit, whose role is to perform detailed reviews of processes, systems, or functions, confirming through testing that the stated controls are functioning.  

So what is the role of Risk Management, as 'second line', in providing assurance over the system of internal controls? Risk Management can provide the framework to ensure that controls are functioning, by providing the repository and process to enforce confirmation of the functioning of controls. So what can Risk Management do?

  1. Risk Management assists management in the identification and description (including quantification) of risks, and 
  2. Assists management in determining and quantifying the level of risk that is acceptable, and in gaining senior management and board endorsement of the level of acceptable risk (the Risk Appetite applicable to the risk), and 
  3. Works with management to identify what ‘controls’ would provide confidence that the risk is being mitigated or otherwise managed within appetite, and 
  4. Provides a framework for the regular assessment and reporting on the functioning of the identified controls, and 
  5. Provides an independent repository for the collection and retention of the evidence that each control is functioning, and finally 
  6. Reports to senior management and the board on management’s reported assessment of the effectiveness of controls, to confirm that the entity is functioning within Risk Appetite, or 
  7. Provides reporting and recommendations to senior management and the board on additional steps that may be required to bring the entity into appetite (which may include the explicit modification, ‘upward’ or ‘downward’, of the actual Risk Appetite).

In this way, it is not the fact of the existence of a documented control that matters; it is the provision of evidence by management that the control is functioning. This evidence is the control. Without the evidence, it must be assumed that the control may not be functioning, and therefore must be tested by Internal Audit, something that probably will never happen for the vast majority of non-high-risk areas.

Quite some time ago, you probably started saying, “But this isn’t the job of Risk Management”, and in a purist sense, I agree. But I also know that someone needs to do this, and that someone needs to have access to the board and to management. Relationship management across the first line is critical, as is the ability to synthesise the information provided in the evidence of functioning controls.  

Most importantly, there cannot be an adversarial relationship such as too often exists between Internal Audit and the business, and between External Audit and everyone. Note I’m saying ‘too often’, not that this should be the natural state of things. 

Risk Management has many responsibilities, and this one fits nicely. 

Where there is an ongoing demonstration of performance of the system of internal control, identification of new or evolving risks, and a risk appetite that is both detailed and macro, Risk Management should be there. As risk specialists (both ‘downside’ and ‘upside/opportunity’) with the ability to communicate potential impacts as well as provide  

So consider a framework that includes a quarterly provision of the evidence of each control, coupled with management’s assessment of the effectiveness of that control. Consider also a regular relationship meeting between Risk Management and operational managers to confirm that the range of risks is current, that the rating of the risks continues to be in line with management’s understanding of the risk, and that the mitigation in place, as shown by the provided evidence of the functioning of the controls, ensures that the entity, or at least this risk, continues to be managed within appetite.

Finally, the evidence provided by management and monitored by Risk Management also enables Risk Management to provide greater confidence in their reporting of the current risk status of the entity, improving the quality of assurance provided.

After all, documented controls by themselves are worthless. The Evidence of the functioning of the control is the Control. 

#Risk #InternalAudit #SOX


03 May 2023

Chinese Farm

(I wrote this a month ago, but I am only posting it now, after sharing it with a few people)

All this time, the West has been saying, "No shooting at Russian territory". If you do that, we'll cut off aid. We won't get into a shooting war with Russia. Etc, etc. This mantra has been said so often that it has become a "truth". But this is war, when truth becomes lies, and believing truths can get you in trouble. 


This is a war for the very survival of Ukraine. Russian forces are arrayed forward to the front lines, and the Russian high command knows (or assumes) that Russian territory will not be attacked meaningfully. The war is being fought and will be fought on Ukrainian territory (or "Russian territory" currently under the control of Ukraine).  


The assumption is that the coming offensive will be to retake Ukrainian territory, probably pushing south to the Sea of Azov and Crimea, busting through Russian well-prepared defences, line after line. Each one is a potential Somme waiting to happen. And for what, a few kilometres of advance while further eroding limited resources?  


The invasion has been halted, the Russian winter offensive has failed, and the positions are well established. Logistical lines favour Ukraine with shorter lines to any point on the front, while Russian logistics are stretched. The distance from Kyiv to the farthest front line is around 500 kilometres. Realistically, however, forward positioning of materials will put supplies no more than 150 – 200 kilometres from the front line at any point. Contrast this with the Russians' need to be able to deliver forces to any point along a 900+ kilometre front line.


Will Ukraine repeat the Somme, or will they do something completely different? There are enough historical examples to follow, or that provide potential parallels to the current situation. And that has led me to think about what Ukraine may do. This is my "prediction".


If we want to see the future, we need only look at the past: the Battle for Chinese Farm and the two weeks following. I'll not review it in detail, you can look it up on Wikipedia (https://en.wikipedia.org/wiki/Battle_of_the_Chinese_Farm). 


What matters here is that the Russian military is exhausted, or they would continue their offensive operations. They've tried to take their own version of the Gidi Pass and Mitla Pass, and failed. Ukraine is contemplating how and where they will use the new Western armour and APCs, and how they will use their limited artillery resources. Western doctrine calls for the establishment of air superiority before engaging in ground operations, and the inability of either side to accomplish this has been a major talking point throughout.


In 1967, Israel had complete air superiority. In 1973 they were willing (or forced to) accept interdiction of all airspace by both sides, at a high cost. If neither side has air superiority, then the "air" just needs to move higher - space and satellite superiority, and Ukraine has that in spades through Western eyes.


They have eyes in the sky, and a massive amount of intel from the West, at strategic and detailed operational levels. They probably know the names of every commander on the Russian side, and probably know where each of them is to within a few hundred meters. They know how much fuel the Russians have, at a unit level. They know where the Russians are, how many they are, and probably what they will eat for breakfast tomorrow. How can I say this with confidence? Because this is the war that NATO has been planning for 70 years. The fall of the Soviet Union did not halt the continued development of Western electronic intelligence-gathering capabilities. 


I suspect Ukraine has been looking for the perfect "Chinese Farm" for the past three months or more, but one that will not result in the same desperate battle fought 50 years ago. And when they decide to attack, the objective will not be the Sea of Azov; the objective will be to push tens or even fifty or more kilometres into Russia before turning south and/or north. They hope to puncture the front, and, using Israeli (and Soviet) tactics, run amok in the Russian rear, separating the front line and even reserve forces from their logistical bases in Russia, forcing Russian forces to look behind themselves as well as protecting their front.


The frontline Russian forces will not even know that they are being surrounded until it is already underway. It is natural for commanders to limit the amount of information provided to front-line troops to avoid speculating about every piece of gossip or rumour. But this means that rumours will spread, will be denied, and will continue to spread.  


I'm going to go way out on a limb here, and suggest that anyone living west of the Russian M4 motorway (which is closer to Bakhmut than Bakhmut is to Kharkiv) may find themselves on the front lines or within the cauldron, with Ukrainian forces using that as the point at which they turn north and/or south, aiming to cut off Russian forces from their rear positions and resources.


From there, Ukraine can wait. Certainly, there will be intense fighting continuing all along the front, but that will be holding fighting for Ukraine, and breakout fighting on the part of Russian forces. The war will be over, and Moscow will face some very scary choices. But once Russian troops realise that their supply lines have been cut off, I do not expect morale to hold up for long. Those troops will be bombarded with propaganda more than shells. Breakouts will be attempted and will be stopped. The Russian air force will need to commit all that it can, and will lose the air. 


This will leave Moscow with few choices. Escalate to nuclear weapons or find a way to negotiate an end to the war that keeps Putin alive. China, Russia's only meaningful friend, has told Putin that nuclear weapons are off the table.  


We will know soon. 


(Since writing this, I've read that Russia is building defensive fortifications well back in Russian territory.)