The most comprehensively documented system of internal control does not provide any assurance that the enterprise is effectively, or even adequately, controlled. From a Risk Management perspective, controls are irrelevant; only the evidence of the functioning of the control is the control.
Let's consider the role of Risk Management in providing real assurance, and how to make this real.
I've posted the article on LinkedIn here
And below:
The most comprehensively documented system of internal control does not provide any assurance that the enterprise is effectively, or even adequately, controlled. We are so used to the SOX-generated idea that the system of internal controls needs to be documented, and where there are perceived to be inadequate controls, more controls need to be introduced and documented. This is limited, of course, to “controls over financial reporting”, as required by SArbanes-Oxley (SOX).
This has resulted in probably hundreds of millions of dollars, probably billions, being spent to document controls over financial reporting, and then Internal Audit (and External Audit) testing of those control. A windfall for the Internal Audit profession and for External Audit firms. After all, well-documented controls, especially when the critical controls are tested, are the backbone of a sound system of internal controls. Or is it?
We need to move from the paradigm that a documented system of internal controls equates to an effectively controlled entity. Nothing could be further from the truth, and this is why we have both Internal and External Audit. Internal Audit tests the controls, recommends improvements to controls and provides “assurance” to senior management and the board that the controls are functioning. External Audit places limited reliance (anything more and they couldn’t demand the level of fees they do) on the work of Internal Audit and on the controls.
I’ve missed the “risk” word above. Of course, Internal Audit should determine the controls to test on a risk-assessed basis. Yet too frequently, Internal Audit focuses on the highest-risk areas (that is appropriate) while year after year, the non-high-risk areas effectively get a pass. There simply are not and never will be enough Internal Audit resources to test all areas.
After all, a fire will destroy the kitchen and house, while the ants will slowly denude the pantry. So we audit the fire alarms, and make sure there is a fire extinguisher (have you checked the date on it recently), but we don’t hunt for ants unless they are right in front of our faces.
To paraphrase Hemmingway, internal control failures happen slowly, and then all at once.
So the classic three-year rolling Internal Audit programme never seems to get to the bottom two-thirds of the potential auditable areas. What does this mean? Fundamentally, too much of the entity will never be audited, and there will never the evidence that the controls are or are not functioning.
And here is our problem. It will be one of those areas, probably not directly related to ‘financial reporting’ that will ‘go bad’, resulting in significant problems and costs.
The evidence IS the control.
Who cares if there is a full set of documented controls if operational management knows perfectly well that Internal Audit will never reach two-thirds of the entity? I.E., their function, system, or process? This means more resources that said operational manager could spend on resources, people, supplies, laptops, etc, because they know that the cost of the control can be deferred, because the chances of their every being audited are minimal.
In some enterprises, the “Second Line” in the form of Risk Management contributes to the identification of appropriate controls, and should be monitoring the control environment. This augments and does not detract from the role of Internal Audit, whose role is to perform detailed reviews of processes, systems, or functions, confirming through testing that the stated controls are functioning.
So what is the role of Risk Management, as 'second line', in providing assurance over the system of internal controls? Risk Management can provide the framework to ensure that controls are functioning, by providing the repository and process to enforce confirmation of the functioning of controls. So what can Risk Management do?
- Risk Management assists management in the identification, description (including quantification) of risks, and
- Assists management in determining and quantifying the level of risk that is acceptable, and in gaining senior management and board endorsement of the level of acceptable risk (the Risk Appetite applicable to the risk), and
- Works with management to identify what ‘controls’ would provide confidence that the risk is being mitigated or otherwise managed within appetite, and
- Provides a framework for the regular assessment and reporting on the functioning of the identified controls, and
- Provides an independent repository for the collection and retention of the evidence that each control is functioning, and finally
- Reporting to senior management and the board on management’s reported assessment of the effectiveness of controls, to confirm that the entity is functioning within Risk Appetite, or
- Provide reporting and recommendations to senior management and the board on additional steps that may be required to bring the entity into appetite (which may include the explicit modification, ‘upward’ or ‘downward’ of the actual Risk Appetite.
In this way, it is not the fact of the existence of a documented control that matters, it is the provision of evidence by management that the control is functioning This evidence is the control. Without the evidence, it must be assumed that the control may not be functioning, and, therefore must be tested by Internal Audit, something that probably will never happen for the vast majority of non-high-risk areas.
Quite some time ago, you probably started saying, “But this isn’t the job of Risk Management”, and in a purist sense, I agree. But I also know that someone needs to do this, and that someone needs to have access to the board and to management. Relationship management across the first line is critical, as is the ability to synthesise the information provided in the evidence of functioning controls.
Most importantly, there cannot be an adversarial relationship such as too often exists between Internal Audit and the business, and between External Audit and everyone. Note I’m saying ‘too often’, not that this should be the natural state of things.
Risk Management has many responsibilities, and this one fits nicely.
Where there is an ongoing demonstration of performance of the system of internal control, identification of new or evolving risks, and a risk appetite that is both detailed and macro, Risk Management should be there. As risk specialists (both ‘downside’ and ‘upside/opportunity’) with the ability to communicate potential impacts as well as provide
So consider a framework that includes a quarterly provision of the evidence of each control, coupled with management’s assessment of the effectiveness of that control. Consider also a regular relationship meeting between Risk Management and operational managers to confirm that the range of risks is current, the rating of the risks continues to be in line with management’s understanding of the risk, and the mitigation in place, as evidenced by the provided evidence of the functioning on the controls, ensures that the entity, or at least this risk, continues to be managed within appetite.
Finally, the evidence provided by management and monitored by Risk Management also enables Risk Management to provide greater confidence in their reporting of the current risk status of the entity, improving the quality of assurance provided.
After all, documented controls by themselves are worthless. The Evidence of the functioning of the control is the Control.
No comments:
Post a Comment