* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Engaging senior management in internal control
Strategic management wikipedia , lookup
Operations management wikipedia , lookup
Management consulting wikipedia , lookup
High-commitment management wikipedia , lookup
Corporate governance wikipedia , lookup
International Council of Management Consulting Institutes wikipedia , lookup
Opportunity management wikipedia , lookup
The Modern Corporation and Private Property wikipedia , lookup
Engaging Senior Management in Internal Control by Philip Ratcliffe Executive Summary • • • • • • Internal control systems must have the backing of senior management to be effective. Internal auditors should make management aware of the importance of sound internal controls, and the serious problems that could arise if they are inadequate. The benefits of sound internal controls include efficiency and effectiveness, protection against losses and unpleasant surprises, optimum use of assets, and motivated staff—all in all, they make a major contribution to organizational survival and prosperity. Key risks resulting from lack of good internal control are fraud, incorrect accounts, inefficiency and ineffectiveness, damage to the reputation of the organization and its management, and a consequent fall in the value of the company. Internal auditors should form their own view of the specific risks facing their organization. If the internal control system is inadequate, they should meet with senior management to explain the need for strong, sound controls and their benefits for the organization. How to Get Senior Management to Take Internal Control Seriously Top managers in any organization have many calls on their time and attention. Vying for their attention will be customers, suppliers, employees, consultants, and many others. Internal controls can easily be squeezed out of their agenda. The problem this can create is that if senior management does not take control seriously, the “tone from the top” will be wrong—and if the people in charge don’t care, then why should anyone else in the organization? Rightly or wrongly, this is the message that will be perceived across the organization, and internal control will suffer. So, as a corporate auditor, how can you push internal control up the priority list? Showing clearly to management the benefits of strong internal control on the one hand, and the consequences of failure of internal control on the other, is one path to this goal. Benefits of Control A key message to communicate to management is that effective, active controls give positive benefits as well as avoiding negative outcomes. Having controls that are effective will ensure that the directions of the board and senior management are implemented as intended; that operations and activities are carried out efficiently and meet their objectives; and that the assets used in an organization are not only properly accounted for, but also that they are used effectively and efficiently for the benefit of the organization. Procedures which follow sound control principles enable people to carry out their work in an environment that is orderly and satisfying to work in. Good internal control will also protect an organization and its staff against the temptations of dishonesty, fraud, and theft. Organizations that have sound internal controls will know where they are, and where they are going, because management information controls will tell the organization’s management what they need to know when they need to know it. If the first imperative of most organizations is survival, then good internal control can play a major role in achieving that objective. Additionally, and very importantly, there can also be an efficiency dividend for an organization if good, cost-effective internal control systems are in place; for example, when processes are streamlined and well controlled, fewer people may be needed to do the work. The Impact of Control Failure Inside the Business All too often, internal control only becomes a concern to top management after it breaks down. Out of the blue comes the sudden discovery of a massive fraud or a major hole in the accounts, or a business segment that was thought to be profitable is dramatically discovered not to be. There is a myriad of such possibilities. Management discovers, painfully, that when there is such a breakdown of control, almost everything else has Engaging Senior Management in Internal Control 1 of 4 www.qfinance.com to be thrown out of the window while the breakdown is investigated. It has to engage with internal auditors, external auditors, consultants, and specialists to uncover the root causes of the problem, as there is no cure without first making a diagnosis. The managers immediately responsible for the failure must be identified, and a conclusion reached on their degree of culpability. And if someone has to be fired, who is going to take on their responsibilities? Then, senior managers have to make up their minds what to do about the underlying problem. What changes have to be made to ensure that it can never happen again? Should they commission reviews in other similar parts of the organization to gain assurance that the problem isn’t endemic elsewhere? Are major investments in systems or capital items needed to fix things? Should procedures be revised? Do staff need retraining or reorganizing? If so, who is going to implement the changes, and where is the money going to come from? Control Breakdown Can Have External Implications Another vital aspect is the impact of a breakdown on external relations. Do investors and the stock markets have to be informed? Is a profits warning necessary? How will stakeholders react? What will the (inevitably negative) impact be on the share price, and therefore the value, of the organization? Often such an announcement will create a loss of shareholder value that is many times the original operating loss. At times like these, an executive director may be lucky to keep his job; at the very least, there is a major risk of loss of personal and corporate reputation. The Opportunity Cost is Great On top of this, in a serious case the opportunity cost of the time that management will lose in attending to the consequences of an internal control breakdown can be massive. Strategic issues, tactical issues, business development—all these and many more normal concerns of senior management will have to take a back seat until the problem is resolved. Add to this the loss of reputation and of confidence, inside and outside the organization, because news will inevitably leak out however carefully those involved try to prevent it. The case here has been made in the context of a commercial organization, but similar considerations apply to all other types of organization, whether governmental, private, or in the not-for-profit sector. Getting Management Backing: Where to Start If the benefits of sound controls are so tangible, and the aftermath of a failure of internal control is so dreadful, how does the corporate auditor make a start on obtaining top management’s backing for a regime of sound internal control? Corporate governance regulations in many countries, and best practice, now require organizations formally to analyze and record the risks they face. The purpose of this requirement is, first, to ensure that organizations actually understand their risk profile, as only then can they seriously and properly consider whether they have the right mitigation arrangements in place. Often a management team, in making explicit the risks they face, will discover that initially they do not have a common view as to what the risks are. Only when they have a unified vision can they expect to come up with a coherent and balanced response. Only then can they hope to design and develop a comprehensive internal control system that meets the needs of the organization. The corporate auditor can assist by becoming involved in the risk identification process, by emphasizing to senior management the immediate impact of failure to mitigate the risks (for example, by pointing out that the accounts will be incorrect), and the secondary, but possibly even more drastic, consequences (for example, that a profits warning will have to be issued and the share price will nosedive.) It is not least by confronting management with the consequences of control failure that it can be helped to take internal control seriously. The internal auditor can help to create an understanding and appreciation of the consequences of control failure by making presentations and having one-to-one meetings with influential people, such as the chairman/president, chief executive, chief financial officer, audit committee chair, other board members, and senior managers. The objective is to create an awareness of internal control in the organization and, through that awareness, to change the attitude to it. Engaging Senior Management in Internal Control 2 of 4 www.qfinance.com While some risks may be external to the organization and not susceptible to internal control, many can be mitigated by internal controls. In some cultures, management is reluctant to accept the need for internal controls, believing that staff should be trusted. Internal auditors should point out to such management that trust is not a substitute for internal control. A proper system of internal controls should be considered a force for moral good, in that it effectively removes temptation from employees by ensuring that undesirable behaviors will be promptly detected and corrected; if employees understand this, they will be less likely to attempt to defraud their employer. Case Study When a new chief executive officer joined his company, the chief audit executive arranged an early meeting with him. The CAE discussed the internal controls in the organization, demonstrated his knowledge of their strengths and weaknesses, and explained his view of the importance of controls and the vital role to be played by the CEO in setting an example—the tone from the top. As a result, the CEO agreed to have regular meetings to discuss internal controls and to review the assurance provided by internal audit and any resultant need for action, undertakings he subsequently fulfilled. Expectation that these meetings would take place helped to ensure that management throughout the organization gave high priority to internal control and to responding to internal audit findings. Making It Happen • • • • • • • Collect evidence about the state of internal controls and any opportunities that exist for improving them. Present the benefits of better controls in terms with which management can identify. Review the organization’s code of conduct or similar document; if none exists, it is worth raising the issue. Seek a meeting with the head of the organization and influential members of the board. Have a clear but short agenda. Aim for some specific goals from your meeting. Go prepared with a succinct presentation and some practical recommendations. Use the opportunity to argue for the importance of tone from the top where internal control is concerned; if the top people in the company take internal control seriously, so will everybody else. Ask whether they like unwelcome surprises, and what they are prepared to do to avoid them. Point up the risks facing the organization, and show how a well-designed control structure can help to avoid or mitigate the worst consequences. Don’t expect everything to be achieved with just one meeting. Be prepared to keep going back with the same messages until they are not only accepted, but also acted on. Conclusion Management’s role in ensuring effective internal control is vital. Management sets the tone from the top. Unless management engages and commits, the rest of the organization will not take internal control seriously. The internal auditor can help management to appreciate the importance of internal control by demonstrating its value—not least, the efficiency dividend to an organization if good, cost-effective internal control systems are in place—and by making management aware of the consequences of failures of internal control. The internal auditor can further assist management by highlighting the need to set tone from the top, to allocate sufficient resources for internal control, and to ensure that internal control processes are suitably designed for the needs of the business. More Info Book: • Sawyer, Lawrence B., Mortimer A. Dittenhofer, James H. Scheiner, Anne Graham, and Paul Makosz. Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing. Altamonte Springs, FL: Institute of Internal Auditors, 2003. Engaging Senior Management in Internal Control 3 of 4 www.qfinance.com Reports: • • American Institute of Certified Public Accountants. “Internal control—Integrated framework.” 1994. Order online at: www.theiia.org/bookstore Financial Reporting Council. “The combined code on corporate governance.” 2008. Online at: www.frc.org.uk/corporate/combinedcode.cfm See Also Best Practice • The Assurance versus Consulting Debate: How Far Should Internal Audit Go? • The Effect of SOX on Internal Control, Risk Management, and Corporate Governance Best Practice • How Internal Auditing Can Help with a Company’s Fraud Issues • Improving Corporate Profitability Through Accountability • New Assurance Challenges Facing Chief Audit Executives • Understanding Reputation Risk and Its Importance Checklists • • • • Corporate Governance and Its Interpretations Defining Corporate Governance: Its Aims, Goals, and Responsibilities Requirements of the UK Combined Code on Corporate Governance Understanding Internal Audits To see this article on-line, please visit http://www.qfinance.com/auditing-best-practice/engaging-senior-management-in-internal-control Engaging Senior Management in Internal Control 4 of 4 www.qfinance.com