Download Engaging senior management in internal control

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Strategic management wikipedia , lookup

Operations management wikipedia , lookup

Management consulting wikipedia , lookup

High-commitment management wikipedia , lookup

Corporate governance wikipedia , lookup

International Council of Management Consulting Institutes wikipedia , lookup

Management wikipedia , lookup

Opportunity management wikipedia , lookup

The Modern Corporation and Private Property wikipedia , lookup

Investment management wikipedia , lookup

Internal communications wikipedia , lookup

Transcript
Engaging Senior Management in Internal Control
by Philip Ratcliffe
Executive Summary
•
•
•
•
•
•
Internal control systems must have the backing of senior management to be effective.
Internal auditors should make management aware of the importance of sound internal controls, and the
serious problems that could arise if they are inadequate.
The benefits of sound internal controls include efficiency and effectiveness, protection against losses
and unpleasant surprises, optimum use of assets, and motivated staff—all in all, they make a major
contribution to organizational survival and prosperity.
Key risks resulting from lack of good internal control are fraud, incorrect accounts, inefficiency and
ineffectiveness, damage to the reputation of the organization and its management, and a consequent
fall in the value of the company.
Internal auditors should form their own view of the specific risks facing their organization.
If the internal control system is inadequate, they should meet with senior management to explain the
need for strong, sound controls and their benefits for the organization.
How to Get Senior Management to Take Internal Control Seriously
Top managers in any organization have many calls on their time and attention. Vying for their attention
will be customers, suppliers, employees, consultants, and many others. Internal controls can easily be
squeezed out of their agenda. The problem this can create is that if senior management does not take
control seriously, the “tone from the top” will be wrong—and if the people in charge don’t care, then why
should anyone else in the organization? Rightly or wrongly, this is the message that will be perceived across
the organization, and internal control will suffer.
So, as a corporate auditor, how can you push internal control up the priority list? Showing clearly to
management the benefits of strong internal control on the one hand, and the consequences of failure of
internal control on the other, is one path to this goal.
Benefits of Control
A key message to communicate to management is that effective, active controls give positive benefits as
well as avoiding negative outcomes. Having controls that are effective will ensure that the directions of
the board and senior management are implemented as intended; that operations and activities are carried
out efficiently and meet their objectives; and that the assets used in an organization are not only properly
accounted for, but also that they are used effectively and efficiently for the benefit of the organization.
Procedures which follow sound control principles enable people to carry out their work in an environment that
is orderly and satisfying to work in. Good internal control will also protect an organization and its staff against
the temptations of dishonesty, fraud, and theft.
Organizations that have sound internal controls will know where they are, and where they are going,
because management information controls will tell the organization’s management what they need to
know when they need to know it. If the first imperative of most organizations is survival, then good internal
control can play a major role in achieving that objective. Additionally, and very importantly, there can also
be an efficiency dividend for an organization if good, cost-effective internal control systems are in place; for
example, when processes are streamlined and well controlled, fewer people may be needed to do the work.
The Impact of Control Failure Inside the Business
All too often, internal control only becomes a concern to top management after it breaks down. Out of the
blue comes the sudden discovery of a massive fraud or a major hole in the accounts, or a business segment
that was thought to be profitable is dramatically discovered not to be. There is a myriad of such possibilities.
Management discovers, painfully, that when there is such a breakdown of control, almost everything else has
Engaging Senior Management in Internal Control
1 of 4
www.qfinance.com
to be thrown out of the window while the breakdown is investigated. It has to engage with internal auditors,
external auditors, consultants, and specialists to uncover the root causes of the problem, as there is no cure
without first making a diagnosis. The managers immediately responsible for the failure must be identified,
and a conclusion reached on their degree of culpability. And if someone has to be fired, who is going to take
on their responsibilities?
Then, senior managers have to make up their minds what to do about the underlying problem. What
changes have to be made to ensure that it can never happen again? Should they commission reviews in
other similar parts of the organization to gain assurance that the problem isn’t endemic elsewhere? Are
major investments in systems or capital items needed to fix things? Should procedures be revised? Do staff
need retraining or reorganizing? If so, who is going to implement the changes, and where is the money going
to come from?
Control Breakdown Can Have External Implications
Another vital aspect is the impact of a breakdown on external relations. Do investors and the stock markets
have to be informed? Is a profits warning necessary? How will stakeholders react? What will the (inevitably
negative) impact be on the share price, and therefore the value, of the organization? Often such an
announcement will create a loss of shareholder value that is many times the original operating loss. At times
like these, an executive director may be lucky to keep his job; at the very least, there is a major risk of loss of
personal and corporate reputation.
The Opportunity Cost is Great
On top of this, in a serious case the opportunity cost of the time that management will lose in attending to the
consequences of an internal control breakdown can be massive. Strategic issues, tactical issues, business
development—all these and many more normal concerns of senior management will have to take a back
seat until the problem is resolved. Add to this the loss of reputation and of confidence, inside and outside the
organization, because news will inevitably leak out however carefully those involved try to prevent it.
The case here has been made in the context of a commercial organization, but similar considerations apply
to all other types of organization, whether governmental, private, or in the not-for-profit sector.
Getting Management Backing: Where to Start
If the benefits of sound controls are so tangible, and the aftermath of a failure of internal control is so
dreadful, how does the corporate auditor make a start on obtaining top management’s backing for a regime
of sound internal control? Corporate governance regulations in many countries, and best practice, now
require organizations formally to analyze and record the risks they face. The purpose of this requirement
is, first, to ensure that organizations actually understand their risk profile, as only then can they seriously
and properly consider whether they have the right mitigation arrangements in place. Often a management
team, in making explicit the risks they face, will discover that initially they do not have a common view as to
what the risks are. Only when they have a unified vision can they expect to come up with a coherent and
balanced response. Only then can they hope to design and develop a comprehensive internal control system
that meets the needs of the organization. The corporate auditor can assist by becoming involved in the risk
identification process, by emphasizing to senior management the immediate impact of failure to mitigate the
risks (for example, by pointing out that the accounts will be incorrect), and the secondary, but possibly even
more drastic, consequences (for example, that a profits warning will have to be issued and the share price
will nosedive.)
It is not least by confronting management with the consequences of control failure that it can be helped to
take internal control seriously. The internal auditor can help to create an understanding and appreciation of
the consequences of control failure by making presentations and having one-to-one meetings with influential
people, such as the chairman/president, chief executive, chief financial officer, audit committee chair, other
board members, and senior managers. The objective is to create an awareness of internal control in the
organization and, through that awareness, to change the attitude to it.
Engaging Senior Management in Internal Control
2 of 4
www.qfinance.com
While some risks may be external to the organization and not susceptible to internal control, many can be
mitigated by internal controls. In some cultures, management is reluctant to accept the need for internal
controls, believing that staff should be trusted. Internal auditors should point out to such management that
trust is not a substitute for internal control. A proper system of internal controls should be considered a
force for moral good, in that it effectively removes temptation from employees by ensuring that undesirable
behaviors will be promptly detected and corrected; if employees understand this, they will be less likely to
attempt to defraud their employer.
Case Study
When a new chief executive officer joined his company, the chief audit executive arranged an early meeting
with him. The CAE discussed the internal controls in the organization, demonstrated his knowledge of
their strengths and weaknesses, and explained his view of the importance of controls and the vital role to
be played by the CEO in setting an example—the tone from the top. As a result, the CEO agreed to have
regular meetings to discuss internal controls and to review the assurance provided by internal audit and any
resultant need for action, undertakings he subsequently fulfilled. Expectation that these meetings would take
place helped to ensure that management throughout the organization gave high priority to internal control
and to responding to internal audit findings.
Making It Happen
•
•
•
•
•
•
•
Collect evidence about the state of internal controls and any opportunities that exist for improving them.
Present the benefits of better controls in terms with which management can identify.
Review the organization’s code of conduct or similar document; if none exists, it is worth raising the
issue.
Seek a meeting with the head of the organization and influential members of the board. Have a
clear but short agenda. Aim for some specific goals from your meeting. Go prepared with a succinct
presentation and some practical recommendations.
Use the opportunity to argue for the importance of tone from the top where internal control is
concerned; if the top people in the company take internal control seriously, so will everybody else. Ask
whether they like unwelcome surprises, and what they are prepared to do to avoid them.
Point up the risks facing the organization, and show how a well-designed control structure can help to
avoid or mitigate the worst consequences.
Don’t expect everything to be achieved with just one meeting. Be prepared to keep going back with the
same messages until they are not only accepted, but also acted on.
Conclusion
Management’s role in ensuring effective internal control is vital. Management sets the tone from the top.
Unless management engages and commits, the rest of the organization will not take internal control
seriously. The internal auditor can help management to appreciate the importance of internal control by
demonstrating its value—not least, the efficiency dividend to an organization if good, cost-effective internal
control systems are in place—and by making management aware of the consequences of failures of internal
control. The internal auditor can further assist management by highlighting the need to set tone from the top,
to allocate sufficient resources for internal control, and to ensure that internal control processes are suitably
designed for the needs of the business.
More Info
Book:
•
Sawyer, Lawrence B., Mortimer A. Dittenhofer, James H. Scheiner, Anne Graham, and Paul Makosz.
Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing. Altamonte Springs, FL: Institute of
Internal Auditors, 2003.
Engaging Senior Management in Internal Control
3 of 4
www.qfinance.com
Reports:
•
•
American Institute of Certified Public Accountants. “Internal control—Integrated framework.” 1994.
Order online at: www.theiia.org/bookstore
Financial Reporting Council. “The combined code on corporate governance.” 2008. Online at:
www.frc.org.uk/corporate/combinedcode.cfm
See Also
Best Practice
•
The Assurance versus Consulting Debate: How Far Should Internal Audit Go?
•
The Effect of SOX on Internal Control, Risk Management, and Corporate Governance Best Practice
•
How Internal Auditing Can Help with a Company’s Fraud Issues
•
Improving Corporate Profitability Through Accountability
•
New Assurance Challenges Facing Chief Audit Executives
•
Understanding Reputation Risk and Its Importance
Checklists
•
•
•
•
Corporate Governance and Its Interpretations
Defining Corporate Governance: Its Aims, Goals, and Responsibilities
Requirements of the UK Combined Code on Corporate Governance
Understanding Internal Audits
To see this article on-line, please visit
http://www.qfinance.com/auditing-best-practice/engaging-senior-management-in-internal-control
Engaging Senior Management in Internal Control
4 of 4
www.qfinance.com