What does it mean to “be in control”? You are in control when you maintain a mind-set over the stewardship of your resources and capabilities that is risk-based, employing your control: objectives; processes; controls; accountabilities; and assurances. This involves having an appropriate control environment that ensures effective controls are developed and implemented with appropriate feedback to manage your risks and service delivery.
Your control environment, when working in harmony with the enablers of modern comptrollership practices, is considered integrated when you have instituted distributed controls over the resources entrusted to you.
The integration of your controls, both horizontally and on a distributed basis, is needed to enhance the way in which your controls work together within your management and governance framework. Integrating appropriate risk-based controls across your processes, systems, people, finances, geography, and delivery mechanisms needs to be managed pervasively – not only vertically, but also horizontally, to be sustainable and effective.
For you to be in control implies that there is alignment, efficiency, and cohesion in the delivery of your key functional and/or service activities across all integrated control elements. This implies a balance between managing inherent risks, information, and integrated controls, to achieve intended results. Therefore, to be in control, and to achieve integrated control, requires an active risk-based mind-set across 5 integrated control elements.
Objectives – refers to the intended results of the various controls implemented. Risk management will determine the level or extent of control applicable (loose vs. tight), taking in consideration their cost and effectiveness;
Processes – refers to all the various procedures and processes where control will be implemented to meet your risks and intended results;
Controls – refers to the means or control instruments needed to effect risk-based decisions to achieve intended objectives and results;
Accountability – refers to roles and responsibilities for decisions and actions at each management level for the development, implementation, management, monitoring, and corrective measures of achieving integrated control; and
Assurance – refers the monitoring / assessment mechanisms put in place to provide you with confidence that the system of integrated controls is efficient, effective, and economical to support your control objectives and risks.
These are the elements that form the nucleus of integrated control that need to be applied in a continuous and sustained manner. When applying the 5 elements to design your control environment, it is important for you to balance:
the extent of the controls (loose / tight) with their distribution (pervasive / focused);
the cost to maintain controls (one-time / ongoing) with their intended use within processes (fluid / strict); and
individual responsibility (individual / systemic) with broader accountability (ownership / delegation).
These factors impact the approach to achieve integration across your control environment. Although there are other important factors that your specific situation will warrant, having an effective integrated set of controls will enable you to be apprised of and manage significant risks, monitor the reliability of controls, and ensure that your controls will be powerful and proactive agents for self-regulation.
Why is control important to you? Control is important because it represents the mind-set of core processes, activities, decisions, information, risk management and monitoring that you need to ensure that all components of your area of influence operate effectively, efficiently, and in harmony. You need to be in control to ensure that resources and assets entrusted to you are safeguarded and appropriately controlled, your resources are managed economically and efficiently in meeting your objectives, and that processes, services, and transactions are in accordance with Acts and regulations.
In the private sector, under Multilateral Instrument 52-109, Certification of Disclosure in Issuers’ Annual and Interim Filings, CEOs and CFOs must certify that they have designed internal control over financial reporting to provide reasonable assurance over the reliability of financial reporting and the preparation of external financial statements in compliance with generally accepted accounting principles. They must also certify that they have caused the company to disclose – in the annual or interim Management Discussion and Analyses (MD&A), as appropriate – changes in internal control that have had or may have a material effect on the company’s internal control.
In the public sector, a similar requirement is set out in Treasury Board policy that requires the Deputy Head and the CFO to make representations that they have reviewed the effectiveness of the system of internal control over financial reporting to provide reasonable assurance over the reliability of financial reporting and the preparation of external financial statements in compliance with generally accepted accounting principles. They must disclose the results of their review in an annual departmental Statement on Internal Control that is to be disclosed in the Departmental Performance Report (DPR). The disclosure will also include any internal control deficiencies and actions that are being taken to correct material deficiencies, along with the Financial Statements Discussion and Analyses (FSD&A) disclosure.
These certifications represent significant undertakings and will require significant judgment on the part of the certifying officers.
The requirements for certifying / reviewing the design of internal control are in place. As soon as possible, management needs to:
The Audit Committee should also be involved, either from being heavily engaged in the oversight of the planning, execution and conclusion stages of the process, or to being only involved at a high level of monitoring the certifications. Whatever level of oversight the Audit Committee adopts, it is important that management understand the Audit Committee’s expectations from the beginning and communicate openly with them throughout the process. Although certification / review is the responsibility of the CEO and CFO, that certification / review addresses an important financial reporting issue and has MD&A / FSD&A reporting implications that are serious accountabilities of the Audit Committee.
Internal control over financial reporting is properly designed when those controls would be expected to prevent or detect errors or fraud that could result in material misstatements in the financial statements.
Evaluating the design involves:
Documenting internal controls can be a significant undertaking. Determining the extent of documentation is a matter of judgment, influenced by the size of the organization, its business environment, and the complexity of its operations.
A “top-down, risk-based” approach can help decide how much documentation is required and where resources should be focused. Focus attention on where material errors could occur and the related key controls.
Internal controls can be documented through policies and procedures manuals or handbooks, narratives, flow charts, risk matrices, or some combination of these options.
Typically in developing a design evaluation process, five major elements are considered:
In addition the organization should consider using walkthroughs when evaluating the design of controls. Such walkthroughs provide evidence to:
The Audit Committee should encourage management to remediate ineffectively designed controls prior to year-end. Prioritizing remediation requirements can help determine that available resources focus on those deficiencies of greater significance.
Management should discuss with the Audit Committee the process for dealing with deficiencies. Together, they should determine the types of deficiencies that management should bring to the Audit Committee’s attention and the nature of such reporting.
Certification / review of the effectiveness of internal control will require that the design evaluation process should dovetail with the organization’s future need for an assessment of the effectives of internal control. The process for evaluating the effectives of internal control builds on the process for evaluating design. Significant incremental elements include:
assessing if the control, when in operation, functions as designed;
determining the consistency with which the controls were applied; and
considering whether appropriately qualified persons are actually carrying out the control.
Carefully planned, the process for evaluating design can simplify the work required for the future evaluation of the effectives of internal control. The Audit Committee should encourage management to develop the design evaluation so it can be used to a maximum extent in the future evaluation of effectiveness of internal control.
Management may want help in documenting controls or evaluating the design of internal controls, or management and the Audit Committee may want to obtain some form of additional comfort on the assessment. External auditors can be asked to assist in various ways. For example, they may:
Management, the Audit Committee and the external auditors should consider these options, while the organization is developing its approach to this evaluation.
All organizations, regardless of size, need to develop a process to evaluate the design of internal control. The requirements for certifying / reviewing the design of internal control are now in place. Starting now will contribute to an effective evaluation and enable management to identify deficiencies early and prior to the reporting deadline. At the same time the Audit Committee should determine the extent of its involvement in the oversight of this process and communicate its expectations to management.
Are your internal controls integrated? Do you have the monitoring and assessment mechanisms to respond effectively? Are you comfortable signing off on your internal control fiduciary responsibilities? icorp.ca’s Insight service can help you discern the inner nature of complex management change. So who is supporting your integrated control needs? GO THERE!™
For more information about icorp.ca’s Insight expertise, contact us.