Tone at the top matters. Without that any exercise become a paper, which get tossed around from here to there and people kept wondering why things are not moving!
It is important to create tools and use techniques to enable process owners and an individual employee to be aware about internal control(s) regarding:
- What is their role in internal control set up?
- How they are impacting it?
- How they are getting impacted by it?
- What is the baseline/ criteria/ measuring tape against which they get measured?
One of the tool available with internal auditors is ‘Control Self-assessment”. (IIA offers a certification program on Control self-assessment where people interested in learning the tricks and methods of self-assessment can enroll and get themselves certified. Internal Auditors can also enroll and learn how they can facilitate the control self-assessment process.)
With SOX in USA, Clause 49 and Companies act 2013 in India, ASX in Australia, UK corporate governance code 2014, and so on requiring management to demonstrate the existence and effectiveness of Internal financial control, it will make sense to invest into learning CSA as a tool and technique.
For meeting regulatory requirements, organization need to create documentation regarding controls. This documentation can be in the shape of SOP/ Process manual/ Process flow chart, narratives, excel sheets containing risk control matrixes and so on.
Organizations where the document exist, they should benchmark documentation against some framework such as COSO 2013. Organization where they are developing the documentation first time, they will be too hard pressed to benchmark against any recognized framework. But this is the time where bench-marking against a recognized framework can do wonders.
An organization in the endeavor to create a more control aware organization has used CSA in a creative manner. They developed a control catalogue which contain certain minimum expectations on internal control environment. Control catalogue basically contain – Control objective, control activity, control frequency. Organization policy and procedure documents were referenced wherever possible.
It was also aware that expecting 100% compliance is a recipe for failure. So they also developed assessment guidelines. Guidelines were very simple as illustrated below:
With the basics of Control self-assessment is in place, various SBUs were asked to self-assess the control environment.
This assessment requires process owners to answer questions in simple “Yes/ No/ NA”. Once an assessment is complete they were also presented with a summary of control environment maturity.
As this tool was MS Excel based, SBU can do experimentation on how to improve maturity. (What efforts are required to improve rating)
After Running this process for few cycles, assessing the control maturity of a given area during an internal audit assignment and presenting IA opinion vis a vis self-assessment, there was a vast improvement in control environment.
To ensure that SBU understand the importance of control environment, result of assessment was made part of balanced score card.
SBUs which were proactive, have used this tool to also develop / streamline their control in other areas as well.
With this:
- Line people were involved in defining controls based on control objectives
- IA were able to test the self-assessment, giving assurance to management on the self-assessment and this testing were also utilized for showing management testing of existence and effectiveness of controls.
- External auditors were comfortable while certifying the annual accounts due to comprehensiveness of internal controls and quality of testing results.
(This is an example of how CSA has been implemented in an orgnisation. Do you also have a story to share?)
Call for action:
Inputs/ comments/ suggestion: I welcome inputs/ comments / suggestions from readers on how to approach this issue. Feel free to correct me, educate me.
Share the Article: If you like it, share it. If you share it with others, and they comment, we all will get more learned.
(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author ’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the author is, or has been a part of.)