Latest Blogs from SBS and Company LLP

    The Risk In Control Environment

    Risk Management:


    Risk management is an integral part of the group’s business control. Risks that may pose a threat to achieving business objectives are identified, and measures are implemented to mitigate and monitor the identified risks.


    Responsibility for Risk Management:


    The line organization has the primary responsibility for managing business risks. Line managers are responsible for identifying, monitoring, implementing measures and reporting all relevant business risks. The Chief Risk Officer is responsible for coordinating and monitoring the risk management processes in the group and consolidating the quarterly risk reports for Group Management and the Board of Directors. To support the Chief Risk Officer a Risk Management Committee has been established.


    Risk Areas


    The risk assessment and follow-up is divided into three areas:


    1. Business and financial risks: Business units and head office functions manage business continuity within their respective operational area of responsibility based on specified requirements. A process exists to regularly identify business and financial risks that could lead to material misstatements of financial information. The risks are reported by each sub-entity in a bottom-up process, and presented in quarterly business review meetings.


    2. Corporate responsibility: Corporate responsibility is integrated into the day-to-day business as well as M&A and strategic purchasing processes.


    3. IT and security: Within IT and security, potential threats to the IT environment are identified and plans are established to prevent problems in the continuity of the business. This area also covers preventive security measures and crisis management.


    Challenges in Control Environment:


    The control environment was not routinely discussed in executive or board discussions before the U.S. Sarbanes-Oxley Act of 2002 was enacted. Since that time, auditors have focused on evaluating the existence and execution of elements of the environment. Most discussions reflect how a positive control environment can strengthen the organization’s overall culture and ethics program. However, it can also be viewed in reverse — what risk does a poor control environment bring to the organization?


    “Tone at the top,” “management philosophy and operating style,” and “segregation of duties” are phrases commonly used to describe the control environment. These attributes are difficult to measure accurately. An environment that is not effectively evaluated, measured, and monitored may spawn many unacceptable internal and external risks.





    SBS Wiki


    As if the risk of an improperly functioning control environment is not enough, the concept is complicated when internal auditors attempt to communicate control environment weaknesses to management. Many organizations rely on questionnaires and anonymous surveys for their assessments. Organizations must proactively look through these techniques and evaluate the overall transparency of their assessment methods.


    The subjective, non-transaction-oriented nature of the control environment creates many challenges. Organizations establish policies, but as changes occur, those policies may no longer be effective. The control environment changes as well. To address the risk of a poor control environment, organizations must evolve their assessment methods.


    1. Tone at the Top


    An organization’s tone is often interpreted as the tone conveyed by senior leaders. This makes evaluation a political hot potato. It can be perilous for internal auditors to advise management that certain actions may not be “setting the right tone.” Yet, to address the risk appropriately, auditors must provide assurance that the policies management has put in place are executed effectively. For example, Company A maintains an authorization policy for procurement professionals. On the surface, this appears to contribute to a strong control environment while mitigating the risk of conflict of interests. However, what if the policy does not cover strategic areas such as contract approvals, management overrides, and monitoring methods? Also, assume the policy was created strictly by the finance organization. Taken in the aggregate, each of these factors could create risk to the control environment.


    This situation creates a dilemma. How should these risks be communicated to management? What if issues are communicated, but management concludes the gaps are not significant concerns? Management’s basis for this conclusion may be that no actual problems have been identified to date. To address the risk appropriately, auditors must ask, “If an issue has not yet come to light or been identified, should that fact minimize the finding?”


    What if the auditor’s opinion of the gap’s severity differs from management’s opinion? Organizational leaders may push back if they receive a poor control environment assessment. An obvious step for internal auditors may be to speak to the audit committee, but this can be challenging. It may be difficult to communicate a control environment gap to an audience that has been preconditioned by management’s view.


    To resolve these dilemmas, auditors can:


    Ensure they have authority to analyze and communicate the situation beyond just the existence of policies.


    Ensure management understands the difference between a control gap and a control failure. It is important to know whether the gap has created a failure, but the fact that it hasn’t failed to date should not minimize the impact of the gap. The inability to recognize this cause-and-effect relationship will put the control environment at significant risk.


    Encourage independent communication with board members. If management and the auditor disagree about the severity of the issue, the board must be open to both sides of the argument.




    2. Management Philosophy and Operating Style


    Philosophy and operating style include how management executes its day-to-day responsibilities and the manner in which executives provide overall direction. Consider an example of quarterly attestations and their impact on the control environment. These procedures often involve business-unit managers providing personal subcertifications on controls for their areas of responsibility.


    Assume the procedure for quarterly attestations was established several years ago. The subcertification states: “To the best of my knowledge, internal control procedures and financial information within my area of responsibility are accurate and complete.” The certification was originally accompanied by specific training for the business-unit leaders. Fast forward several years. Many personnel signing the attestations are individuals who have been promoted into new positions but have not been trained on the attestation requirements. New management views the process as a “step” they must complete each quarter because of compliance requirements. If the auditor assumes the standard process of attestation is effective, there may be a risk to the control environment. Because the attestation is a simple signature, the risk exists that management is simply following a legacy process and does not understand the need for disclosure controls. Outlining the risk may convince management to re-evaluate and solidify the process.


    3. Segregation of Duties


    A strong control environment can only be supported through appropriate segregation of duties. Segregation of duties assists in mitigating the potential for one person to maintain control over an entire process, and thus the opportunity to perpetrate some undesirable behavior. When evaluating the sufficiency of segregation of duties, internal auditors examine responsibilities around transaction authorization, recording, custody of assets, and reconciliation. Depending on organizational resources, it may not be possible for the organization to fully implement appropriate segregation of duties. In this situation, auditors must assess the risk embedded in the processes, attempt to quantify the risk, communicate their observations to management, and provide alternative methods by which management can monitor transaction activity or provide additional checks and balances for the process.
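The evaluation described above can be turned into a repeatable check over a role export. The following is an added example, not code from SBS and Company LLP: it groups the four duty classes the text names (authorization, recording, custody, reconciliation) per person and per process, flags any conflicting pair, and marks whether management has registered a compensating monitoring control for cases where full segregation is not feasible. The severity matrix, the user/process assignments and the compensating-control register are constructed assumptions for illustration.

```python
"""Segregation-of-duties conflict check over a constructed assignment table.
Added example; the conflict matrix and sample data are assumptions, not the
page's own data."""
from collections import defaultdict
from itertools import combinations

# The four duty classes the text says auditors examine.
AUTHORIZE, RECORD, CUSTODY, RECONCILE = "authorize", "record", "custody", "reconcile"

# Assumed conflict matrix: duty pairs that, held by one person for the same
# process, let that person both act and cover the act, and how severe each
# combination is treated. Tune this to the organization's own risk appetite.
CONFLICT_SEVERITY = {
    frozenset({RECORD, CUSTODY}): "high",       # handles the asset and the books
    frozenset({AUTHORIZE, CUSTODY}): "high",    # approves and handles the asset
    frozenset({AUTHORIZE, RECORD}): "medium",
    frozenset({RECORD, RECONCILE}): "medium",   # reconciles own entries
    frozenset({CUSTODY, RECONCILE}): "medium",
    frozenset({AUTHORIZE, RECONCILE}): "low",
}

# Constructed sample assignments: (user, process, duty). In practice these
# would come from an IAM or ERP role export.
ASSIGNMENTS = [
    ("alice", "accounts_payable", AUTHORIZE),
    ("alice", "accounts_payable", RECORD),      # constructed medium conflict
    ("bob",   "accounts_payable", CUSTODY),
    ("bob",   "accounts_payable", RECONCILE),   # constructed medium conflict
    ("carol", "payroll", RECORD),
    ("carol", "payroll", CUSTODY),              # constructed high conflict
    ("dave",  "payroll", AUTHORIZE),
    ("erin",  "payroll", RECONCILE),
]

# Constructed register of compensating controls: (user, process) pairs whose
# activity management independently reviews (e.g. second-person log review).
COMPENSATING_CONTROLS = {("bob", "accounts_payable")}


def duties_by_user_process(assignments):
    """Group duties per (user, process); conflicts are judged within one process."""
    held = defaultdict(set)
    for user, process, duty in assignments:
        held[(user, process)].add(duty)
    return held


def find_sod_conflicts(assignments, compensating=frozenset()):
    """Return findings (dicts) sorted by severity, then user, then duty pair.

    A finding is 'compensated' when a monitoring control is registered for that
    user/process, the alternative the text describes when segregation cannot be
    fully implemented; it is still reported so the residual risk stays visible.
    """
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for (user, process), duties in duties_by_user_process(assignments).items():
        for a, b in combinations(sorted(duties), 2):
            severity = CONFLICT_SEVERITY.get(frozenset({a, b}))
            if severity is None:
                continue
            findings.append({
                "user": user,
                "process": process,
                "duties": (a, b),
                "severity": severity,
                "compensated": (user, process) in compensating,
            })
    findings.sort(key=lambda f: (rank[f["severity"]], f["user"], f["duties"]))
    return findings


def uncompensated_high(findings):
    """The subset to escalate first: high severity with no compensating control."""
    return [f for f in findings if f["severity"] == "high" and not f["compensated"]]


if __name__ == "__main__":
    report = find_sod_conflicts(ASSIGNMENTS, COMPENSATING_CONTROLS)
    for f in report:
        status = "compensated" if f["compensated"] else "UNMITIGATED"
        print(f'{f["severity"]:6} {f["user"]:6} {f["process"]:16} '
              f'{"+".join(f["duties"]):20} {status}')
    print(f"{len(uncompensated_high(report))} uncompensated high-severity finding(s)")
```

Run against the constructed data, the check reports three conflicts: carol (record + custody in payroll, high, unmitigated), alice (authorize + record, medium, unmitigated) and bob (custody + reconcile, medium, compensated by the registered review). Keeping compensated findings in the report rather than dropping them is deliberate: it is the quantified residual risk the text asks auditors to communicate, not a sign that the gap has gone away.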


    A Thorough Assessment of Control Environment


    The control environment is the foundation upon which an organization can effectively execute strategy. If management focuses only on “check the box” activities, it will miss critical attributes that may result in major gaps that ultimately impact the organization’s viability and control environment. That is why it is important for internal auditors to fully assess gaps or flaws and provide adequate assurance regarding the sufficiency of controls.
