Strong Controls, but the Wrong Controls
by David R. Hancox, CIA, CGFM
Guidance on internal controls is important and the seminal document Internal Control – Integrated Framework issued by the Treadway Commission’s Committee of Sponsoring Organizations provides a great framework for organizations to follow. This document, commonly known as the COSO Report, identifies five components of a good control system: the control environment, risk assessment, control activities, information and communication and monitoring. These components, working together, provide the framework for an effective system to assure an organization complies with laws, rules and regulations, produces reliable financial data and operates effectively.
Unfortunately, auditors and regulators often place too much emphasis on the wrong control components under the misguided premise that policies and procedures (control activities) are the most critical elements of an organization’s success. This misplaced focus causes managers to respond with strong preventive controls over day-to-day activities and ultimately frustrates efforts to correct the real problems in organizations. It’s time for auditors and regulators to identify the right controls that will prevent the past practices that have harmed major organizations based on the scandals that have occurred.
COSO identifies the control environment – management’s attitude, philosophy and operating style, the ethics and integrity of people in the organization, and the competence of people – as the most critical component. It is, according to COSO, the foundation of any control system. In fact, in the autopsies that have been done of the major scandals, time and again, the control environment is identified as the primary cause of the scandal – it is not the control activities or even the lack of them that causes the scandals. So why is there so much focus on policies and procedures?
Focus on Control Activities
Before we get to the reason for the focus on control activities, we should understand that most employees do not like being “controlled.” They inherently want to feel like a trusted and valued part of a team working towards a common objective. The more we try to restrict what people can do or require that they get someone else’s approval or permission first, the more we chip away at that feeling of trust and value. In fact, the more you try to control people, the more they rebel – strong controls, but the wrong controls. It becomes important, therefore, to understand which controls are the right ones to put in place.
Two issues drive auditors to focus on control activities. The first is that it is easy. Control activities are much more objective to assess than control environment issues. It is easy to read the policies and procedures that exist and it is easy to spot situations where duties should be segregated. It is also easy to review documents to see if the policies and procedures were followed – was an approval obtained when needed; were bids sought when required? It is much harder to assess management’s attitude, philosophy and operating style. It is hard to review the ethics and integrity of staff or to assess staff competence.
The second issue driving the focus on control activities rests with the professional guidance and requirements auditors follow. Both the Securities and Exchange Commission and its sister organization, the Public Company Accounting Oversight Board, have issued rules and standards that define internal controls over financial reporting as: “A process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
- Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”
It’s important that we be clear on this issue. Control activities and the corresponding policies and procedures are an essential component of a good control system. Unfortunately, the focus on control activities is often for the wrong reason. Auditors routinely recommend management segregate duties with the explanation that it is necessary to provide a check and balance on the duties of employees – but the underlying reason that comes through to the employee is often a message that we don’t trust our people.
Conversely, when you segregate duties, shouldn’t it be to assure efficiencies in the process and to allow employees to monitor their own work as a team and to correct any errors before the transactions are complete? Employees can accept this reason much more easily than a message that says – we don’t trust you! You also accomplish several objectives: you increase efficiency of operations, monitor operations and help prevent improper activities, all while creating the right control environment.
The Real Cause of Disasters and Scandals
Let’s examine a disaster and a scandal – NASA and WorldCom. These two organizations are typical of the many organizations that have confronted disasters and scandals over the years.
At NASA, seven people died when the space shuttle Columbia broke up on re-entry. The Columbia Accident Investigation Board concluded in assessing the cause of the accident, “Cultural traits and organizational practices detrimental to safety were allowed to develop, including: reliance on past success as a substitute for sound engineering practices (such as testing to understand why systems were not performing in accordance with requirements); organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion; lack of integrated management across program elements; and the evolution of an informal chain of command and decision-making processes that operated outside the organization’s rules.” This analysis focused on the real cause of the Columbia failure: issues that are not typical of the areas that auditors focus on when doing internal control reviews in an organization. The Investigation Board, though, rightly concluded it was the control environment at NASA that was flawed.
At WorldCom, the accounting problems that occurred resulted in the largest bankruptcy proceeding in U.S. history. In any large organization, senior management really has to work through others to “get things to happen.” In trying to manage results, WorldCom’s senior management had to work with the accountants in their accounting department to make the fictitious entries that would result in the appearance of improved financial performance. Toward that end, a number of ideas were pursued; the most significant one was making general journal entries moving line cost expenses to capital accounts. The basic principles governing when to capitalize a cost are simple and often taught in Accounting 101. If an item is to be capitalized, it has to have a useful life beyond a year, you have to have ownership and someone should be able to verify its existence. The accountants knew line costs at WorldCom did not have a useful life beyond a year because they really represented lease costs for lines owned by other telecommunication companies. These were simply day-to-day operating expenses.
Several accountants told their boss this transfer was not good accounting and should not be done. In fact, WorldCom even had an internal accounting policy that prohibited it. Two of the accountants actually thought about resigning instead of making the improper accounting entries. The accountants in the Accounting Department were not the only ones who knew something was wrong at WorldCom. After the general journal was adjusted, it became necessary for the Property Accounting and Capital Reporting Group to adjust its records to reflect the increase in capital assets. Many people in this group knew there was no supporting documentation for these entries and expressed concern – but they did not go outside their group with their questions.
Although the NASA (Columbia) disaster and the WorldCom scandal were quite different in nature, the root cause was remarkably similar. The root cause was the control environment – the same cause that can be traced to many of the other major scandals that have occurred in the past. It wasn’t the lack of policies, procedures or segregation of duties that caused the problems. It was the control environment and management that chose a certain course of action, including management override of otherwise effective policies and procedures, which resulted in the failures.
If we are to be successful as auditors seeking to find the real cause of the problems we uncover in an organization, we must begin to address all of the control components identified in the COSO Report. We need to assure that we really do understand the control environment and the information and communication systems that exist in an organization. These systems are much harder to assess than the other three components, but are just as critical in assuring the success or failure of an organization. How can we help foster communications, encourage ethical conduct and allow people to work together to prevent or detect errors during the process without onerous control activities that frustrate or discourage people? After all, most people want to do the right thing – we need to help them do it.
Former President Ronald Reagan in his farewell address to the nation on January 11, 1989 was talking about the need to develop a more positive relationship with the Soviet Union. He said, “We must keep up our guard, but we must also continue to work together to lessen and eliminate tension and mistrust. … And we’ll continue to work to make sure that the Soviet Union that eventually emerges from this process is a less threatening one. What it all boils down to is this. I want the new closeness to continue. And it will, as long as we make it clear that we will continue to act in a certain way as long as they continue to act in a helpful manner. If and when they don’t, at first pull your punches. If they persist, pull the plug. It’s still trust but verify. It’s still play, but cut the cards. It’s still watch closely. And don’t be afraid to see what you see.”
I think the same ideas apply to how we as auditors, regulators and managers should approach internal controls – create the right environment, create the right controls and watch organizations flourish.
Copyright – December 2006