For the control environment unacquainted and internal controls well versed alike!
Lots of definitions of internal controls one would come across over the internet but are they worth the knowledge required? From the generic understanding of controls to the specific perspectives in which these are defined, do they really serve the practical understanding desired?
But before you start scratching your head, let’s try to put up a basic understanding through a relational equation:
OBJECTIVES → PROCESSES / ACTIVITIES → RISKS
⇔
CONTROLS
Yes, controls sit at the center; these are what help you achieve your objectives as otherwise foreseen and unforeseen risks impacting the processes and activities will run amok! Objectives are also established through a controlled process to ensure these are aligned to the entity’s strategy and direction. Finally, all processes and activities are designed to have these; no matter how basic or flawed.
Agreed there are upside risks too, but they also need to be controlled to yield the expected benefits; you might secure a greater benefit from these but without controls the costs could run high, the process unreliable and the accomplishment unsustainable.
Impacts of downside risks in absence of controls; well you can imagine yourself!
So now enough of this here and let’s get to why and when controls might not matter.
Ever heard of Control Environment? It occupies the topmost slot at the COSO’s Internal Controls; Integrated Framework and rightfully so! But what is it? Simply put, it is the “Tone at the Top”. Let’s now see what that means.
The Framework lists down the following principles of the Control Environment component:
- Demonstrating commitment to integrity and ethical values
- Exercising oversight responsibility
- Establishing structure, authority and responsibility
- Demonstrating commitment to competence
- Enforcing accountability
Although there’s hardly anything one could think of adding to these immaculately advised principles, I would like to add personal/professional attributes here, i.e., the people responsible for the control environment should be competent, have established ethical credentials and are known to be goals centric!
You see, it’s imperative that people responsible for the control environment have these attributes to exercise the responsibilities expected in the principles. These are the people who sit at the highest levels of an entity, Board and Executive Management, those charged with governance. They are the guardians of the trust of the owners and are the executioners of the entity’s vision and mission. That’s what Tone at the Top means.
So, you must by now be thinking that this was easier to grasp. That if the controls are ineffective or do not function as intended, the aforementioned principles of control environment must have been violated or are non-existent. Well, not just that. If you read between the lines, it means that these principles are non-issues for those charged with governance.
And these could only be non-issues, when those charged with governance are not concerned with the goals of the entity, have been known to have an ethical approach that’s wholly rhetorical and are not focused on competence.
As for the principles, let’s dive deeper through some examples:
| Principles | Examples of being quite the opposite* |
| Demonstrating commitment to integrity and ethical values | Expect others to conduct ethically but do not lead by example when expected. |
| Exercising oversight responsibility | Provide no direction, review, supervision or improvement recommendation. |
| Establishing structure, authority and responsibility | Frequently violate structure and system, promote ad-hocism, disregard authority, do not delineate responsibilities. |
| Demonstrating commitment to competence | Reward and promote people on personal likes, outside a fair system |
| Enforcing accountability | Do not offer themselves for accountability and do not practice self-accountability. |
*These are telltale signs of when controls stop being meaningful.
The controls would matter only when Tone at the Top is unflinchingly resolute about the control environment principles. Since decisions made in this regard impact entity’s viability and sustainability, when those charged with governance have the attributes, we covered above they never would think otherwise of the principles.
The systems for monitoring and evaluation, testing of controls, improvement advisories only add value in a control environment that’s based on these principles. Because only these entities are constantly looking to improve and evolve, aiming for excellence while achieving perfection on the way!
As for the auditors who are required to work for/in a control environment that’s not based on these principles, just focus on getting the engagements checked off your audit plans heads down.
The only thing you should be concerned in such entities is your payday!