Every step I take in learning new things about internal controls, audit or risk management, I like to take two steps back to see the basic concepts which I have learnt years back and see if I understand their meaning in full light. This post is an attempt to do the same. I had written about Internal Controls in an earlier post. That post tried to define Internal Controls by virtue of an example and in relation to the underlying objectives. This post however tries to define controls through answering the question of what is its purpose. Or rather philosophically, from the view point of control, by answering the question “Who am I?”. Mind you, this post is an exploration and therefore may tend to get dragging bordering on spirituality, value systems and existentialism. So bear with me. After all at the year end, one would assume that one looks inward to see what was accomplished in the past year and resolve to do better in the coming year. One is therefore allowed to be a little spiritual at this time. (Don’t worry I am kidding! ) So before I forget, wishing all my readers a Happy New year and hoping that your dreams come true in 2014.
We have always seen Controls from the purview of when they occur (eg. preventive or detective), from the purview of how frequently they are undertaken (daily, weekly etc.), based on who performs (manual, automated, IT Enabled etc.), based on maturity (adhoc, defined, optimized etc.), based on what stage they occur (transactional, monitoring etc.). All these seek to categorize the nature of controls, though its not sufficient to define “controls” in itself. However, they do throw a significant light on how a control has to be viewed.
Now coming to the essence. If you really look at it, a control would not exist if the underlying activity did not exist. I had spoken very briefly about this. Therefore, the purpose of controls is derived from the purpose of its underlying activity. I use the term “activity” very loosely here. It could also be a set of activities (which is otherwise defined as a “process”). The purpose of the underlying activity is precisely why the activity exists in the first place. Therefore, if there is no purpose for the activity, there need not be an activity and therefore, no controls. (Enter concepts of non-value added activities – eliminate them!)
Now how do we define “purpose”. One would say that they are nothing but “Business Objectives” – which is where the all important COSO definition of Internal Control arises from – which is fine, except that the definition links up controls directly with business objectives and rather forgetting the activities in between. Controls are on activities, sets of activities or the organization of various activities. All intended to ensure that these activities are consistently and continuously driven towards their intended purpose.
So we know why activities exist. But what does it require to ensure that its existence is purposeful? In other words – what is it that those activities need to possess in order to ensure that their purpose is served? Enter the simple term called Quality. Activities have to possess a certain amount of qualities to ensure that its purpose is reached.
Think about this example. Payroll processing is a set of activities, its purpose being to compensate for the resources an organization has engaged so that people get due consideration for their effort and drive the business. (Business objective is to drive the business itself, Payroll has to be processed if the resources that you are going to use are continuously and consistently available to you). A set of activities of payroll processing has to have a certain amount of qualities.
1. Every person should be paid correctly – its only fair i.e. it has to have the quality of “correctness” or “accuracy”
2. Every person should be paid – you cannot leave any body. i.e. it has to have the quality of “completeness”
3. No person who is not intended to be paid, should be paid – it has to have a higher quality of “integrity” etc.
Now see the purpose of controls. It’s goal is nothing but to ensure that the activities have the right quality. In that sense controls are nothing but guardians of quality of underlying activities. And they can operate at several levels. For example, an organization as an overall entity needs to operate in a certain structured manner so that the outcomes and behaviors are predictable. It has to have qualities of consistency, reliability and predictability. How do you build this? – You can do it by asking the organization to abide by a certain set of rules or standards – policies and procedures.
So when you look at this, business objectives drives sets of activities. Sets of activities need certain amount of quality. To ensure that quality you need to have certain controls. Those controls result in certain activities. These activities in turn may need controls to ensure that the “right quality” is reached. So where do we stop? That’s a balance an organization has to find for itself. And that’s where the concept of “reasonable assurance” comes in. You cannot ensure 100% quality of all underlying activities – where you decide its enough is your “risk appetite” – In other words you are saying “Its okay if a little goes wrong here”.
One more example to highlight this:
You need to hire the right amount of talent to achieve some of your business objectives. All activities directed toward this purpose need to ensure they have the following sets of qualities:
- It is known what kind of talent is required i.e. it has to have the quality of “specificity”. Reaching this specificity will drive certain further activities which in turn may need controls if its important enough. For example, this can be easily served by having proper job definitions to know exactly what kind of talent is required. – Further activities driven from this are a. ensuring every job has a job description (quality of comprehensiveness), b. All job descriptions are made to certain acceptable standards (quality of standardization) etc.
- It is known where to go and acquire i.e. again a quality of specificity. This may require further activities such as “hiring consultants” – which come with their own quality requirements, having and maintaining databases of people etc.
- All possible connections and approaches are adopted to ensure that you have the right person at hand – “Comprehensiveness”
So when designing controls or identifying controls, look at one consistent theme “What qualities should this activity possess and what needs to be done to protect that quality?” Now that the linkage between purpose, controls, activities and quality is known – it is not hard to figure out why you need to see the bigger picture. Activities or processes do not exist by themselves. They feed into certain higher level of activities and higher level processes – all to reach an organization wide purpose. It would help us as auditors not to be too myopic on our audit scope and enlarge our vision upwards to determine the right amount of “quality” and therefore the right type of “controls” to protect that quality.
CAclubindia
