The Risk in the Control Environment

Auditors need to think beyond check boxes to provide assurance that control processes are addressing risks.

The control environment was not routinely discussed in executive or board discussions before the U.S. Sarbanes-Oxley Act of 2002 was enacted. Since that time, auditors have focused on evaluating the existence and execution of elements of the environment. Most discussions reflect how a positive control environment can strengthen the organization's overall culture and ethics program. However, it can also be viewed in reverse — what risk does a poor control environment bring to the organization?

"Tone at the top," "management philosophy and operating style," and "segregation of duties" are phrases commonly used to describe the control environment. These attributes are difficult to measure accurately. An environment that is not effectively evaluated, measured, and monitored may spawn many unacceptable internal and external risks.

As if the risk of an improperly functioning control environment were not enough, the concept is further complicated when internal auditors attempt to communicate control environment weaknesses to management. Many organizations rely on questionnaires and anonymous surveys for their assessments. Organizations must proactively look beyond these techniques and evaluate the overall transparency of their assessment methods.

The subjective, nontransaction-oriented nature of the control environment creates many challenges. Organizations establish policies, but as changes occur, those policies may no longer be effective. The control environment changes, as well. To address the risk of a poor control environment, organizations must evolve their assessment methods.

Tone at the Top

An organization's tone is often interpreted as the tone conveyed by senior leaders. This makes evaluation a political hot potato. It can be perilous for internal auditors to advise management that certain actions may not be "setting the right tone." Yet, to address the risk appropriately, auditors must provide assurance that the policies management has put in place are executed effectively.

For example, Acme Inc. maintains an authorization policy for procurement professionals. On the surface, this appears to contribute to a strong control environment while mitigating the risk of conflicts of interest. However, what if the policy does not cover strategic areas such as contract approvals, management overrides, and monitoring methods? Also, assume the policy was created strictly by the finance organization. Taken in the aggregate, each of these factors could create risk to the control environment.

This situation creates a dilemma. How should these risks be communicated to management? What if issues are communicated, but management concludes the gaps are not significant concerns? Management's basis for this conclusion may be that no actual problems have been identified to date. To address the risk appropriately, auditors must ask, "If an issue has not yet come to light or been identified, should that fact minimize the finding?"

What if the auditor's opinion of the gap's severity differs from management's opinion? Organizational leaders may push back if they receive a poor control environment assessment. An obvious step for internal auditors may be to speak to the audit committee, but this can be challenging. It may be difficult to communicate a control environment gap to an audience that has been preconditioned by management's view.

To resolve these dilemmas, auditors can:

  • Ensure they have authority to analyze and communicate the situation beyond just the existence of policies.
  • Ensure management understands the difference between a control gap and a control failure. It is important to know whether the gap has created a failure, but just because it hasn't failed to date should not minimize the impact of the gap. The inability to recognize this cause-and-effect relationship will put the control environment at significant risk.
  • Encourage independent communication with board members. If management and the auditor disagree about the severity of the issue, the board must be open to both sides of the argument.

Management Philosophy and Operating Style

Philosophy and operating style include how management executes its day-to-day responsibilities and the manner in which executives provide overall direction. Consider an example of quarterly attestations and their impact on the control environment. U.S.-traded companies have procedures in place for affirmation of internal control processes under Sarbanes-Oxley Section 302. These procedures often involve business-unit managers providing personal subcertifications on controls for their areas of responsibility.

Assume the procedure for quarterly attestations was established several years ago. The subcertification states: "To the best of my knowledge, internal control procedures and financial information within my area of responsibility are accurate and complete." The certification was originally accompanied by specific training for the business-unit leaders.

Fast forward several years. Many personnel signing the attestations are individuals who have been promoted into new positions but have not been trained on the attestation requirements. New management views the process as a "step" they must complete each quarter because of compliance requirements. If the auditor assumes the standard process of attestation is effective, there may be a risk to the control environment. Because the attestation is a simple signature, the risk exists that management is simply following a legacy process and does not understand the need for disclosure controls. One solution is to review the Sarbanes-Oxley requirements and potential fines and liabilities to management for improper attestations. Outlining the risk may convince management to re-evaluate and solidify the process.

Segregation of Duties

A strong control environment can only be supported through appropriate segregation of duties. Segregation of duties assists in mitigating the potential for one person to maintain control over an entire process and thereby have the opportunity to perpetrate some undesirable behavior. When evaluating the sufficiency of segregation of duties, internal auditors examine responsibilities around transaction authorization, recording, custody of assets, and reconciliation.

Depending on organizational resources, it may not be possible for the organization to fully implement appropriate segregation of duties. In this situation, auditors must assess the risk embedded in the processes, attempt to quantify the risk, communicate to management their observations, and provide alternative methods in which management can monitor transaction activity or provide additional checks and balances for the process.

A Thorough Assessment

The control environment is the foundation upon which an organization can effectively execute strategy. If management focuses only on "check the box" activities, it will miss critical attributes that may result in major gaps that ultimately impact the organization's viability and control environment. That is why it is important for internal auditors to fully assess gaps or flaws and provide adequate assurance regarding the sufficiency of controls.

About the Author

Lynn Fountain, CGMA, CRMA, is an internal control, risk management, and business process consultant in Overland Park, Kan.