Are Your Internal Controls Effective and Efficient?

Published: October 01, 2010

This article examines the new reporting requirements for internal controls that follow the transposition of the 8th Directive into the national legislation of some European countries. Compliance with the Directive may offer companies that are not subject to the Sarbanes-Oxley Act the chance to benefit from this admittedly cumbersome exercise. How should a review of internal controls be carried out? How can it be linked to ERM reports?

The 8th European Directive (2006/43/EC of 17 May 2006)

The 8th European Directive supplements its two sister Directives (the 4th and 7th Directives, as amended by Directive 2006/46/EC), which dealt with corporate governance and with reports on internal controls and risk management systems from a specifically accounting viewpoint. This Directive is of major importance for business finance professionals.

In particular, it describes aspects of the independence of financial experts sitting on supervisory boards and other audit committees; the broader obligations of auditors in terms of financial reporting; auditors’ recommendations to audit committees; and the requirement to set up audit committees. It also addresses the requirements for more specific monitoring of supervisory audit bodies (i.e., supervisory boards and audit committees).

These new measures, which have been or should be transposed by the EU Member States, require, inter alia, the supervisory board to monitor the effectiveness of the risk management and internal control systems currently in place. Companies therefore have to comply with these new requirements, which have been laid down at European level [1].

It is desirable, at the very least as a first step, for a pragmatic approach to be adopted, its starting point being those main generic processes which are well known and understood within the company. The starting point is very often the adoption of guidelines or policies relating to risk management. This is a bottom-up process, like Enterprise Risk Management (ERM) reporting processes.

Internal controls and other existing procedures, together with any necessary improvements which may be made (parallels can be drawn with Sarbox) need to be formalised and documented.

Materiality thresholds (often comparable with those used in ERM reporting) must be defined, as well as the format and frequency of reports. The scope (perimeter) must also be predefined, broadly but not necessarily exhaustively. It must be possible to set a materiality limit that covers the principal and significant part of the activity (e.g., 80% of the main subsidiaries, which would typically cover more than 95% of turnover).

The prerequisite in terms of format is to establish a complete framework, most often in the form of a spreadsheet-type table. This matrix will enable all processes, sub-processes and their attributes to be consolidated in a systematic, co-ordinated and aligned way. The success and the quality of the outcome depend on the limit which has been set and the time spent achieving it. What is recommended is a gradual, progressive approach which can be improved over time (e.g., greater thoroughness, more completeness, wider scope, better quality of the information reported and described).

Matrix structure – an example

Risk management textbooks recommend that the starting point should be classic generic processes (see Table 1).

Organisational charts, descriptions of functions and tasks and even flowcharts are excellent reference points for those attempting to scale the internal controls mountain. A mountain offers a good comparison, given that the task seems so enormous to those setting out. It is true that internal controls can be found everywhere to some extent, but they are often neither written down (because they originate in some type of oral tradition) nor formalised and even more rarely monitored, with the result that they ultimately lack effectiveness and efficiency. The knack is to be comprehensive without getting swamped by too much detail. This is a risk experienced by many groups which have over-used their consultants. They have built up huge reporting structures consisting of hundreds of reports only to fail, over time, to achieve their aims. Excess is always harmful, not least when it comes to internal controls.

Evaluation objectives

The design of control matrices should be such that it enables visualisation of the main processes, with the implied killer question: What can go wrong? Next, once it is known what may not function properly, what are the checks and controls guarding against these eventualities? Are they effective and sufficient? If there are deficiencies, what plans exist to remedy them? How can the residual material risk be quantified? Once this initial exercise is complete, it must be updated and upgraded annually. The Chief Risk Officer (CRO) of the corporate centre will each year administer a self-assessment questionnaire to take a snapshot of the current state of internal controls. If responses are rated (assessed and quantified), this exercise can even be used as a Key Performance Indicator for management and to set objectives for managers (e.g., is the control environment ‘not reliable’, ‘informal’, ‘standardised’, ‘monitored’ or ‘optimised’ in terms of its level of maturity? Can the rating be improved in Y+1?). In the initial stages, it is highly desirable to start with a few pilot schemes within the group in order to test the procedures and matrices which have been drawn up. This will enable tables to be readjusted and populated with generic or specific processes or sub-processes.

Matrix structure – an example

The objective is to list, process by process, each risk that the internal control is supposed to limit or to prevent, to compare it in relation to recommended good practice and to describe it in a complete manner, indicating the management actions designed to remedy it over time.

Controls may be:

1. Effective (‘properly carried out’)
2. Partially effective (‘missing control step’, ‘missing action plan’, ‘not formalised’)
3. Ineffective (‘missing controls’)

Whatever the effectiveness of the control, a residual or even significant risk may remain to be reported, with a probability of occurrence and a (net) total amount to be estimated. This consolidated report should enable detection and prevention of any significant deficiency (that is, a deficiency less severe than a material weakness but which, either individually or when aggregated with others, is more severe than a simple deficiency). Such shortcomings may lead to important omissions or inaccuracies in the financial reporting. For each of them one should therefore ask the ‘5W’ questions: Who? When? Where? Why? What? By incorporating into the matrix the other checks and controls that the external auditors consider relevant, it is possible to reduce audit costs by reducing the number of tasks which need to be carried out.

Benefits of carrying out a review of internal controls

In most European countries, the control environment has changed markedly in recent years. In this context of constant change, it is necessary to concentrate and focus even more on the compliance function to ensure an appropriate control framework covering reports on key risks for the company.

Fortunately, these new legal constraints can have positive effects by improving organisation and reducing the occurrence of risks (e.g., increased segregation of tasks, policies and procedures, automated systems and interfaces, master databases which are protected and not accessible to users, effective regular reviews of analyses, reconciliation of accounts, application of the ‘four eyes’ principle) [2].

This is an opportunity to review the overall design of existing controls and to set up those which are missing. Since the exercise is gradual, over time one can adjust the focus to cover more and more entities and controls.

Carrying out a complete review of controls (both detective and preventive) can also protect revenue and leads to more effective back-up procedures, including Business Continuity Planning and Disaster Recovery procedures.

Yet another regulation offering opportunities

Optimists will see in this umpteenth new regulation an opportunity to improve the company’s health as regards preventing and detecting risks. Pessimists will see a new constraint which is either completely useless or disproportionate to possible returns. We prefer to come down on the side of the optimists, since there are so many advantages for those with the skills to ‘sell’ their project. A company and its Chief Risk Officer can make use of existing procedures such as flowcharts and walkthroughs to identify risks and measure controls. As with the ERM process, the CRO must be able to deploy communication, co-ordination and persuasion skills. Not a straightforward role, you might say. This overview of the state of controls will enable internal audit to standardise and systematise monitoring of the group’s various subsidiaries, while improving the process by reference to a benchmark for the group as a whole.

Quantification of residual risks caused by internal control failures

When internal controls are effective but leave a residual risk, or when they are only partially effective and a material risk therefore remains, the CRO should ideally report this. A preventive control, whether automated or manual, aims to stop a risk before it materialises; a detective control identifies an incident after the fact so that it can be corrected. One of the benefits of this exercise (whether Sarbox or similar) is the opportunity to automate manual processes, which by definition are never completely infallible. Even if quantification remains the main difficulty, when it is applied in a consistent and coherent manner it enables developments to be monitored through the internal controls, just as the controls themselves can be rated. Have we made progress compared to last year’s results? Are processes well documented and formalised? Measuring the net impact of a deficiency in dollars or euros (after applying a probability percentage) gives the CFO a more precise idea of the measures which need to be taken and their priority. What is the risk of a double payment or of fraud when purchasing plant or materials? Do we comply with current legislation? Do we take account of a client’s credit rating when we offer terms?

Starting with rather long lists of questions such as these, the matrix can be drawn up by type of activity and process, together with the financial impact of each item (where significant or appropriate). This provides a very useful management tool, although one which remains cumbersome to set up in the first place and restrictive thereafter. Where controls are deficient, making a reasonable estimate of a net impact and multiplying it by a probability (itself an estimate) is a tricky exercise which is often based on personal judgement and good sense. Precision is less important than adopting a consistent measurement which allows comparisons to be made over time. Past history and historical data can sometimes be useful for quantification. The impact to be evaluated is on EBIT(D)A and Free Cash Flow [3] (to capture the impact of cash and non-cash items alike).
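As an added worked example (not part of the original article), the following Python sketch encodes the matrix described above and in the earlier sections on scope, maturity rating and deficiency classification: each row pairs a risk with its control, an effectiveness rating, a maturity level on the article's five-step scale, and a net impact weighted by a probability. The sample entries, the materiality threshold, the subsidiary turnover figures and the 20% ratio used to separate a significant deficiency from a simple one are all constructed assumptions for illustration, not figures taken from the Directive or from the article.

```python
"""Control-matrix consolidation and residual-risk quantification.

Added example; not from the original article. Maturity scale and effectiveness
labels follow the article; thresholds and sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Maturity scale as named in the article, lowest to highest.
MATURITY = ["not reliable", "informal", "standardised", "monitored", "optimised"]
EFFECTIVENESS = {"effective", "partially effective", "ineffective"}


@dataclass
class ControlEntry:
    process: str
    sub_process: str
    risk: str            # "What can go wrong?"
    control: str         # the check guarding against it
    effectiveness: str   # one of EFFECTIVENESS
    net_impact: float    # estimated net loss (EUR) if the risk materialises
    probability: float   # 0..1, estimated likelihood over the reporting year
    maturity: str        # one of MATURITY
    findings: list = field(default_factory=list)  # e.g. "not formalised"

    def __post_init__(self):
        if self.effectiveness not in EFFECTIVENESS:
            raise ValueError(f"unknown effectiveness: {self.effectiveness!r}")
        if self.maturity not in MATURITY:
            raise ValueError(f"unknown maturity: {self.maturity!r}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must lie within [0, 1]")


def expected_loss(entry):
    """Residual exposure: net impact weighted by its probability."""
    return entry.net_impact * entry.probability


def classify(loss, materiality, significant_ratio=0.2):
    """Three-tier scale: losses at or above `materiality` are a material
    weakness; at or above `significant_ratio` of it (assumed 20%) a
    significant deficiency; anything smaller a simple deficiency."""
    if loss >= materiality:
        return "material weakness"
    if loss >= significant_ratio * materiality:
        return "significant deficiency"
    return "deficiency"


def consolidate(entries, materiality):
    """Per-process residual exposure, largest first, as a CFO priority list.
    Residual risk of effective controls is still counted, as the article asks."""
    totals = defaultdict(float)
    for e in entries:
        totals[e.process] += expected_loss(e)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(p, round(loss, 2), classify(loss, materiality)) for p, loss in ranked]


def maturity_progress(previous, current):
    """Year-over-year change in maturity steps for rows present in both years
    (positive means improvement against last year's self-assessment)."""
    prev = {(e.process, e.sub_process): MATURITY.index(e.maturity) for e in previous}
    return {k: MATURITY.index(e.maturity) - prev[k]
            for e in current if (k := (e.process, e.sub_process)) in prev}


def select_scope(subsidiaries, turnover_share=0.95):
    """Take the largest subsidiaries until they cover `turnover_share` of group
    turnover. Returns (names, fraction of subsidiaries, turnover covered)."""
    total = sum(subsidiaries.values())
    selected, covered = [], 0.0
    for name, turnover in sorted(subsidiaries.items(), key=lambda kv: kv[1], reverse=True):
        if covered >= turnover_share * total:
            break
        selected.append(name)
        covered += turnover
    return selected, len(selected) / len(subsidiaries), covered / total


# Constructed sample data (assumptions, not figures from the article).
MATERIALITY = 100_000  # assumed material-weakness threshold, EUR
SAMPLE_MATRIX = [
    ControlEntry("Purchasing", "Supplier payment", "double payment of an invoice",
                 "three-way match and duplicate-invoice check", "partially effective",
                 400_000, 0.10, "informal", ["not formalised"]),
    ControlEntry("Purchasing", "Supplier master data", "fraudulent change of bank details",
                 "four-eyes approval of master data changes", "ineffective",
                 1_500_000, 0.05, "not reliable", ["missing controls"]),
    ControlEntry("Sales", "Credit terms", "terms granted without a credit-rating check",
                 "credit limit enforced at order entry", "effective",
                 200_000, 0.02, "monitored"),
]
SAMPLE_PREV_YEAR = [
    ControlEntry("Purchasing", "Supplier payment", "double payment of an invoice",
                 "manual review of payment run", "ineffective",
                 400_000, 0.15, "not reliable", ["missing controls"]),
]
SAMPLE_SUBSIDIARIES = {"A": 500, "B": 300, "C": 120, "D": 50, "E": 30}  # turnover, EUR m

if __name__ == "__main__":
    for row in consolidate(SAMPLE_MATRIX, MATERIALITY):
        print(row)
    print(maturity_progress(SAMPLE_PREV_YEAR, SAMPLE_MATRIX))
    print(select_scope(SAMPLE_SUBSIDIARIES))
```

With the constructed data the purchasing process alone carries EUR 115,000 of probability-weighted exposure and is flagged as a material weakness, the sales row stays a simple deficiency, the supplier-payment control has moved up one maturity step since the previous year, and four of the five subsidiaries (80%) are enough to cover 97% of turnover, which is the kind of scope limit the article suggests. The point is not the numbers but that the same scoring is applied every year, so the Y+1 comparison is meaningful.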

Conclusion

A regulatory constraint can sometimes turn into an opportunity to review and formalise internal processes. Examining these often proves that there are numerous gaps to fill. This process is never superfluous or useless. Its regulatory and compulsory aspects may help to sell a project which otherwise would have been rejected or referred back. Every cloud does indeed have a silver lining.

Article Last Updated: May 07, 2024
