Those four steps (plan, do, check, act) are intuitive and sensible. The 5
components of internal control, not so much.
Here is how I make sense of the five components (Warning: this appears
nowhere in COSO literature!):
First, the organization needs to ask what risks it is facing. Once they have
done this risk assessment, they can apply control activities to keep
those risks from occurring. Then valid reports need to be generated that
provide information and communicate with the stakeholders of the
organization who need to know how well the controls are working. The
organization should not just assume, but monitor to ensure, that the control
activities and reports they put in place to tamp down risk are working. And
all of this effort needs to take place within an encouraging, nurturing
environment that appreciates and supports controls.
Does it still sound like Greek? Don't worry. That whacky, un-intuitive model is
what this book is about, and my desire is that you feel more comfortable with
the COSO model when you are done reading. Let's begin with an overview of
the five components, starting where the cube starts, with the control
environment.
Do you care about the environment?
The control environment component directly addresses the attitudes of the
leaders of an organization toward controls. You will also hear this component
described as "tone at the top." If the leaders of an organization are
uninterested in excellence in operations, strict compliance with laws and
regulations, and accurate and transparent reporting, efforts toward those
objectives by the underlings will fail.
I have seen a wide variety of control environments, as I am sure you have.
Some control environments are strong and reassuring. Others vary from
strong to weak depending on who is in the leadership position at the
moment, and others are crazy disasters that eventually implode. And no
matter the size of your entity, the leadership's attitude permeates the whole
organization.
One of my jumbo clients sells groceries in 28 countries. Since I am also a
customer of this grocery retailer, I was very pleased to hear an executive in
charge of food safety initiatives talk openly and emotionally about his
responsibilities to keep customers safe. He began his presentation by
sharing the pictures of children in his briefcase that he looks at every day.
These were not pictures of his children, but children who had died of
food-borne illness from all food sellers (groceries and restaurants) in the United
States. Then he began to share statistics about how vulnerable children are
to food-borne illnesses. It was clear from talking to his grocery managers
that his serious attitude toward a serious risk had impacted controls.
If his powerful message permeated such a large organization, imagine how
much more the viewpoint of a leader in a small organization impacts
controls. Smaller organizations are particularly vulnerable to the attitudes of
the leadership.
Regrettably, I agreed to be the treasurer for a small organization, the local
chapter of the National Speakers Association, and served for three years. We
had about 30 members and 6 of them were on the board. The tone at the top
dramatically altered the control environment every time we elected a new
president.
Most of the members of the local chapter were motivational speakers, and
many of them thought that if you just believed something with all your heart
and mind, you could wish anything into existence. So, when I informed them
at our first board meeting that I had carefully looked over the books and that
we were close to bankruptcy, the response from the president was, "Well, if
we just think positive thoughts, everything will work out." A few meetings
later, my less-than-positive prognosis came true. We couldn't pay the hotel
after our monthly Saturday meeting.
The chapter's president conveniently disappeared after I informed her of this
fact. Luckily, one of our successful and moneyed members named Jim
stepped in and paid the bill.
Our new savior, Jim, was immediately appointed president. Jim was a six-and-a-half-foot-tall ex-Marine who knew how to lead. At our first board meeting,
he told the group that we were going to set a strict budget, and that we were
going to talk about it at every meeting. All expenditures had to be approved
by me before they were incurred. I silently clapped and cheered in my little
accounting heart! Everyone on the board was paying attention to my
financial presentation at meetings (or at least they looked like they were
paying attention), and I felt great about my role as treasurer. By the end of
Jim's term, we had built our bank account balance up to a healthy $14,000.
But, when Jim's term was up, the group elected sweet John to be our leader.
John preferred to spend the board meeting hugging and vision casting rather
than worrying about tacky old money. At our first meeting under John's
Recently, I bought a beautiful, jumbo Lexus sedan with 100,000 miles on it.
The sedan cost us around $18,000. We park my Lexus in the garage and
repair every little ding. The mini-van is always exposed to the weather, and if
it gets a ding, my husband reasons that it only adds to its character. Because
more of our money is at risk in the Lexus (and more of my ego is on the line
with the Lexus), we treat it better, and we endeavor to control what happens
to it. When a hail storm hits (as they do at least once a year here in Austin),
my husband's first question is, "Is the Lexus in the garage?"
What do you care about in your organization? Is it that your assets are
safeguarded? Is it that your customers and employees are safe? Maybe you
care the most about making a difference to the disadvantaged? While it
would be nice to have the time and the resources to worry and control
everything, no organization in the history of the world has been able to pull
that off.
What risk assessment does is lay out all of the possible things you might care
about on the table (or in an Excel table!). It gives you a way of ranking them
and deciding where you will focus your efforts. Controls cost time and
money, and you want to be intentional about applying them.
I have seen a wide variety of risk assessment models and risk assessment
documentation. You can really go nuts refining the risk assessment and
contemplating every eventuality, but at a very basic level, all you have to do
is decide if you care. Simply ask yourself what could go wrong. And if you
don't care about the resulting answer, you don't need any controls over it.
So, if I ask myself if I will care if my Lexus suffers hail damage, I would say
that I care; the mini-van, not so much.
What most people think of when they think of controls
The third component, control activities, is what most people think of when
they think of applying controls. Control activities include such things as
segregation of critical duties, transaction approvals, timely reviews of
transactions, and documentation.
The Green Book contains a fabulous list of control activities that we will
discuss in later chapters.
You aren't in this alone!