Corporate Defense Insights - Dispatches from the Front Line

Web AuditNet

Location: London
Author: Sean Lyons
Date: Wednesday, July 23, 2008

In this dispatch from the front line, Jim Kaplan, founder and CEO of AuditNet, shares with Sean Lyons his insights on the importance of internal controls and their role in corporate defense.


Sean Lyons: The COSO Integrated Controls Framework has been with us since 1992, and during this time there have been many changes and developments in the way in which organizations are managed. In your view is such an approach still relevant in 2008?

Jim Kaplan: In my opinion the COSO approach is as relevant in today's environment as it was when the sponsors met and agreed on a common framework for evaluating controls in organizations. COSO is dedicated to guiding executive management and governance entities toward the establishment of more effective, efficient, and ethical business operations on a global basis. It sponsors and disseminates frameworks and guidance based on in-depth research, analysis, and best practices. Control frameworks and standards must be able to adapt to changes in the environment, and COSO has done just that. While the original charter examined the causal factors leading to fraudulent financial reporting, they subsequently examined enterprise risk management and internal controls over financial reporting for small companies. The most recent draft document covers guidance on monitoring internal control systems. This demonstrates the commitment of the sponsoring organizations to ensure that changes in the business environment take into consideration control frameworks.

Sean Lyons: Section 404 of the Sarbanes-Oxley Act of 2002 requires organizations to report on the effectiveness of their internal control over financial reporting. From your experience what impact has this act had on how US companies view controls and the responsibility for controls within an organization?

Jim Kaplan: In my opinion companies have reached a point where they recognize the importance of controls and where responsibility has been assigned within the management structure. While the method of getting companies to this point may not have been ideal, it has had the impact of ensuring compliance through evaluation and reporting. Companies have implemented different approaches to reach the compliance mandate, but the important thing is that they are getting there. Controls are no longer viewed as a necessary evil but rather as a part of doing business, and an effective control system actually aids in achieving operating objectives.

Sean Lyons: Traditionally in many organizations internal controls have been fragmented throughout the organization, with the operational responsibility lying with individual business units. Where do you think responsibility for ensuring that the organization has an integrated internal controls framework in place should ideally be positioned within an organization's corporate structure?

Jim Kaplan: This is an area where each company needs to examine where oversight for an integrated internal control framework needs to be positioned. As senior management and the Board will ultimately be responsible, they should decide on an entity-wide approach to this issue and assign responsibility accordingly. Some companies have set up compliance officer functions while others have assigned the responsibility to internal auditors. The assigned unit should have the full support of management, the Board and the Audit Committee.

Sean Lyons: An organization's internal control requirements should reflect the organization's profile in terms of risks, threats and vulnerabilities. As these can obviously change over time, how can an organization ensure that their internal control environment is adaptable and flexible enough to address the changing nature of this profile?

Jim Kaplan: This is one of the reasons that there needs to be periodic reviews of the control environment. Through the natural course of events there will be new risks, threats and vulnerabilities over time, and the control structure must adapt to changes in the overall risk environment of the company. There should be a coordinated effort by the internal as well as the external auditors to monitor the controls environment and adapt to changes that take place in the course of business maturity. As the business experiences paradigm shifts that impact risk factors, the control environment must be reevaluated and modified to reflect changes.

Sean Lyons: Clearly control objectives should be aligned with business objectives at all levels, including strategic, tactical and operational. In your opinion what are the main obstacles which organizations face when attempting to address this challenge?

Jim Kaplan: While it may be clear regarding the alignment of control objectives with business objectives, this is an area where conflicts can sometimes arise. Organizations can no longer look at these areas in a vacuum based on the legal and regulatory requirements (Sarbanes-Oxley, Foreign Corrupt Practices Act etc.) that are now in place. Organizations therefore need to have a strategy in place that ensures a coordinated effort aligning the two. There should be a strategic plan in place that addresses business objectives in terms of compliance with control objectives. The reporting status of the Internal Audit function to the Audit Committee and Board can assist in ensuring that control objectives are closely aligned with business objectives.

Sean Lyons: Business process control objectives should focus on such issues as integrity (e.g. validity, accuracy, completeness), confidentiality or timeliness, etc., and the resulting control measures (e.g. preventative or detective) required to be put in place should be based on these control objectives. Can you suggest how organizations can best address this process in a systematic manner?

Jim Kaplan: The most obvious answer to this question is that a strong and disciplined internal audit function is the means to ensuring that control objectives and the control measures are in place and operating as intended. The organization's management is responsible for establishing and maintaining controls. The established policies and procedures should be clearly written and communicated to all personnel. Management needs to conduct periodic assessments of the control objectives and determine whether the control measures are reasonable and address risk exposures. The internal audit group should be examining and evaluating the control environment as part of their audit plan to identify and report on control weaknesses in the systems.

Sean Lyons: The control measures selected for implementation should reflect the level of comfort or confidence required by the organization while also considering the potential impact on the business process in terms of efficiency and effectiveness. This can often lead to disputes between the business and those responsible for controls. In your experience what is the best way of addressing this issue?

Jim Kaplan: There is a fine balance between the need for controls and the cost and impact of those controls on the business. When evaluating the control environment auditors must consider the risk exposure of the organization and the cost benefit of the control to cover that risk. Obviously if a control will significantly increase cost or impede the organization from operating in an efficient and effective manner, then the auditor needs to consider the efficacy of recommending such action. However there are some situations in which the risk is so great that, in the auditor's opinion, the absence of a control could impact the continuation of the business. The best way to ensure that controls are necessary and reasonable is for the auditors to discuss with management the risk exposures and possible control solutions that will meet management's objectives while minimizing the business impact.

Sean Lyons: Improving technological solutions has resulted in many organizations replacing traditional manual controls with automated control processes. A strong case can be made for this in terms of cost savings; however, some commentators suggest that moving towards complete automation can create its own new set of risks which can potentially outweigh any cost savings. Do you have a view on this, or do you think it possible to achieve a happy medium?

Jim Kaplan: Obviously there will be risks associated with automated control solutions. This merely highlights the importance of a strong IT audit presence. Technology advances mean that auditors can no longer look at reviewing systems and transactions from a historical perspective. The advent of continuous auditing or monitoring of automated systems is a necessity in the current environment. So the answer is yes, there are new risks that could outweigh potential cost savings. Mitigation of these risks can be accomplished by organizations having a strong audit function with auditors having the necessary skills to operate in this environment. Additionally these auditors need to have the appropriate automated tools, such as ACL, Caseware IDEA and other advanced data monitoring tools, to identify and detect control weaknesses and prevent, or at least minimize, significant losses.

Sean Lyons: We have seen many organizations address risk and compliance issues by setting up centralized functions requiring specialist skills in these areas. Some believe that in general there is not a sufficient appreciation of the specialist skills and expertise required in order to manage the required control infrastructure. In your view does the importance of internal controls warrant the set-up of a specific internal controls function within an organization similar to a risk or compliance function?

Jim Kaplan: In my opinion the responsibility for reviewing and evaluating internal controls rests with the internal audit function within the organization. By design external auditors will also review controls as part of the assurance function. When organizations set up multiple centralized functions it raises the possibility of internal conflicts. If organizations choose to go this route, then there needs to be coordination between the units to ensure that there is no duplication of effort. Obviously there are costs associated with setting up multiple units for compliance and oversight, and to do so without coordination does not make good business sense.

Sean Lyons: Effective controls require investment; however, tangible returns on control investment are difficult to calculate. What advice would you give to those responsible for internal controls when preparing to put forward the business case for control investment within their organization?

Jim Kaplan: When making the business case for control investments within their organizations, I would advise managers to take into consideration both the actual as well as the intrinsic costs and values of control investments. The risk criteria must include both financial and non-financial items. For example, here is a list of risk factors used by one internal audit function:

IMPACT RISK FACTORS

  1. Volume and Dollar Value of Transactions
    A measure of exposure from the volume and/or dollar value of transactions.
    Select the higher value of either the annual volume or annual dollar value
    when scoring the risk factor. (Weight 10%)
  2. Financial Statement Significance
    A measure of exposure arising from the entity's relationship to the asset,
    liability and revenue accounts. (Weight 5%)
  3. Proprietary Nature of Information
    A measure of the degree of loss or embarrassment from the misuse of
    information produced or collected by the entity's operations. (Weight 10%)
  4. Impact on Reputation
    A measure of the reputation effect on the organization, the business entity
    and/or customers resulting from a process or control breakdown. The greater
    the potential negative effect, the greater the impact scoring. (Weight 20%)
  5. Impact on Customers
    A measure of the effect on customer services resulting from a process or
    control breakdown. Activities performed incorrectly or inefficiently that
    result in disruption, delay or slow down of delivering services to customers
    will have a high impact score. (Weight 20%)
  6. Failure to Meet Organizational Goals and Objectives
    The greater the effect that a business unit or process has on organization
    or department strategic objectives and goals, the greater the related impact
    score. (Weight 15%)
  7. Regulatory Scrutiny and/or Penalties
    The greater the extent that activities are covered by enforceable standards,
    regulations and/or legal requirements, the greater the possibility of
    noncompliance. (Weight 20%)

As mentioned before, the cost of the control should not exceed the benefits derived from implementing that control. But managers must be mindful of the difficulties in assigning dollar values to risk criteria.

Sean Lyons: What do you consider to be the biggest challenge currently facing those responsible for internal controls in terms of getting business buy-in on the importance of controls to an organization, and generally speaking from the business perspective how important are controls to an organization?

Jim Kaplan: In the current business environment controls are perhaps more important than ever. When the economy turns south there is enormous pressure levied on individuals and business managers. According to research conducted by the Association of Certified Fraud Examiners (ACFE), U.S. organizations lose an estimated 5 percent of annual revenues to fraud. When the economy suffers, organizations with weak internal controls could see an increase in fraud for the benefit of the individual as well as fraud perpetrated by managers seeking to mask poor performance. Also, as businesses retrench and lay off employees, the ability to segregate duties becomes an increasing challenge. When this happens it is important that managers initiate controls to mitigate the risk of fraud and misappropriation due to inadequate segregation of duties.

Sean Lyons: Other defense related activities such as governance, risk management, compliance, intelligence, security, resilience and assurance all heavily rely on the quality of the internal controls in place. In your view where do internal controls currently fit into the broader concept of corporate defense, and how do you see its impact developing going forward?

Jim Kaplan: Internal controls are an important component of the corporate defense scheme and will continue as long as a business exists. Organizations must also implement other initiatives such as employee fraud awareness programs to highlight that fraud and internal controls are the responsibility of each and every employee within an organization. In a recent survey conducted by AuditNet (www.auditnet.org) 62.3% of the individuals responding indicated that their organization did not have a fraud awareness training program. This goes to the basic premise as to who is responsible for internal controls within the organization. Managers have the responsibility to establish and maintain adequate controls to minimize risk. Every employee should also be aware of situations where controls are not working. Organizations need to have a program such as a fraud reporting hotline in place to handle employee reporting of control weakness. There also needs to be an effective internal audit function in place that ensures that internal controls are in place and operating as intended. The internal control framework has many components and they must all be considered by corporate management.