Intelligent Internal Control and Risk Management

Designing High-Performance Risk Control Systems

eBook - ePub

  1. 270 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
About this book

Many people in organizations resent internal control and risk management; these two processes represent unwelcome tasks to be completed for the benefit of auditors and regulators. Over the last few years this perception has been heightened by the disastrous implementation of Section 404 of the Sarbanes-Oxley Act of 2002, which is generally regarded as having been too expensive for the benefits it has brought. This important book offers a way of improving this prevailing perception and increasing the value of control and risk management by bringing creativity and design skills to the fore. The value of risk and control activities is often limited by the value of the control ideas available, and so Matthew Leitch provides an arsenal of 60 high performance control mechanisms. These include several alternative ways to design controls and control systems, as well as controls for monitoring and audit, controls for accelerated learning, and techniques for finding and recovering cash. This design material is combined with insights into the psychology of risk control, strategies for encouraging helpful behaviour and enabling change, and a surprisingly simple integration of internal control with risk management. The book is realistic, practical, original, and easier reading than most in the field. The material is not specific to any one country and has international appeal for internal auditors and all those concerned with risk management, corporate governance and security.


Information

Author
Matthew Leitch
Publisher
Routledge
Year
2016
eBook ISBN
9781317114840

PART I The Bigger Picture

1 How Much Improvement is Possible?

There’s a lot of scope for getting greater business value from risk control. Evidence that risk and control programmes add value is patchy. This may be because many don’t provide value but it’s also because little attention has been paid to assessing or improving the value they provide.
Here are two examples to illustrate the scope for improvement and some of the main reasons why the opportunities still exist. Both examples contrast two approaches to a similar problem to highlight the room for improvement.

Example 1: Sarbanes-Oxley versus Revenue Assurance

The driving force behind risk and control over the last few decades has not been value. More often what people want is ‘assurance’ – a feeling of comfort, some protection from losses or just from embarrassment. Most often it is external demands that cause action. Regulators demand improvements and auditors nag for them.
When an auditor, especially an external auditor, recommends an improvement to controls it is usually with little concern for the cost of implementing or operating that control. The auditor wants to feel ‘covered’ by having recommended doing something in the face of a risk that exists, at least in theory. It is then for executives to decide whether the control is worthwhile or not, or just go along with it so that they themselves are also ‘covered’ from criticism should anything go wrong. Things go wrong often in organizations large and small but failure to act on the recommendations of a respected independent expert could make those problems more damaging personally for the executives concerned.

SECTION 404 OF THE SARBANES-OXLEY ACT 2002

The way Section 404 of the Sarbanes-Oxley Act of 2002 has been implemented has made this all painfully clear. The fiasco started with a flurry of financial reporting scandals at Enron, WorldCom, and elsewhere in the USA, which gave the impetus needed for the Sarbanes-Oxley Act to be passed into law. The Act included sections on internal controls over financial reporting. Section 404 required an external audit to attest to the statement top management had to make about the effectiveness of its controls.
At the time this was thought of by politicians and officials as a small extension to existing external audits, and the average cost to companies listed in the USA was estimated at $91,000.[1]
The Act itself said very little in detail about controls or this new audit. The details were to be worked out by the Securities and Exchange Commission (SEC) and a new body, the Public Company Accounting Oversight Board (PCAOB).
The SEC decided that attesting to the statement on controls effectiveness made by top management could only be done if the external auditors did their own audit of internal controls in the company. Just looking at how management had gone about their assessment was not enough. They also decided that management should express their assessment of internal controls effectiveness as a black-and-white statement. Either the controls are effective or they are not. Even PricewaterhouseCoopers, the audit firm that has gained the most from Section 404, had not been promoting such an aggressive approach.
This, however, was just the first stage of interpretation to inflate the cost of compliance.
The PCAOB took their time deciding what audit standards to impose on external auditors. While they drafted their own proposals the gap was filled by guidance from the AICPA (American Institute of Certified Public Accountants) which was lobbying hard.
When the PCAOB’s key guidance, Auditing Standard No. 2, was issued it painted a picture of a highly detailed and dismally old-fashioned audit. Examples of tests made it clear that they imagined many more tests and much higher audit test sample sizes than external auditors had relied on in the past.
This crucial standard also missed great opportunities to promote cost-effective audits using some of the techniques in Chapter 7 of this book.
Next it was the turn of external audit firms to pump up the costs of compliance. The PCAOB’s guidance applied to external audit firms, not to companies. In fact there was little detail governing what companies did and this left many people asking for more ‘guidance’. The big firms were only too happy to meet this need and did so by issuing their own guidance documents, usually based on the idea that companies would do basically the same as external auditors were required to do, but more of it. PricewaterhouseCoopers issued what was probably the most comprehensive guide,[2] containing among other things tables of required test sample sizes and required coverage levels.
Nor was this the last stage of cost magnification because now the paranoia spread to companies. Desperate to comply and unsure about what was required to do so, many decided to give themselves a big safety margin and simply do a vast amount of work. They asked their auditors what would be enough, but auditors could not say for sure and if pressed for guidance they certainly weren’t going to suggest taking it easy. Consultants employed to help companies naturally reinforced these fears and quickly spread word of the rules laid down by the external audit firms. For internal controls specialists it was a feeding frenzy and the external audit firms roughly doubled their audit fees. Until early 2005 the dominant idea was to comply whatever the cost. Then the SEC asked companies for feedback.
Suddenly the floodgates opened and people began to feel empowered to speak out in public against what was happening. The big audit firms gave their view that things were working well, the requirements were sensible, companies and markets were seeing benefits, and things should be left as they were. They pointed to the large numbers of ‘remediation’ actions triggered by Section 404 audits as evidence that benefits were being enjoyed, though in practice many of these remediation actions were trivial or unnecessary. They pointed to benefits like improved understanding, documentation, and increased assurance.
But, with almost no exceptions, everyone else said the implementation of Section 404 had been too costly for the benefits gained.
The SEC and PCAOB reacted by blaming the external audit firms for taking an overly mechanical approach to the audits and in documents issued in May 2005 they countered various rules contained in the PricewaterhouseCoopers guide and others of its kind.
A year later the SEC again sought feedback on the implementation of Section 404. This time respondents commented in even stronger language (e.g. ‘staggering costs’, ‘unreasonably high’, ‘extreme conservatism on the part of the auditor community’). In response the SEC repeated its messages from a year earlier and began to criticize the PCAOB as well.
The story is still running, but at this stage it is clear that the costs of Section 404 were too high. The benefits are less clear since most people have avoided serious debate about them. The usual formula for comments is to say how much you support the aims of the Act before launching into criticisms of its implementation.
It is also clear that auditors, and especially the big external audit firms, have had a huge influence on the thinking behind internal controls and business risk management. They have written most of the guidance, though rarely published it themselves.[3]
Thanks to the Sarbanes-Oxley Act, and Section 404 in particular, the reputation of internal control and business risk management has been damaged severely.
All this is now quite well known in the world of risk and control, but fewer people have a clear idea of just how different things could be. Once you have the contrast it is easier to see the full extent of the value opportunity.

HOW IT COULD AND SHOULD BE: REVENUE ASSURANCE

Here’s an unforgettable example of risk control that delivered measured financial benefits, among others, far in excess of its costs.
In the 1990s telecommunications was a huge growth industry with national markets being opened up to competition, with new technology, the Internet, and high expectations. Such was the pace of change that most companies in this sector, the ‘telcos’, found it difficult to keep their billing systems up to date with their products, prices, and customer requirements.
At some point people began to realize that many bills sent to customers were incomplete. Customers who were prepared to pay for the services they had used weren’t even being asked to pay. How much money was involved? Nobody knew for certain but early examples included figures of over 10 per cent of revenue. In at least one case a new mobile service was launched before any billing capability existed, so it was given away free. More typically most people thought the lost revenue was usually somewhere between 2 per cent and 5 per cent of total revenue.
Notice that we’re talking about percentages of revenue, not profit. As a percentage of typical profits it was a much larger amount and the problem quickly got a lot of attention.
Teams were formed in most telcos to tackle this problem and the euphemistic name given to their activities was ‘revenue assurance’. In theory, the goal of revenue assurance was to provide assurance to management that all services provided were billed completely and accurately. In reality, everyone knew they were not being billed completely and accurately so the real goal was to reduce the size of the losses.
Very soon there were conferences on revenue assurance and dozens of software and hardware tools on sale to help do it.
Although the big audit firms quickly joined in, the main ideas on how to do revenue assurance tended to reflect quality management and engineering more than accountancy. This is because many people doing revenue assurance, being telecommunications people, had that kind of background and this helped them deal with the complex systems issues involved.
In the UK, the industry regulator, Oftel, introduced rules requiring the big operators in the UK to measure the accuracy of their ‘metering’ (i.e. the initial measurement of call durations and other details used in billing). Many years later this was extended to measuring the accuracy of bills themselves.[4]
Measurement could be done in various ways, but the most popular was to use electronic boxes that could make telephone calls automatically according to a prespecified schedule of times and durations and then compare calls made with the call records provided for billing. Many millions of calls were made this way every month.
As so often, regulation was driving internal control but this time telcos were doing revenue assurance for their own reasons. The UK regulations did no more than push them to an even higher level of accuracy than most thought worthwhile, and revenue assurance also thrived in countries without such regulations.
The direct savings and money recovered by back-billing customers could easily be calculated, even if the total benefits of the work could not be, and typically revenue assurance projects generated several times the money they cost.
New projects were justified on crude cost-benefit grounds without even trying to consider the impact on customers or work saved internally. Consultants offered to work on a commission basis, taking a percentage of the money saved or recovered.
Most revenue assurance projects relied heavily on software tools to make detailed comparisons between databases and search huge files for anomalies that indicated lost money. This combination of technology and money proved highly effective, even though the projects were often difficult to manage due to the high levels of uncertainty involved.
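The comparison the test boxes performed, and the kind of database-to-database matching the software tools did, can be shown concretely. What follows is an added example written for this page, not code from the book or from any telco's revenue assurance tooling. The test-call schedule, the call detail records (CDRs), the field names and the timing tolerances are all constructed assumptions; the point is the classification of every placed call as billed, unbilled, under-billed or over-billed, plus the CDRs that nothing explains.

```python
"""Reconciling scripted test calls against billing call records (CDRs).

Added example, not code from the book or from any operator. The test-call
schedule and the CDR set below are constructed; field names and tolerances
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tolerances. A real programme would derive these from the switch
# clock accuracy and the billing increment (often one second).
START_TOLERANCE = timedelta(seconds=5)
DURATION_TOLERANCE_SECONDS = 2


@dataclass(frozen=True)
class TestCall:
    """A call the test box placed, as logged by the box itself."""
    caller: str
    callee: str
    start: datetime
    duration_s: int


@dataclass(frozen=True)
class CallRecord:
    """A billing CDR as produced by the mediation/billing chain."""
    caller: str
    callee: str
    start: datetime
    duration_s: int
    charge_pence: int


def reconcile(placed, cdrs):
    """Match each placed call to at most one CDR and classify the remainder.

    Returns a dict of lists:
      unbilled        placed calls with no CDR at all (revenue lost outright)
      under_billed    CDR shorter than the call by more than the tolerance
      over_billed     CDR longer than the call (customer harm, regulator issue)
      unexplained_cdr CDRs on the test line that match no placed call
    """
    remaining = list(cdrs)
    findings = {"unbilled": [], "under_billed": [], "over_billed": [], "unexplained_cdr": []}
    for call in placed:
        match = None
        for rec in remaining:
            if (rec.caller == call.caller and rec.callee == call.callee
                    and abs(rec.start - call.start) <= START_TOLERANCE):
                match = rec
                break
        if match is None:
            findings["unbilled"].append(call)
            continue
        remaining.remove(match)  # each CDR may explain only one call
        delta = match.duration_s - call.duration_s
        if delta < -DURATION_TOLERANCE_SECONDS:
            findings["under_billed"].append((call, match))
        elif delta > DURATION_TOLERANCE_SECONDS:
            findings["over_billed"].append((call, match))
    findings["unexplained_cdr"] = remaining
    return findings


def leakage_rate(findings, placed):
    """Share of placed test calls that produced no CDR at all."""
    return len(findings["unbilled"]) / len(placed) if placed else 0.0


def build_sample():
    """Constructed schedule and CDRs exercising every outcome."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    box, far = "02071234567", "02079876543"
    placed = [
        TestCall(box, far, t0, 60),                          # billed correctly
        TestCall(box, far, t0 + timedelta(minutes=5), 60),   # no CDR: unbilled
        TestCall(box, far, t0 + timedelta(minutes=10), 60),  # CDR says 30s
        TestCall(box, far, t0 + timedelta(minutes=15), 60),  # CDR 3s late, ok
        TestCall(box, far, t0 + timedelta(minutes=20), 60),  # CDR says 90s
    ]
    cdrs = [
        CallRecord(box, far, t0, 60, 12),
        CallRecord(box, far, t0 + timedelta(minutes=10), 30, 6),
        CallRecord(box, far, t0 + timedelta(minutes=15, seconds=3), 61, 12),
        CallRecord(box, far, t0 + timedelta(minutes=20), 90, 18),
        CallRecord(box, far, t0 + timedelta(minutes=42), 15, 3),  # nobody placed this
    ]
    return placed, cdrs


def run_example():
    placed, cdrs = build_sample()
    return reconcile(placed, cdrs), placed


if __name__ == "__main__":
    findings, placed = run_example()
    for kind, items in findings.items():
        print(f"{kind}: {len(items)}")
    print(f"unbilled rate: {leakage_rate(findings, placed):.1%}")
```

The one-to-one matching matters: a naive join would let a single CDR "explain" several placed calls and hide a missing record, and the unexplained CDRs are worth as much attention as the missing ones, since they are exactly the pattern that produces the over-billing the regulator measured.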
Was this gold rush something that could only happen in telecoms? Perhaps few other industries will ever find such rich pickings from control improvements, and even in telecoms things are harder now, but telecoms is not unique.
True, the pace of change at telcos had been a factor, the complex technology had contributed, and it was difficult to detect incomplete billing without the opportunity to reconcile against physical stocks. On the other hand, these characteristics are not unique to telecoms billing.
Telcos found that the bills they received from other telcos contained an element of over-billing as well, so it was possible to save a lot of money by checking bills and challenging suspected errors. Internet sites turned out to have similar problems. Billing for engineering work proved unreliable.
Perhaps most frightening, or inspiring, is the fact that most of us involved in this work found many more problems with data and systems than their users imagined possible. People would think errors of a particular type were rare or even impossible, and be stunned when shown thousands of examples revealed by software interrogation.
If you are working in another industry and feel that it couldn’t happen where you work, don’t be so sure. Until you’ve looked, effectively and comprehensively, it is unsafe to be relaxed. A worthwhile number of errors may be only a tiny percentage of the total and so just checking a sample of 100 items, say, is of little use.
For example, one UK building society in the 1990s was considering changing its status to become a bank. The change required a vote by all ‘members’ of the society, which meant all account holders. Work to check this revealed that a number of accounts did not have customers associated with them. There was money, but no owner.
Detecting overpayment and double payment of invoices received is a traditional way for auditors to demonstrate their value and experts in this field say that certain types of invoice are a particular problem. It is sometimes called ‘recovery auditing’.
In 1998 the United States General Accounting Office made a report[5] to Congress on trials of recovery auditing carried out within the Department of Defense, with the help of external specialists. Overall the report gives encouraging information about the value of recovery audits, but also reveals some of the difficulties. At the time of the report the auditors had audited 80 per cent of the $7.2 bn of payments and found $19.1 mn of recoveries. This is a rate of 0.33 per cent, which is typical.
The $19.1 mn in overpayments included $12.4 mn of cash discounts missed or taken at the wrong rate, $2.2 mn from most favoured customer terms not being received, $1.3 mn because of duplicate payments made, and $1.2 mn from credits for returned merchandise not being taken.
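Two of the recovery categories above, duplicate payments and missed cash discounts, are mechanical enough to demonstrate, and the same block also puts a number on the earlier point that a sample of 100 items tells you little when the error rate is a fraction of a per cent. This is an added example written for this page, not code from the book, the GAO report or any recovery-audit firm; the ledger rows, the vendor payment terms and the helper names are constructed assumptions.

```python
"""Recovery-audit checks over a paid-invoice ledger.

Added example, not code from the book or the GAO report. The ledger, the
vendor terms table and all helper names are constructed for illustration.
Amounts are in integer cents to avoid floating-point money.
"""
from collections import defaultdict
from datetime import date
import re

# Assumed payment terms per vendor: (discount percent, days to earn it).
TERMS = {"ACME": (2.0, 10), "GLOBEX": (0.0, 0)}


def normalise_invoice_no(raw):
    """'INV-00123', 'inv 123' and '123' name the same invoice.

    Duplicates usually enter the ledger through re-keyed references, so
    strip everything but digits and drop leading zeros before grouping."""
    digits = re.sub(r"[^0-9]", "", raw)
    return digits.lstrip("0") or "0"


def find_duplicate_payments(ledger):
    """Group by (vendor, normalised invoice no, amount paid).

    Any group with more than one payment is a candidate duplicate; it still
    needs a human to confirm, but the matching is what finds it at scale."""
    groups = defaultdict(list)
    for row in ledger:
        key = (row["vendor"], normalise_invoice_no(row["invoice_no"]), row["amount_cents"])
        groups[key].append(row)
    return [(key, rows) for key, rows in groups.items() if len(rows) > 1]


def find_missed_discounts(ledger):
    """Payments made inside the discount window at the undiscounted amount.

    Returns (row, cents_recoverable) pairs."""
    out = []
    for row in ledger:
        pct, window_days = TERMS.get(row["vendor"], (0.0, 0))
        if pct == 0.0:
            continue
        paid_in_window = (row["paid_on"] - row["invoice_date"]).days <= window_days
        expected = round(row["gross_cents"] * (1 - pct / 100))
        if paid_in_window and row["amount_cents"] > expected:
            out.append((row, row["amount_cents"] - expected))
    return out


def sample_detection_probability(error_rate, sample_size):
    """Probability that a random sample contains at least one erroneous item,
    assuming errors are independent with the given rate."""
    return 1 - (1 - error_rate) ** sample_size


def build_ledger():
    """Constructed ledger: one duplicate pair, one missed discount, two clean rows."""
    return [
        {"vendor": "ACME", "invoice_no": "INV-00123", "invoice_date": date(2024, 1, 5),
         "paid_on": date(2024, 2, 1), "gross_cents": 125000, "amount_cents": 125000},
        {"vendor": "ACME", "invoice_no": "inv 123", "invoice_date": date(2024, 1, 5),
         "paid_on": date(2024, 2, 20), "gross_cents": 125000, "amount_cents": 125000},
        {"vendor": "ACME", "invoice_no": "INV-00200", "invoice_date": date(2024, 3, 1),
         "paid_on": date(2024, 3, 5), "gross_cents": 100000, "amount_cents": 100000},
        {"vendor": "ACME", "invoice_no": "INV-00201", "invoice_date": date(2024, 3, 1),
         "paid_on": date(2024, 3, 6), "gross_cents": 100000, "amount_cents": 98000},
        {"vendor": "GLOBEX", "invoice_no": "G-77", "invoice_date": date(2024, 3, 2),
         "paid_on": date(2024, 4, 1), "gross_cents": 50000, "amount_cents": 50000},
    ]


def run_example():
    ledger = build_ledger()
    return {
        "duplicates": find_duplicate_payments(ledger),
        "missed_discounts": find_missed_discounts(ledger),
        # 0.33 per cent is the DoD trial rate quoted in the text above.
        "p_sample_100_finds_any": sample_detection_probability(0.0033, 100),
    }


if __name__ == "__main__":
    result = run_example()
    print("duplicate groups:", len(result["duplicates"]))
    print("missed discount cents:", sum(c for _, c in result["missed_discounts"]))
    print(f"P(sample of 100 contains an error): {result['p_sample_100_finds_any']:.2f}")
```

At a 0.33 per cent error rate a sample of 100 items has only about a 28 per cent chance of containing even one error, so a clean sample says almost nothing; the checks above are cheap to run over the whole ledger, which is what the recovery auditors did.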
The auditors were required to audit invoices paid some years earlier and were handicapped b...

Table of contents

  1. Cover Page
  2. Half Title page
  3. Title Page
  4. Copyright Page
  5. Contents
  6. Tables
  7. Figures
  8. Introduction
  9. The Bigger Picture
  10. High Value Control Mechanisms
  11. Making Good Change Happen
  12. Index