The article discusses the challenge of measuring internal control effectiveness within organizations, specifically within the COSO framework. It emphasizes the need for reasonable assurance rather than absolute control, encouraging periodic checks on high-risk processes. It suggests organizations regularly review and update controls for relevance and effectiveness to ensure organizational objectives are met.
If the objective of COSO and other control frameworks is reasonable assurance of control – then how do you know whether you have reached the reasonable point? Can you spend too much time, talent and treasure on control? How do you know when you don’t have enough?
The Problem of Measurement
Here is a thought exercise. Assume you manage about 10 people. How many tasks per day are these people doing? Maybe one per day, maybe a thousand, but let’s settle on 1 task every 5 minutes: 12 an hour, for 96 (rounded to 100) per day. This means that in your team of 10, every day there are about 1,000 ‘things’ being accomplished.
At the same time, how many controls does your team have? See my second blog, ‘A List of Internal Controls’, for controls that are applied against a myriad of business processes. Thus the reconciliation control is used for an accounts payable invoice, a sales order, a check of raw material inventory or the delivery of the product to the customer. At the end of the day, though, let’s say you are responsible for 100 controls (e.g. monthly reports, yearly performance appraisals, system validation – controls add up pretty fast).
Multiplying the number of daily tasks, 1,000, by the number of controls, 100, means that there are about 100,000 control points for which you as a manager are responsible every day – and this is just for a team of 10. What if you are the CEO and have 10,000 employees? That is tens of MILLIONS of control points every day!
Of course it is not only quantity; the complexity and quality of the tasks/decisions count as well. For example, as a bank trader you may only make 10 decisions a day, but if they can bring down the bank then the point stands. Which leads us to reasonable assurance.
Reasonable Assurance is a Manager’s Friend
Accountants and COSO anticipated the measurement problem, which is why reasonable assurance – rather than absolute assurance – is expected of organizations. Reasonable assurance means that the manager is perhaps checking once a week or once a month on a few of the 1,000 tasks per day of the employee, and the organization checks the highest priority/risk business processes/controls periodically. The rest of the time the tens of millions of things per day are done by competent staff who are aware of their own relevant controls and are enabled to do the best job possible in accomplishing organizational objectives.
And Then the Police Raid Your Office…
Of course there are some definite signs that you have too little control: the police are removing the corporate computers, the CEO is doing the perp-walk on national television, a Nigerian Prince is the new CEO or the Accounts Payable clerk just bought his second home in the Grand Cayman. Short of these obvious signs though, is there a way to measure control?
COSO and Measurement
Monitoring Activities is one of the COSO five Components and Reporting is one of the three objectives as demonstrated in the COSO cube below.

In other words, measuring and monitoring of Internal Control is central to the COSO (and other) frameworks. Great, but measure what, monitor whom, collect what data, and compare it to what and when?
COSO as an Instrument of Measurement
The front face of the COSO framework provides a construct for measuring control. Below each of the five components are seventeen individual principles and then eighty-seven Points of Focus, as demonstrated in the following table (courtesy of Deloitte):

While 87 Points of Focus is a good start, I plan to add a few of my own. For the moment though, for each of the Points of Focus the following drill down (and up) is possible:
Drilling down:
- Point of Focus is measured by…
  - Existence of Policy and Standards, which are implemented through…
    - Business Processes and Process Guidance, by…
      - Competent staff, contractors, outsource partners, etc., which
        - Contribute at an atomic level to an organizational objective
          - Which can be measured directly or indirectly
Drilling back up:
- Competent staff, contractors, outsource partners, etc., which
  - Contribute to a process performance measurement, through…
    - Business Processes and Process Guidance, which
      - Can support (or change) a Policy/Standard, i.e. the…
        - Existence of Policy and Standards, which
          - Yields a Point of Focus Rating for a time period and business entity
One Point of Focus Example
Here is one example for one Point of Focus:
- COSO Principle 1, Commitment to Integrity and Ethical Values
  - Point of Focus, Establish Code of Conduct
    - Measurements:
      - Does the organization have a Code of Conduct?
      - Has the Code been reviewed in the past 2 years for any relevant changes to the environment or circumstances?
      - Is the Code publicly available and displayed within the organization?
      - Are staff required to periodically review and re-affirm their adherence to the Code?
      - Are contractors or outsource partners required to affirm the organization’s Code or its equivalent?
      - Are Senior Managers required to publicly review and re-affirm their adherence to the Code?
      - Does the board or equivalent publicly review and re-affirm their adherence to the Code?
You Can Measure Some of the Points of Focus Some of the Time…
Different organizations will need to focus on different points within the COSO framework on a risk-assessed basis. Thus one organization may focus for a few years on the importance of Board-level control and behaviour because of a recent change in ownership, while another may focus on technology because new entrants into the market are causing digital disruption.
Each year the organization should perform an assessment and identify a Point of Focus to concentrate on but without abandoning prior successes and achievements. In other words, the COSO Assessment Tool is cumulative … with a caveat.
Introducing Principle 18 – Review, Revise and Retire
Although COSO has 17 principles, the Assessment Tool introduces principle 18: The Organization has established mechanisms to review, revise and retire controls. As the organization conducts reviews via the above COSO Assessment Tool it should be reviewing past work, updating as applicable and seeking opportunities to retire controls that are no longer relevant. This constant pruning of the control environment is critical to keep it healthy and relevant.
Note that this is stronger than the existing principles on monitoring and evaluating the controls. The problem with those principles is that they involve a lot of developing and checking for compliance, but not asking: is the control still doing what it was intended to do in the first place? One sure-fire way of pruning organizational deadwood is to end-date everything and then require its ongoing existence to be justified by a valid and continued business need. That leads us to the next step, so let’s get measuring!
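As an added illustration (not part of the original post or of any COSO tool) of the drill-down above and of principle 18: a small Python model that rates a Point of Focus for a reporting date from its yes/no measurements, treats evidence as expired once it is older than the question allows, and flags end-dated controls whose continued business need has not been re-affirmed. The questions are the Code of Conduct measurements from the text; all evidence dates, control names and end dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Measurement:
    """One yes/no question under a Point of Focus plus the date of its latest evidence."""
    question: str
    answered_yes: bool
    evidence_date: Optional[date] = None  # when the review/attestation last happened
    max_age_days: Optional[int] = None    # evidence older than this no longer counts

    def satisfied(self, as_of: date) -> bool:
        if not self.answered_yes:
            return False
        if self.max_age_days is None:      # no freshness requirement on this question
            return True
        return (self.evidence_date is not None
                and (as_of - self.evidence_date).days <= self.max_age_days)

def point_of_focus_rating(measurements: List[Measurement], as_of: date) -> float:
    """Share of measurements satisfied for the period ending at as_of (0.0 to 1.0)."""
    return round(sum(m.satisfied(as_of) for m in measurements) / len(measurements), 2)

def gaps(measurements: List[Measurement], as_of: date) -> List[str]:
    """Questions that fail, i.e. where the Point of Focus is not evidenced."""
    return [m.question for m in measurements if not m.satisfied(as_of)]

@dataclass
class Control:
    """Principle 18: every control carries an end date and must re-justify its existence."""
    name: str
    end_date: date
    justification_renewed: Optional[date] = None  # continued business need re-affirmed on

    def due_for_retirement(self, as_of: date) -> bool:
        renewed = self.justification_renewed is not None and self.justification_renewed > self.end_date
        return as_of > self.end_date and not renewed

def retirement_candidates(controls: List[Control], as_of: date) -> List[str]:
    return [c.name for c in controls if c.due_for_retirement(as_of)]

AS_OF = date(2023, 6, 30)   # constructed reporting date
CODE_OF_CONDUCT = [         # constructed answers and evidence dates
    Measurement("Organization has a Code of Conduct", True),
    Measurement("Code reviewed in the past 2 years", True, date(2021, 3, 1), 730),  # stale
    Measurement("Code publicly available and displayed", True),
    Measurement("Staff periodically re-affirm adherence", True, date(2022, 12, 15), 365),
    Measurement("Contractors/outsource partners affirm the Code", False),
    Measurement("Senior Managers publicly re-affirm adherence", True, date(2023, 1, 10), 365),
    Measurement("Board publicly re-affirms adherence", False),
]
CONTROLS = [                # constructed control register
    Control("Monthly AP reconciliation", date(2023, 12, 31)),
    Control("Legacy fax confirmation of sales orders", date(2023, 3, 31)),
    Control("Quarterly access review", date(2023, 3, 31), justification_renewed=date(2023, 4, 5)),
]
```

Run `point_of_focus_rating(CODE_OF_CONDUCT, AS_OF)` and `gaps(...)` per business entity and period to build the cumulative rating the text describes; `retirement_candidates(CONTROLS, AS_OF)` gives the pruning list for principle 18.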