|
© Matti Mattila, CPFA, CISA, CIA |
Obtaining Control Information
|
|
| Purpose And Sources
|
|
|
Control information tells whether basic objectives of a process are being attained
in an acceptable way or not, and what problems or other things worth attention have emerged.
Control information can be learned by comparing what is with what should be.
The latter is typically expressed in objectives and rules.
Information about “what is” is obtained by observing a process or by measuring its performance,
outcomes, effects and attributes, or by reading descriptions and feedback about them
- to mention some examples.
Examples of control information are information about error rates; exceptions; backlogs;
delays; losses; overflows; non-appearances; and absences in a process and its inputs or outputs.
The information can be delivered e.g. in management’s reports; statistics; logs and daily interaction.
|
|
|
One of the biggest challenges of internal control is to identify and record, process, store,
and put timely available necessary control information.
As process proceeds, control information is lost unless it is captured.
There is usually not much benefit from information exceeding needs for a job.
Too little information can be even worse,
because doubts that objectives have been not attained complying with rules may not be removed at all.
Control information needs of auditors and other such persons should be seen as well,
in order to contribute to conditions where they can do their job efficiently -
and thus save expenses of the organization.
As processes interact, one should take care, too,
that there will be left no areas where control responsibility is lacking or unnecessarily overlapping.
|
|
|
Control information should be - like audit evidence - relevant, reliable and sufficient,
i.e. control information should have bearing on the matter at hand,
be suitable or fit to be relied on, and meet needs of a situation [15].
If these requirement are not noticed well,
there is a risk of building a process where those in charge of controlling a process
have to accept poorer information than what would be available cost-effectively.
However, it may be not possible to acquire or use necessary control information at reasonable costs,
and one has to use other information instead of it.
|
|
|
A manager may be expected to accept expenses on basis of documents required by regulations
rather than by his or her factual control information needs.
E.g. accepting salaries, wages and other remunerations may take place on basis of a document
containing breakdown of remunerations by departments, employees etc. -
containing no revealing information about results of various checks,
reconciliation and other controls by payroll staff.
|
|
|
|
|
Some documented control information is still the same as decades ago:
signatures verifying that checks were made.
Signatures are expressions of responsibility.
They are not a guarantee that tasks for which a person is responsible have been properly performed.
If the tasks are not documented in sufficient detail, there is no guarantee,
how the task [in theory] should be performed. And even though documented procedures would exist,
if no other control information exists,
how much a signature as a piece of control information can be relied on?
|
|
| Technology As Control Enabler
|
|
Information and communication technology (ICT) an be an important enabler of cost-effective control,
when number of things due to be taken into account is large.
Machines can gather and analyse control information accurately, extensively and timely,
and deliver and keep the information and the results of analyses easily available [through ITC devices].
The advantage is evident compared to a situation,
where control information is unanalysed and dispersed in numerous documents.
However, such a system cannot be - easily or at all - created afterwards.
The fact underlines, once again, importance of proper design of internal control.
It is crucial for effectiveness and efficiency of a process
that control information is properly identified
and information needs are taken into account so early
that a process can be made to take care of them as automatically as possible.
|
|
| Requirements Of Roles
|
|
Everybody in the organization should understand what they need to know and what not,
and what to do with matters that are important to know, but which are unknown.
|
|
|
It is a task of persons accountable for a process, mostly seniors and managers,
to monitor on continuous basis, whether process proceeds as planned.
By means of proper monitoring accountable persons obtain important control information
and convey a message that [internal control] plan of the process shall be taken seriously.
If collecting key control information is left undone by persons in charge,
nobody else does it, and nobody knows how effective and efficient the process
and its internal control are.
In absence of such information unsolved problems have negative effects on the process,
and internal control cannot provide reasonable assurance
about attainment of basic objectives of a process in an acceptable way.
|
|
[15]
Penguin Books: The New Penguin English Dictionary [1986]
|
|