|
© Matti Mattila, CPFA, CISA, CIA |
| Features Of [Control] Environment
|
|
|
Control environment are the behavioural circumstances [within an organization]
affecting the achievement of internal control objectives.
These circumstances are actually in the minds of employees, affecting their behaviour.
Behaviours of employees affect each other as well.
All actions and neglects convey messages to those who witness and hear about them.
Employees observe what their superiors, peers and subordinates do in daily life.
In particular, employees pay attention to the examples given by managers at various levels.
Do managers really respect interests of the owners, or rather those of their own,
do they basically treat all employees equally, do they demand much enough from themselves,
do they follow the practices and rules of the organizations, etc.; the list of questions is long.
|
|
| Affecting Control Environment
|
|
|
The board or other such body or person is a key player in creating a positive control environment.
It should see that management of the organization respects rights,
risk appetite and justified expectations of the owners,
and that managers recognize their accountability.
In addition, the board or equivalent should consider management compensation systems
in their true aspects before introduction,
and monitor management’s operating performance, and ethical and legal compliance.
The compensation system should not tempt [too much] to unethical behaviour.
Big organisations should have an independent qualified audit committee
responsible for the appointment, compensation and
oversight of the work of auditors, and whom the outside auditors report directly [18].
|
|
|
Qualities of a carefully selected employee, too, may alter
due to pressures from within and outside of the organization [16];
an employee can become a fraudster. In the Loebbecke, Eining and Willingham model
[P(MI) = f (C, M, A)] likelihood of management fraud [P(MI)] is predicted
using variables more or less associated with control environment:
[C] the degree to which there exist conditions favourable to management fraud;
[M] the degree to which persons of authority have the motivate to commit fraud;
[A] the degree to which persons in authority have attitude or ethical values
that facilitate fraudulent activity [17].
|
|
|
|
|
Another important player in control environment is management.
Managers affect control environment by implementing practices, policies,
and procedures and by following them.
They should set a positive ethical tone, provide guidance for proper behaviour,
remove temptations for unethical behaviour (e.g. ambiguous rules, ineffective controls),
provide discipline when appropriate,
and prepare a written code of conduct for employees [19].
They must make it clear, with words and actions,
that the organization will not tolerate behaviour and actions
that are in conflict with the organizations ethical values and rules,
that all employees, including managers, are accountable for what they do and what they leave undone,
and that each employee is expected to work and act responsibly and accomplish
what can be reasonably demanded from him or her.
|
|
|
Control environment cannot be maintained without providing discipline
when employees act against organization's values, guidance, and rules.
Discovering incidents soon and punishing the violators justly without delay
likely helps to reduce future occurrences.
|
|
| What Each Employee Should Know
|
|
|
Employees should be made aware of the organization's core values,
and what behaviours are acceptable and what not - with clear ideas and words.
The board - or other such body or person - and senior managers
should take care that all managers and other employees
|
| - |
learn and understand how they are expected to behave themselves
whatever they do within the organization and with the stakeholders of the organization.
These expectations should be documented, too, e.g. in a form of value statement
and/or a code of conduct, and be available, and employees should be reminded of them every now and then.
|
| - |
know the rules and the policies of the organization
so that they can find out in advance, what they are entitled to (e.g. training, and promotion),
what are their responsibilities, and whether their ideas, intentions and plans are acceptable.
|
| - |
know the vision, goals and objectives of the organization,
their accountability as regards attainment of goals and objectives, and how they have succeeded in their job.
|
| - |
recognize their responsibility to report unethical behaviour, and know reporting procedures and tools.
Reporting should be made as easy as possible.
|
|
|
| Other Things Affecting Control Environment
|
|
|
There is no doubt that among other things competence and inherent capabilities of employees,
development and organization of people, and assignment of authority and responsibility
affect control environment as well.
However, decisions concerning these things are made thinking more of attainment of objectives
than strengthening internal control.
Doing the opposite would include a risk of creating inefficient bureaucracy.
The internal control aspect in the aforesaid examples can be managed under subject
“removal of temptations for unethical behaviour”.
|
|
[16]
International Organization of Supreme Audit Institutions: Guidelines for Internal Control Standards, page 13
[17]
Mohay George M., Collie Byron, Olivier de Vel: Computer and intrusion forensics, page 179
[18]
The Conference Board Commission on Public Trust and Private Enterprise:
Findings and Recommendations, pages 20, 36
[19]
International Organization of Supreme Audit Institutions (INTOSAI):
Internal Control: Providing a Foundation for Accountability in Government, page 2
|
|