© Matti Mattila, CPFA, CISA, CIA

Controls

Concept Of Control
A control is a procedure, a condition or other arrangement designed to keep performance or a state of affairs within what is expected, allowed or accepted. Controls protect a process from deviating from its course towards objectives. No goal-oriented process works without controls, because they keep the process proceeding as planned. Without controls there would be no guarantee that what is due to be done would be done, that it would be done in an acceptable way, and that objectives would be achieved.
Controls work in two basic modes: action and condition. Examples of action based controls are verifications, reconciliations, reviews, re-calculations and computerized data validation edits and checks - e.g. range, reasonableness, limit, sequence and existence checks. Examples of condition based controls are passwords; locks and other physical safeguards; fire alarms; and segregation of duties. The last of these controls against such an accumulation of authority in a single employee as would take him or her beyond regular control by others - e.g. a bookkeeper being responsible for both a petty cash and an accounts ledger.
Training staff, policies and other guidance, timetables etc. are not regarded here as controls. They cannot be [permanently] built into a process, and they lack the [action or condition] mode characteristic of a control.
For many people the concept of internal control is associated with controls alone. Controls are also often confused with risk responses. The difference between controls and risk responses is discussed later in the text.
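As an added example, not taken from the original text or from the ECAR model, the following Python applies the action based validation checks listed above (range, reasonableness, limit, sequence and existence) together with a segregation-of-duties test to a constructed batch of expense records; the field names, thresholds, approver rule and cost-centre list are assumptions made for illustration.

```python
# Added example (not part of the original page): the data validation checks named
# above plus a segregation-of-duties check, run over a constructed expense batch.
# Field names, thresholds and the valid cost-centre list are illustrative assumptions.
from dataclasses import dataclass

VALID_COST_CENTRES = {"CC100", "CC200"}   # assumed master data for the existence check
APPROVAL_LIMIT = 5000.00                   # assumed single-approver authorisation limit
TYPICAL_MAX = 1500.00                      # assumed threshold triggering a reasonableness review

@dataclass
class Expense:
    seq: int            # document sequence number
    cost_centre: str
    amount: float
    quantity: int
    submitted_by: str
    approved_by: str

def validate(batch):
    """Return {seq: [exception codes]} for every record that fails at least one check."""
    findings = {}
    def flag(rec, code):
        findings.setdefault(rec.seq, []).append(code)
    expected = batch[0].seq if batch else 0
    for rec in batch:
        if rec.seq != expected:                       # sequence check: gaps or duplicates
            flag(rec, "SEQUENCE")
        expected = rec.seq + 1
        if rec.cost_centre not in VALID_COST_CENTRES:  # existence check against master data
            flag(rec, "EXISTENCE")
        if not (1 <= rec.quantity <= 100):            # range check on a bounded field
            flag(rec, "RANGE")
        if rec.amount > APPROVAL_LIMIT:               # limit check: exceeds approver's authority
            flag(rec, "LIMIT")
        if rec.amount > TYPICAL_MAX:                  # reasonableness check: unusual, review it
            flag(rec, "REASONABLENESS")
        if rec.submitted_by == rec.approved_by:       # segregation of duties (condition control)
            flag(rec, "SOD")
    return findings

# Constructed sample batch: one clean record, one with several exceptions, one numbering gap.
SAMPLE = [
    Expense(101, "CC100", 250.00, 2, "alice", "bob"),
    Expense(102, "CC999", 7200.00, 1, "carol", "carol"),
    Expense(104, "CC200", 80.00, 0, "dave", "bob"),
]

if __name__ == "__main__":
    for seq, codes in validate(SAMPLE).items():
        print(seq, codes)
```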
Categories Of Controls
Controls have been categorized in many ways - e.g. by their role in the organizational structure (management, administrative, and accounting controls), by their intended purpose (preventive, detective and corrective controls), by their nature (operational, reporting and compliance controls), and - as in the previous paragraph - by their mode (action based controls and condition based controls).
In the ECAR model controls are categorized according to whether they are part of the standard internal control structure of the process (permanent controls) or not (ad hoc controls).
- A permanent control is a control built into a process, designed for systematic mitigation of one or more identified internal risks within the process, on a continuous basis, in a pre-determined way. An example of a permanent control is approval of expenditure. It is applied to all expenses, with known control objectives and defined procedures. An authorized manager approves the expenses of a transaction after becoming assured that, e.g., procurement has occurred in compliance with rules and with the organization's plans and budget.
- An ad hoc control is a reactive control in a unique situation, performed without considering its wider application. The need for an ad hoc control usually emerges suddenly. E.g. if a manager is not sure whether a worker understands what to do, as an ad hoc control he asks the worker to explain what he is due to do. The worker's answer indicates whether he understands the task or not, and what additional advice from the manager is needed, if any.
Good Controls; Limitations Of Controls
Good controls fulfil the following criteria:
- They are appropriate, that is, the right control in the right place and commensurate to the risk involved.
- They function consistently as planned throughout the period, that is, they are complied with carefully by all employees involved and are not bypassed when key personnel are away or the workload is heavy.
- They are cost effective, that is, the cost of implementing them does not exceed the benefits derived [20].
One should never trust controls blindly, because of the uncertainty inherent in the first two criteria above, including gaps in risk identification. A control can prove ineffective because of fatigue, carelessness, or distraction of an employee responsible for implementing it. Managers can override controls, or controls can be circumvented by means of collusion [21]. In collusion a manager or an employee colludes with parties inside or outside the organization to circumvent controls. Machine-run controls can fail, too, because of hardware, software or network shortcomings and errors, or because of wrong input data.

[20] INTOSAI: Guidelines for Internal Control Standards, item 12
[21] INTOSAI: Guidelines for Internal Control Standards, items 13-14