Focus on the Design & Operation of Critical Internal Controls

Key Takeaways
  • Objective-Centric Success: Boards and CEOs measure success by objectives and prioritize auditing risks to those objectives.
  • Critical Controls: Focus on controls whose failure would create unacceptable risk to enterprise-level objectives.
  • Top-Down, Risk-Based: Apply a top-down, risk-based approach that prioritizes enterprise risks over unit-level concerns.
  • Data vs. Controls: Testing data (e.g., AI on expenses) does not provide assurance on control design or operation.
  • Future-Focused Assurance: Center assurance on the design and operation of controls to inform leadership decisions.
Deep Dive

In Norman Marks’ latest piece, he emphasizes why boards, CEOs, and auditors should place their attention on the controls that matter most—those tied directly to enterprise objectives. Drawing on decades of experience, Marks underscores that auditing should be future-focused and risk-based, centering on the design and operation of critical internal controls rather than just data testing.

Why Auditing Should Center on Enterprise Objectives and Critical Controls

Before I explain the mantra in the title of this blog post, I want to review some basics.

  1. Boards and the CEO measure success based on the achievement of objectives. Some say those objectives are not clear, but in most cases they can be made clear—if you are prepared to do a little digging.
  2. For example, look at what has been promised to “the street,” the analysts covering the company. They usually include revenue, profit, and other financial metrics such as market share. They often include other targets, such as headcount reductions or improvements in climate footprints.
  3. Get a copy of the objectives set by the board (usually the Compensation Committee) for the CEO and others. These are normally the basis for their compensation, and money rules.
  4. Ask the CEO, CFO, COO, and members of the board how they measure success.
  5. We should be concerned with risks to those objectives—what might inhibit their achievement, and what might enable their achievement.
  6. There are a lot of risks. Risks are taken every hour of every day across the extended enterprise. But the ones we should be concerned with (I suggest the only ones absent good reason) are those that affect the achievement of enterprise objectives.
  7. Management relies on internal controls to ensure that those risks (the risks to enterprise objectives) are at desired levels.
  8. There are a lot of controls. But the ones we should be concerned about are those that, should they fail, would lead to an unacceptable level of risk to enterprise objectives. In SOX, we call them key controls. For now, let’s call them critical controls.

This is why we need to focus on the design and operation of critical internal controls.

Not just any controls, but the ones that matter to the success of the organization as they manage the more significant risks to enterprise objectives.

I learned the value of auditing and providing an opinion on the effectiveness of internal controls in managing risk many years ago when I was with Coopers & Lybrand (now PwC). Back then it was referred to as “controls reliance.” When you can rely on the system of internal control, you can reduce the level of testing of transactions (called “bashing the balance sheet” or “ticking and tying”).

The controls we assessed were those relied upon to meet the objective of filing financial statements with the regulator that are free from material error. That is pretty much the approach now recommended by the SEC for management and mandated by the PCAOB for the external auditor when it comes to SOX.

In other words, a top-down and risk-based approach.

When I was on the Professional Issues Committee of the IIA, I authored a Practice Guide and a Practice Advisory on using that same top-down and risk-based approach for any business risk. (They disappeared into the sunset when the IIA changed its website, etc.)

But there is still IIA guidance on Risk-Based Internal Auditing, notably from the UK affiliate of the IIA.

However, as I said, there are many, many risks. The ones that should matter most and be the center of our focus are the risks to the achievement of enterprise objectives. I call that enterprise risk-based auditing.

We have limited time and resources. We can’t audit every risk, every control. We need to prioritize, and I put risks to enterprise objectives first and risks to business unit or functional objectives way down the list.

Audit what matters to leadership, not what matters only to middle management. We don’t have time for that! Audit with a laser focus on top risks.

I bet that if you are auditing (controls over) risks to a process or business unit that are not critical to the enterprise as a whole, you are failing to audit (controls over) risks that are.

If by some miracle you are auditing 100% of what matters—including not only traditional sources of risk but also the ability to hire the people you need where and when you need them, maintain and enhance employee morale, anticipate European supply chain disruption, develop products at low cost that will excite customers at an attractive price, optimize the use of technology, manufacture with consistent quality, maintain advanced manufacturing equipment, optimize equipment utilization, optimize inventory levels, market your products and services effectively at desired costs, etc.—please let us all know your secret.

So let’s focus on the design and operation of the internal controls relied upon to achieve enterprise objectives. We do this by ensuring that risks to the achievement of those objectives are at desired levels.

I need to contrast that with auditing data.

For example, I saw a LinkedIn post about using AI to audit expense reports. Let’s say for a moment—even though it’s highly unlikely—that expense reporting fraud could be material to the achievement of objectives. Using AI to test actual expenses against supporting documentation does not provide any assurance that management has the necessary controls in place. The fact that the data is correct and there was no fraud doesn’t prove that management has any controls in place. You are not looking at the design of management’s controls, and you are not testing the operation of those controls. So you have no basis for an opinion on the effectiveness of controls.

It’s too easy to fall in love with a tool to audit the data and fail to assess and provide an opinion on management’s controls.

That opinion should be our focus. It enables us to provide the assurance, advice, and insight that management and the board need as they direct and manage the organization for success. It’s future-focused. An opinion on data is past-focused.
