Controls are simply policies, procedures and supporting activities that mitigate risks in order to accomplish operating, reporting and compliance objectives. Continuous improvement and quality control initiatives are tantamount to controls.
No one wants to be controlled, yet controls are an integral part of any business. Unfortunately, many people equate the word with a costly compliance exercise, largely thanks to the US Sarbanes-Oxley Act of 2002. Controls should be viewed as your friend, not your enemy. Don’t be intimidated by the semantics of the word. Instead, realize that business controls should be leveraged to maximize shareholder value across all three areas of objectives – operations, reporting and compliance. Perhaps it is time to revisit your controls effort to ensure that the return on investment is positive.
The depth and rigor of any controls effort will vary greatly between companies, as it is dependent on a host of variables. The larger and more complex the business, the more risks in terms of shareholders, regulators, creditors and other stakeholder groups. Thus, larger, more complex organizations warrant more resources towards ensuring that strong controls are present and functioning.
Dealing with change is a big one. Operating, marketplace, regulatory and competitive landscapes are frequently changing. Objectives and risks should not be viewed as static, but rather as constantly evolving. Thus, controls must also change to keep pace. Yet failing to keep pace is a common mistake, as organizations often opt to review their controls on an annual basis. Controls need to move in tandem with both internal and external changes. For example, cyber crooks are constantly becoming more sophisticated in their attacks, thus changing the cybersecurity landscape on a daily basis. The changing profiles of potential high-impact, high-probability risk areas must be understood and addressed.
The key to success is to understand the objectives and related risks, and then focus on controls to mitigate those risks to best meet objectives. Don’t start with controls. Use a robust control framework, such as the Internal Control – Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and evaluate controls as an ongoing process.