The Control Environment
Reviewing Organizational Infrastructure and Reporting Lines
By Catherine Finamore Henry, MBA, CIA, CRMA, CCEP, CIPP/US
Governance is the combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of objectives.¹ An organization’s governance or control environment infrastructure is comprised of various functions such as risk management, internal audit, compliance and ethics, legal and quality. In some organizations, these functions operate as separate departments. In other organizations, these functions operate under a variety of possible permutations resulting from chance, strategic design, budget cuts, politics, and/or power struggles. Below are four key factors to consider in providing assurance over management’s efforts to establish the control environment infrastructure and reporting lines.

1. Understand the Distinctions and Avoid Conflicts of Interest

Although interconnected, each function is a distinct discipline requiring specialized education, training, licenses and/or certifications. An infrastructure of interconnected yet distinct disciplines strengthens the control environment by providing checks and balances that prevent corruption, minimize conflicts of interest, and prevent any individual or group from becoming too powerful.

According to the Ethics Resource Center’s 2011 National Business Ethics Survey (NBES), http://www.ethics.org/nbes/download.html, from 2009 to 2011, the percentage of employees who perceived pressure to compromise standards in order to do their jobs climbed from eight percent to 13 percent; and the share of companies with weak ethics cultures climbed from 35 percent to 42 percent. An NBES recommended action step is to help senior executives set the proper tone at the top – a daunting task if conflicts of interest or other control weaknesses are inherent in the control environment infrastructure and reporting lines. A consolidated or hierarchical relationship between internal audit and risk management is an example of an infrastructure-imposed conflict of interest. Such an arrangement weakens governance by impairing internal audit’s objectivity and independence. This example continues through the remainder of this article.
About the Author
Catherine Finamore Henry, MBA, CIA, CRMA, CCEP, CIPP/US, President of Finamore Associates, LLC, specializes in risk management; compliance and ethics; internal audit; information privacy; training; and business processes, policies and procedures. www.FinamoreAssociates.com
2. Follow Globally Accepted Guidance

The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) provides mandatory and strongly recommended guidance for the global internal audit profession. Notably, the IIA’s standard- and guidance-setting processes are overseen by an independent IPPF Oversight Council which includes the following:
• International Federation of Accountants (IFAC),
• International Organization of Supreme Audit Institutions (INTOSAI),
• National Association of Corporate Directors (NACD),
• Organization for Economic Co-operation and Development (OECD),
• Committee of Sponsoring Organizations of the Treadway Commission (COSO), and
• The World Bank.

(continued on page 8)
College & University Auditor, ACUA Summer 2013, Vol. 65, No. 2, page 7