The Control Environment
Reviewing Organizational Infrastructure and Reporting Lines
By Catherine Finamore Henry, MBA, CIA, CRMA, CCEP, CIPP/US
Governance is the combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of objectives.[1] An organization’s governance or control environment infrastructure is comprised of various functions such as risk management, internal audit, compliance and ethics, legal and quality. In some organizations, these functions operate as separate departments. In other organizations, these functions operate under a variety of possible permutations resulting from chance, strategic design, budget cuts, politics, and/or power struggles. Below are four key factors to consider in providing assurance over management’s efforts to establish the control environment infrastructure and reporting lines.

1. Understand the Distinctions and Avoid Conflicts of Interest

Although interconnected, each function is a distinct discipline requiring specialized education, training, licenses and/or certifications. An infrastructure of interconnected yet distinct disciplines strengthens the control environment by providing checks and balances that prevent corruption, minimize conflicts of interest, and prevent any individual or group from becoming too powerful.

According to the Ethics Resource Center’s 2011 National Business Ethics Survey (NBES), http://www.ethics.org/nbes/download.html, from 2009 to 2011, the percentage of employees who perceived pressure to compromise standards in order to do their jobs climbed from eight percent to 13 percent; and the share of companies with weak ethics cultures climbed from 35 percent to 42 percent. An NBES recommended action step is to help senior executives set the proper tone at the top – a daunting task if conflicts of interest or other control weaknesses are inherent in the control environment infrastructure and reporting lines. A consolidated or hierarchical relationship between internal audit and risk management is an example of an infrastructure-imposed conflict of interest. Such an arrangement weakens governance by impairing internal audit’s objectivity and independence. This example continues through the remainder of this article.

2. Follow Globally Accepted Guidance

The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) provides mandatory and strongly recommended guidance for the global internal audit profession. Notably, the IIA’s standard- and guidance-setting processes are overseen by an independent IPPF Oversight Council which includes the following:
• International Federation of Accountants (IFAC),
• International Organization of Supreme Audit Institutions (INTOSAI),
• National Association of Corporate Directors (NACD),
• Organization for Economic Co-operation and Development (OECD),
• Committee of Sponsoring Organizations of the Treadway Commission (COSO), and
• The World Bank.

Guidance that conflicts with the notion of consolidated or hierarchical internal audit and risk management functions can be found in the following IPPF documents:
• Code of Ethics
• Standard 1100: Independence and Objectivity
• Standard 1130: Impairment to Independence and Objectivity
• Practice Advisory 1130.A.2-1: Internal Audit’s Responsibility for Other (Non-audit) Functions
• Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management
• Position Paper: The Three Lines of Defense in Effective Risk Management and Control

3. Follow Industry Guidance

United States regulatory agencies also provide guidance on infrastructure. For example, the Office of the Comptroller of the Currency guidance, http://www.occ.gov/publications/publications-by-type/comptrollers-handbook/2003AuditHB.pdf, emphasizes the requirement for auditor independence and objectivity, and specifies that the IIA’s standards have been adopted for certified bank auditors. Similarly, the Office of Inspector General, Department of Health and Human Services guidance emphasizes the need for audit personnel to be independent.[2]

4. Have Courage

If an examination of the control environment infrastructure and reporting lines points to needed changes, be prepared for possible resistance from the executive team. If, after examining control environment infrastructure and reporting lines, the board supports a deviation from globally accepted and/or industry-specific guidance, be sure to document the rationale and management’s acceptance of related risks. Corrective action, such as the development of mitigating controls, may be required. Compromised control environment infrastructure and reporting lines will work until they don’t, i.e., until they are stressed by a risk event. At that time, investors, investigators and other stakeholders will expect an explanation. Both management and the board will need the courage of their convictions.

This article looked at one example of infrastructure/reporting line weakness in the control environment. It is an especially poignant example that may surface as the result of an internal audit department’s quality assurance review or an external audit. Other examples include, but are not limited to, consolidated or hierarchical relationships between:
• internal audit and compliance and ethics,
• legal and compliance and ethics, and
• risk management and compliance and ethics.

About the Author
Catherine Finamore Henry, MBA, CIA, CRMA, CCEP, CIPP/US, President of Finamore Associates, LLC, specializes in risk management; compliance and ethics; internal audit; information privacy; training; and business processes, policies and procedures. www.FinamoreAssociates.com

__________________________
1. International Standards for the Professional Practice of Internal Auditing (c) 2012 The Institute of Internal Auditors.
2. Supplemental Compliance Program Guidance for Hospitals, Federal Register/Vol. 70, No. 19/Monday, January 31, 2005/Notices p.4875.

ACUA Summer 2013, Vol. 65, No. 2
College & University Auditor