Expecting the unexpected risk

Companies are investing heavily to improve their internal controls, but is it doing them any good?


Internal control has been a major bugbear for big companies lately. The Sarbanes-Oxley Act has forced anyone with a US listing to put hundreds of checks in place in an effort to guarantee that their financial statements are correct. Most have shoveled money into the problem. One argument is that much of this investment is wasted, and the compliance burden is too heavy. The implication is that regulators think internal controls are a good idea, but businesses don’t.

If that were the case, then those companies not forced to tighten up their controls by legislation or regulation wouldn’t be putting more of them in place. The fact is, they are. Three quarters of the companies are planning to invest more in internal control, according to a new survey by accountants Ernst & Young. The survey covers large businesses that do not come under the Sarbanes-Oxley rules. They are spending in this area because they see real business benefits, the accountants say.

“There is now widespread recognition that effective internal control directly impacts business performance in a number of areas,” says Adrian Godfrey, of Ernst & Young’s Risk Advisory Services. “What arises from the survey is that this is a highly dynamic area, with management exploring the ways that taking a more professional approach to internal control can contribute to driving competitive advantage.”

No surprises
One reason why companies are investing more in this area is that investors are calling for more transparency and ‘no surprises.’ They are fed up with companies restating their financial results or fouling up in an area that damages their reputation. Half the respondents in the survey said they were taking controls more seriously because it had a positive influence over investor confidence.

Other drivers for future investments were also business-benefit related, focusing mainly on enhancements to processes and the underlying control structure and on better understanding of major risk areas. These investments are most likely to be in key operational and business risk areas, and specifically in information technology controls.

One in four of the respondents said they were seeking to achieve better alignment of their internal controls to company strategy and the key risks they face. The same proportion were planning to invest in strengthening their company-level controls, such as activities conducted by senior management to set direction, including policy and tone from the top.

Spending on controls might make investors feel more comfortable, but only if they believe those controls are actually going to make a difference. Many chief finance officers and heads of internal audit in the Ernst & Young survey admitted they still had ineffective controls. The biggest ‘blind spots’ related to over-expansion into international markets, post-acquisition integration, and real estate and construction projects. Controls over IT program change management and user access and security were also singled out as areas of concern.

Even in the area where companies say they are doing well – financial reporting controls – that confidence has to be doubted. In general, the majority of financial reporting activities were seen as areas over which most respondents felt that they had effective controls. Responses attesting that controls were either ‘very effective’ or ‘effective’ ranged from a high of 79 percent for revenue recognition, to 52 percent for contract accounting. However, in all cases, the proportion of respondents claiming that controls were ‘very effective’ was relatively small.

In areas that required a greater degree of judgment or specialist technical knowledge, such as tax and contract accounting, companies admitted to weaknesses or a lack of knowledge about the controls in those areas.

Controlling the situation
The areas where all the companies clearly felt a lot less confident in what they were doing were those relating to business and operational areas. Less than half the respondents said they had effective controls over situations such as expansion into new markets, and post-acquisition integration. These are clearly not trivial issues. Given that these activities are strategic in nature and therefore fundamental to business success, Ernst & Young say it is a worry that survey respondents query the effectiveness of controls or, worse, are unaware of them.

“This suggests a mismatch between risk priorities and the controls structures and accountabilities to support them,” their report says. “It is possible that capabilities and knowledge required to assess control in certain business areas may not be available to the functional area – likely to be internal audit – charged with this role and may reveal some ‘blind spots’ beyond the scope of controls professionals who are generally tasked with providing an opinion of the overall internal control environment.”

Companies were also performing badly in the information technology area. Again, a lack of relevant skills and knowledge contributed to poor levels of control. The survey found that critical issues such as user access and security – where 39 percent believed their controls to be less than effective and nine percent did not know or failed to answer the question – were a source of potentially major risk for all businesses.

“The criticality of information technology systems across the business and the considerable investments required in information technology are obvious drivers of the need to make sure that controls are effective,” the report said. “The results of the survey show that there is a pressing need to assess risk and establish greater control in these areas and to make sure that once established, control is maintained, particularly given the role that effective information technology plays in improving processes and efficiencies.”

The last big problem area was fraud. Nearly three quarters of the companies in the survey did not have a formal fraud prevention programme in place. That contrasts with the fact that over a third said such a programme was important or very important. In that case, why haven’t they got one? This is a particularly worrying finding given the growth in corporate fraud over the last few years and the reputational havoc a fraud can inflict on a company, even if the amount of money involved is small. These organisations really ought to be looking for ways to make anti-fraud measures more comprehensive and integral to their operations.

Risk and control
Though there is obviously an awareness of the need to invest further in controls in many of these areas, it is critical that senior management take as broad a ‘risk and control’ view as possible of all the business and operational functions that have an impact on bottom-line performance, say Ernst & Young.

The survey showed that executives felt there was ‘significant scope for improvement’ in just about every category of internal control. More worrying still was the high level of respondents who replied ‘don’t know’ to the questions about how well their controls were working.

“If the ‘control professionals’ are saying they don’t know what is going on, that’s a major concern for the board and other stakeholders in the business,” says Mr Godfrey. He adds that many companies acknowledged the danger of these blind spots. They were planning to invest in these areas over the next year.

There is no point having controls in place if nobody checks to see if they are working. Most respondents had a good approach to this. They monitored controls in a balanced way, making surveys that covered strategic, compliance, operational and financial reporting areas. But a significant number are getting it wrong: one in five said they only monitored the controls that made sure their published financial statements were correct.

“This imbalance could mean that controls over some major operational risks may not be receiving any real scrutiny,” says Mr Godfrey. Some companies seem unclear about just what they are doing in this area. The survey suggests that the perception of the status of internal control varies depending on who you ask. While 36 percent of CFOs responding to the survey said that their risk assessment covers operational and business areas, only 19 percent of heads of internal audit believed that these risk areas are assessed in their companies.

That overlap needs urgent attention. “CFOs are beginning to ask questions about where to take the controls agenda wider than compliance,” says Inge Boets, global business risk services leader for Ernst & Young. “The answer is to shift the balance between financial controls and wider business and operational controls.”

Internal infrastructure
There are significant benefits for the companies that can tackle this, she says. “Establishing an internal control infrastructure that effectively covers all parts of the organisation will mitigate the risks in areas that are currently overlooked or underestimated, and this will deliver major business benefits. Businesses need to ask whether they have an agenda for internal control within their organisation, as the ultimate prize from effective controls is not simply a compliant business, it is a better business.”

Of course, it’s no surprise that a firm like Ernst & Young is banging the drum about internal control. As for its fellow Big Four accounting firms, the introduction of the Sarbanes-Oxley Act has generated a huge amount of fee income for it. Every time a company puts a control in place, it creates a box that has to be ticked, and a role for someone to come along afterwards and check that the box has been ticked. If some companies are struggling to make sure they have all the controls they need, or they simply don’t know what they should be doing, then Ernst & Young will, no doubt, be happy to advise. And the fact that this latest survey shows that the drive to set up internal controls to cover just about every risk has become deep-rooted in a whole range of businesses – not just those affected by Sarbanes-Oxley – will suit the firm just fine.

However, that shouldn’t cloud the issue. It is true that more and more companies are investing heavily in this area. Partly, they are doing it to keep their regulators happy; partly, they are doing it as a way of showing investors how well managed they are.

There must be a question mark about the reality that underpins that second point. People who work in this area usually say that when they try to talk to investors about control and risk management they meet a wall of silence. Nobody is interested. Perhaps they are now listening more closely, as this survey suggests. But are they questioning companies about what they are really doing to improve control, or are they just nodding politely while the finance director makes vague statements about his embedded enterprise risk architecture?

Another problem is this: You can throw as much money at this area as you like, and have a control to match every conceivable risk. But the risks that are likely to do the most damage are often the ones nobody ever thought of; there’s nothing much you can do about those.