Controls assurance is a critical component of any robust risk management framework, providing an organisation with:
Objective evidence that controls are designed and operating adequately as a basis for executive and Board signing off on the adequacy of controls over material risks.
Knowledge of control weaknesses as a basis of making improvements.
Education to control owners and operators as to the objectives, workings and importance of controls that they are responsible for.
A basis of assessing the adequacy of controls as part of a Risk and Controls Self Assessment process.
Controls assurance varies greatly between organisations. At the most basic level, some organisations rely on an annual or semi-annual attestation from business unit heads that all is in order. Usually this comes with no or little evidence and relies more on trust that the manager has adequate knowledge to make the attestation.
At the more comprehensive level, some organisations prepare “audit-like” test plans for their controls, covering the design and operating effectiveness and overall effectiveness of the controls. These test plans are performed on a periodic basis and results evaluated to come up with an overall assessment.
Read the article 'That Risk is not Mine'.
The success of these tests depends primarily on the quality of the test plan and the skill, capability and independence of the person carrying out the test plan. The main issue is that they are time consuming and relatively costly to administer.
The key objective of controls assurance should be to gain maximum assurance for minimal effort and cost. We suggest a way to achieve this is through integrated controls assurance.
Many Enterprise Risk Management (ERM) methodologies refer to an “integrated approach to ERM”. What does this mean and how can it be applied to controls assurance to provide maximum assurance for minimum effort?
Integration can be defined as “an act or instance of combining into an integral whole”. With integrated controls assurance this means taking all of the information available on controls and combining them into an overall view that gives the assurance required.
In a comprehensive ERM framework, what information should be being collected over controls? Here are some thoughts:
A history of any failure in the control from the incident management and recording process. This requires the incident management process to specifically identify any controls that failed or did no work adequately during the incident.
Evidence of the control having been carried out. This can be achieved through a simple attestation process to the control owner and operator ideally with the collection of evidence to support the attestation.
Evidence as to the controls performance using metrics. These metrics are often referred to as “Key Control Indicators” and form part of the Key Risk Indicator process but are aimed at measuring the performance of the control.
Judgement and opinion of management and staff as to the effectiveness of controls. This is usually collected as part of the Risk and Control Self Assessment process when evaluating residual risk from inherent risk.
Results of control test plans specifically designed to test all or part of a control’s design and operating effectiveness
Information on any known control weaknesses and / or outstanding improvement actions. This is usually sourced from the “Issues and Actions” part of the ERM process.
Results of any independent review of controls. This may include SOX, Internal Audit, External Audit and the like.
Ideally all or most of the above information should be collected across the business as part of the overall ERM framework. How can this be combined and integrated? This requires three key elements:
A central controls library.
The ability to link controls to other components.
The ability to produce flexible integrated dashboards to show the information in the manner required by the specific user.
Controls Library: A central controls library provides the anchor point to combine data. All information, from whatever part of the ERM process, can then be “anchored” to the specific control in the controls library.
Linking Data: The data being collected across the ERM framework must be able to be linked to the control either directly or through the risks (as all controls should be linked to risks through the risk assessment process). Within Protecht.ERM we allow linkage of both controls and risks to other components.
Dashboard Reporting: Once the relevant data, as noted above, is collected for the control, a tailored dashboard bringing together all of the information together for that control can be used to provide a consolidated view of the effectiveness of that control. At Protecht we refer to this as “Controls in Motion” which provides the most current view of the controls performance.
Example of Controls in Motion Dashboard
Once an integrated approach to controls assurance is adopted, an overall view has to be taken on how much information is required of each type to provide adequate assurance.
The data should be ranked in terms of cost and effort to collect against level of assurance provided. As a general observation, we would consider Key Control Indicators, Attestations, Audit Findings and Incident Management information as the best value while carrying out detailed controls testing as the least benefit for cost.
We would therefore suggest that before embarking on a comprehensive control testing regime, that this is left until last and only used to supplement the other information where it is considered inadequate for the level of assurance required. In this way, control testing as a process is reduced to a bare minimum which we believe will save cost and effort yet provide an adequate degree of assurance over your controls.
If you would like to know more about how you can make your controls assurance process more effective please send us an email to firstname.lastname@example.org.
David Tattam is the Chief of Research, Knowledge and Consulting and co-founder of the Protecht Group. David’s vision is the redefine the way the world thinks about risk and to develop risk management to its rightful place as being a key driver of value creation in each of Protecht’s clients. David is the driving force in driving Protecht’s risk thinking to the frontiers of what is possible in risk management and to support the uplift of people risk capability through training and content.