25 Best Practices in Establishing Business Controls

Table of Contents

Overview
Public Positioning Practices
Board Level Practices
Performance Management Practices
Skills Development Practices
Operations Practices
Summary
Bibliography


Overview

This paper details BizControl Solutions’ list of best practices required for organizations to ensure effective and continuous control of their operations. It provides a comprehensive set of standards for maintaining and improving performance from the board to the front-line.

Meeting these standards offers both “carrot” and “stick” benefits. BizControl research indicates that improving business controls is the fastest way to eliminate unnecessary costs and put money back on the bottom line.

Proper controls also help organizations minimize civil and criminal penalties, and help avoid the negative effect on stock price from publicity over misdeeds or mistakes. And having total commitment to a comprehensive, best practices business controls process is the only way to provide an active defense in the case of honest error.

The recommendations are divided into five major categories: public positioning, board level, performance management, skill development, and operational practices. While these categories appear mutually exclusive, they are not, since their individual effectiveness depends on all categories and components working together in an integrated process.

Public positioning practices

This is one area where companies do not want to consider their efforts to be a “back room” process improvement program. Moving forward on business controls should be done openly, with the understanding that the risks in creating higher public expectations are more than balanced by the reassurance such a program brings to critical stakeholders.

1. Commit to Business Control

The business landscape is littered with high-value programs that were treated as fads in many organizations… management by objectives, total quality management, open book management, empowerment, reengineering, and so on.

The issue of business control cannot be treated as a fad for one simple reason: The Sarbanes-Oxley Act of 2002 (Corporate Reform Act) mandates an annual “internal control report” and establishes executive penalties for inaccurate reporting. Business control is now a new, legally-mandated (and apparently permanent) core competency for every organization regulated by the SEC. The Sarbanes-Oxley Act means that business control is no longer an optional concern.

The first step in establishing a best practices controls process is for organizations to make a complete commitment to business controls. This is not simply broad-brush ethics training or an hour-long module inserted into new manager courses. There must be a comprehensive program to ensure that effective business controls are in place throughout the organization regardless of employee position or tenure within the organization.

2. CEO Statement

Everyone, both inside and outside the relational enterprise, must understand that management from the board on down “really means it.” Support for the business controls process begins at the top with a very public statement of importance, intent, and resolve. The CEO must go on record with employees, analysts, and investors concerning the organization’s commitment to a best practices business controls methodology.

This is an excellent topic for an organization-wide communication to employees—a memo, a teleconferenced message, or frequent mentions during personal appearances. The commitment should be expressed during meetings with analysts, stockholders, and business press. It should be addressed in the president’s message in the annual report and in business articles authored by executives. There should be no doubt in anyone’s mind that business controls are a high priority in the organization.

3. Update the Vision, Mission, and Values Statements

The “big three” positioning statements must be modified to say something about business controls. Again, this is not a question of making a statement about ethics. If proper business controls are in place, ethics is the control of last resort that should never come into play. Changing these statements is the signal that business control is indeed a “core competency” for the entire extended enterprise and ranks up with the major position messaging of the organization.

4. Publicize the Progress

There is an enormous amount of goodwill to be gained from publicizing the adoption of these business controls best practices. Announcement of the program itself indicates a depth of understanding of the problem. The more of the steps that are subsequently in place, the more comfortable employees, analysts, money managers, and investors should feel about the organization’s trustworthiness.

Positioning Summary

The handwriting is on the wall. It is inevitable that analysts will soon be requesting an update on where organizations stand on these best practices, and the question is certain to come up at analyst briefings or as the microphone is passed around at future stockholder or membership meetings. For public companies, progress in these areas will have a direct effect on stock price and on the public perception of investment potential, because this is something that all rational organizations should want to do—and do well. Commit publicly, follow through, and reap the rewards.

Board-level practices

While the trade press has talked primarily about the new penalties the CEO and CFO face for reporting irregularities, the Sarbanes-Oxley Act has imposed new restrictions on board members. The mandates of the Act are steps in the right direction, but do not go far enough to ensure proper board governance and control. The following additional actions are required.

5. Chairman and President Different People

The chairman of the board and the CEO must be different people. While this is not popular in the United States, it is common in Europe. Keeping these two jobs separate is an important segregation of duties. While the CEO is being rewarded for achieving business results, sometimes the seeking of rewards can cloud management judgement on protecting shareholder interests.

Resist the CEO’s argument that this added layer will slow down critical business decisions and will be costly to the company. Keeping the CEO separate from the chairman removes the conflict of interest control issue. Someone has to be solely concerned with the company’s long-term health, versus simply focusing on short-term results that generate an immediate and large personal payoff.

6. Audit Committee of Qualified Outside Directors

The Sarbanes-Oxley Act creates new rules for audit committee members. It takes care of the outside director issue by specifying that board members on the audit committee must be independent, i.e., not receiving any other remuneration from the company either as an employee or a consultant.

The key phrase here for many organizations will be “qualified directors.” The SEC is issuing rules requiring organizations to disclose whether at least one member of the audit committee is a “financial expert.” This is a major concern, because many board members are ill-equipped to make knowledgeable financial decisions.

For example, at a 2002 “Director’s Consortium” (conducted by the Wharton School at the University of Pennsylvania, Stanford Law School, and University of Chicago Graduate School of Business and attended by about 80 board members from large and prominent firms), the average score on its accounting exam was 32 percent. The teacher was particularly dismayed that many students had missed a simple multiple-choice question on the definition of retained earnings.

All audit committee members, not just one, need to be qualified, i.e., financial audit and/or operational assessment experts. For the audit committee’s review of the annual report, there should be an active exchange among board members and the CEO and CFO. The external auditor and the head of internal audit should be present. Support material for the meeting should be made available to board and audit committee members at least one week in advance of the meeting. The audit committee’s meeting notes should be made available to the entire board at the conclusion of the audit committee meeting. This ensures that all board members are involved in the financial review.

7. Compensation Packages Discourage or Penalize Gamesmanship

A worst-case scenario is that the board chairman and the CEO are the same person, and that the CEO has a hefty bonus on quarterly performance, stock price, and/or profitability. This puts the executive into an unavoidable conflict-of-interest situation that is ripe for manipulation and gamesmanship.

Make sure that compensation packages for all employees have controls built into them that discourage or penalize managing only for the short-term. For example, an executive bonus on revenue attainment might be segregated properly by tying in corresponding measures on credit levels. Building controls in, versus building them on after the fact, avoids problems and embarrassment for senior management.

Compensation plans must be structured so that executives are rewarded as the organization achieves true success, not just a temporary positive bump in a few highly visible indicators. This is the primary duty of a skilled, independent board compensation committee.

8. Monitor “Six Out-of-Control Incubators”

Be alert to potential control exposures and make plans for prevention. BizControl Solutions research has identified six “out-of-control incubators” that supply the equivalent of a warm place, light, moisture, and nutrients for small control issues to grow into big problems. The incubators are:

  • Traditional tree-structure reporting that creates “silos”
  • New IT systems implementation/integration
  • Restructuring/reorganization
  • Downsizing
  • Outsourcing
  • Merger/acquisition/divestiture

The first two incubators are internal conditions ever-present in most organizations. The remaining four are external trigger events. When any of these incubators exist, there are changes in the control environment that must be addressed. Recognizing these incubators allows organizations to prevent control problems before they occur, rather than to react to them after the Wall Street Journal has received a tip about the problems.

9. Change Auditors Periodically

How long external auditors should be allowed to work for an organization is a very controversial subject. The argument for frequent change is that, over time, an audit firm becomes part of its client’s system and loses objectivity, not wanting to put an enormous audit revenue stream at risk by exposing abuses. In addition, the external auditor’s long-term tenure means that uncovering past abuses requires it to expose its own audit shortcomings—a clear conflict of interest.

The standard argument against changing external auditors is that it is too costly. Absorbing the additional fees of a first-year audit every few years puts a tremendous burden on both small and enterprise-level organizations.

Consider that the Enron, Global Crossing, and WorldCom debacles were certainly far more costly than changing auditors. The longer an auditor is with a client, the less “external” it becomes. A long-time external auditor cannot be expected to self-tattle on previous years’ engagements and consequently impair the client relationship. There’s too much audit income at stake. This is why some analysts recommend changing an organization’s external auditor every two years, even if government regulators or legislators don’t ultimately mandate it.

10. Maintain Direct Access to Internal Audit Reviews

Board members must have unrestricted, direct access to internal audit department reviews without filtering by senior management. Board independence requires not being impeded by politics. Candid discussions with internal auditing during the early stages of any of the six incubators can either effectively minimize or prevent an issue.

11. Increase Involvement During the Year

Board members must increase their involvement by asking the right, salient, probing, and detailed business control questions both during the year, and during the audit committee’s review of the annual report’s Management’s Discussion and Financial Results. This should be done prior to the annual report’s issuance.

For board members not on the audit committee, questions are still appropriate and can be asked of the audit committee members. All board members have a stake in the financial portrayal, not just the audit committee.

12. Maintain a Confidential 800-Number Tips Hotline

Provide for employee risk-free notification of any control or reporting problems. Create a formal business controls hot line monitored by an independent third party, with details fed unabridged (but anonymously) directly to the board, CEO, CFO, and the legal department. Mandate detailed quarterly reviews by a designated board member or the audit committee, and the CEO and CFO. This communications channel is particularly important if any of the six out-of-control incubators are present.

Board Summary

Delivering shareholder value in a socially responsible manner through effective governance is challenging to both the board and the senior management team. Successful organizations always run the risk of complacency. One of the first symptoms of complacency is a breakdown in the traditional controls that have helped the company become successful. Assuming that existing controls will continue to be effective in a changed environment creates a false sense of security.

The key requirement is to follow up on control issues from the boardroom. Leaders often hear the remark, “We waste sooooo much money around here!” Lots of organizations recognize problems. Some of them even do something about them. The business controls process is not just another fad to be devoured by the internal political shark pool. Assessments are completed, controls are designed, and solutions implemented.

In addition, controls must be reevaluated as required. Control is not an implement-and-forget process. The control environment is continuously shifting as processes and people change. Also, tightening up one control often exposes another risk. So business controls is often a process of attacking the next weakest link in the controls structure—similar to continuous quality improvement.

Performance management practices

Once management has publicly taken a stand on business controls and the board has begun modifying its approach to control, the next step is to implement a controls process throughout the entire organization. This requires a comprehensive program to add control to the fundamental documentation, processes, systems, and rewards in the organization.

13. Policy Manual

Just as control is now an important topic to be addressed in the CEO’s statement in the annual report, business control is a new “core competency” that must be addressed in the organizational policy manual.

The policy manual statement should not simply address business ethics. It must take a position on employee requirements for accurate financial reporting, application of control principles to all process designs, and proactive notification in case of inadvertent business control exposure or of intentional deception.

The annual process of employees’ reviewing the policy manual and signing their agreement to abide by its guidelines provides the first level of formal business controls certification. The organization can then establish that any control misdeeds were the result of personal action and not from organizational policy.

14. Competency Models

Front-line, supervisory, managerial, and executive competency models must be updated to include business controls. This includes detailing knowledge, skills, and attitudes required for designing, implementing, operating, and adapting effective controls. These competency models are the foundation for developing organizational structure and job descriptions, and provide standards for hiring, developing, and promoting employees.

15. Job Descriptions

Job descriptions (and coaching forms) must similarly be updated to include relevant business control activities. There should be standard business controls language in every description, and specific controls responsibilities and tasks detailed in individual job descriptions.

16. Performance Plans

This is where employees begin to understand that business controls are important and permanent. When they see that they are going to be measured on business controls, and that career advancement and income are affected by their performance in this area, then organizations have their full attention.

Individual start-of-year performance plans or personal job goals must have elements addressing business controls. In the beginning, this is likely to include completing training (#19 below) as well as integrating controls principles into daily activities. The performance plan may also include passing a test (#20 below) and maintaining some sort of annual recertification.

17. Appraisals

This closes the loop between business controls expectations and measurement for employees, and provides the link between business controls expertise and career potential.

Standardized appraisal forms must address business controls as a key element. This might take the form of a yes/no judgement of whether job activities were properly under control, and might also contain an option for qualitative evaluation in terms of control exposures identified, problems solved, or effectiveness improved.

18. Compensation

Full employee attention is gained when personal business controls performance has an immediate effect on take-home pay—to the extent that the controls evaluation portion links to the overall appraisal which links to this year’s raise. It may be useful to weight business controls more heavily in the first several years of the transition, then adjust as required for permanent consideration over the long-term. Bonuses or awards based on savings generated are also useful.

Performance Summary

Business controls requirements must be thoroughly embedded into an organization’s performance management processes. No amount of management good intentions can make up for not supporting the effort in employee-related systems.

Omit any of the performance management steps in this section and employees will begin to doubt whether management “really means it.” Any step skipped also breaks the link between expectations, measurement, and rewards. The result is a broken “behavior-consequence chain” that undermines effective controls performance.

Skills development practices

The Sarbanes-Oxley Act focuses on reporting requirements and punishment for misdeeds, but not on prevention methodology. The government’s approach currently is, "Who cares how they do it? They either figure out how to get it done right or get punished."

Integrating business controls into the performance management system alone is not enough to ensure employee commitment and success. Managers must ask themselves two key questions:

What do employees need to know to be an effective contributor to the organization’s control structure?

Do employees know how to assess control status, design and implement controls, prevent control problems and costs, and report accurately on a timely basis?

In most organizations, executives, management, supervisors, front-line workers, and IT programmers have never received so much as one minute’s training on business controls. There are no courses on controls in university business schools, and nothing on the subject in continuing business education classes. Therefore, organizations have a big skills development task ahead of them.

19. Education

Education must address various levels of employees. A blended learning approach is suitable, because there are both information and techniques to be mastered. A classroom component is particularly useful, since resolving business control issues is best accomplished as a team activity. In addition, live problems can be resolved in class as part of the learning process.

Differentiated leader learning should be focused on board members, executives, middle management, and supervisors. Other resources should be given to team facilitators and front-line employees. Specialized training should be mandated for business process management software developers and for all systems designers. IT professionals must embed effective business controls functions into their software, because of the potential to make a great impact on controls effectiveness.

20. Testing

With the current CEO and CFO penalties for inaccurate reporting in place, it is critical to be able to document employee skills in business controls. This is one topic where organizations need to test for understanding and competency, and keep formal records of the results.

This is also a subject where organizations may want to create refresh learning resources and currency tests to document continuing employee competency in business controls.

21. Employee Certification of Compliance

In addition to maintaining training and testing records, have managers sign that they have been trained in business controls practices, and will accurately report their activities and business results. This can be done by making business controls a part of the company policy manual that is reviewed and signed annually (#13 above), or can consist of a special controls certification form that is placed in employees’ personnel files.

Skills Summary

Control or reporting errors are difficult to completely eliminate. It is essential for organizations to be able to establish an "active defense" that any reporting or control misdeeds were from individual action and were not the result of company-condoned activities. This can be done through proper training, testing, and a formal certification process.

Operations practices

The last step in establishing effective business controls is integrating their application into everyday employee activities. As a new core competency, business controls require a permanent, dedicated function within the organization.

22. Establish a Dedicated Function

Effective business controls are not just the responsibility of finance, accounting, internal audit, external audit, or consultants. Thinking that effective business controls will come from these groups creates a false sense of security. Every organization generating lurid business headlines today had these functions in place and working.

With the CEO and CFO now personally at risk, and with the above board reporting recommendations, a dedicated business controls function is required. This should be an executive vice president position reporting directly to the CEO and board.

Primary assignments for this function are to lead a business controls cross-functional team, provide expert assistance to line departments, drive learning activities, and to disseminate controls information throughout the organization.

23. Establish a Cross Functional Team

Business control is an organization-wide task that works across functional departments and individual processes. Some organizational function has to be looking at the whole picture.

This team’s mission is to perform control assessments and to deal with issues created by the six incubators. The primary goal is prevention rather than remediation. A secondary goal is to resolve pain point problems.

This is not the “controls police,” but is instead a small group focusing on the overall controls status of the organization, and positioned to address specific pain point issues or general assessments from a global viewpoint. This team must have direct access to the CEO and CFO, and should provide quarterly updates to the board.

The team should be made up of very strong, high-potential, fast-track managers from the major groups within the company. While membership on this team is not a full-time job, it could be half-time or more in times of major change. This is a highly visible team with great impact on the company’s success. Future top leaders and global thinkers may well come out of this team.

24. Integrate into Processes

Add business controls considerations to capital acquisition analysis forms, decision worksheets, and systems design guidelines. This includes expanding analysis or decision forms or evaluation models to include a controls section, and adding business control development steps to project management templates. Checklists based on the business controls training can be used to help all decision teams assess risk and develop effective controls structures.

Pay careful attention to marketing and sales processes, because these areas are fertile ground for control problems—both from poor control judgment and from incomplete control execution.

25. Formally Communicate Successes and Failures

Formally communicate control problems and resolutions. In-control organizations don’t bury their mistakes; they learn from them. They reinforce a “don’t fix blame, fix the process” culture that is required for continuous controls improvement.

This means formally sharing control successes, errors, and problems across the entire organization to all stakeholders who can affect controls—employees and partners alike. It’s similar to the FAA sending accident analysis data to all licensed pilot instructors. The goal is to fully understand what happened and prevent a reoccurrence.

Operations Summary

These recommendations require an extraordinary capability to be candid about operations, and must be supported by a "learn vs. punish" culture. This is another reason why there needs to be an independent business controls function that can sit outside traditional departments and vendor relationships and analyze controls performance.

Summary

BizControl Solutions has found that the recommendations in this paper are an "all or nothing" process. Since the passage of the Sarbanes-Oxley Act of 2002, "nothing" is no longer an option.

Every one of the above 25 steps accomplishes a specific purpose in getting an organization back under control. Any step omitted creates a significant gap in control effectiveness. The totality of the list establishes a best practices benchmark for organizations to use in creating their own program for ensuring compliance, lowering unnecessary costs of being out-of-control, and providing an active defense in the case of honest error.


Bibliography

Brown, Paul L., Managing Behavior on the Job, (New York: John Wiley & Sons, 1982).

Cooper, Kenneth Carlton, Effective Competency Modeling and Reporting: A Step-by-Step Guide for Improving Individual & Organizational Performance, (New York: AMACOM, 2000).

Cooper, Kenneth Carlton, The Relational Enterprise: Going Beyond CRM to Maximize ALL Your Relationships, (New York: AMACOM, 2002).

Sorkin, Andrew Ross, “Back to School, but This One is for Top Corporate Officials,” New York Times, http://www.nytimes.com, September 3, 2002.

Stuckey, Robert J. and Kenneth Carlton Cooper, “Taking Control of Your Business,” The Corporate Board, November/December 2002, pgs. 14-18.

Stuckey, Robert J. and Kenneth Carlton Cooper, “Getting Control of Your Business: A new managerial core competency to identify risks, reduce costs, and increase bottom-line profits,” BizControl Solutions Briefings, August 2002.

“Summary of the Sarbanes-Oxley Act of 2002,” AICPA, http://www.aicpa.org, November 11, 2002.


About the Authors …

Robert J. Stuckey is the managing partner of BizControls Solutions. He has lectured and consulted worldwide on business controls, and has over 25 years experience as a finance executive.

Kenneth Carlton Cooper is a partner in BizControls Solutions. He has consulted on organizational development and process improvement since 1976, and is the author of The Relational Enterprise (AMACOM 2002) and Effective Competency Modeling and Reporting (AMACOM 2000).

BizControls Solutions is a St. Louis, Missouri USA based consulting firm specializing in business controls assessment, consulting, implementation, and training.


All companies, brands, products, and services mentioned in this Briefing are the trade names or registered trademarks of their respective owners.

Information in this report was obtained from sources BizControl Solutions believes to be reliable.

BizControl Solutions disclaims any and all warranties as to the reliability, accuracy and adequacy of such information, and BizControl Solutions shall have no liability for the inclusion or exclusion of information. BizControl Solutions may, without notice, change expressed opinions. Use of this report to achieve desired results is the sole responsibility of the reader.

  © BizControl Solutions, 2002, 2003, 2004.
     16 Oak Park
     St. Peters (St. Louis), Missouri 63376
     U.S.A.
     (314) 706-2740