"Minimum" controls: how much is enough? | Deloitte UK has been saved
Limited functionality available
Financial controls are increasingly in the spotlight. Regulator and investor interest is shifting from historic financial metrics to looking for the signs of a well-run business, a strong management team and a positive future outlook. This is becoming more evident with the Government consulting on a strengthened framework around internal controls, on a similar basis to Sarbanes-Oxley in the US, in light of recent audit failures and auditors contemplating publicaly calling out control failures.
It is more important than ever for companies to be forward thinking in the value they place on controls and to be proactive in how they explain that investment to their stakeholders.
A well run business, underpinned by an effective control environment, that maximises the use of technology, is more likely to win in a challenging and disrupted market, adding more value to its investments and managing its costs.
A modern approach to financial control, that focuses on “what could go wrong?” and leverages technology whilst understanding the incremental risks it brings, is an asset to any business that will save cost year on year and support a strong business culture of getting it “right first time”.
What’s the business case ?
It can be difficult to attribute the benefits of financial controls to a return on investment, at least until it’s too late and losses have occurred. The gap that failed will be plugged, but where the culture is not about getting it right, there will always be another costly surprise ahead.
Focusing on the right controls at the right level of depth will:
In the same way a company invests in an insurance policy to safeguard its business, protecting cash and assets from future losses is a component of sustainable success.
Using a net present value model can calculate the benefit or cost, however given the difficulty of reliably estimating the probability, timing and quantum of future losses, the value of such decision making tools, in all but the most mature control environments, is limited.
One only need look at recent news headlines and ask “had controls had been in place, would the company have issued a profit warning?”, “would a fraud have been prevented?” or “could the company have survived?”. There were 89 profit warnings, across all FTSE indices, in Q1 2019 with 44% of these making warnings in the previous 12 months. Whilst these might not be directly attributed to weak control environments, the precedent in the US for fraud and failures being addressed through a strong control environment is well understood.
Controls are essential to any strong company and there is no robust argument that appropriate controls are not cost effective and an essential component of value.
How much is enough?
If “minimum controls” means “de-prioritised”, “ad hoc” or “not evidenced” then that’s not enough. If “minimum” means “enough to prevent or detect errors” that’s good. Clearly “minimum” is a subjective term and we prefer “Key” or “Critical”, but the real answer lies in defining and communicating what is right for your business.
Starting with a thoughtful financial risk assessment is hugely important. In our experience, financial risk assessment is regularly performed at too high a level, often as part of a wider business risk assessment, to enable the Board to properly understand the financial risks or to identify the essential financial controls.
There truly is no ‘one size fits all’ approach although it is widely accepted that there are a number of good practices that can be applied across many organisations. However technology change is bringing new risks and opportunities. Good practice is shifting towards automated preventive controls away from manual detective controls and control data analytics regularly provide more insight than a traditional review. Not all companies are quick to eliminate traditional, but now redundant, controls.
Key features of a modern controls framework are transparency evidencing ongoing effective operation, focus on culture, standardisation, consistency, automation, removal of redundant controls and sustainability. Controls should reflect the way the business is run, not be a separate compliance exercise.
Documentation is about sustainability and reducing key man risk, consistency, transparency and rigorous thinking in terms of how the control addresses the risk which we’d argue has value to any business. Knowing your team is doing a really good job and being able to demonstrate that, is more valuable than believing nothing has gone wrong so far.
Ultimately, ‘enough’ is determined by each organisation through a high quality financial risk assessment and the identification and tailoring of automated vs manual controls. We believe that ‘minimum controls’ should include ‘enough’ to protect from reputation damaging fraud, significant error and ultimately failure. This requires a level of built in contingency to be strong enough to withstand unexpected events and issues and a regular reassessment of risks. Company stakeholders in the current climate want to be reassured by language such as strong, not minimum.
By implementing a strong financial controls framework a business will be in a confident position to drive the business forward to success supported by their stakeholders who are assured of the sustainable future performance of the business.
Dan is a Director in our Controls Advisory practice in London. Dan has significant experience in delivering finance transformation, focusing on developing and enhancing internal control environments. He has worked with clients to facilitate their risk identification processes, helped them implement control frameworks and supported them to streamline and standardised their financial processes. Dan uses his experience and expertise in finance optimisation and controls to advise clients across a variety of sectors.
Sonya is a controls specialist, Audit partner and the leader of our Accounting Operations team. Accounting Operations is a team of audit trained accountants who support our non-audit clients in modernising their finance functions, embedding controls and being ready for audit. She works with UK and US, private and listed companies. Her project experience includes US and UK IPOs, SOX and JSOX implementations, controls and finance transformation and close optimisation.
Sophie is a Senior Manager in Deloitte Private in London with over 10 years of experience in the Consumer Business industry, spanning across Audit and Assurance. She has extensive experience providing Audit & Assurance services to a range of businesses, from multinational FTSE 100 clients to smaller private entities. She also has secondment experience to a high profile FTSE 30 business.