The management function consists ofplanning, organizing, implementing and controlling writing procedures toencourage compliance with assigned responsibilities. Locking your office todiscourage theft, and reviewing your monthly account statement are commonmanagement controls employed to achieve specific objectives.
Management control is broadly definedas a process put in place by an entity's board of directors, management andother personnel, designed to provide reasonable assurance regarding theachievement of objectives in the following categories:
- Effectiveness and efficiency ofoperations.
- Reliability of financial reporting.
- Compliance with applicable laws andregulations.
Standards for management control
An organization must establish a systemof management control that is appropriate for its needs. A system of managementcontrols is an arrangement, set, or collection of concepts, parts, activities,and/or people that are connected or interrelated to achieve objectives andgoals. The system of management controls encompasses all actions taken bymanagement to enhance the likelihood that established objectives and goals areachieved.
Management discharges its managementcontrol responsibilities by planning, organizing and directing the performanceof sufficient actions to provide reasonable assurance that objectives and goalswill be achieved.
The primary objectives of managementcontrol are to ensure:
The reliability and integrity ofinformation.
Compliance with policies, plans,procedures, laws, and regulations.
The safeguarding of assets.
The economical and efficient use ofresources.
The accomplishment of establishedobjectives and goals for operations or programs.
Each organization should design itsown system of management control to meet the needs and environment of theorganization.
Significant control weaknesses
A significant control weakness, is thelevel of importance or magnitude assigned to an item, event, information, orproblem by management auditors or other company personnel.
Significant audit findings are thoseconditions that, in the judgment of the director of managementauditing/management control, could adversely affect the organization.Significant audit findings (as well as weaknesses cited from other sources) mayinclude conditions dealing with irregularities, illegal acts, errors,inefficiency, and ineffectiveness, conflicts of interest and control weaknesses.
Management control, no matter how welldesigned and operated, can provide only reasonable assurance to management andthe board of directors regarding the achievement of an entity's objectives. Thelikelihood of achievement is affected by limitations inherent in all managementcontrol systems.
These limitations may include faultydecision-making with respect to the establishment or design of controls; theneed to consider costs as well as benefits, management override; the defeat ofcontrols through collusion, and simple errors and mistakes. Additionally,controls can be circumvented by collusion of two or more people.
Finally, management has the ability tooverride the management control system. Reasonable assurance is provided whencost-effective actions are taken to restrict deviations to a tolerable level.
This implies, for example, thatmaterial errors and improper or illegal acts will be prevented or detected andcorrected within a timely period by employees in the normal course of performingtheir assigned duties. Management considers the cost-benefit relationship duringthe design of systems. The potential loss associated with any risk is weighedagainst the cost to control it.
The board of directors establishes anorganization's governance process through written policy statements that definethe roles to the board, senior management, management audit and others. The roleof the board is to oversee senior management's activities and, with theassistance of the management and external auditors, to secure assuranceconcerning the state of the organization's system of management control. Seniormanagement is responsible for overseeing the establishment, administration andevaluation of management controls.
Management auditors examine andevaluate the planning, organizing and directing processes to determine whetherreasonable assurance exists that objectives and goals will be achieved. Suchevaluations, in the aggregate, provide information to appraise the overallsystem of management control.
All systems, processes, operations,functions and activities within the organization are subject to the managementauditors' evaluations.
Such evaluations should encompasswhether reasonable assurance exists that:
Objectives and goals have beenestablished.
Authorizing, monitoring and periodiccomparison activities have been planned, performed and documented as necessaryto attain objectives and goals.
Planned results have been achieved(objectives and goals have been accomplished).
Management auditors performevaluations at specific points in time but should be alert to actual orpotential changes in conditions that affect the ability to provide assurancefrom a forward-looking perspective. In those cases, management auditors shouldaddress the risk that performance may deteriorate.
Typical practices forming the basis todetermine the system of management control's adequacy of design andeffectiveness of operation are listed below.
Managers assess the system ofmanagement control in their areas, and both the performance and results of suchevaluations are normally documented. The internal auditing department shouldobtain assessments prepared by management and compare the consistency of suchself-assessments with the results of the internal auditing program. To theextent the management auditor wishes to rely on such self-assessments, testsshould be made of the completeness and accuracy of the self-assessment process.
Management controls checklist
Management controls cannot ensuresuccess - bad decisions, poor managers, competition, collusion and override ofcontrols can still present problems. Good controls do, however, helporganizations get where they want to go while minimizing pitfalls and surprises.The control environment sets the tone of an organization and provides thefoundation for an effective system of management controls.
An effective control system enablesmanagement to be apprised of and manage significant risks, as well as monitorthe reliability and integrity of financial and operating information; andensures that the audit committee be a powerful and proactive agent for corporateself-regulation.
The following checklist will help youin assessing the management controls of your organization.
Do board members and seniorexecutives set a day-in, day-out example of high integrity and ethical behavior?
Is there a written code of conductfor employees, and is it reinforced by training, top down communications, andrequirements for periodic written statements of compliance from key employees?
Are performance and incentivecompensation targets reasonable and realistic, or do they create undue pressureon achievement of short-term results?
Is it clear that fraudulentfinancial reporting at any level and in any form will not be tolerated?
Are ethics woven into criteria thatare used to evaluate individual and business unit performance?
Does management react appropriatelywhen receiving bad news from subordinates and business units?
Does a process exist to resolveclose ethical calls?
Are business risks identified andcandidly discussed with the board of directors?
Risk identification management
Is relevant and reliable managementand external information timely identified, compiled, and communicated to thosewho are positioned to act?
Are risks identified, analyzed, andactions taken to mitigate them?
Are controls in place to assure thatmanagement decisions are properly carried out?
Management controls effectiveness
Do senior and line managementexecutives demonstrate that they accept control responsibility, not justdelegate that responsibility to financial and audit staff?
Does management routinely monitorcontrols in process of running the organization's operations?
Does management clearly assignresponsibilities for training and monitoring of management controls?
Are periodic, systematic evaluationsof control systems conducted and documented?
Do personnel with appropriateresponsibilities; business experience and knowledge of the organization'saffairs conduct such evaluations?
Are appropriate criteria establishedto evaluate controls?
Are control deficiencies reported tohigher levels of management and corrected on a timely basis?
Are appropriate controls built-in asnew systems are designed and brought on stream?
Audit committee effectiveness
Has the board recently reviewed theadequacy of the audit committee's written charter?
Are audit committee membersfunctioning and, in fact, independent of management?
Do audit committee members possessan appropriate mix of operating and financial control expertise?
Does the audit committee understandand monitor the broad organizational control environment?
Does the audit committee overseeappropriateness, relevance, and reliability of operational and financialreporting to the board, as well as to investors and other external users?
Does the audit committee overseeexistence of and compliance with ethical standards?
Does the audit committee or fullboard have a meaningful but challenging relationship with independent auditors,management auditors, senior financial control executives, and key corporate andbusiness unit operating executives?
Management auditing functioneffectiveness
Does management auditing have thesupport of top management, the audit committee, and the board of directors as awhole?
Has the written scope of managementauditing responsibilities been reviewed by the audit committee for adequacy?
Is the organizational relationshipbetween management auditing and senior executives appropriate?
Does management auditing have anduse open lines of communication and private access to all senior officers andthe audit committee?
Are audit reports covering the rightsubjects distributed to the right people and acted upon in a timely manner?
Do key audit executives possess anappropriate level of expertise?