In Black & White

Freeing Finance & Budget Departments from Drudgery One Article at a Time

Insurance Risk Management vs. Enterprise Risk Management

  • Ed McCaulley
  • In Control
Comparing and Contrasting Two Approaches

The goal of risk management, in its myriad forms, is to help organizations achieve their objectives by minimizing threats and maximizing opportunities. Prominent approaches include Insurance Risk Management and Enterprise Risk Management (ERM). In this blog, we will highlight the similarities and differences between these two strategies.

Historical Perspective

As a formalized discipline, the insurance industry started in the late 1600s in a popular London gathering place for shipping magnates named Lloyd’s Coffee House. Ships returning from long voyages, laden with trade goods, represented an enormous financial windfall to their owners. However, the risks were significant, and many ships never returned, becoming lost at sea due to weather, pirates, or simply poor decisions. Initially, groups of owners got together and started sharing risks, taking a stake in each other’s ships and cargo so that a successful voyage benefitted all owners, and a lost ship did not become a financial catastrophe to a single owner.

Over time, these risk-sharing arrangements evolved into risk transfers. Individual investors would promise to repay the ship owner in the event of a loss, and in exchange, they would receive a premium. To formalize these arrangements, investors (insurers) would literally write their names under the text describing the possession or event for which they were assuming some risk. This gave rise to the term “written under,” or underwriting.

In comparison, Enterprise Risk Management does not have a storied background; in fact, the discipline is still being developed. In the mid-1990s, several high-profile company failures prompted the creation of the COSO Internal Control – Integrated Framework. Published in 1992, this initial COSO model quickly became the de facto standard to guide an organization’s internal control activities. However, in the years following its release, organizations began to realize there were gaps. In 2004, COSO came out with the Enterprise Risk Management – Integrated Framework, which broadened the scope of the model from financial reporting and fraud risks to include all risks impacting an organization’s objectives. In 2009, the International Organization for Standardization came out with ISO 31000, a family of standards related to risk management. ISO 31000 provided thought leadership on the practical side of risk management, including guidelines and practical advice for implementation. The COSO Internal Control and ERM frameworks were updated in 2013 and 2017, respectively.

Insurance Risk Management

At its core, Insurance Risk Management involves the treatment of risk through risk transfer. This approach leverages insurance products to shield against financial losses stemming from unforeseen events. Here are some of its defining characteristics:

  • Risk Transfer Principle: Insurance Risk Management principally focuses on transferring risk from the insured party to the insurance provider through the payment of premiums. However, the risk must be an “insurable risk,” which requires that the loss be accidental and unintentional, determinable and measurable; the chance of loss must be calculable; and the premium must be economically feasible.
  • Tailored Risk Coverage: This coverage is focused on specific risks, like property damage from fire or flood; personal injury to customers, consumers, or employees for failing to meet some fiduciary standard; or business losses from natural disasters. These risks are covered by various insurance policies—including property, liability, and business interruption insurance, for example. Insurers analyze specific risks and tailor coverage to address those risks explicitly, as defined in the insurance contract.
  • Financial Safeguarding: The primary objective here is to provide financial protection in the event of unexpected occurrences, ensuring organizations can rebound from losses without severe financial repercussions.
  • Claims Management: Whether an organization is self-insured or purchases insurance, it has a role in managing its own claims—specifically, looking at the root cause leading to a loss and determining whether policy or process changes are necessary. For self-insured organizations, additional tasks include determining the legitimacy of the claim (aka claims adjudication), settling claims, paying claims, and establishing claims reserves.
  • Premium Reduction: An organization’s secondary objective is to reduce its premium payments by implementing other mitigants to reduce risks. For example, a policy stating that all firefighters employed by a municipality must wear protective clothing when responding to a call helps to reduce accidents and potential injury, thereby reducing claim frequency and severity, reducing an insurer’s claims costs, and (hopefully) leading to reduced insurance premiums for the municipality.

Enterprise Risk Management (ERM)

In contrast to Insurance Risk Management, Enterprise Risk Management (ERM) involves a holistic approach, encompassing a systematic methodology to identify, assess, prioritize, and manage risks across an entire organization. Key aspects include:

  • Holistic Perspective: ERM casts a wide net, considering risks across all organizational facets—spanning financial, operational, strategic, information technology, and compliance realms. It involves evaluating how these risks interconnect and influence an organization's overarching objectives.
  • Strategic Integration: ERM seamlessly integrates risk management into an organization's strategic planning, aligning risk considerations with decision-making processes and value creation. ERM is a method for aligning risk with acceptable tolerance, starting with the organization’s strategy, which requires thinking through and identifying the risks the organization is willing to accept, those it wishes to avoid, and those for which it has an appetite.
  • Risk Culture and Governance: ERM emphasizes nurturing a risk-aware culture within the organization and establishing robust governance structures for effective risk oversight at all levels.

Contrasting Features

While both Insurance Risk Management and ERM aim to mitigate risks, they differ in scope, application, and the treatment of risks.

  • Scope: Insurance Risk Management is more confined and specific, concentrating on particular risks covered by insurance policies. ERM takes a comprehensive view, considering risks holistically across an entire organization.
  • Purpose: Insurance Risk Management primarily seeks to transfer risk and provide financial protection, while ERM aims to integrate risk management into strategic decision-making and bolster overall organizational resilience.
  • Approach: Insurance Risk Management operates within the boundaries of insurance contracts, claims, and premiums, while ERM adopts a strategic approach, embedding risk considerations into daily operations and decision-making.

While both Insurance Risk Management and ERM play pivotal roles in mitigating risks within organizations, they operate on different scales and serve distinct purposes. Recognizing the nuances and intricacies of both approaches is crucial for organizations to effectively navigate the complex landscape of risk they encounter. It is important to note that while transferring risk through insurance is a vital aspect of risk treatment, ERM offers a more comprehensive toolkit, encompassing various strategies beyond mere risk transfer, thus enhancing an organization's capacity to handle risks proactively.

A robust risk management strategy often incorporates elements from both Insurance Risk Management and ERM to create a comprehensive framework that addresses a wide array of potential threats while aligning with an organization's strategic goals.

Read how to develop risk appetite/tolerance statements.
ERM Toolbox – How to Develop Risk Appetite/Tolerance Statements

  • Ed McCaulley
  • In Control
Risk Appetite and Risk Tolerance Statements

One of the key steps in developing an organization’s enterprise-wide risk management (ERM) framework is establishing written statements regarding its risk appetite and tolerance. These statements serve as guideposts to help employees make both strategic and tactical decisions; thresholds for risk metrics; and benchmarks for assessing whether the organization is comfortable with its own risk profile. They are vastly important. So, who should be involved in developing them, and what does that process look like?

As discussed in the first blog in our ERM Toolbox series, “Why Do I Need Risk Appetite and Tolerance Statements?”, establishing an organization’s risk appetite and risk tolerance statements is a vital step. Once an organization has seen the light and made the business case for setting these guidelines, the follow-up question is, “How are these statements developed?” For an organization that has not yet defined its risk appetite and risk tolerance statements, this question can seem intimidating. So, I’ll break it down into three smaller questions:

1. Who should be involved in developing the statements?
2. What is the best way to elicit information from participants?
3. Who should be involved in approving them?

STEP 1: DECIDING WHO SHOULD BE INVOLVED

Invitees to the party usually include the organization’s top level of management—AKA its executive team, senior leadership, or C-suite. This core group of individuals is going to be most familiar with and responsible for achieving the organization’s mission and strategic objectives. Add to this group any subject matter experts that provide necessary insight into certain risks that the organization faces. If an individual’s voice must be heard, either because they are instrumental in achieving strategic objectives or they manage the mitigation of a key risk, invite them. Lastly, include members of the risk management group—whether they’re assigned to a formal, independent risk management function or given ad hoc responsibility.

As a pragmatic concern, the group should not be too large, as it is harder to develop consensus with larger groups. Up to 12 members should suffice.

STEP 2: DRAFTING THE STATEMENTS

Theoretically, risk appetite and risk tolerance statements could be drafted and agreed upon through an iterative series of questionnaires or through software that allows for deep collaboration. However, in my experience, a workshop is the most efficient way. Methods may be dictated by what you are hoping to achieve, namely a consensus on which risks are acceptable and which are not.

Running a Risk Appetite & Risk Tolerance Workshop

Workshops do present their own challenges. However, participant training, competent workshop facilitation, and clear workshop objectives will help address those challenges. Many of the following steps might seem self-evident, but my advice for holding a successful workshop is as follows:

1. Schedule it so that everyone can participate. This is easier said than done, as these people are BUSY!
2. Ensure all participants know what is expected of them during the workshop—as workshop participants and as a group. This can be handled simply by providing a meeting invitation that includes an agenda and location, and establishes workshop “rules” (e.g., no phone calls, texting, or email during the session).
3. Establish a base level of ERM concept knowledge for participants. Understanding of the terms risk appetite, risk tolerance, risk mitigation, and inherent and residual risk, as well as risk types, is important. This training can be provided separately but can be very effective if provided on the same day, ahead of the actual workshop. The goal is full participation from all workshop attendees, not just those who are “in the know.”
4. Request that all participants bring copies of the corporate policies for which they are responsible. For example, the treasurer might bring the banking policy and the CIO might bring the acceptable use policy. These policies often serve as a starting point for risk tolerance statements.
5. Consider hiring a professional facilitator. The facilitator’s job is complex; they must be mindful of assessment bias, prevent or negotiate conflict among attendees, dissuade individuals from dominating the conversation, and encourage participation by those inclined to be wallflowers. Knowing when to table a discussion and move on is also a valuable skill. Rabbit holes explored by just a few individuals can cause the larger group to lose focus.
6. If the number of workshop participants is large, or the group is having trouble reaching consensus, consider using break-out sessions based on topic (e.g., risk type), then bringing recommendations back to the full group.
7. At the conclusion of the workshop, summarize outstanding items (there will be some), assign ownership, discuss next steps, and communicate a timeline. Follow up in a timely manner with an email to the participants, providing this same information. Ensure that each individual understands their required deliverables and timeline.
8. About a week after the session, reach out to participants to gauge their impressions of the workshop. Ask if they think the workshop was effective in building consensus around the risks the organization is willing to accept, those that it will not accept, and a delineation between the two.
9. Don’t seek perfection. There is no need for endless debate over each metric—like whether a 3, 4, or 5 percent ROI is ideal. It is natural that, like a new pair of shoes, these initial metrics may need to be adjusted.

STEP 3: OBTAINING APPROVAL

Obtaining approval of the risk appetite and risk tolerance statements is the “blessing” that puts them into practice. They then become the rulebook, the guidebook, the playbook for risk taking. However, the task of gaining approval may reveal additional risk threshold questions that must be answered by management.

Organizations usually have some form of supervisory body on which approval of risk appetite and tolerance statements will fall. In a corporation, this is its board of directors. In a public sector organization, it may be its council. To prepare the board/council for this responsibility and to ensure everyone is in alignment with expectations, they should be given the same baseline ERM training as management. And management should be prepared to respond and adapt to the board/council’s oversight.

CONCLUSION

For an organization looking to define and publish its initial risk appetite and risk tolerance statements, the process can seem intimidating. However, involving the right individuals, holding an effective workshop, and seeking the right approvals can make this process achievable. The key is to effectively channel senior management’s time to discuss, debate, and come to a consensus on enterprise-wide risk constraints. The clarity gained will equip employees to manage their individual risks and empower the organization as a whole to respond to risk more confidently and consistently.

Read the first blog in our ERM Toolbox series.
ERM Toolbox – Why Do I Need Risk Appetite and Tolerance Statements?

  • Ed McCaulley
  • In Control
Risk Appetite and Tolerance Statements: Identifying the Risk You’re Prepared to Accept

Have you ever been skydiving? I have not. To quote Clint Eastwood, “Jumping out of a perfectly good airplane is not a natural act.” Yet the US Parachute Association reported that in 2021, around 39,412 of its members made 3.57 million jumps.

Do you have an adjustable-rate (ARM) or fixed-rate mortgage? When I was younger and poorer, I considered an ARM before choosing a fixed rate. Back then, ARMs were trendy. They became less popular in the low-interest rate environment of our recent past. Perhaps they’ll gain popularity once again.

Do you drive faster than the speed limit? As a young man, I was clocked at 65 mph in a 35-mph zone. My defense? I was driving a straight-away on a clear, country road. The officer didn’t buy it, and I ended up spending two hours in remedial driving school for “aggressive drivers.”

Why all the questions? To make a point. Both the ways in which each of us measures risk and the amount of risk we’re willing to assume can vary widely. We are individual and unique humans, with awareness and risk tolerance built into our DNA. Brain chemicals like dopamine impact our perception of risk—as do age, gender, race, stress, upbringing, etc.

RISK APPETITE & TOLERANCE FOR ORGANIZATIONS

In 1987, Nick Leeson, a currency trader with Barings Bank, made failed bets on Nikkei futures totaling approximately $1.3 billion. His bets exceeded the total value of his employer’s capital and reserves. As a result, the 233-year-old bank was forced into bankruptcy. One audacious individual brought down a sophisticated and mature organization that most certainly did not share his appetite for risk.

To align risk, it’s important to develop risk appetite and risk tolerance statements—written documentation of the risks an organization is and is not willing to accept. Risk appetite statements serve as guidelines for developing strategic plans, operational processes, and business continuity plans. An excellent example is TD Bank’s statement, which reads as follows:

TD takes risks required to build its business, but only if those risks:
  • Fit its business strategy, and can be understood and managed.
  • Do not expose the enterprise to any significant single-loss events.
  • Do not risk harming the TD brand.

Here’s another example from the Office of the Comptroller of the Currency (OCC):
  • The OCC has no appetite for unauthorized access to systems and confidential data, and will maintain strong controls to mitigate external threats against its technology infrastructure.
  • The OCC has a low appetite for losing continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives.
  • The OCC has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology.

Risk tolerance statements further refine and “operationalize” broader appetite statements to provide specific context. They serve as tangible risk limits, setting clear boundaries within which a business must operate. Risk tolerance statements must be measurable, realistic, and capable of being monitored. For example:
  • At all times, the [organization] will maintain a rating of [xx] from [rating agency]
  • Annual employee turnover will not exceed [xx%]
  • Operational losses will not exceed [xx%] of [transaction type]
  • Minimum investment grade of no less than “A” for investment securities

For many risks, there is a range of acceptable levels. Let’s take information security risk as an example. We want to avoid this risk, right? What is the easiest way to do so? Disconnect all your computers from the internet. But taking this extraordinary step has consequences—no (external) email, no cloud computing, and no working from home. In other words, requiring zero risk can hamper or even prevent us from accomplishing our objectives. Recognizing the benefits of being interconnected, most organizations have chosen to accept some level of information security risk. Some level of risk is fine, but too much risk is not. Over time, navigation of these risks starts to resemble a road, with edge lines and guard rails; the acceptable place to drive is in the middle.

WHAT DO I DO WITH RISK APPETITE AND RISK TOLERANCE STATEMENTS?

Use them. Ensure that individuals who make decisions affecting the organization’s risk profile understand these statements. Decision makers should consider how their choices affect an organization’s risk level—specifically, whether their decisions leave the organization within its established risk appetite and tolerance parameters or push the organization outside those limits.

Report on them. Senior executives and risk committees should require regular updates on their organization’s status related to risk appetite and risk tolerance statements. Discussions might include: Is the organization within its risk tolerance for 15 of its 16 metrics? If so, how does the organization feel about the final metric? If the organization is uncomfortable accepting this level of risk, then the metric effectively identifies an area that needs attention, and risks in this area need to be reduced. In contrast, if the organization does not feel that current risks are unacceptable, then the risk metrics might need adjustment. This is common. Initial risk metrics are like a new pair of shoes; you need to experience them for a while to see if they pinch.

Don’t let them get stale. The last thing you want to do is create these statements, then put them on the shelf and forget them. Just as organizations change over time, so does risk appetite. Periodically revisit your organization’s risk appetite and risk tolerance statements to determine whether they are still appropriate and relevant or need to be adjusted. Also consider whether the statements are understood by everyone or require additional context. We recommend conducting this evaluation while developing a strategic plan. After all, where we want our organization to go and where we don’t want it to go are interrelated considerations.

CONCLUSION

Risk appetite and risk tolerance statements provide important guidance to employees about which risks are acceptable and which are not. They help align individual employee tolerances to organization-wide tolerances, for more consistent risk response across the board.
Essential considerations when employing Balance Sheet Account ...

  • Ed McCaulley
  • In Control
Given the nature of the public sector industry, with its vast constituent base, any process and control failures can become highly visible, highly contentious, and highly damaging to an organization’s reputation. Yet, with budget constraints and the hiring challenges from the “Great Resignation,” how are we to keep our organizations safe and out from under this magnifying glass? The challenges are significant and demand rational approaches as well as application of one of the oldest — yet most effective — accounting control processes: balance sheet account reconciliations.

Reconciliations have long been an important control for ensuring the accuracy of financial statements. Validating balances in general ledger accounts through the reconciliation process provides management with assurances that controls are in place and are working effectively. Performing accurate and timely reconciliations receives considerable attention under various government regulations focused upon public sector reporting. For example, in the United States, the Office of Management and Budget’s (OMB) Circular No. A-123 (A-123), the Federal Managers’ Financial Integrity Act (FMFIA), and the Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government (known as the “Green Book”) have been at the center of Federal requirements to improve accountability in Federal programs and operations. Within the Green Book, “reconciliations” are specifically called out both as “transaction control activities” and “ongoing monitoring.” Yet even without the regulatory emphasis, it is because of their summary and comprehensive nature that reconciliations often become key, rather than secondary, controls. As accountants and auditors, we should understand best practices related to account reconciliations and have a clear plan for reviewing reconciliations.

RECONCILIATION TYPES

There are various types of reconciliation, and each has nuances that will indicate the nature, timing, and extent of audit tests. Some of the more common types include:

  • Basic account reconciliations. Often far from basic or simple, these accounts may be reconciled to an accounts receivable aging schedule, a fixed asset ledger report, or an accounts payable report. There should be account reconciliations for all asset, liability, and equity accounts.
  • Bank account reconciliations. This type of reconciliation is between a bank statement and a general ledger account. Zero balance accounts (ZBAs) add a twist to the generic bank account reconciliation, because the bank account is swept or funded daily, leaving the end-of-day balance at zero.
  • Suspense account reconciliations. Suspense accounts are used as a “holding” account until the appropriate disposition or classification of the transaction can be made (e.g., a lockbox used for all deposits). Once the cash deposit is recorded on the organization’s books, the organization will then determine why it was received and book the corresponding entry to clear suspense (e.g., to post it against a notes receivable or to book revenue).

Thus, testing procedures should be added or modified to address the specific nature or characteristics of the account being reconciled.

BENEFITS

There are many benefits that come from performing high-quality account reconciliations, but here are the key benefits:

  • Identify necessary adjusting entries before financial or other regulatory reports are issued, thus reducing restatement risk
  • Identify operational issues earlier, when the problem is smaller, resolution is more manageable, and before the “fog of time” starts to obscure events
  • Improve confidence in the financial statements from investors, managers, constituents, and external auditors
  • Emphasize to all employees the need for accuracy in transaction processing, since the feedback is closer to the error

BEST PRACTICES

Both accountants and auditors should understand the best practices being utilized around account reconciliations. The following are practical ideas for improving the effectiveness of an organization’s account reconciliation efforts:

  • Formalize a policy for reconciling and reviewing all balance sheet accounts.
  • Complete a risk assessment of all balance sheet and off-balance sheet accounts and determine their risk level.
  • Designate a regular cycle for the process (e.g., monthly reconciliations for high- and medium-risk accounts and quarterly for low-risk accounts).
  • Complete account reconciliations by a specific calendar day of the subsequent month.
  • Use a standard format for preparing reconciliations across the organization, and ensure each reconciliation contains standard information.
  • Assign different individuals to the preparer and reviewer roles for each reconciliation to be performed.
  • Confirm that the preparer and the reviewer possess the adequate skill sets to perform their functions, understand the nature of the account being reconciled, and understand the documentation and analysis required to support and substantiate the account balance.
  • Consider automating the reconciliation process. There are various tools available to help with reconciliations. For example, many tools will automatically match up transactions from the G/L to the bank records, which frees reconcilers to focus on the more value-added task of researching unmatched records. Other tools help track the status of all reconciliations.
  • Consider use of continuous monitoring tools and testing to immediately alert staff to potential issues (e.g., search for duplicate payments based upon payee, amount, and payment date) when they can take preventative action, instead of waiting to detect the issue when the reconciliation is performed.

There are no guarantees, but employing these practices can help reduce the risks of fraud, financial loss, or misstatements, while identifying operational issues early, before they become too large.

INTERNAL AUDIT’S ROLE

Internal audit should be responsible for independently assessing compliance with stated procedures. When performing audits of reconciliations, it is essential that auditors consider various attributes. Including the following testing procedures can help auditors perform a complete and adequate review.

Does the “balance per the general ledger” on the reconciliation agree to the amount reported on the general ledger? One common problem is not reconciling to the full general ledger balance (e.g., to a subaccount, to only the cash or accrual or tax subledgers, or to only a subsidiary account).

Does the “balance per bank” or “balance per system” agree with the bank or system report? A recurring issue is reconciling the general ledger activity to the general ledger balance rather than to an outside, confirming source. Reconciling one general ledger source to another, such as a trial balance to an online balance report, will accomplish nothing — unless the intent is to test the general ledger system’s reports.

Are there any unreconciled differences? Unreconciled or unknown differences should set off alarm bells. These differences mean the reconciliation work has not successfully identified all reconciling items. This typically indicates that the individual preparing the reconciliation does not have the appropriate skills, did not devote the time necessary to complete the reconciliation, or simply does not have access to all the appropriate data required. Be careful about de minimis limits that some groups have established. The theory behind a de minimis limit is that the difference is too small to warrant the time and effort to track down the difference and that it is more efficient to simply write off the unreconciled amount. However, the use of de minimis limits has dropped out of favor because the unreconciled balance may be hiding more than one error if the transaction amounts offset each other. In other words, a $10 unreconciled balance might be two or more transactions: a million-dollar credit, largely offset by a $999,990 debit.

Are reconciling items being cleared timely? Unless the reconciling items identified are purely timing issues, they should result in some action (e.g., a journal entry or an entry to correct a subledger). These actions should clear the item before the next reconciliation is performed. If they are not cleared, it is an indication that the work is not being performed. As many organizations are operating with lean accounting departments, completing account reconciliations both correctly and timely can be a difficult task. However, staff shortages do not justify rolling reconciling items forward from period to period. Although this approach is quicker and may seem to be an acceptable solution to the overworked individual performing the reconciliation, it is often the cause of a restatement.

Was the reconciliation signed by the preparer and reviewer, and are the preparer and reviewer different individuals? Having both roles is important for three reasons. First of all, it introduces a measure of segregation of duties, especially useful in smaller organizations where everyone wears multiple (and sometimes incompatible) hats. Secondly, the reviewer may offer a broader understanding of the transactions flowing through the account. Finally, the reviewer also should help ensure that reconciliations are being performed with consistent diligence between accounts.

Was the reconciliation completed on time? Reconciliations should be completed before the data or report for the next reconciliation becomes available. Thus, a bank account reconciliation would be considered late if it was not completed before the next month’s bank statement was received.

Has the organization established a monitoring control over reconciliations? Reconciliations are such an important control that many organizations have implemented an organization-wide policy or centralized monitoring to ensure their timely completion. All balance sheet accounts should be reconciled.

SUMMARY

Performing appropriate and timely reconciliations is a critical control function that should be in place in all organizations. Although account reconciliations may seem mundane and repetitive, a strong account reconciliation process is an important component of a solid system of internal controls. Implementing account reconciliation best practices — such as accountability, risk-based prioritization, and reconciliation automation — provides management with insight into the substance of transactions and account balance content. A robust reconciliation process can identify necessary adjusting entries before financial or other regulatory reports are issued, while also reducing restatement risk, improving investor confidence, and eliminating write-offs.
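The review attributes above (balance agreement, unreconciled differences that a de minimis limit would bury, items rolled forward, and the duplicate-payment search) as an added Python example. It is not part of the article or any vendor tool, and every balance, reference and payee in it is constructed.

```python
"""
Item-level reconciliation checks for a cash GL account, added to illustrate the
review attributes the article lists (a small net difference hiding offsetting
items, items rolled forward, duplicate payments). Example code only, not the
article's or any vendor's tool; every balance, reference and payee is constructed.
Amounts are integer cents; negatives are credits (disbursements).
"""
from collections import defaultdict
from datetime import date

PERIOD_START = date(2024, 3, 1)      # this reconciliation covers March 2024
DE_MINIMIS_CENTS = 25_00             # a write-off limit some groups adopt

# "Balance per general ledger" and "balance per bank" on the reconciliation.
GL_BALANCE = 1_250_000_00
BANK_BALANCE = 1_250_010_00          # bank is $10.00 higher than the GL

# (reference, amount_cents, posting_date) for the month's activity.
GL_ITEMS = [
    ("CHK1001", -4_500_00, date(2024, 3, 4)),
    ("CHK1002", -12_250_00, date(2024, 3, 11)),
    ("DEP2201", 30_000_00, date(2024, 3, 12)),
    ("WIRE77", -1_000_000_00, date(2024, 2, 27)),  # million-dollar credit, prior period
    ("ADJ9", 999_990_00, date(2024, 3, 21)),        # debit that almost offsets it
]
BANK_ITEMS = [
    ("CHK1001", -4_500_00, date(2024, 3, 6)),
    ("CHK1002", -12_250_00, date(2024, 3, 13)),
    ("DEP2201", 30_000_00, date(2024, 3, 12)),
]

# Disbursement register: (check_no, payee, amount_cents, pay_date).
PAYMENTS = [
    ("CHK1001", "Acme Fleet Services", 4_500_00, date(2024, 3, 4)),
    ("CHK1002", "Northside Paving LLC", 12_250_00, date(2024, 3, 11)),
    ("CHK1003", "Northside Paving LLC", 12_250_00, date(2024, 3, 11)),  # same payee/amount/date
    ("CHK1004", "Northside Paving LLC", 12_250_00, date(2024, 4, 11)),  # recurring, different date
]

def match_items(gl_items, bank_items):
    """Match GL and bank items on (reference, amount); return what is left on each side."""
    bank_keys = {(ref, amt) for ref, amt, _ in bank_items}
    gl_keys = {(ref, amt) for ref, amt, _ in gl_items}
    gl_only = [it for it in gl_items if (it[0], it[1]) not in bank_keys]
    bank_only = [it for it in bank_items if (it[0], it[1]) not in gl_keys]
    return gl_only, bank_only

def unexplained_difference(gl_balance, bank_balance, gl_only, bank_only):
    """GL balance minus the bank balance adjusted for the identified reconciling
    items. Zero means every cent of the difference is explained by a listed item."""
    adjusted_bank = (bank_balance + sum(a for _, a, _ in gl_only)
                     - sum(a for _, a, _ in bank_only))
    return gl_balance - adjusted_bank

def net_only_check(gl_balance, bank_balance, de_minimis=DE_MINIMIS_CENTS):
    """The shortcut the article warns against: compare the two balances and write
    off anything under the limit. True means the difference would be written off."""
    return abs(gl_balance - bank_balance) <= de_minimis

def hidden_offset(gl_only, bank_only, de_minimis=DE_MINIMIS_CENTS):
    """Detect a small net difference made of large offsetting items.
    Returns (net_cents, gross_cents, flagged)."""
    amounts = [a for _, a, _ in gl_only] + [-a for _, a, _ in bank_only]
    net, gross = sum(amounts), sum(abs(a) for a in amounts)
    return net, gross, abs(net) <= de_minimis < gross

def rolled_forward(unmatched, period_start=PERIOD_START):
    """Reconciling items posted before this period were carried forward instead
    of being cleared; return their references."""
    return [ref for ref, _, posted in unmatched if posted < period_start]

def duplicate_payments(payments):
    """Continuous-monitoring test: disbursements sharing payee, amount and payment
    date. Returns {(payee, amount, date): [check numbers]} for groups of two or more."""
    groups = defaultdict(list)
    for check_no, payee, amount, pay_date in payments:
        groups[(payee, amount, pay_date)].append(check_no)
    return {key: checks for key, checks in groups.items() if len(checks) > 1}

def run_review():
    """Apply every check to the constructed month and return the findings."""
    gl_only, bank_only = match_items(GL_ITEMS, BANK_ITEMS)
    net, gross, flagged = hidden_offset(gl_only, bank_only)
    return {
        "net_only_would_write_off": net_only_check(GL_BALANCE, BANK_BALANCE),
        "unexplained_cents": unexplained_difference(GL_BALANCE, BANK_BALANCE, gl_only, bank_only),
        "net_cents": net,
        "gross_cents": gross,
        "hidden_offset": flagged,          # True: a $10 net hides ~$2M gross
        "rolled_forward": rolled_forward(gl_only + bank_only),
        "duplicate_payments": duplicate_payments(PAYMENTS),
    }

if __name__ == "__main__":
    for name, value in run_review().items():
        print(f"{name}: {value}")
```

The balance-only shortcut passes this month under a $25 limit, while the item-level checks surface the two offsetting items, the prior-period wire that was rolled forward, and the duplicate check to the same payee.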
Accurate and timely reconciliations are a critical control function that should be in place in all organizations. Understand best practices related to account reconciliations and develop a clear plan for reviewing reconciliations.
Improve your Internal Controls to Lower Audit Fees

  • Jamie Black
  • In Control
If you're a typical finance department, discussions about internal controls are probably not part of your daily work day. In our experience, accounting teams start thinking about and discussing internal control when they have:
  • found an alarming incidence of error in their business processes
  • been subjected to a performance audit (if they are a local government)
  • heard of another organization falling victim to fraud

Outside of these scenarios, the strength of the internal control system doesn't often get a lot of finance's attention while they take care of payroll, budgeting, management reporting, financial reporting and so much more. There is a large, but often overlooked, reason to focus on your internal control system: an opportunity to reduce audit fees.

Audit Fees Increase with Poor Internal Controls

Poor internal controls and/or poor documentation of existing controls directly lead to increased audit fees. Why? Auditors must increase the amount of testing performed (sample size) when they determine that internal controls cannot be relied upon (International Standard on Auditing 530, Audit Sampling) in order to reduce audit risk to an acceptable level (International Standard on Auditing 330, Auditor Responses to Assessed Risk). Specifically:

"Deficiencies in the control environment, however, have the opposite effect; for example, the auditor may respond to an ineffective control environment by:
  • Conducting more audit procedures as of the period end rather than at an interim date.
  • Obtaining more extensive audit evidence from substantive procedures.
  • Increasing the number of locations to be included in the audit scope."

The evidence of this direct relationship between audit fees and internal controls abounds. In December 2016, the Financial Executives Research Foundation (FERF) survey of more than 6,000 organizations found that reviews of internal controls continue to be one of the three major driving factors behind rising audit fees:
  • More than 20% of the respondents that had audit fee increases cited a "review of manual controls from [Public Company Accounting Oversight Board] inspections."
  • Companies that cited ineffective internal controls as adding to audit fees experienced a 5.1% median increase, almost two percentage points higher than the median increase for all other filers.

3 Recommendations to Reduce Audit Fees

In their follow-up article "Mitigating Increases in Audit Fees", the FERF interviewed preparers and auditors to understand causes and develop recommendations. Several recommendations focused specifically on internal control improvements that drive lower audit fees, including:
  • Align key controls with key risks: Ensuring the organization has strong controls to address the most significant risks will give management and auditors increased confidence.
  • Document internal controls: If an organization has very light or poorly organized documentation, or hasn't thought through all the branches in a process, attestation becomes difficult for the auditor, and more costly for you.
  • Evaluate the latest technology: External and internal auditors are both using data analytics and continuous controls monitoring technology to increase audit quality, work smarter and potentially reduce costs.

There are many great reasons to focus on improving your organization's internal controls. Lower audit fees are another good one.
Finance professionals know the importance of strong internal controls for managing but overlook the opportunity to reduce audit fees.
In Control: Why Monitor When We Know it is Broken?

  • Holly Ueland
  • In Control
In part 1 of this series, we discussed how continuous controls monitoring is incredibly valuable for management. In this installment of the series, we address a recurring question we hear. When chatting with clients we hear: "Listen, I know our process is broken. Why waste time monitoring it when we could spend that time fixing it? Aren't we checking the pulse of a dead patient?"

This statement does seem to have some logic to it, but it over-simplifies the situation. The reality is that monitoring your control activities is an integral part of the effort to fix them.

When we say "broken" we typically mean that the process is failing to achieve its objective. Translated into internal control terminology, we mean the control activities are failing to mitigate risk. Business processes are often very complex, with many steps, risks, controls, stakeholders and participants. When we say "the process" is broken, we mean one or more risks are not being controlled. But which controls? Why? That information is going to be critical in determining how we fix "it".

Monitoring controls that we suspect are not functioning can tell us which controls are failing and why. This information is critical to making good decisions about how to resolve the issue. Further, once we resolve the issue (repair, implement, or remove), we will want to monitor to ensure new problems don't crop up or old ones recur. If you go in for heart surgery, doctors want to keep a close eye on you for some time thereafter!

How does your organization determine what the expected controls are for various processes, and which ones to monitor? Through best practices, which we discuss in part III of this series.
The importance of monitoring is often overlooked in internal control systems. Even when processes are "broken", it turns out monitoring is essential.
6 Key Fraud Findings for Government Finance Officers

  • Holly Ueland
  • In Control
The Association of Certified Fraud Examiners (ACFE) 2016 Report to the Nations on Occupational Fraud and Abuse had several findings that will be very interesting to finance managers in local government. The 2016 report is based on the results of the 2015 survey. As part of the survey, respondents were asked to provide a detailed narrative of the single largest fraud case they had investigated since January 2014. Respondents were then presented with 81 questions to answer regarding the particular details of the case, including information about the perpetrator, the victim organization, and the methods employed, as well as fraud trends in general. While the report is very interesting in many respects, there are 6 points we want to highlight.

6 Findings relevant for Government Finance Officers
  • The most prominent organizational weakness that contributed to the frauds in the study was a lack of internal controls, which was cited in 29.3% of cases, followed by an override of existing internal controls, which contributed to just over 20% of cases.
  • Government and public administration experienced the third highest incidence of losses due to error and fraud, with a median loss of $109,000 per incident.
  • Small organizations had a significantly lower implementation rate of anti-fraud controls compared to large organizations.
  • Small government organizations are more susceptible to fraud. Out of all the government bodies included in the report, from federal to local, small organizations (those with fewer than 100 employees) accounted for the greatest number of fraud occurrences overall. In addition, of the fraud occurrences in small organizations, those involving cash occurred over twice as frequently.
  • The presence of anti-fraud controls was correlated with lower fraud losses. ACFE compared organizations that had specific anti-fraud controls in place against organizations lacking those controls and found that where controls were present, fraud losses were 14.3%–54% lower.
  • Anti-fraud controls also correlated with much faster detection. Frauds were detected 33.3%–50% more quickly if the organization used such controls.

The report also notes that total losses represented in the study were actually significantly higher. However, to conservatively report loss amounts, the top and bottom 1% of results were excluded from the total loss figure. Even viewing the losses reported through a conservative lens, a typical loss of $108,000 per fraud can be devastating to many organizations, especially when combined with the indirect fallout that often accompanies a fraud scheme.

Join us for a free webinar and see how CaseWare's Continuous Controls Monitoring will improve your organization's internal control. We'll examine the ever-evolving risk profile that governments experience and also demonstrate the significant benefits (timeliness, accuracy, and cost-effectiveness) of automating the monitoring and enforcement of internal control (Continuous Monitoring) using CaseWare solutions.
2016 ACFE Report outlines several key points for government finance officers interested in internal control and eliminating fraud.
Continuous Controls Monitoring is Management's Best Friend

  • Holly Ueland
  • In Control
Being audited is hard work! Managers spend a lot of time getting prepared, answering questions and generally feel like they are under a microscope. Despite this, most acknowledge that audits are valuable. How can you get the benefits that audits provide without the pain? Continuous Controls Monitoring (sometimes referred to by the acronym CCM or just shortened to continuous monitoring)!

To understand why this is true, we need to understand a bit about the similarities and differences between audits and CCM. Both include the performance of assessments. One difference is ownership of the assessment process: the auditor is responsible for auditing, while monitoring is owned by management. You could say monitoring is auditing performed by management. CCM also provides several benefits.

Easier (and Cheaper) Audits

Continuous controls monitoring and external audit often directly impact each other. If you have an undocumented, unmonitored set of internal control activities, you should expect your external auditor to perform extensive sampling and testing. That leads to increased time and effort for the auditor, increased professional fees and increased support work for you. Contrast that with an organization that has very strong monitoring of its internal controls and excellent documentation of the exceptions found and their remediation. Your auditor can review this evidence of your strong internal control system and conclude that there is minimal risk. That means less testing and time on their part, reduced professional fees and less work for you. With continuous monitoring, your audit reports can change from a laundry list of errors made throughout the prior year to a discussion of improvements in your management and control processes to better prevent, detect and remediate errors in the future.

Timely and Efficient Management

In addition to reducing the number of tests being performed (which should yield less expensive audits), continuous monitoring provides another significant benefit: timeliness. CCM occurs alongside business processes, so identified issues can be addressed proactively before they become a major (public) problem. Consider the difference between finding and putting a hold on a suspected duplicate invoice payment before it is paid, versus detecting the payment during an audit months after it has occurred and then trying to recover the funds from the vendor. By monitoring your internal control activities continuously, you have the opportunity to manage your processes as they are happening, rather than retrospectively.

Check out the second part of this blog series to find out why continuous monitoring is even more important when we know controls are broken.
Continuous Controls Monitoring (CCM or sometimes Continuous Monitoring) provides a massive benefit to management AND simplifies the annual audit process.
In Control: Internal Control - More than Just Segregation of Duties

  • Holly Ueland
  • In Control
We strike up conversations about all manner of topics with finance professionals across North America, but discussions about Continuous Controls Monitoring (CCM) can be difficult. In part it is challenging because not many of us have extensive experience with internal control. For example, on numerous occasions we've heard comments like "Yes, our internal controls are great; we have segregation of duties!" With this in mind, and in consideration of the problems that a weak system of internal control causes, we thought we would explore some of the basics in this post.

Perhaps the simplest way is to use an analogy. Imagine you are driving in your vehicle. Your objective? To safely get to the grocery store and back, taking the most efficient route possible. On your route, there are risks (other vehicles, pedestrians, traffic lights) which threaten to slow you down or even derail you completely on your journey. But you're not powerless. Your car has a number of features that allow you to navigate these dangers: the mirrors, the steering wheel, the turn signals, etc. The skillful use of these features can greatly increase the likelihood of you getting to the grocery store.

More than just Segregation of Duties

Imagine you climbed into your vehicle and all you found was a brake pedal: no steering wheel, no turn signals, no headlights. Would you start off on your trip? Most likely not; a single safety feature is not enough! You need a wide array of components working as an integrated system in order to have a safe and efficient trip. Your organization's internal control system is the same. Segregation of duties is an important component (see Control Activities below) of the system. But it alone is not enough to protect your organization and ensure the attainment of your goals. What is needed is an entire framework of internal control. There are a number of different frameworks, but the most popular, and the one recommended by the GFOA, is COSO. Below, the COSO pyramid illustrates the components of their framework:

Control environment

This is often referred to as "tone at the top" and represents the many elements of the internal environment that define how the entity will conduct its activities overall. These include "soft controls" such as shared values, high ethical standards and expectations, and openness. However, it also includes "hard controls" such as formal job descriptions and performance reviews, and enforced disciplinary practices for deviations from expected behavior. It is hard to over-estimate the importance of this component. In fact, in January of this year the GFOA published a best practice regarding the control environment, which we strongly encourage you to read.

Risk assessment

Risk is defined as an event that will impact the achievement of one or more objectives. Risk assessment involves the identification of relevant risks and the assessment of their likelihood and impact.

Control activities

Control activities are those actions carried out to mitigate risk in order to increase the likelihood that objectives will be achieved. Generally they break down into two categories: preventative and detective.

Preventative:
  • Authorization and approval: These activities provide the go-ahead to act on the entity's behalf. A common example is purchase approval limits, whereby individuals can commit up to a specific amount of the organization's funds to obtain goods and services.
  • Physical controls: This includes activities that ensure the physical security of assets, such as pass cards to restrict building access to only authorized personnel.

Detective:
  • Verification: Verification assists in determining if a transaction is legitimate and based on valid information. For example, ensuring that purchases are made only from approved vendors.
  • Reconciliations: The most common type of this control is bank account reconciliations. However, any activity that ensures two or more types of information agree can be defined as a reconciliation, such as a 3-way match between a purchase order, receiving documents and the invoice received from the vendor.

Here we see the role of segregation of duties. It is an example of one type of control activity (preventative). It involves separation of the responsibility for the various aspects of a transaction: initiation, custody, recording and reconciling. For example, separating the approval of a purchase (initiating), the ability to create a purchase order (custody), actually creating the purchase order (recording), and performing the 3-way match mentioned above (reconciling).

Information and communication

Communication is the glue that holds this system together. Information is obtained both from internal activities, such as transaction data, and external sources, such as regulatory requirements. Appropriately and effectively communicating information across and outside the entity is essential for the achievement of objectives.

Monitoring

How do you know the control activities you are counting on are present and functioning? This is the role of monitoring. Unfortunately it is all too frequently overlooked. Your control monitoring system can either be based on manual effort from staff, or automatic checking from one of your computer systems. The other important aspect of your monitoring system is its frequency: periodic or continuous. Manual monitoring very rarely approaches continuous unless you have the resources for MANY dedicated internal auditors. It's much more likely that it will be periodic. Your automated monitoring protocols are more likely to be continuous, although the way you implement them will determine their frequency.

Monitoring tends to be one of the weakest elements in most organizations' internal control structure for two reasons:
  • Time-intensive: Let's say your organization processes 12,000 A/P disbursements per quarter and you are worried about duplicate payments. To ensure your control activities are working (monitoring), you need to find over 600 randomly sampled disbursements. Once you have this random sample, you must then find and review all the supporting documentation to ensure that there are no duplicates. For most organizations this is several weeks of work.
  • Ongoing: You need to monitor all the time. The more infrequent the monitoring, the less confidence you have that your control activities can be relied on to mitigate risk. If you spend weeks looking for duplicate payments, how likely are you to tackle monitoring of duplicate payments every quarter? Most of us don't have the time available to dedicate to this rigorous a protocol, despite how high-risk this area is.

Improve Your Framework of Internal Control

It should be clear now that breaking some high-risk tasks into pieces and segregating them among different staff is just one small (but important) piece of an effective internal control system. But it's not nearly enough. Developing a proper framework involves much more, and relies on a robust, continuous monitoring program in order to safely "drive" your organization to your objective.
Understanding internal control components is essential for finance officers and is the first step in understanding the benefits of Continuous Controls Monitoring (CCM).
Internal Control is Key to the Success of Government Programs

  • Jamie Black
  • In Control
For most finance professionals, "internal control" is synonymous with activities designed to prevent or detect fraud. One example activity: segregating the tasks of recording deposits and making deposits. But internal control is a much broader topic than most of us appreciate. Internal control is an entire process for assuring achievement of an organization's objectives in: operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. Segregation of duties related to making and recording deposits is a single control activity designed to deal with a single risk.

The pyramid illustrating the internal control process shows the many elements that must fit together to provide a complete and effective internal control system. It would be better if we thought of a skeletal system when we hear the phrase "internal control". Like a skeleton, internal control is the structure that supports the correct functioning of your organization. Without understanding internal control as a comprehensive system, it is much more difficult to maintain strong internal controls and thereby assure achievement of your government's objectives.

Need convincing? Consider the 2014 Fall Report of the Auditor General of Canada (AG). Chapter 6 of the report focuses on Nutrition North Canada (NNC). NNC is a subsidy program provided by Aboriginal Affairs and Northern Development Canada (AANDC), designed to provide Northerners in isolated communities with improved access to perishable, nutritious food. The program pays a subsidy to retailers in eligible communities, intended to reduce the cost of nutritious foods. In a CBC radio interview, the AG states the program "wasn't living up to what it's intended to do" and "Senior Management at AANDC focused on what was easy to measure instead of what was critical to measure." In other words, the AANDC is failing to achieve its objective. Why?

To recast the AG's comments from an internal control perspective, AANDC failed to mitigate risks with appropriate control activities. Consider the following table, comparing the original control activity with a better-designed control activity tailored to help achieve the AANDC's objectives:

Table 1 - AANDC Control Activities

Control Objective: Provide funding for residents of those communities most at need

  Risk #1: The wrong communities receive the subsidy
    Current Control Activity: Assess each community's need based on historical use
    AG Proposed Control Activity: Assess each community based on current need

  Risk #2: Subsidy not being passed along to consumers (kept by retailer)
    Current Control Activity: Measure the quantity of food being shipped to the retailer and measure the average cost of estimated food consumption
    AG Proposed Control Activity: Measure the actual cost paid by residents for the perishable nutritious food they purchased

Still need convincing of the benefit of the systemic view? Consider a personal example based on our skeletal system metaphor: if you went to the doctor with leg pain and numbness, what result would you prefer?
  • The doctor prescribes pain pills, or;
  • The doctor investigates, finds the cause is a compressed vertebra and prescribes a back brace to allow the vertebra to heal naturally.

Clearly, the best choice is to find the cause and fix it. Similarly, armed with a proper systemic understanding of internal controls and how the various elements need to function together, finance officers are likely to identify the AG's concerns as symptoms of a deeper issue. That should lead to an evaluation of the overall system of internal control.

As a finance officer, you have the opportunity to have a profound impact on all aspects of your government's operations, including program delivery. When you see symptoms of poor execution, look for the cause. A failure of internal control is often at the root of it.
Finance officers should leverage strong internal control to enable the success of their government's programs.