Control Environment’s Hidden Risks
The control environment can either strengthen or extenuate weaknesses regarding the overall culture and ethics of a company. Control environment discussions focus on three main areas: tone at the top, management philosophy/operating style, and segregation of duties. The control environment has been discussed much more since the Sarbanes-Oxley Act of 2002. However, the three main areas of the control environment are subjective in nature and may cause hidden risks if not managed appropriately. Breaking down each of the three areas can give management and the board of directors appropriate, company-strengthening knowledge of the ‘hidden’ risks and offer potential mitigating factors regarding the control environment. Here are the three main areas:
1. Tone at the Top
Risk: Gaps in the control environment that have not yielded a control failure are deemed an acceptable risk by management instead of being analyzed and investigated.
Mitigation Techniques:
- Understanding the difference between a control gap and a control failure. A gap is an area that can cause a failure, whereas a failure is an actual event that fell through the control environment. It is important that the “tone” conveys that a gap has potentially very damaging effects and, if brought to attention, can be mitigated.
- Having open discussions regarding gaps in the control environment. The open discussions should include the board of directors, auditors, and senior management.
2. Management Philosophy/Operating Style
Risk: Management processes that have become solely something that needs to be signed off on, as opposed to reviewed and analyzed.
Mitigation Techniques:
- Understanding the processes and the reasoning for the review or sign-off required, and especially understanding the risks involved. This includes training. Management and directors change, and training needs to be up to date and in touch with your company. SOX Section 302 has clear terms for the responsibilities and potential liabilities regarding management and directly references improper attestations by management. Management is responsible for the financial statements of the company.
- Understanding that not everything should be viewed as a ‘step.’ There typically is an underlying reason for the process, and taking items in a process and using professional judgment will yield the intended results as opposed to a simple ‘step.’
3. Segregation of Duties
Risk: The size of the organization makes segregation of duties ‘impossible.’
Mitigation Techniques:
- Actual discussion and assessment regarding all the potential risks associated with that control environment. The open discussion again needs to include the board of directors, auditors, and senior management.
- Look for alternative methods for monitoring, providing additional checks/balances such as automation, and utilizing the strengths of the company’s employees.
Compiled by Adam Ketch