How Judge Hand’s statement might be applied to the responsibilities of management in establishing an internal control system
Judge Learned Hand, in discussing “degree of care” in connection with the standard by which a prudent person is to be held, said this: “The degree of care demanded of a person by an occasion is the result of three factors: the likelihood that his conduct will injure others, taken with the seriousness of the injury if it happens, and balanced against the interest which he must sacrifice to avoid the risk.” Discuss how Judge Hand’s statement might be applied to the responsibilities of management in establishing an internal control system and to the role of a performance auditor in assessing the control system. Please answer this question in own words. See paragraphs below to answer the question and get an idea. (If some of the paragraphs below do not relate to the question, then you can skip them.) Kindly please help me. I understand that this is a lot of paragraphs, but I really need help.
The Control Environment:
Standards for Internal Control in the Federal Government
Integrity and Ethical Values of Managers:
Operating Style and Attitude of Managers:
Organizational Structure and Methods of Assigning Authority and Responsibility:
The Way in Which Managers Exercise Control:
Competence and Reliability of the People in the Organization:
Hiring and Promoting
Salary and Benefits Structure.
Supervision and Training.
The Risk Assessment Process:
Qualitative Approach to Assessing Risk:
Significance of Judgment in Assessing Risk:
Managing Risk During Change:
Control Activities: Consistent with the scope of modern performance auditing, this book defines an entity’s control activities to encompass a broad range of both operating-type or safeguarding-type of activities. As noted in the GAO’s internal control standards, control activities are the “policies, procedures, techniques, and mechanisms that enforce management’s directives.” They are also the actions taken to detect and prevent identified risks. To encompass the concepts established in Canada’s Criteria of Control, we consider control activities also to cover the process by which goals and objectives are established, the strategies, action plans and criteria by which progress is measured,
and the way in which human capital is managed.
-Operating strategies and controls cover a broad spectrum of managerial activities, such as developing: program goals and objectives; reporting systems to measure achievement of objectives; policies, procedures and strategies to give reasonable assurance that objectives are accomplished efficiently and effectively; qualitative and quantitative standards of employee performance; and supervision to ensure that employees meet those standards.
-Safeguarding controls help management either prevent or detect in a timely manner the unauthorized acquisition, use or disposition of the entity’s resources. They cover such techniques as: requiring authorizations and approvals; documenting transactions, events, and decisions; securing assets from loss due to pilferage and other factors; and separating related functions.
Control activities are essential to efficient and effective operations and to accountability for resources entrusted to managers. Control activities vary from agency to agency. Variances in mission, goals and objectives, as well as differences in risk that each agency faces, will affect the nature and extent of the controls they put in place. Weak operating controls can result in a lack of direction and a failure to achieve the agency’s missions. Weak safeguarding controls can lead to a failure to prevent or to detect fraud and other improper activities in a timely manner. Some safeguarding controls, such as requiring documentation in support of certain events and requiring supervisory approval, help to prevent losses through inefficiency. As you read this discussion of controls, remember that the cost of each type of control needs to be measured against its anticipated benefit in determining the extent of its application to a particular set of circumstances. Also, care needs to be taken that the controls are not so intrusive that they stifle employee initiative. For example, for some activities, it may be more effective to tell staff what needs to be accomplished rather than how it should be done.
Establishing Program Goals and Objectives:
Developing Reporting Systems to Measure Achievement of Objectives: Establishing goals and objectives in line with an entity’s missions lies at one end of the management control process. At the other end is measuring entity performance to see the extent to which the
Establishing Policies, Procedures and Strategies to Achieve Objectives:
Managing Human Capital – General: The GAO’s internal control standards point out that effective management of an entity’s workforce is essential to achieving results and is an important part of internal control. Therefore, management needs to view human capital as an asset, rather than as a cost. Major elements of managing human capital include: obtaining and retaining a workforce that has the skills needed to achieve the organization’s goals, developing appropriate performance standards; having training programs aimed at developing the skills needed to meet changing needs, providing staff with incentives that foster effective performance, obtaining employee feedback, and ensuring effective and qualified supervision. Some of these elements are discussed in the ensuing paragraphs.
Developing Quantitative and Qualitative Standards of Employee Performance:
-Qualitative work standards generally refer to the nature of the work that employees are required to do. Qualitative standards often take the form of work programs or inspection
protocols, expressed in procedures manuals and in checklists. More complex qualitative standards might take the form of anticipated client performance such as the level of student achievement.
Quantitative and qualitative standards need to set with care. They should not be set in a manner that stifles initiative, nor can they be so loose as to be meaningless. They cannot remain static. Managers need to be alert to the potential for greater efficiency and effectiveness as a result of changing technology and better methods based on experience within the jurisdiction and in other jurisdictions. For example, the use of personal and hand-held computers has had a major impact on the efficiency of numerous operations. For another example, a large city reduced garbage collection costs significantly by using two-person, rather than three-person, sanitation trucks.
As a performance auditor, you need to determine the nature of the quantitative and qualitative work standards established by management. You also need to find out how the standards were established, and whether they are revised to take advantage of changing technology and experience.
You also need to be aware of the literature pertaining to the program you are auditing and the standards adopted by other jurisdictions. Contact with state, national or international professional associations (for example, the International Association of Chiefs of Police) applicable to the program you are auditing is often helpful. Your goal is to become as knowledgeable as you can about the activity being audited.
Supervising to Ensure that Employees Meet Performance Standards: Procedures manuals and checklists are just one element of a control system. Without supervision,
there is no assurance that employees are adhering to the established qualitative and quantitative work standards. Although supervision is needed for all activities, it is particularly important for activities such as inspection and maintenance, which take place away from the agency’s offices. Effective supervision gives top management reasonable assurance that staff employees are not “cutting corners” regarding work quality, allowing them to “goof off” or be absent without authorization. Lack of effective supervision increases the risk that poor quality work will come to management’s attention the hard way – as a result of accidents, reports of bribery, client complaint, or other incidents that reflect poorly on the entire government.
There are quantitative and qualitative aspects to supervisory performance, just as there are in staff performance. For some programs, laws or higher-level oversight agencies may establish ratios of numbers of supervisors to staff. Generally, however, agency managers are responsible for establishing the span of supervisory control. The extent of top management’s commitment to an effective control environment, discussed earlier in this chapter, contributes to the quality of an agency’s supervision. In performance auditing, you will often find a close relationship between the quality of the first line of supervision and efficient staff performance.
Control Activities for Computerized Information Systems: We referred earlier to the importance of controls regarding computer systems. Computerized information systems are the primary means by which most organizations control operations.Control activities are just as important for computerized systems as they are for manual systems. There are two generally accepted groups of controls – general controls and application controls.
General controls include security planning and management, access security, application software development and change control, system software control, segregation of duties, and contingency planning for service interruption. Application control helps ensure that all transactions processed by a software application are complete, accurate, authorized and valid.
Access security controls are intended to protect the network from inappropriate access by hackers and others. Security control activities include changes of dial-up numbers; restrictions on users allowing access only to information they need; frequent changes of passwords and deactivation of passwords used by former employees; and software and hardware “firewalls” that restrict access.
The Information Systems Audit and Control Association has issued extensive guidance on the control activities that management needs to protect the integrity of its information systems. You can get more information on this critical function at its web site: http:// and Communication:
The fourth component of internal control, information and communication, is the lifeblood of most organizations. This component fills many needs:
● Managers needs to convey the organization’s goals, objectives, policies and procedures to staff, and staff needs to convey operating problems and successes to managers.
● Managers need operating information to see if they meeting their goals and objectives, and they need financial information to see if actual performance is within budget.
● Operating units need to coordinate activities with each other.
● Management must constantly assess client needs and demonstrate accountability both to the legislature and the citizenry.
Communication must flow up, down, across and in and out of an organization. Information must be useful, timely, accurate and complete. The information and communication systems in an organization must work together to be successful in today’s environment.
Information:information, at the right time, to the right people. Networked computer systems enable people to share an incredible amount of information today. The challenge is to assure:
-Content is relevant
-Information is communicated in a timely manner
-Information is accurate and current
-Information is readily accessible
Today, managing information is a discipline receiving increasing management attention. In view of the amount of documents and other objects being sent and received for different business processes, the need for efficient administration is important. Naturally, this also applies to the environment of the users themselves, who should be able to find their way around the electronic office quickly and effortlessly. This also applies, however, to groups of users who must have joint access to certain information within the context of a specific project.
Software packages today feature multilevel folder management systems that support both the requirements of individual users and user groups:
-Private folders can be used to store information that is accessible only to the relevant user or selected persons.
-Public folders can be used to communicate important information, as well as to collect information, ideas, and expertise within an organization. Information of general interest, for example, can be posted in the form of “notice boards” to communicate information from management and other departments. Public folders can also be used to administer project-specific documentation, minutes of meetings, or planning documentation. Information in these folders is only accessible to certain departments, project groups, or
-Access rights can be defined based on the individual person or distribution lists, which can include project groups or departments.
Electronic information systems and the use of information technology have risks that must be effectively controlled in order to avoid disruptions to business and potential losses. Controls over information systems and technology should include both general and application controls. General controls are controls over the computer system (i.e., mainframe and end-user terminals) and ensure its continued, proper operation. For example, general controls include back-up and recovery procedures, software development and acquisition policies, maintenance procedures, and access security controls.
Communication: Effective communication is needed to convey numerous matters, such as management’s goals and objectives, policies and procedures, specific performance targets, ethical values and expectations regarding dealings with the citizenry. Without effective communication, information is useless. Managers need to establish effective paths of communication in order to ensure that necessary information is reaching the appropriate people. This information relates to both the operational policies and procedures of the organization as well as information regarding the actual operational performance of the organization. Management must help the flow of information – upward, downward, across the organization and in and out of the organization. When information flows upward, management is aware of the risks and the operating performance of the organization. Information flowing down through an organization helps ensure that the mission, goals and objectives and expectations, as well as established policies and procedures, are communicated to lower level management and operations personnel. This communication is essential to achieve a unified effort by all members of the organization. Communication across the organization is necessary to ensure that information available to one unit is shared with other affected units to coordinate activities.
Auditors ask a number of questions when assessing communication systems. They include:
-Are employee duties and control responsibilities communicated effectively?
-Are there established channels for people to communicate suspected improprieties?
-Is management receptive to employee suggestions on ways to enhance productivity, quality or other improvements?
-Is there adequate communication across the organization? Is the information
communicated completely, timely and sufficiently to enable people to discharge their responsibilities effectively?
-Are there open and effective channels of communication with customers, suppliers and other external sources? Are changing customer needs communicated?
-Are employees and outside parties made aware of the entity’s ethical standards?
-Is there timely and appropriate follow-up action by management resulting from communications with others?
Separate Evaluations of the Control System: Separate evaluations of the control system are needed because the ongoing agency-level managerial and supervisory activities are not sufficient to provide assurances to all those who are concerned with a governmental agency’s activities. The stream of accountability runs upward from unit managers to agency chiefs, to the chief executive officer, to the legislature, to higher level government resource providers, and ultimately to the citizenry. All individuals and groups in this accountability chain need assurances that control systems are in place and working. An agency chief may be satisfied with the internal control system, but that does not
necessarily mean that the mayor will be made aware of matters known to or overlooked by the agency head. The mayor may be satisfied with an agency’s control system, but state and federal resource providers may want to make sure the mayor’s staff is interpreting higher-level agency directives accurately and reporting honestly. Finally, as discussed in Chapter 1, legislatures may establish legislative auditors; and citizens, expressing their views through constitutional conventions, may prefer separately elected auditors. The views we express are consistent with the private sector notion that corporate boards of directors need strong audit committees exercising close supervision of corporate internal audit staffs.
Separate evaluations of control systems might occur at any point in the accountability chain. They may be made by agency internal auditors, external financial auditors, auditors appointed by the legislature or elected by the citizenry, or auditors from a higher-level government. Many larger agencies have in-house internal audit staffs or obtain separate internal control evaluations under contract with an outside entity. Because this textbook covers the techniques used in performance auditing, there is no need to discuss this aspect of the monitoring process in this chapter. We would point out, however, that a major role of the internal auditor is to evaluate the effectiveness of the monitoring accomplished through routine managerial and supervisory activities. We also note that monitoring through separate evaluations requires procedures for ensuring that the findings resulting from the separate evaluations are promptly resolved.
Routine, Ongoing Managerial and Supervisory Activities: There is no clear distinction between control activities, discussed earlier in this chapter, and monitoring done through routine managerial and supervisory functions. Control activities are the policies and procedures adopted by management to ensure that its directives are carried out. However, some types of control activities, particularly those involving review and approval by supervisors or managers, are also monitoring activities. Here is an example of how routine, ongoing managerial and supervisory monitoring activities might work in an inspection activity. Description of situation: Assume a governmental agency is responsible for inspecting nursing homes or day care centers for cleanliness and for conformance to safety and dietary standards. The inspections are made by a group of inspectors, using checklists, who must visit all facilities once a year. Deficiencies found on inspection are set forth in a complaint report. Facility owners have 30 days to correct deficiencies, and a re-inspection is made if deficiencies are considered to be serious. The checklists serve as a control to ensure nothing is overlooked. The decisions to visit all facilities once a year and to re-inspect non-compliant facilities are control or operating strategies, based on a risk assessment related to inspection frequencies needed to give agency managers reasonable assurance that facility owners conform to health and safety standards. Control through supervision: After completing an inspection, the inspectors prepare reports on deficiencies and leave the report and the completed checklist with the unit supervisor. The unit supervisors review the check lists for completeness; issue complaint reports, if necessary, to the facility owner; and sign off on the checklists to signify approval of the inspection. The unit supervisors also make spot checks of the quality of the work performed by the staff by visiting a sample of the sites inspected by each staff inspector, shortly after the inspection. The supervisors make a note on the checklist whenever they visit a site.
Monitoring activity accomplished by supervision: What are the supervisors doing in this illustration? When they review the checklists for completeness and make spot checks of the inspection quality, the supervisors are performing control activities intended to ensure the quality of the inspections. Supervisory sign-off provides evidence of the approval. These control activities are also part of the ongoing monitoring of the quality of the inspection activity. Effective supervision may lead to the conclusion that one of the other controls – employee training – needs to be upgraded or increased in frequency.
Related monitoring activities: But what if there were an insufficient number of inspectors or an insufficient number of supervisors? In that event, other types of routine managerial controls might call management’s attention to the problems. Reports on numbers of inspections performed compared with the budgeted number of inspections provides another monitoring type of activity. Complaints made by relatives of those in nursing homes or day care centers also aid in the monitoring process.
Role of the performance auditor: Where does the separate evaluation – the performance audit – fit into this picture? The performance auditor will assess such matters as: (a) whether the unit supervisors are doing what they are supposed to do (that is, reviewing the completed check lists, making spot visits, and sending out complaint reports in a timely manner); (b) whether managers get periodic reports showing numbers of completed inspections relative to plan and whether they act promptly in the event of lagging inspection performance; and (c) whether there are a sufficient number of supervisors to do the job.
Examples of Routine, Ongoing Managerial Monitoring Techniques: There are many ways in which managers and supervisors accomplish routine, ongoing monitoring of the performance of the control systems. (Remember that we defined a control as any activity intended to ensure achievement of managerial objectives.) It is important to note that several monitoring activities described in the previous paragraphs required management to establish performance standards against which the monitoring would be accomplished. Here are some of the ways in which managers and supervisors do routine, ongoing monitoring:
-Review and approval of staff actions on transactions over a certain dollar amount, to ensure that established procedures were followed in making decisions.
-Visits to a sample of work sites, to ensure quality of staff performance relative to standards, or adherence of employees to work rules.
-Review of monthly or quarterly reports showing quantity of work done compared with a budget standard, or cost of work done compared with a budget standard. This enables
prompt detection and correction of shortfalls from targeted performance.
-Review of routine or special reports showing deviations from established norms, such as supply outages, facility breakdowns, or overtime and sick leave reports. Such deviations may be indicators of problems in supervision and other controls.
-Review of accident reports and client complaints. Incidents such as these may result from weak operating practices or from insufficient consideration of risks underlying the
strategies adopted to prevent such problems.
-Follow-up on deviations uncovered during routine reconciliation processes. For example, analysis of differences between physical inventories and amounts shown in perpetual
inventory records might provide evidence of breakdowns in the accounting system, in security, or in other aspects of the control system. An inability to reconcile cash balances
with amounts shown in bank statements might lead to discovery of fraud.
-Review of asset write-offs. For example, write-offs of loans receivable might be evidence of weak processes in granting governmental loans. Write-offs of inventory might be
evidence of poor purchasing or poor storage practices. Write-downs of investment values might have been caused by a failure to adhere to investment guidelines.
-Managerial review of reports comparing performance of one facility with another, or one branch office with another.
Need for Prompt Communication of Serious Internal Control Shortcomings: Performance auditors also have a responsibility to report major problems promptly to the appropriate levels of management. As discussed in Chapter 5, performance auditors need to establish a line of continuous communication with top management at the opening audit conference. Formal procedures should also be established for reporting on actions taken by management to resolve the conditions noted in performance audit reports.
Finding the Right Controls: Auditors sometimes tend to over-emphasize the wrong control components under the premise that control activities (i.e., policies and procedures) are the most critical elements of an organization’s success. Policies and procedures are certainly important. An effective performance auditor, however, ensures not only that they exist, but also that they exist within the appropriate control environment and that they are followed by staff and not over-ridden by management. In conclusion, if auditors are to be successful in finding the real cause of the problems uncovered in an organization, it’s imperative to address all of the control components identified in COSO’s Internal Control — Integrated Framework. Auditors must understand the entity’s control environment and the information and communication systems. These components are harder to assess than the others, but are just as critical in determining the entity’s success or failure.