The Paradox of Control

One of the failures of the auditing profession is its inability many times to not assess properly the internal control system within an organization being audited. 

Much of the focus is on control activities. Unfortunately, auditors and regulators often place too much emphasis on the wrong control components under the misguided premise that control activities (i.e., policies and procedures) are the most critical elements of an organization's success. This misplaced focus can cause managers to respond with strong — but wrong — preventive controls over day-to-day activities, which ultimately frustrates efforts to correct an organization's real problems. It's important for students of the auditing profession to identify and implement the right controls to prevent the past practices, which have harmed major organizations involved in fraud and scandals over the years, from reoccurring.

Control activities are much more objective to assess than control environment issues. It is easy to read existing policies and procedures and to spot situations where duties should be segregated. It also is easy to review documents to determine whether policies and procedures were followed (e.g., Was an approval obtained when needed? Were bids sought when required?). However, it is much more difficult to assess management's philosophy and operating style. It is also difficult to review and estimate the integrity, ethical values, and competence of employees.

It's important to be clear on this issue because control activities — and the corresponding policies and procedures — are essential components of a good control system. Unfortunately, the focus on control activities is often for the wrong reason. Auditors routinely recommend that management segregate duties with the explanation that it is necessary to provide a check and balance on employees' duties, but the message this sends to employees is that they are not trusted.

Conversely, when an organization segregates duties, shouldn't it be to help assure efficiencies in the process and allow employees to monitor their own work as a team, correcting any errors before the transactions are complete? Employees can accept this reason much more easily than a message that says, "We don't trust you." You also accomplish several objectives, increase efficiency of operations, monitor operations, and help prevent improper activities, all while creating the right control environment.

TOO LITTLE FOCUS ON THE CONTROL ENVIRONMENT

NASA (a government agency) and WorldCom (a private sector agency) are examples of the many organizations that have confronted disasters and scandals throughout the years. By examining NASA's Columbia disaster and the WorldCom scandal, it's easy to see the drastic effect a lack of focus on the control environment can have on an organization.

Seven astronauts died when NASA's space shuttle Columbia disintegrated on its descent to Earth in February 2003. In assessing the cause of the accident, the Columbia Accident Investigation Board concluded: "Cultural traits and organizational practices detrimental to safety were allowed to develop, including:

• Reliance on past success as a substitute for sound engineering practices, such as testing, to understand why systems were not performing in accordance with requirements.
• Organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion.
• Lack of integrated management across program elements.
• The evolution of an informal chain of command and decision-making processes that operated outside the organization's rules."

This analysis focused on the real cause of the Columbia failure — issues that are not typical of the areas on which auditors focus when conducting internal control reviews in an organization. The Columbia Accident Investigation Board concluded that regarding the space shuttle disaster, the control environment at NASA was flawed.

At WorldCom, the accounting problems that occurred resulted in the largest bankruptcy proceeding in United States history. In any large organization, senior management must work through others to get things done. In WorldCom's case, senior management had to work with the accountants in the accounting department to make the fictitious entries that would result in the appearance of improved financial performance. Toward that end, accounting records were adjusted by making general journal entries that moved line cost expenses to capital accounts. If an item is to be capitalized, it has to have a useful life beyond a year, the organization must have ownership, and someone should be able to verify its existence. The accountants knew line costs at WorldCom did not have a useful life beyond a year because they really represented lease costs for lines owned by other telecommunication companies. These were simply day-to-day operating expenses.

Several accountants expressed concern to their boss about this transfer, and WorldCom even had an internal accounting policy that prohibited it. The accountants in the accounting department at WorldCom were not the only ones who knew something was wrong. After the general journal was adjusted, it became necessary for the Property Accounting and Capital Reporting Group to adjust its records to reflect the increase in capital assets. Many people in this group knew there was no supporting documentation for these entries and expressed concern but did not go outside their group with questions.

Although the nature of NASA's Columbia disaster and the WorldCom scandal were quite different, the root cause of each — the control environment — was remarkably similar. These events weren't entirely caused by the lack of policies, procedures, or segregation of duties. The failures resulted from a flawed control environment where management chose a certain course of action, including overriding otherwise effective policies and procedures.