2. All Controls are Built on Assumptions about People and Systems
• The degree of trusttrust the controller places in the
organization or persons with authority and
responsibility, and
• The assumptions about ethicalethical behaviourbehaviour in
the culture and legal framework of the
organization.
3. Just Who is the Controller????
The Controller and the ControlledThe Controller and the Controlled
CONTROLLERCONTROLLER CONTROL SUBJECTCONTROL SUBJECT
Operational ManagerOperational Manager Subordinate UnitsSubordinate Units
Divisional or SeniorDivisional or Senior
ManagerManager
Operational ManagerOperational Manager
Corporate ManagerCorporate Manager Divisional or SeniorDivisional or Senior
ManagerManager
Internal AuditorInternal Auditor Operational ManagerOperational Manager
External AuditorExternal Auditor Internal AuditorInternal Auditor
External AuditorExternal Auditor Corporate ManagerCorporate Manager
Corporate ManagerCorporate Manager Minister and/or LegislatureMinister and/or Legislature
Corporate ManagerCorporate Manager Board of DirectorsBoard of Directors
LegislatureLegislature External AuditorExternal Auditor
Board of DirectorsBoard of Directors External AuditorExternal Auditor
4. The Key is to “In Control” not “Under Control” – who is
in control here and who is under control?
5. Just What is Control……….
• Control is the task of ensuring that activities are
providing the desired results.
• Controlling means setting a target, measuring
performance, and taking corrective action as
required.
• As control expert Kenneth Merchant notes: “The
goal [of the control system] is to have no unpleasant
surprises in the future.”
6. Just What is Control……….
• If managers could be sure that every
plan they made and every task they
assigned would be perfectly executed,
they really would not need to “control.”
• Most plans are executed by people,
however, and people vary widely in
abilities, motivation, and even honesty.
7. Just What is Control……….
• In today’s fast-paced environment,
who can be sure even the best
plans might not become outdated?
• So, the people who execute the
plans, the plans themselves, and
the results originally desired must
be monitored and controlled.
8. Just What is Control……….
• Control and accountability go
hand in hand
• Part of accountability is not just
to produce results, but to
exercise due diligence in terms
of process, respect for rules,
monitoring (not just what you
know, but how do you know)
9. Just What is Control……….
Management control systems consist of all
organization structures, processes and
subsystems designed to elicit behavior that
achieves the strategic objectives of an
organization at the highest level of
performance with the least amount of
unintended consequences and risk to the
organization.
10. Just What is Control……….
•All actions taken to make an organization run
effectively and accomplish its goals
•Include management’s attitude, operating style
and integrity and ethical values
•How managers communicate
•How managers check on staff
•Assigning responsibility for decision-making and
execution
•Establishing measurement tools
12. The Architecture of Control
• Control cannot occur unless the organization knows
what it has to do, have organized that work and can
link it to achieving its strategic objectives.
• Control extends beyond control over transactions
and financial reporting, without excluding them.
• The objectives must be achieved at a highest level of
performance possible, i.e. they must seek to be as
efficient as possible
13. The Architecture of Control
• Risk must be minimized to avoid any chance
of unintended consequences either in terms
of outcomes or deviations from the rules
governing the work.
• Structure refers to the formal task, authority
and responsibility assignments in an
organization.
14. The Architecture of Control
• Processes are the activities through which
control is accomplished.
• Subsystems support the structures and
processes by providing the right incentives to
guide behavior.
15. Management Control Systems
• Beware the danger of terminology:
different terms, same meanings
• MCS is defined a ‘set of policies and
procedures designed to keep
operations going according to plan”
• Useful and simple perspective
16. Management Control Systems
• MCS exists either formally but more often informally and empirically
• When you ask “What is our Management Control System” you may
get an information technology response. When you ask “What is our
control framework” you may often get a blank stare – they are the
same thing
• Usually the responsibility of the administrative or financial staff:
more focused in such areas
• Generally, the creation of an MCS takes some well known
steps……..
17. The TraditionalThe Traditional
ManagementManagement
Control ProcessControl Process
Identify Goals, RolesIdentify Goals, Roles
And ResponsibilitiesAnd Responsibilities
Measure PerformanceMeasure Performance
Compare to StandardsCompare to Standards
Take Corrective ActionTake Corrective Action
Establish StandardsEstablish Standards
18. Traditional Control Process
• The first step in the traditional control
process is to identify the areas the be
controlled, based on a clear
understanding of the tasks that are being
performed.
Here is where the notion of Responsibility Accounting
comes into play: “assignment of the responsibility for
keeping to the plan and carrying out the elements of the
management control system.” (Finkler)
19. Traditional Control Process
• The next step is to choose a yardstick and to
establish standards expressed in terms of
money, time, quality, or quantity.
20. Traditional Control Process
• The following steps are to measure actual
performance and compare to standards
• The simplest way to compare actual
performance standards is personal
observation
• This method is time consuming; so, formal,
impersonal reports are used also--budgets,
quality control reports, and inventory control
reports
21. Traditional Control Process
• If a discrepancy exists between standards and
actual performance, then the variance has to be
identified and verified
• It may be necessary to take corrective action
• A deviation from the standard merely flags the
problem; corrective action may or may not be
required.
23. Diagnostic ControlsDiagnostic Controls
Management Control SystemManagement Control System
Capital
Budget
Capital
Budget
Operating
Budget
Operating
Budget
Income
Statement
Income
Statement
Balance
Sheet
Balance
Sheet
Cash
Budget
Cash
Budget
27. Tools of Control: Managing and Reporting
Variance
• Management Control Systems -
maximize compliance with the
organization's plans.
• Internal Control Systems - protect and
use resources efficiently and effectively.
28. Tools of Control: Managing and Reporting Variance
Management Control Systems:
•Sets of policies and procedures designed to keep
operations going according to plan - detect variations
and allow for corrective action.
•Focus on responsibility accounting
•Combine monitoring, motivation, and incentives.
•Require that performance be measured.
•Need to focus on both viability (internal perspective)
and effectiveness (external and internal perspective).
29. Tools of Control: Managing and Reporting Variance
Internal Control Systems:
focus on efficient and effective use of resources and
on the protection of the organization's resources
contain before-the-fact Accounting Controls and
after-the-fact Administrative Controls,
the controls are coordinated to minimize avoidable
losses, and are designed in a cost effective way.
30. Tools of Control: Managing and Reporting
Variance
●Audit Trail: ability to trace each transaction
back to its source – protects against misuse
of funds, also ensures accountability for how
funds spent
●Reliable Personnel: hiring the right people,
professional qualifications, training and
supervision
31. Tools of Control: Managing and Reporting
Variance
● Separation of Functions: person who authorizes
the expenditure should not be the person to
process payment – notion of counter signatures –
ensures checks and balances in the system –
notion that a person should not be left to control
themselves – introduces elements of a challenge
function as well
32. Tools of Control: Managing and Reporting Variance
Proper Authorization
levels of authority and matrices of delegation
distribute authority for spending and decision
making in the organization
if these are unknown or operate in parallel
with informal systems, audit is impossible, so
to is control of expenditures
33. Tools of Control: Managing and Reporting Variance
Adequate Documentation
both in terms of legal requirements
(legislative compliance and potential for
fraud) and
reporting needs (accurate data)
documentation is becoming more
challenging because of computerization but,
both theoretically and practically, easier
34. Tools of Control: Managing and Reporting Variance
Regular Reporting
• frequency and distribution of financial reports should
be part of the control framework of the organization
• danger in too much information and reporting, equal
problem with too little
• Monthly versus quarterly financial reports: driven by
risk, intensity of management process, e.g. watching
costs during downsizing, high risk times of peak
expenditures may call for more reporting
35. Tools of Control: Managing and Reporting Variance
Regular Managerial Review
• Different from reporting – calls for an
active review and decision
• Regular review during
management/executive committee
meetings
• Need to demonstrate stewardship by
non-financial managers
36. Tools of Control: Managing and Reporting Variance
Proper Procedures
• “By the book” procedures create compliance
requirements
• Make sure you know that
1) there is actually a book and not just
someone making rules up and
2) consequence of non-compliance and
3) wiggle room when you need it
37. Tools of Control: Managing and Reporting Variance
– Adequate Determination of Risk and Risk Management
Strategies
– Physical Safeguards: should be part of the control
framework
– Bonding and Rotation of Duties: all of these procedures
are designed to ensure against theft and having only one
person with their hand on key financial processes
– Independent Check: role and use of internal or external
auditors
38. Example of a Performance ReportExample of a Performance Report
for Machinery Departmentfor Machinery Department
Direct labour
Supplies
Repairs
Overhead
Total
Budget
$2,107
$3,826
$ 402
$ 500
$6,835
Actual
$2,480
$4,200
$ 150
$ 500
$7,330
Variance
$373 over
$374 over
$252 under
$ 0
$495 over
Explanation
Overtime work
Wasted material
39. Risk Management and Control
• All organizations face and manage risks
• Various types of risk
– Performance failures: not meeting goals
– Financial risks: funding, fraud, loss potential
– Unforeseen risks
• In order to establish adequate control, you have to
establish risk tolerances
• Highly contentious in the public sector – why?
40. Risk and Risk ManagementRisk and Risk Management
• Risks are perceived as any thing or event that could
stand in the way of the organization achieving its
objectives.
• Risk management is not about being ‘risk averse’.
Risk management is not aimed at avoiding risks. Its
focus is on identifying, evaluating, controlling and
“mastering” risks.
• Risk management also means taking advantage of
opportunities and taking risks based on an informed
decision and analysis of the outcomes.
41. Assessing Risk
IMPACT POTENTIAL RISK MANAGEMENT ACTIONS
Significant
Considerable
management
required
Must manage and
monitor risks
Extensive
management
essential
Moderate
Risks may be worth
accepting with
monitoring
Management effort
worthwhile
Management effort
required
Minor Accept risks Accept, but monitor
risks
Manage and
monitor risks
LOW MEDIUM HIGH
LIKELIHOOD
42. Risk Response MatrixRisk Response Matrix
Legend
C Critical risk: CAO involvement essential, inform committee of Council
H High risk: Senior management involvement essential, inform CAO
M Moderate risk: Management mitigation & monitoring required, inform senior manageme
L Low risk: Manage by routine procedures
Impact
Likelihood Insignificant
1
Minor
2
Moderate
3
Major
4
Extreme
5
Almost certain
5
M M H C C
Likely
4
M M H C C
Possible
3
L M M H H
Unlikely
2
L L M H H
Rare
1
L L M M M
44. Risk Analysis and Management Toolkit
Risk Tolerances
5
Worst
Case
4
Severe
3
Major
2
Moderate
1
Minor
Risk Tolerances
• Setting tolerances involves a mix of
qualitative and quantitative measures
•Not always straightforward
•It takes experimentation and time
•Issue of how public they are is important
•Equally important is how politically sensitive
they are: is there a tolerable murder rate?
Wrong tolerance!
TYPCIAL RISK
TOLERANCE
GRID
45. Risk Analysis and Management Toolkit
Risk Tolerances
Processing
Compliance
– welfare
applications
Rate of
inaccuracy
exceeds 2% in
two quarters
Rate of
inaccuracy
exceeds 2%,
found in post-
audit in one
quarter only
Rate of
inaccuracy
less than 2% -
only found in
post-audits
Rate of
inaccuracy
less than 2%
of total
transactions
– 75% found
in pre-
audits.
Inaccuracy
less than 2%
based on pre
and post
audit
SEVERITY RISES
WHEN DO YOU ACT
AND HOW?
46. What to Avoid when Using Risk Management Tools toWhat to Avoid when Using Risk Management Tools to
ManageManage
• The Chick Little Syndrome – “The sky is falling!
The sky is falling” – a major problem in many
organizations
• Excessive formality – much of risk
management is intuitive and cultural
• Giving the media headlines – chronic
misunderstanding of risk in the media – too
much paper
• Assuming that this kind of work can be kept
“secret” – be prepared to explain and
communicate
47. Focus on risk identification with ad hoc
risk management activities based on
individuals, not the organization
Risk management processes are
established for certain key areas;
processes are reliable for risk management
activities to be repeated over time
Risk management policies, processes
and standards are defined and
formalized across the organization
Risks are measured and managed
proactively; risks are aggregated
on an organization -wide basis
The organization is focused
on the continuous improvement
of risk management
Stage
Description
Initial Repeatable Defined Managed Optimizing
Organizational culture to systematically build and improve riskmanagement capabilities
Risk Management Integrated Risk Management
Risk Management Maturity Continuum
Risk
Management =
survival !
IRM = an
intelligence led
business process
(Deloitte’s Risk Management Maturity Continuum.)
48. What to Avoid when Using Risk Management Tools to
Manage
DenialDenial
“…in all my experience, I have never been in an accident of any
sort worth speaking about. I have seen but one vessel in
distress in all my years at sea. I never saw a wreck and have
never been wrecked, nor was I ever in any predicament that
threatened to end in disaster of any sort.”
Captain Edward Smith, New York times, 1907 some years
before he perished as master of the Titanic
49. What and Who to Control
Individual OROR Organizatio
n
After Action
Ex Post
ORORBefore
Action
Ex Ante
50. Facilitative Controls
• Assigning responsibility for various
information gathering tasks to various parts of
the organizations, such as the financial officer,
the financial analysis group or a performance
monitoring group.
• Defining the reports that the organization
wishes to receive and analyze on a regular
basis.
51. Facilitative Controls
• Creating reports to be understood by senior
managers or Board members and management.
Overly complex or simplistic reports will result in
poor communication of financial data.
52. Facilitative Controls
• Designing systems to ensure that data such as
supplier invoices and accounts receivable are
recorded accurately and on a timely basis.
• Communicating financial performance information,
along with and clearly connected to operational
information and comparisons to plans and budgets
so that it can be used for making decisions.
53. Protective Controls
Proper authorization of transactions (prior
authorization of major expenditures)
Adequate segregation of duties
Establishment of a finance oversight committee
54. Protective Controls
Proper controls over petty cash, vouchers,
discretionary funds or highly liquid assets
Designing of appropriate forms
controls to safeguard assets
Controls to verify financial records (monthly
reviews and annual audits).
Controls to verify financial records (monthly
reviews and annual audits)
56. Variance Analysis
• Variance analysis investigates differences (variances)
between planned and actual results to help managers:
– - prepare budgets for the coming year,
– - control results in the current year, and
– - evaluate the performance of operating units.
• Variance analysis focuses on material differences to help
managers correct problems and capitalize on opportunities
57. Variance AnalysisVariance Analysis
The budgeted and actual costs and the resulting month and
Y-T-D variances for the Hospital for Ordinary Surgery illustrate
an unfavorable cost variance.
This Month
Actual Budget Variance
$9,200,000 $8,800,000 $400,000 U
This Year
Actual Budget Variance
$25,476,000 $25,150,000 $326,000 U
58. Department and Line Item VariancesDepartment and Line Item Variances
Variances at most levels of an organization represent aggregations
of variances from other levels. For example: total organizational
expense variances represent the sum of departmental variances,
while departmental variances are made up of line item variances.
Suppose the supply variance was $50,000 F and the salary
variance was $50,000 U. What would the total variance be?
Should it be investigated?
Radiology
Department Actual Budget Variance
Salary $400,000 $395,000 $ 5,000 U
Supplies 400,000 205,000 195,000 U
Total $800,000 $600,000 $200,000 U
59. Flexible Budget Variance AnalysisFlexible Budget Variance Analysis
Flexible Variance Analysis allows managers to identify what portion
of a total variance is due to:
- differences between the budgeted and actual volume of
some output (Volume Variance),
- differences between the budgeted and actual price (or rate)
of each unit of input or output (Price or Rate Variance), and
- differences between the budgeted and actual quantities of the
resources used per unit of output (Quantity or Use
Variance).
60. Volume, Price, and Quantity ExamplesVolume, Price, and Quantity Examples
School Cost Example
Total Cost of
Textbooks
Hospital Revenue Example
Total Oncology Patient
Revenue
Volume Number of third grade
students
Number of oncology
patients
Quantity Number of textbooks
per third grade
student
Days of stay per
oncology
patient
Price Cost per textbook per
third grade student
Price per day of stay per
oncology patient
61. Variance Analysis CautionsVariance Analysis Cautions
Aggregation can hide meaningful variances and lead
managers to misinterpret the condition of the
organization.
Exception Reports should be prepared for all material
variances that warrant management's attention.
Fixed costs should not result in volume variances, since
they are not expected to change with volume.
62. Variance Analysis Cautions
Expense and Revenue variances often have to be
analyzed together.
For example, an unfavorable expense-volume
variance may be good for the organization if it is
accompanied by an even larger favorable revenue
volume variance.
64. The Costs of Control
• Controls not costless
• Control costs can also be transferred
• Limits to managerial responsiveness
65. The Costs of Control
• Amount of preoccupation with process over
service or results
• Excessive paper burden
• Poor assessment of risk and excessive caution
66. New Challenges in Control
• Extended governance
• Third party delivery
67. New Challenges in Control
• Cross control systems within government and
across governments
• Lack of agreement on adequate controls
• Poor understanding of risk and risk
management