control, and governance
Assessing the Control Environment
To determine whether management has created a culture in which ethical behavior is encouraged, internal auditors must survey the people who work in it.
Susan S. Lightle, PHD, CIA, CPA
Professor of Accountancy, Wright State University
Joseph F. Castellano, PHD
Professor of Accounting, University of Dayton
Benjamin T. Cutting, CIA, CPA
Director, Internal Audit Workflow Management Inc.
The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework provides a definition of internal control that includes five elements: control environment, risk assessment, control activities, information and communication, and monitoring. Of the five, the control environment may be the most critical, as well as the most difficult to manage and evaluate effectively.
The COSO framework describes the control environment as setting the tone of an organization and influencing the control consciousness of its people. An effective control environment supports and strengthens the other control elements, whereas a weak control environment undermines the other elements, rendering them useless. In an effective control environment, employees know that doing the right thing is expected and will be supported by upper-level management, even if it hurts the bottom line. In a weak environment, control procedures are frequently overridden or ignored, providing an opportunity for fraud.
To evaluate management integrity and ethical values, COSO suggests that the auditor consider several factors (see COSO Factors in "Business Ethics Survey Development"). COSO recommends that the auditor address each point and describe how it is handled within the organization. Traditionally, auditors' assessments of the control environment have included issuing a questionnaire to senior management to determine whether management policies and procedures, such as a code of ethics, have been implemented. The problem with this approach is that it measures management's efforts to create a sound environment, not its effectiveness in doing so. A more direct method of evaluating whether management has created an environment in which ethical behavior is encouraged is for internal auditors to survey the people who work in that environment. The focus of the assessment should not be on the message management thinks it is sending, but on the message employees are actually receiving.
A CONTROL ENVIRONMENT CASE STUDY
ABC Co. (not the organization's actual name), a large, privately held North American manufacturing and distribution company, recently conducted a control environment survey as part of an aggressive campaign to strengthen corporate governance. The initiative began with the chief executive officer (CEO) and board of directors setting core values and key corporate behaviors for the company, which has more than 45 warehouses and manufacturing facilities, 3,000 employees, and revenues approaching US $750 million.
Among the set core values were ethics and integrity at the highest level and financial transparency. The board established an audit committee, which charged the internal audit director with developing tactical strategies for achieving these values. The audit director spearheaded the effort with the involvement of the Legal and Human Resources departments as well as the executive management team. The strategies implemented included:
ABC has a closed-loop management philosophy that stresses the importance of monitoring the results of action items to measure their effectiveness and determine areas for future improvement. The internal audit director determined that an employee survey would be the most effective way to measure the impact of the strategies implemented.
Creating and Distributing a Survey
The audit director was frustrated in his efforts to obtain a suitable survey, however, as most surveys were either too long or focused on top management's perspective. He wanted a survey that would focus on employee perceptions rather than management intentions. Thus, he worked with local accounting professors to develop an employee survey that would assess the employee's view of the tone at the top. (See "Business Ethics Survey Development.") For each of the COSO factors for assessing management integrity and ethical values, the authors formulated two or three statements, in nontechnical language, to which participants were asked to express agreement or disagreement on a five-point scale. In addition, participants were asked if they had observed or participated in unethical behavior. The survey was distributed to all members of the Finance Division — 180 people located at ABC's U.S. headquarters — with a cover letter signed by the CFO that emphasized the anonymity and confidentiality of the responses. Return envelopes addressed to an independent party — one of the co-authors of the survey — were provided.
Ninety-three people (approximately 52 percent) responded to the survey. "Business Ethics Survey Results" provides the percentage of respondents who strongly agree, agree, disagree, strongly disagree, or don't know whether they agree with each of 15 statements about the organization's ethical climate.
Key Findings
Survey results indicated that employees believe that management places emphasis on doing the right thing and behaving ethically. Almost 96 percent of the participants said they have adequate guidance to determine appropriate behavior in their job performance. All respondents are aware of the company's code of ethics, and 92 percent said it provides meaningful guidance.
While 97 percent of the participants agreed that they are expected to strictly adhere to company policies and procedures, 15 percent disagreed with the statement, "Exceptions to financial policies and procedures are rarely made." Almost 8 percent disagreed with the statement, "I have never been asked by company personnel to make an exception to financial policies or procedures to meet earnings targets." Approximately 97 percent claimed that they had never participated in unethical behavior in the company, but 25 percent said they have observed unethical behavior within the organization, 11 percent had felt pressure to participate in unethical behavior, and 13 percent said they did not feel that they could report unethical behavior without fear of reprisal. Only about 66 percent of those responding to the survey said they believe that unethical behavior in the company would be detected and punished.
Interpreting Results
The audit director reviewed the survey results in detail with the CEO and CFO and provided an executive summary to the audit committee, which was pleased with the quantification of the efforts to increase awareness of integrity and ethics. The survey confirmed that most employees are aware of the Code of Conduct and Ethics and believe that they have adequate guidance to determine appropriate behavior. Employees also expressed a high degree of confidence in management's ethics.
Specific opportunities for improvement were also identified as a result of the survey. For example, controls over sales transactions were strengthened by clarifying specific policies and procedures related to sales and posting them to a special intranet for the sales organization on a tab called "How We Do Business." The company believes that clearly defined policies and procedures and the underlying processes they support reduce the perceived opportunity for (and hence the likelihood of) fraud in addition to increasing transaction processing efficiency. Another improvement made as a result of the survey data was the strengthening of controls over sales commission calculations (e.g., charging sales representatives for noncollection of receivables).
Senior management in finance and accounting now conduct regular meetings with all employees to ensure open lines of communication. Management uses this forum to discuss, in broad terms, survey results and to provide an update on specific steps underway to address issues raised in the survey. It is important that employees see that management actively evaluates the results of the survey and incorporates findings into action items.
There have been some challenges in interpreting survey results. How employees define unethical behavior — a long lunch break versus theft — likely played a significant role in their responses to the questions. In addition, general economic conditions and recent company actions can influence the results. Employees might believe it is unethical for ABC to close facilities, conduct layoffs, or make other difficult decisions that are a reality of managing a business. Another factor that may influence responses is employees' prevailing skepticism of management at all levels, fueled by media coverage of the misdeeds and subsequent trials of certain high-profile CEOs. This can be particularly prevalent among employees who have never met or interacted with executive-level management.
It is difficult to draw sweeping conclusions, because this was the first time ABC conducted a survey of this type, and there is no baseline for comparison. The company plans to repeat the survey in the future and to develop trend lines to measure the impact of ongoing efforts.
LIMITATIONS OF SURVEY TOOLS
Surveys can be a useful tool in management's efforts to assess the internal control environment. However, caution must be exercised in evaluating responses. Focusing strictly on numerical responses may be misleading. Some participants may use the survey to air complaints or attack co-workers for reasons unrelated to determining the ethical climate of the organization. Including room for comments can provide some clarification.
It is important that survey participants are assured of confidentiality and anonymity to elicit truthful and complete responses. A survey cover letter assuring that no attempt will be made to identify respondents as well as having the surveys returned to an independent party helps provide such assurance. The trade-off for providing anonymity is that it is impossible to follow up on concerns that need clarification and remediation. This problem can be addressed to some extent by indicating in the cover letter that specific instances of unethical behavior should be reported through the organization's whistleblowing mechanism, assuming one has been established and that employees are confident that they are protected in that process.
Finally, a concern with using a survey, or any methodology that provides a true measure of the control environment, is what to do if problems are noted. For publicly traded companies, the identification of problems in the control environment may require disclosure of material weaknesses in the internal control report.
Assuring shareholders and other interested parties that such weaknesses have been addressed can be difficult. Unlike a weakness in a control activity, which can be addressed fairly quickly with the implementation of a change in the design of the control, changing the control environment may require fundamental changes in the culture of the organization.
MONITORING ORGANIZATIONAL CULTURE
Despite the limitations noted, an employee survey can be a useful part of the monitoring process for entity-level controls, including the organizational culture. This methodology can assist management in measuring the effectiveness of its efforts to improve the control environment and identifying where additional resources should be deployed. These types of surveys can also help management identify those policies and procedures that, while appearing benign on the surface, create an atmosphere of fear and internal competition that undermines internal control effectiveness.
Unlike traditional methods of monitoring the control environment, employee surveys measure the achieved effectiveness of management efforts to set the appropriate tone at the top. As such, these surveys are an important part of the internal auditor's toolbox.
To comment on this article, e-mail the authors at susan.lightle@theiia.org.