To become trusted advisors to management it would help if we spoke the same language they do. While auditors and compliance professionals often talk in terms of controls, and increasingly in terms of risk, managers and business leaders often talk in terms of costs, benefits, revenue, reputation, and market share. We narrow the language gap when we refer to controls as essential activities to increase the likelihood of achieving organizational objectives. Another important step is to examine the cost/benefit of the controls applied to the organization’s programs and processes so we recommend what is most appropriate, useful and valuable to our clients.
The cost of a control should not exceed the benefits gained from it. But how can we calculate, or at least estimate, the economic costs involved in the design and operation of controls? Then, after the controls are in operation, how can we calculate the impact these controls are having on the organization? We should ask ourselves these questions because management is already wondering whether the controls are going to help matters by lowering the likelihood and impact of risks, or whether they are just going to require additional paperwork and slow things down to the point where the costs exceed the benefits.
The following are key considerations when you want to calculate the cost of internal controls to make sure that there is a balance between the costs and the expected benefits.
Cost of Design
Everything has a cost. Someone must spend time thinking, drafting, brainstorming, consulting with others, and in general, designing a mechanism to address a risk and to meet the requirements of the organization’s stakeholders who want to protect and enhance organizational value (such as investors, lenders and management), and ensure consistency in practice (such as regulators and management).
The purpose of controls is to help the program or process achieve operational effectiveness and efficiency, produce accurate and timely financial and operational reports, comply with laws, regulations, and policies, and protect assets from loss or damage.
So, the cost to design a control depends on the:
- Nature, variability and complexity of the process: The higher the variability and complexity of a process, the more sophisticated the control must be to address the nuances involved.
- Existence of regulatory and other compliance requirements: A higher number of regulations often results in a higher number of controls to ensure adherence with those requirements, but that should not be the typical conclusion made by auditors. Some controls are better than others and some controls can mitigate multiple risks.
- Volume expected to be transacted: As the volume of transactions flowing through a process increases, the related controls, and the potential fallout if they fail, must be thought through in more detail because a breakdown can become very costly, very quickly.
- Liquidity of the assets at risk: The reliability of internal controls must increase commensurate with the liquidity of the underlying, exposed assets, because these can be stolen, diverted and converted to cash more readily.
- Extent of management competence: As management know-how decreases, more thought must go into the design of the controls because management is unable to fully meet the expectation of oversight that is inherent to their role.
Cost of Operation
The cost to operate an internal control depends on how it was designed and where it is intended to work. With that in mind, the cost of operation depends on the:
- Type of control: Manual controls cost more to operate than automated controls. Also, detective controls are costlier to the program or process than preventive controls because they trigger the need for rework.
- Competence of operators: Lack of knowledge results in inconsistent practices and errors, even those related to the performance of controls.
- Motivation of operators: Operators who don’t care are unlikely to research discrepancies, search for the reason variances exist, enquire of others what they don’t know, or notify their managers when problems surface, which are all typical and expected actions when internal controls flag issues.
- Frequency of the performance of the control: The more frequently controls are performed, especially if they are manual controls, the higher their cost.
- Standardization of the control activity: The more standardized the control is, the lower the per-transaction cost, especially if it is an automated control. For example, if reconciliation is produced from the relatively simple comparison of system-generated reports that are reliable and delivered based on a schedule when needed, then this control would be standardized and relatively inexpensive. On the other hand, if the operator must remember to request reports from others (e.g. IT), verify the accuracy of the information received, then make various adjustments and comparisons until satisfied about the report’s reliability before performing the actual reconciliation, this becomes a very burdensome and costly control to perform.
The Benefits of Controls
In terms of the impact or benefit, if the control prevents value erosion, we should consider the types of events that cause this erosion and assign a value as best we can.
So, the impact, benefit or value of controls can be calculated based on:
- The cost of each incident. If the control is designed to prevent theft, errors or accidents, what is the typical cost of each one of these events? Are there historical precedents, industry standards or insurance loss figures that we can use?
- The exposure factor. This is an often subjective estimate of the percentage of a specific asset’s value that would be lost if the risk were to occur. Risk assessors typically assign this value. For example, if an asset’s value is reduced by half due to fire (not totally, because a sprinkler and alarm system are in place), then the exposure factor is 0.50. If the asset is completely lost, as in the case where someone steals the maximum US $2,500 single-signer authorization on checks every business day for a month before being detected by the monthly reconciliation, then the factor would be 1.0. However, carefully consider the likelihood of this multi-transaction scenario, as many auditors get this wrong and overstate exposures.
- The rate of occurrence. This is the probability that a risk will occur. The likelihood of a fire is often measured in years or even decades, but the rate of theft in a store or warehouse could be based on the number of work days before a reconciliation or inventory count identifies the abuse.
- The number of potential incidents averted. This requires an understanding of the volume of transactions or assets exposed to potential loss. Also consider industry precedent or insurance loss figures, which can also help estimate this figure.
- If possible, express losses in terms of the periods before and after the control was implemented. Compare the before and after figures to show how an implemented control has reduced or eliminated a loss. If possible, also project into the future by looking at the losses that are now no longer going to occur. What happened and what won’t happen because the control stopped it?
- Customer retention, goodwill, and reputation value. Sometimes accidents, theft, poor quality and other types of errors result in customer abandonment. What is the average value of a customer to your organization? Excessive customer turnover or lower desire to purchase means lower revenues.
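The factors above can be combined into a side-by-side comparison of control options. The following is an added example, not part of the original article: it applies the conventional expected-loss calculation (loss per incident × exposure factor × rate of occurrence, a formula the article does not itself state) to the check scenario, and compares how often the reconciliation runs against what it costs to operate. Only the US $2,500 limit and the exposure factor of 1.0 come from the article; the 21 business days per month, the incident rate and all cost figures are constructed assumptions.

```python
from dataclasses import dataclass

DAILY_LIMIT = 2_500.0      # single-signer check limit, from the article
EXPOSURE_FACTOR = 1.0      # stolen funds are fully lost, from the article
INCIDENTS_PER_YEAR = 0.2   # constructed: one such theft scheme every five years


@dataclass(frozen=True)
class Reconciliation:
    name: str
    days_to_detect: int    # business days a theft runs before the control flags it
    runs_per_year: int
    cost_per_run: float    # operator time or system cost per run (constructed)
    design_cost: float     # one-off cost of design (constructed)

    def annual_cost(self, amortize_years: int = 3) -> float:
        # Spread the design cost over a few years, then add the operating cost.
        return self.design_cost / amortize_years + self.runs_per_year * self.cost_per_run

    def expected_annual_loss(self) -> float:
        # Cost of each incident x exposure factor x rate of occurrence.
        loss_per_incident = DAILY_LIMIT * self.days_to_detect * EXPOSURE_FACTOR
        return loss_per_incident * INCIDENTS_PER_YEAR


def compare(baseline, candidates):
    """Rank candidates by net annual benefit relative to the baseline control."""
    rows = []
    for c in candidates:
        averted = baseline.expected_annual_loss() - c.expected_annual_loss()
        extra_cost = c.annual_cost() - baseline.annual_cost()
        rows.append((c.name, averted, extra_cost, averted - extra_cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed options: the article's monthly reconciliation versus two alternatives.
MONTHLY = Reconciliation("monthly manual", 21, 12, 400.0, 0.0)
CANDIDATES = [
    Reconciliation("weekly manual", 5, 52, 400.0, 0.0),
    Reconciliation("daily automated", 1, 250, 2.0, 9_000.0),
]

if __name__ == "__main__":
    for name, averted, extra, net in compare(MONTHLY, CANDIDATES):
        print(f"{name:16} loss averted {averted:>8,.0f}  "
              f"extra cost {extra:>8,.0f}  net {net:>8,.0f}")
```

With these constructed figures the weekly manual reconciliation costs more to operate than the loss it averts, while the daily automated one averts more loss at a lower annual cost than the monthly baseline.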
Having more controls does not necessarily translate into better risk management. Controls are not free; in fact, they can be costly. But they provide substantial benefits if we take the time to calculate, and show management, how much benefit they provide in return. By speaking the language of management, and linking controls to their costs and benefits, we get closer to becoming their trusted advisors and making our presentations and recommendations more impactful.