Professional Documents
Culture Documents
SUPPLEMENT FIVE
MANAGEMENT CONTROLS
1 Managerial Control Mechanisms
The concept of managerial controls
Auditing is based on comparing the “what should be” to the “what is in practice”. Suitable control
models must be devised as a basis for this comparison and herein lies the need to have an army of
suggested controls that may be used to this end. On one level control can mean many things relating
to the act of being in charge. These have synonyms including “command, conduct, direct, dominate,
govern, have charge of, lead, manage, manipulate, oversee, pilot, reign over, rule, steer, superintend,
and supervise.” On the other hand it can denote a process of holding back with synonyms such as
“bridle, check, constrain, contain, curb, hold back, limit, master, rein in, repress, restrain and
subdue.” This brings out the dual nature of the forces of control in that it involves both doing the right
things as well as stopping the wrong things from occurring, so as to seek an acceptable equilibrium.
Faced with this dilemma the starting place is to restate the official definition of a control which is the
means by which management ensures that its objectives will be achieved. The first point that may be
gleaned from this definition is that this means all the arrangements that management relies on, are
potential controls, making this an extremely wide concept. If this line is pursued then we may have to
suggest that all activities are controls and we need therefore to cover all possible management action.
This is obviously an unacceptable stance to defend as well as being impossible to carry out in practice.
Accordingly we will break down our references to systems of control in a number of ways that will
then be used to structure this part of the material on control in the handbook. One argument is to
suggest that controls can be addressed and documented on a number of levels:
1 The managerial system control attributes. Auditing that is performed at a corporate or managerial
level will look for controls over the management process. The systems school of management may be
used as a basis for defining the fundamental management processes that must be present. Each
management process should exhibit certain features and we refer to these as “control attributes” that
can be applied to the audit of any business unit.
1 Information systems controls. The growing importance of management information systems (MIS)
makes this a topic in its own right. While MIS is one of the fundamental managerial control processes
it may also be viewed as a whole system in its own right. It is poor practice to audit an MIS without
reference to operational aspects related to business objectives. Nevertheless, having a whole range of
computer controls will assist the evaluation stage of an audit. Which is why we would expect
comprehensive notes on computer audit and related controls to be held in the audit library.
1 Subject-related trigger points. Controls are in part viewed as fundamental concepts that may be
applied in any situation. At the same time each operational area has its own special features, and these
affect the way that underlying control systems are applied. Available control mechanisms have been
described in many textbooks and papers relating to internal audit and external audit, and these are
therefore not reproduced here. However the various relevant textbooks and ICQs should also be held
in the audit library.
The above comprises a whole package of control attributes/mechanisms that should be used by the
auditor in performing the control evaluation stage of a systems audit. Most operational areas may in
this way, be reviewed by the auditor.
Sufficient control mechanisms should be designed, installed and reviewed to ensure that these control
objectives are achieved. These controls form a system to cover control at a corporate, managerial and
operational level.
2. MAIN RISKS
The main risk that attaches to inadequate objectives is that substandard performance may easily be
masked even though the operation itself may be well controlled with staff working efficiently. The
problems arise when, because of poor role definition, the impact of the resulting services is not able to
fully contribute to the overall welfare of the organisation. It could be a case of vague role definition or
that the manager is not working to the terms of reference originally agreed when the activity was first
resourced. Control mechanisms promote the achievement of the control objectives that must be in
2
SUPPLEMENT FIVE MANAGEMENT CONTROLS
place for systems’ objectives to be achieved. If business objectives are unclear, then it follows that
systems objectives will likewise suffer with the resulting adverse consequences. This flow of objectives
forms the basis on which the available resources are applied, and in this respect is totally dependent
on the formal terms of reference for the particular operation. A top-down approach to auditing is
much more efficient than starting with fine detail, which is why a review of objectives is the first
fundamental component of the managerial control system.
3. PRINCIPAL CONTROLS
OBJECTIVES - CONTROL ATTRIBUTES
• Formal document setting out terms of reference.
• Charter: documented, agreed by the organisation (signed), kept up-to-date, short, precise, reflects
current position, components and sub-components, authority and responsibilities shown.
• Objectives publicised.
• Set out in job descriptions.
• Set out in strategic documents.
• Understood by all operational staff.
• Communicated throughout the organisation.
• Performance targets based on achieving objectives.
• Objectives contribute to the overall welfare of the organisation.
• MBO techniques where objectives are broken down into tasks and goals.
• Objectives regularly reviewed and re-assessed.
• All activities linked in some way into these objectives.
• Objectives based on overall organisational objectives.
• Training and developmental programmes linked into objectives.
• Approved budgets linked into objectives.
2. MAIN RISKS
The failure to define a formal strategy leaves a gap between the objectives and the way these objectives
will be met. This gap may be seen as the process of directing the available resources in such a way as
to maximise their impact so as to achieve value for money from these resources. A lack of strategic
analysis means a lack of direction and no clear method through which to seek continual improvements
in the way services are provided. In this situation there will be no formal process for ensuring that the
operation is successful in terms of service delivery, and operational weaknesses may not be addressed
by management. A constant state of crisis management is usually symptomatic of a lack of strategy.
3. PRINCIPAL CONTROLS
STRATEGIC ANALYSIS - CONTROL ATTRIBUTES
1. Goal formation:
• Based on objectives.
• In line with organisational values and policies.
• Consistent with social responsibilities.
5. Evaluate alternatives:
• Process for stimulating the production of alternatives and weighing each one up based on a formal
MIS.
6. Select strategy:
• Process for discussing and authorising the best strategy based on a formal MIS.
7. Implement strategy:
• Comprehensive and formally documented strategy circulated to all staff and agreed by senior
management.
• Meetings with staff to discuss the strategy and any training implications.
• Clear change management procedures aimed at systems, structures, culture and the staff.
• Milestones and tasks assigned to staff with deadlines and budgets that are built into the
performance appraisal process.
2. MAIN RISKS
Examples of some of the control risks from a poorly planned organisation structure may be listed:
• Poor role definition leading to duplication of effort and overall confusion.
• Inappropriate spans of control leading to over/under employed managers.
• Vague reporting lines making it difficult to establish accountability.
• Activities that have no defined officer who is formally responsible for their success or otherwise.
4
SUPPLEMENT FIVE MANAGEMENT CONTROLS
In the main, the risks will relate to inefficiencies in the way staff are employed. It will also be very
difficult to implement strategy if the underlying structure has not been adjusted to reflect the new
strategy. The main problems result from structures that have not been regularly updated.
3. PRINCIPAL CONTROLS
STRUCTURING - CONTROL ATTRIBUTES
• Defined structure flowing from the strategic analysis process.
• Ongoing restructuring to reflect changes in strategy.
• Ongoing analysis of jobs to ensure that they reflect the requirements of the defined structure.
• Constant review and updating of the job descriptions.
• Person specifications that reflect the requirements of the job with minimum qualification and
experience levels.
• Periodic job evaluations to ensure the grade equates to the work being performed.
• Staff working to the requirements of their JDs.
• Clear reporting lines that are used in practice.
• Officer accountability established.
• Use of delegation wherever possible with built-in reviewing arrangements.
• Appropriate spans of control that ensure that the managers’ skills are fully utilised.
• Correct mix of technical staff and no obvious skills gaps.
• Use of project teaming where appropriate along with adequate associated controls.
• The relationship between staff from these and other link operations clearly defined.
manpower planning
job analysis
personal specification
recruitment/selection
induction
appraisal training
development
separation promotion
review
The important point to note is that each of the above matters have to be carefully planned and
implemented by management who should not leave it up to chance.
2. MAIN RISKS
There are many risks where the HRM process has not been adequately planned, and some of them
may be listed:
• The wrong type of staff employed.
• De-motivated workforce.
• Poor performance.
• High levels of disciplinary activity.
• An inappropriate culture.
• Managerial frustration.
• Staff incompetence.
• Constant breaches of procedure.
• High levels of errors and corrections.
It does not matter how much audit work is carried out, or the level of ensuing recommendations that
the auditor makes, where the HRM system has not been properly implemented, control cannot be
achieved. This issue must be fully recognised by the auditor during the course of audit work.
3. PRINCIPAL CONTROLS
HUMAN RESOURCE MANAGEMENT - CONTROL ATTRIBUTES
1. Organisation objectives: HRM policies set within the framework of organisational objectives.
• Specific HRM policies set within the framework of overall organisational HRM policies.
• HRM policies fully documented.
This plan should be published and properly implemented. It should result in the supply of the right
staff and may cover: recruitment, training, re-deployment, development, automation and improving
staff performance. The plan should be kept under constant review.
6
SUPPLEMENT FIVE MANAGEMENT CONTROLS
3. Job analysis: Management should establish a process for providing a continuous assessment of the
working arrangements to ensure that each post properly reflects the requirements of the operational
strategy. The types and levels of skills and experiences must be re-assessed wherever strategy changes
or problems are evident. JDs may have to be amended in line with these changes.
4. Personal specification: The type of person required to discharge the duties of the various posts
(which may have been re-defined) should be codified within a person specification. This should be
linked to recruitment/selection and staff development to ensure that current and/or proposed
postholders meet this specification.
5. Recruitment: Clear recruitment procedures should be identified in line with organisational policies.
This may involve recruiting by:
• Internal staff.
• General advertisements.
• Professional journals.
• Recruitment agencies.
• Links with educational establishments.
• Job fairs.
• Formal shortlisting arrangements should include the manager who will be responsible for the new
recruit.
7. Induction: Arrangements for carrying out suitable induction training should be in place.
• This should be geared to acclimatising the newcomer as quickly as possible.
• A probationary period should be required so that either side may terminate the contract at short
notice. This should include regular performance reports and action taken where necessary.
9. Training: A suitable staff training programme should be in place based on the following:
• Performance appraisals wherein performance gaps are isolated.
• Training programmes directed at closing these gaps.
• Review of the results of training.
• General professional training for the services that are being provided.
• An approved training budget in line with overall training needs.
• Regular in-house skills based training carried out by senior staff.
• A link between training and the person specification.
• Additional training where a new procedure is being implemented.
• Comprehensive record of courses that staff have followed and results where appropriate.
• Appropriate management action where staff have dropped out of training courses or have failed
any qualifying examinations.
9. Development: In conjunction with staff training, each member of staff should be on a clear
developmental programme. This may include:
9. Separation: It is necessary to establish firm procedures for picking up on poor performance and
these may take the following pattern of events:
• Targets set on quality and quantity of work.
• Review of the achievement (or not) of these targets.
• Training directed at performance problems.
• Counselling where performance cannot be corrected.
• Disciplinary action where the failings continue for unreasonable periods.
• Generally, managers should have the ability to deal with staff who are not able to perform to the
required standards.
12. Promotion: In contrast to poor performance, managers should be able to reward good performance
as follows:
• Files that record specific achievements.
• A system for recognising outstanding performance.
• A method of linking promotions to good performance.
• A method of providing good performers with exposure to more interesting and demanding work.
• A clear link between rewards and any performance appraisal scheme.
12. Review: Management should establish clear mechanisms for reviewing the way HRM policies
impact on the efficiency and effectiveness of the operation. Organisational policies should not
provide a barrier to performance, and where this occurs then action must be taken to remedy the
situation.
2. MAIN RISKS
Some of the risks associated with a lack of good quality standards are as follows :
• Poor work performance.
• Excessive supervisory review and correction.
• Inconsistencies in the application of operational procedures.
• Conflicts between quantity and quality.
• Poor performance appraisal standards and an inability to set performance targets.
• An environment that is not able to support quality goals.
• Inability to provide a quality service/product.
8
SUPPLEMENT FIVE MANAGEMENT CONTROLS
3. PRINCIPAL CONTROLS
QUALITY STANDARDS - CONTROL ATTRIBUTES
Management must install quality systems and as already mentioned, this factor affects all the activities
that management is promoting. There are however several specific processes that will contribute to
quality assurance and examples are listed as follows:
• Managerial supervision and review of staff activities.
• Standards for operational performance.
• Checks on staff output that are not merely concerned with correcting poor products but have the
wider role of determining the underlying causes and how they may be rectified.
• Managerial concern for quality where this is promoted at every opportunity.
• Commitment to achieve British Standards Institutes 5750 quality assurance standards (now ISO
9000).
• Good documentation and efficient filing systems and working papers. High standards should be
set in this respect.
• A zero error policy built into performance targets with associated review checks.
• A zero client complaints policy built into performance targets with associated review checks.
• The principles of Quality Circles applied allowing bottom upwards communications from work
teams feeding into the managerial process.
• Comprehensive external and/or internal reviews commissioned by management to promote
improvements in operations and services.
policy statements
departmental procedures
operational procedures
management action
It is not then a matter of simply evaluating a procedures document that management has given to the
auditor. The auditor must also review the way the above system is being defined and managed.
2. MAIN RISKS
Where procedures are inadequate then problems will ensue and these will include:
• Management will not be able to define how an activity should be undertaken.
• It will not be possible to identify staff training needs.
• It will not be possible to review staff’s work.
• It will not be possible to define how particular operational services interface with link systems due
to unclear procedures.
• Staff will not have their operational roles clearly defined.
• Clients will not understand how their services are being provided.
There is a resource implication in defining and drafting clear operational procedures and keeping
them up-to-date. However the risks associated with the lack of documented procedures are great and
as such, auditors should ensure that they are able to comment on them.
3. PRINCIPAL CONTROLS
PROCEDURES - CONTROL ATTRIBUTES
1. Objectives: Each procedure should have a clear link into the systems objective that is being sought.
2. Policy statements: Procedures should work within policies that set the overall framework.
3. Departmental procedures: There should be clear procedures that apply to the whole department,
section or operation. These should promote equity across the section.
4. Operational procedures: For each main activity that is undertaken clearly documented procedures
should apply which must be:
• Comprehensive.
• Up-to-date.
• In line with the realities of the activities.
• Consistent with job descriptions.
5. Communicated: The procedures should be properly communicated to all staff even where they are
working in a different area:
• Upwards communications should arise where staff have a major input into what is officially set
out.
• The procedures should be produced in a suitable format by using colours where appropriate along
with clear print. All staff should be given up-to-date copies.
• There should be a formal avenue for getting management to respond where staff are experiencing
problems with a particular procedure.
6. Training: It is essential that in-house (or external) skills training is undertaken where:
• Technically difficult procedures are in use.
10
SUPPLEMENT FIVE MANAGEMENT CONTROLS
7. Compliance reviewed: There must be an effective method that allows managers to satisfy
themselves that procedures are being adhered to and this may include:
• Management commitment to compliance.
• Documentation that supports the application of a procedure.
• Supervisory review.
• Spot checks particularly for remote locations.
• Special control teams that undertake regular compliance tests.
• Occasional comprehensive reviews of compliance.
• Compliance built into job descriptions.
• Disciplinary action where non-compliance occurs.
8. Management action: The auditor must look for effective management action where the standards
set by the various procedures are not being achieved:
• This should be geared to setting a culture that promotes the use of good workable procedures.
• Job descriptions should include the requirement to comply with procedures. They should also
include the requirement to seek improvements to procedures.
2. MAIN RISKS
The main risks to the operational element of an organisational activity should be related to the
inability to achieve the five key control objectives that are concerned with:
• Compliance with procedure.
• Reliable information.
• Protecting assets.
• Promoting economy and efficiency.
• Achieving objectives.
At all stages of the operation, these objectives must be secured as well as the relevant systems
objectives that attach to the stage.
3. PRINCIPAL CONTROLS
OPERATIONAL ACTIVITIES - CONTROL ATTRIBUTES
Reference should be had to the various textbooks and ICQs that detail suitable operation-specific
control mechanisms relating to specific areas such as stores, personnel, debtors systems, expenditure
systems, budgeting, final accounts, banking and so on.
2. MAIN RISKS
Where marketing issues have not been adequately considered, then a number of problems may result
including the following:
• Dissatisfied clients.
• Poorly defined product.
• Competition from similar service providers.
• Isolation from the realities of the organisation.
• Complaints from clients.
• Disputes over internal re-charges.
• De-motivated staff.
• Services contracted out to competitors.
3. PRINCIPAL CONTROLS
MARKETING - CONTROL ATTRIBUTES
Some of the relevant control attributes may be listed:
• A clear marketing strategy based on good marketing information.
• Marketing research properly resourced.
• Service level agreements.
• Complaints procedure.
• Standards for responding to clients’ enquiries such as:
time taken to respond to memos
time taken to address a complaint
time taken to answer the telephone
amount of detail provided to clients on request
• Brochures that set out the services provided and how these might be secured.
• Continual re-assessment of the services/products that are provided in line with feedback from
clients.
• Continual re-appraisal of the costs of providing the services and how these might be minimised by
improved efficiencies and the application of best practice.
• Continual assessment of competitors’ services and how they compare to what is on offer.
• Regular client surveys to see if they are making full use of the services that are being provided.
• Officer code of conduct and checks to see if the requirements of this code are being satisfied.
• Regular meetings with operational staff to discuss marketing-related issues and how improvements
may be sought.
2. MAIN RISKS
12
SUPPLEMENT FIVE MANAGEMENT CONTROLS
Where the MIS is inadequately controlled, then it may not produce information that is:
• Reliable.
• Accurate.
• Timely.
• Promoting accountability.
• Promoting operational efficiency.
• Promoting operational effectiveness.
Many important controls rely on the information that is supplied to management as part of the review
process. The implications of poor MIS may reduce the overall impact of many other controls and so
lower management’s reliance on them.
3. PRINCIPAL CONTROLS
MANAGEMENT INFORMATION - CONTROL ATTRIBUTES
There should be extensive material on controlling information systems (IS) held in the audit library
and these should be used where the MIS is a major part of the terms of reference for the audit. The
following controls represent the minimum that should be considered when reviewing an operational
area:
• There should be a documented IS strategy that has been defined to support the operational strategy.
• This in turn should be supported by an IT strategy that covers:
hardware requirements software requirements
any plans for networking any plans for developing a database solution
• The strategy should define the type of systems architecture that is being developed and how this
links into the existing organisation-wide architecture. New developments should fit this
strategy.
• There should be clear policies on controlling PC based systems covering acquisition, input,
processing, file and output controls.
• There should be a defined officer who is responsible for the integrity of the information.
• There should be clear guidance on complying with the DP Act 1984 in terms of registration,
access, protection and accuracy.
• The information systems outputs should be linked to the reporting needs of the operation and all
reports should be accurate, complete, timely and useful.
• There should exist a reporting system that accounts for the operational activities on a periodic
basis to senior management. This should include relevant statistics and performance indicators.
• Activity reports in terms of the budget and spending to date should be produced periodically at
least each quarter and action should be taken on adverse variances.
• Management reports should be based on the exception principle where variance from plan is used
to highlight particular problems.
• A computer replacement policy should be in place to ensure that all equipment is up-to-date and
efficient. There should also be adequate security over the computers.
11 Conclusions
We can note that internal auditors are known by many names including computer audit, contract
audit, compliance audit, fraud investigators, probity inspectors and so on. There is a view that the
auditor should know more about the system under review than the managers and as such may tell
them how best to perform their managerial duties. This is false since it is management who must
understand its areas of responsibility and audit’s role is not to second-guess them. Above all the
auditor is an expert in control armed with a comprehensive knowledge of control concepts. The
available mechanisms and how they might be applied in practice are the main prerequisites for a
professional internal auditor. Meanwhile the auditor should use the attributes that attach to each
component of the managerial control system (MCS), whenever the audit evaluation covers a defined
service. This is particularly relevant for auditing an operation, section, department or what may be
considered akin to a business unit. An activity cannot be assessed outside of the context of the macro
system of controls that form the basis of the MCS. A top-downwards approach (following the MCS)
will always be more effective than a review of isolated low-level transactions. In summary the two
approaches that we have described in this supplement are derived from two different views of controls:
strategy
structure
controls
resources
OPERATION
achievements
Here control is seen to shadow the management process as an additional system superimposed over
and above this process to ensure that activities are carried out properly and objectives achieved.
objectives
strategy
structure
MIS resources
procedures
[*]
OPERATION
achievements
The alternative model simply argues that the management process constitutes the absolute control
process which is impossible to separate from managers’ main activities. This in turn calls for a quasi-
management consultancy type role, as they seek to tackle complicated management systems. We can
surmise that at least 80% of control is exercised via the management processes whilst the remainder
falls in line with the more traditional type of controls that are based around the actual operation
(incorporated within operational procedures [*] above).
14