The Need for Control

Ever since organisations expanded beyond the control of the "boss" there has been a need for controls to regulate their activities. For example, the profession of accountancy/audit grew out of the need for owners to check on their factors/agents overseas in the 19th century. As private companies expanded and brought in outside shareholders (joint stock companies), the need to regulate the behaviour of those running the companies grew, and the first legislation governing companies was passed in the early 20th century.

Since the Second World War there has been very substantial change: the development of IT, the expansion of cheap communications (both travel and telephones) across the world, etc. These new facilities have been harnessed by commerce to create worldwide organisations that can be operated from one point on the globe. The need to update the legal framework for the conduct of commerce (and of governments, charities, etc.) was therefore recognised, and a large volume of laws and regulations now exists in most countries specifying standards of conduct and controls with which organisations must comply.

Many of the new laws are a result of scandals in which it was perceived that the investing public (directly or through collective investments) were being "ripped off" by the inappropriate conduct of senior executives. One only has to consider the South Sea Bubble, Kruger, the Salad Oil company, Equity Funding, Polly Peck, the Maxwell pensions, Enron and WorldCom, to name but a few, to realise that the potential for mischief has existed over the centuries and no doubt still exists today.

Corporate Governance

In addition, a perception that the public in general, and minorities in particular, require protection from large organisations has resulted in many laws and regulations governing the conduct of organisations in relation to their employees and the public. These cover anti-discrimination, privacy protection, product quality, etc.

The result is that organisations require an ever more sophisticated system to ensure compliance with these laws and regulations.

In the UK the main documents covering corporate governance are the series of reports culminating in the Turnbull report (and now Higgs), which dealt with conduct in the boardrooms of UK organisations. These are now read in the context of the OECD recommendations on Corporate Governance. In the US, in response to the recent scandals, the Sarbanes-Oxley Act requires, inter alia, executives to take personal responsibility for the material published by their companies.

In this paper on Internal Control we are concerned with the processes necessary to implement the organisation's mission, including compliance with the laws and regulations, and not with the details of those requirements themselves, nor specifically with the Corporate Governance issues surrounding effective disclosure, fairness between stakeholders and executive remuneration.

Operational Risk

In particular we are concerned with the processes to limit operational risk within an organisation. At present the financial services regulators worldwide are seeking to change the processes within regulated organisations to accord with the Bank for International Settlements' (BIS) requirements set out in Basel II. National regulators and BIS are issuing guidance on implementation to regulated organisations.

The Need for Risk Assessment

Behind the regulatory initiatives there are a number of international standards which affect the processes within an organisation. The three main standards today are ISO 9001 (and derivatives), ISO 14001 (and derivatives) and ISO/IEC 17799/BS 7799 Part 2 (and derivatives). ISO 9001 addresses the controls needed to achieve quality in products and processes. ISO 14001 addresses the controls needed to protect the environment. ISO/IEC 17799 addresses the processes for information security within an organisation, and BS 7799-2 provides the mechanisms for the management system.

The Treatment of Risk

All the regulations and standards expect organisations to establish effective controls on the basis of a risk assessment. The results of a risk assessment can be categorised as:

  • Risks which require to be guarded against (i.e., the applicable risks in the Auditing Practices Board guidance).

  • Risks which are either of low impact or of low probability of occurrence, where no specific controls are required. For risks of very high impact and low frequency, organisations often include some pre-planning for an occurrence, for example business continuity planning. In other cases the risk may simply be deemed to be acceptable or avoidable.

  • Risks where it is appropriate to transfer the (financial) implications to another organisation, for example through insurance, goods on consignment, etc. To transfer the risk effectively it is often necessary for organisations to implement associated controls, for example to ensure compliance with the requirements of an insurance policy and to address non-financial impacts, such as the availability of office space.

Types of Control

We assert, for the purpose of explaining our theory, that a risk materialises on the occurrence of an event, the consequences of the event being the damage caused by the adverse impact (and the recovery from that impact). There are three classes of controls:

  • Preventive - which seek to ensure the impact never materialises. This type of control either prevents the event from occurring or from affecting the organisation, or detects the event as it happens and prevents any further activity that may lead to an impact.

  • Detective - which identify when some event, or events, have occurred that could lead to the materialisation of the impact, and invoke appropriate actions to arrest (or mitigate) the situation.

  • Reactive - which identify that the impact has occurred and invoke appropriate actions to recover from (or mitigate) the situation.

Certain events will not usually be detectable by an organisation's Internal Control System (ICS). For example, a terrorist alert requiring closure of the office will be notified by the authorities. Other events will be detected by the stakeholders - customers, suppliers, shareholders, employees, etc. - who complain to the organisation when they perceive that things are wrong (perhaps incorrectly!). ICSs should therefore include processes for handling complaints fully, including identification of the cause if there was error on the part of the organisation.

Our Objectives

The problem facing senior management with regard to the controls can be expressed as the following questions:

  • Do the controls work (including: are they performed correctly)?

  • Are they cost effective?

  • Do we have sufficient (neither too many nor too few)?

Organisations monitor their controls in two main ways:

  • Investigating incidents (i.e., events and impacts) and making amendments to controls as appropriate.

  • Conducting formal or informal audits.

Both these methods tend towards creating more controls than the minimum necessary. Reaction to incidents may be "knee jerk" and "over the top". Auditors often rightly identify problems in a control structure and suggest additional controls to fill the gaps as they see them.

Our methodology seeks to create an objective set of measures to assist management to judge the cost effectiveness of the controls in this ever more regulated world.

Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Please send comments to webmaster@gammassl.co.uk or complete our Visitors' Book. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK. Tel: +44 1276 702500 - Fax: +44 1276 692903. Copyright © Gamma Secure Systems Limited 2004

Page last updated: 18 March, 2004