Embed Size (px)
Citation preview
NOVEMBER 2005 REAL FINANCE 43
INTERNAL CONTROL HAS ROCKETED UPTHE BOARD AGENDA IN RECENT YEARS.AND THAT’S A GOOD THING. NO, REALLY.DESPITE ALL THE RED TAPE, THERE’S VALUEIN SMART CONTROLS, AS SIX FDS EXPLAIN.
Boring but important.” That probablysums up most FDs’ opinion of internalcontrol. The most boring part? It’s the bitof the job that makes you look like a
stereotypical “FD-as-policeman”. The red tape ispretty dull, too – though it’s anything but static.
Since the Cadbury Code highlighted the concept in 1992, a seemingly constant stream ofreviews and guidance notes has moved controlsteadily higher up the regulatory agenda. SarbOx,even though it affects a relatively small proportionof UK companies, has further driven home themessage that you overlook internal control atyour peril. And the statutory Operating &Financial Review (OFR), which came into forcethis year, has made it an auditable function.Internal control has become pretty hidebound.
BY ALICE HOHLER
COMMANDCONTROL &
“
From left to right:Seamus Keating
FD, LogicaCMGClive Kahn
CFO, TravelexDuncan Tatton-Brown
FD, KingfisherBecky Worthington
FD, Quintain
NOVEMBER 2005 REAL FINANCE 45
According to a recent survey commissioned bysoftware firm CODA, 92 per cent of UK FDs saidtheir department was spending more time on risk,control and assurance than they did three yearsago; 68 per cent reported increased finance func-tion headcount to cope with compliance. But gov-ernance regulations are not only distracting financeresources from more strategic, forward-lookingactivities – they’re also masking the value-creatingpotential of good control itself.
Jonathan Hayward is CEO of consultancyIndependent Audit. He believes regulation encour-ages an unhealthy level of box-ticking. “Over thepast 15 years, internal control and risk managementhave developed in response to regulatory pressures,”he says. “So they don’t always look well joined-upwith the business. There’s still far too much boiler-plate. The internal control report is probably theleast useful part of the annual report – and there’ssome pretty stiff competition for that title.”
It should be about making things go right a lotmore often than they go wrong, Hayward goes on.“Organisations are not machines – they’re societies,run by people,” he says. “All societies need rules toavoid chaos. But the effective ones don’t overdo it.”
Hayward is not alone in believing that the UKregulatory environment is close to saturation
point. The collective sigh of relief last monthwhen the Flint Review chose to make minimalchanges to the Turnbull Guidance, rather thanimposing a SarbOx-type regime on UK compa-nies, spoke volumes.
That sigh was loudest in Britain’s finance func-tions. Most of you are embracing internal controlas a fundamental part of your business – and havebeen doing so for some time, not just in responseto recent developments.
“A robust internal control environment meansyou pick things up more quickly,” says SeamusKeating, FD of IT services group LogicaCMG. “Itgives you more confidence to take on large andcomplex projects for customers.”
Has his day-to-day control role changed inrecent years thanks to all this regulatory atten-tion? “It hasn’t really changed my job, but internal
control has got a much higher profile,” he says. “Non-executivesand audit committees are moreinvolved now, and they regard it asmuch more important. So more ofmy time is spent making sure thateveryone understands the controlframework and has input into it.”
Keating’s not the only FD wholooks beyond the rules. “Our pro-cedures for controlling the busi-ness are the same as ourprocedures for driving the busi-ness,” says Becky Worthington,FD at Quintain Estates &Development. “Take our weeklycapex meeting on Monday morn-ing. Any spend that hasn’t beenbudgeted for is discussed in detail,and we have strict rules for gettingit signed off.” That’s not a pre-scribed activity – it’s just smart.
Worthington says that internalcontrol has become a bigger issueat Quintain in recent years. Butshe puts this down to the company’s rapid growth rather
than regulatory pressure. So although Quintainhas recently hired an internal auditor, ToryHeazell, she’s there to add value, not tick boxes.“Internal control is about bringing structure toprocedures that are there anyway,” Heazell says.
There’s certainly a trend to establish internalaudit (IA) as part of the finance family. FTSE100-listed Kingfisher has built up its IA team tomore than 50 people. “That’s mainly because thebusiness is bigger – we now operate over 600stores – and because we’re a retailer with manydifferent formats in many different countries,”says FD Duncan Tatton-Brown. “Greater externalscrutiny is probably the least important reason.”
His day-to-day role has also not changed much.“It’s an important part of every senior manager’srole,” he says. “But as FD, there is a bit more com-munication to the board on internal control now.”
“INTERNAL CONTROL IS ALL ABOUT
BRINGING STRUCTURE TO PROCESSES
THAT ARE THERE ALREADY” Becky Worthington, FD, Quintain
BRIEF HISTORY OF INTERNAL CONTROL IN THE UK
1992 The Cadbury Code, the UK’s first corporate governance code, includes Principle 4.5 on “reportingthe effectiveness of the company’s system of internal control”.1994 The Rutteman Report on Internal Control and Financial Reporting expands on Principle 4.5specifying minimum disclosures. But it admits a system of control can provide only “reasonable and notabsolute” assurance against misstatements.1998 The first Combined Code broadens the debate from internal financial control to internal control.1999 The Turnbull Report says boards should adopt a risk-based approach to establishing a soundsystem of internal control and conduct an ongoing review of its effectiveness.2002 The Sarbanes-Oxley Act is passed in the US. Section 404 requires directors to make statementson the effectiveness of internal controls. Foreign companies with US-listed debt or equity will have to be404-compliant from 2006.2003 The Smith Report advises on the roles and responsibilities of audit committees. The CombinedCode is revised to reflect both this and the Higgs Report.Jan 2005 The statutory OFR covers current and prospective performance and strategy. It must includeinformation on the principal risks and uncertainties that may affect a company’s long-term value.Oct 2005 The Turnbull Guidance is reviewed by a group led by Douglas Flint, FD of HSBC. “Theoverwhelming view was that the Turnbull Guidance continues to provide an appropriate framework forrisk management and internal control. Its relative lack of prescription is considered to have been a majorfactor contributing to the successful way it has been implemented,” says Flint. “Only limited changes havebeen made to the guidance itself, while a new preface has been added to emphasise the need [for firms] tokeep [it] under review and to provide meaningful information in their annual report,” says the FRC.
46 REAL FINANCE NOVEMBER 2005
At a prominent quoted company likeKingfisher, the FD is now more clearly in the spot-light. “The external expectations around risk arehigher and there’s far greater public scrutiny,” saysTatton-Brown. But it’s not just these FTSE 350groups that have to take internal control seriously.Unlisted and smaller companies are also grasping
the nettle. While the Flint Review found that 87per cent of companies capitalised above £500mhad implemented and fully integrated risk assess-ment and internal control, so had 65 per cent ofthose capitalised at less than £100m.
At the top end of the private scale, there arecompanies like £1.1bn-rated currency exchangegiant Travelex. It has developed internal controlsbeyond even those required in the tightly regu-lated financial services sector. “We’ve alwaysprided ourselves on running ourbusiness like a public company,”says FD Clive Kahn. True, there’sa high probability that it’ll becomeone eventually. “We don’t want towait until the last minute to getthe house in order,” he admits.
But Kahn’s belief in internalcontrol runs deeper than that.“We’re doing it because becausewe think it’s important,” he says.“We’ve got tremendous value outof our internal audit. If people aredoing it just because they have to,they’re missing the point.”
That’s endorsed at the otherend of the unlisted spectrum byCharles Ogilvie, FD of the £18m-turnover distributor ContenderEntertainment Group – a formerSunday Times Fast Track 100 firm.An internal auditor is top of hiswish list. “At the moment we haveincredibly simple, common-sensecontrols,” he says. “Because man-agement are also significant share-holders, I look after the money asif it’s my own. But I don’t like the
fact that it all depends on me. I would like some-one who could troubleshoot processes.”
But can such a small company justify the cost ofa full-time internal auditor? Ogilvie seems surprisedat the question. “I would expect whoever Iemployed to find savings and efficiencies to pay forthemselves two or three times over,” he says.
Contender is right to see more rigorous controlas a potentially cost-effective exercise. The FD of afamily-owned publishing business we approachedclaims his external audit costs halved after hetightened up internal financial control. “The audi-tors now have to do far less substantive checking,so the process is much cheaper,” he says.
So, at companies of all sizes and types, FDs aremoving beyond seeing internal control as a“grudge purchase” to keep shareholders, the audit
committee and regulators happy. It just makesgood business sense. But why stop there?
While smaller companies still tend to focus onfinancial controls, elsewhere the scope has broad-ened away from the finance department – where acontrol culture is naturally more deep-rooted – tothe operational side of the business. This is justsmart thinking: a recent PwC survey found thatfinancial risk caused only six per cent of majorshare price declines, compared with 58 per cent forstrategic risk and 31 per cent for operational risk.You can have the best controls within the financefunction. But if there’s a breakdown elsewhere inthe business, they could make things worse by convincing you that you don’t have a problem.
SARBOX: REVEALING THE VALUE OF CONTROLS?
So what happens when you do have to rely onyour controls to keep you out of jail? We Britishare inclined to look on the bright side. As ourown business environment gets more risky andlitigious, it’s easy to look at US companies (andsome of ours) and think, “At least I don’t have todeal with SarbOx.” Then we resolve to show thatour own principles-based system works, if only toavoid the Americans’ fate.
“IF YOU DO IT JUST BECAUSE YOU HAVE
TO, YOU’RE MISSING THE POINT. IT’S
MORE IMPORTANT THAN THAT” Clive Kahn, CFO, Travelex
DOES CONTROL KILL OFF ENTREPRENEURIALISM?
About a year ago, Real Finance hosted a lunch on risk management with KPMG. “My big concern isperception of controls,” said one FD. “I don’t want people in the business becoming reluctant to comeforward with good ideas because they think finance is just going prod it around and analyse it to death. If theythink it’s all process and paperwork, they won’t bother.” So how do you marry control with creativity?
In fact, fast-growing, entrepreneurial companies need internal control even more their steady-state peers.Risk-takers are from Mars and controllers are from Venus, then? It’s all about striking a balance. “The benefitshave to outweigh the costs,” says Alan Lees, head of risk assurance services at accountancy firm RSM RobsonRhodes. “An over-controlled organisation can be just as unsuccessful as a poorly controlled one if its controlsystems stop it doing business.”
Risk can never be entirely eliminated – and even if it could be, this shouldn’t be internal control’s goal.Without risk, there is no reward. “It’s not cost-effective to mitigate every risk, and being too risk-averse wouldhamper what businesses are trying to achieve,” says Tory Heazell, internal auditor at property groupQuintain. Her FD, Becky Worthington, agrees: “Having a rule book is crucial, but it should be as thin aspossible. It’s there so that people know what really matters, without getting bogged down in endless red tape.People doing deals understand what they need sign-off on. It’s a straightforward process, and that’s essential because you want your deal-makers to be making money, not worrying about which form needs tobe filled in.” That, of course, is where finance can do the heavy lifting – providing its staff communicate well.
At Travelex, another large-but-entrepreneurial company, managers can appeal on any control they don’tagree with. “We’re a global operation – we can’t write risk controls for each individual business and regionwe operate in,” says Clive Kahn, Travelex’s FD. “So while we have blanket controls, local managers can say‘this doesn’t fit our business’. We try to make sure that lines of communication are open between layers ofmanagement – and that there aren’t too many layers.”
48 REAL FINANCE NOVEMBER 2005
But is our fear of SarbOx justified?There are certainly horror stories,where process rather than good management has informed decisions.Take the FD of the subsidiary of a UScompany who found his reporting lineshifted from his European CEO... tothe finance department back in theUS – not the CFO, mind you, but twolevels down. How can that be a holis-tic approach to control?
And then there’s the cost of compliance, estimated at $10m forlarge companies and $3m to $5m forsmaller ones. Even the Big Four auditfirms, which are making huge fees outof SarbOx compliance, are often scep-tical (off the record, of course) aboutits underlying value. Refco, anyone?
But now that US companies havemade – and paid for – the transition,many are determined to extract valuefrom it. Bob Spedding, EMA Head ofInternal Audit Services at KPMG, hasjust returned from the US.“Companies have had to catalogue alltheir controls and processes inunprecedented depth,” he says. “Theyshould be able to use that information to makesure they are operating as efficiently and cheaplyas possible, and to gain competitive advantage.”
Paul Slater, partner at PwC, also believes thatthere are important lessons to be learned fromSarbOx. “I’ve spoken to FDs who believed theyhad good control frameworks and strong internalaudit functions,” he says. “After going throughSarbOx, they were surprised at how many gapswere found.” According to Slater, there were twopatterns to the gaps. First, they happened wherecontrols were thought to be in place, but were notactually operating. Second, manual controls werestill being used where automated ones could havebeen, at a significantly lower cost.
“SarbOx also forced many companies to creategreater transparency in controls at the operationallevel,” says David Bishop, partner in PwC’s RiskAssurance Service. “Companies want to learnways of removing complexity in the finance func-tion and focus on a few key controls. They wantto take the gems from the SarbOx process andleave behind the compliance burden.” And apply-ing some of the act’s principles could prepare youfor the possible introduction in 2006 of the morestringent EU 8th Directive on Company Law cover-
ing internal control.How does all this translate into practical activ-
ities for busy FDs? We asked the finance directorsand experts we spoke to for some basic rules.● Keep it simple. “Don’t overcomplicate internalcontrol. Focus on the key risks to your organisation,”says RSM Robson Rhodes’s Alan Lees.● Aim for good business practice, not layers ofprocess. “Keep your eyes on the objective – good man-agement – and apply common sense,” says Hayward.● Make it practical. “If I stood in front of the boardwith a heap of diagrams and buzzwords, I expect I’d bebooed out of the room,” says Quintain’s Heazell.● Get fresh perspectives. Ask people from onedepartment or region to look at how controls work inother areas. “It’s quite easy to see the gaps when youlook at something from the outside,” says Heazell.● Sell it to employees. Good controls protect themas well as shareholders, and aren’t there to “catchthem out”. “I trust people,” says Heazell. “I don’t likeputting controls in place that imply a lack of trust.”● Learn from past mistakes. It’s easier to get buy-in ifthe need for a particular control has already beenproven. “You get no credit if things don’t go wrong –because you haven’t proved the need for the control,”says Heazell. So prioritise the existing failures.
● Seek competitive advantage. It’s a chance to addvalue, not cost. Use your auditors’ experience of com-pliance with SarbOx and other regulations tobenchmark your own business.
Ideally, of course, internal controls shouldbecome so embedded that staff apply theminstinctively. And there’s already evidence ofemployee “self-assessment” on internal control inmany organisations. RSM Robson Rhodes’ Leesbelieves that, over time, internal audit may evendisappear altogether as this becomes the norm.Perhaps this is what all FDs should aspire to – andit’ll help you lose the “boring” tag, to boot.
Alice Hohler is a veteran interviewer of CFOs for Financial News.
WHERE NEXT...www.frc.org.uk/corporate/internalcontrol.cfmThe revised Turnbull guidance on internal controlhttp://snipurl.com/TurnbullCAEWInstitute advice on implementing Turnbullwww.paypershop.com/press/basda002.htmlHow systems can help deliver strong controlshttp://snipurl.com/KingfisherControlsDuncan Tatton-Brown’s latest report on controls
CONTROL: THE OPERATIONAL BENEFITS
Several of the FDs we’ve spoken tohave emphasised the need to push the finance function’s controlagenda into the business. Nowhere is that more true than in retail, where the volume of in-store transactionsis a massive and explicit risk. Last month we met John Hood, FD of £1.5bn-turnover Lloyds Pharmacy,when he was presenting the results of a project to improve loss prevention across its 1,400 stores using bettercontrols, automated transaction monitoring, enhanced internal audit and better communication.
“I got into retail in the mid-eighties, the good old days,” he says. “Now the environment is tougher forretailers. Margins are slim, and even in our business, where the majority of revenue comes from the NHS,there’s pressure on the top line. That means we have to be a lot tighter on control. Our loss preventionefforts are managed within the finance function: we run a team of internal ‘operational’ auditors and asecurity team. They have close working relationships right across the business. We also have a security datamanager whose role is to look for control lapses in our systems and deliver feedback to operational teams.”
Prior to this new approach, the speed of these feedback loops was a “critical failure”. But new systems,mainly a loss prevention package installed by IntelliQ, have created a much more responsive controlenvironment. So instead of monthly exception reports,for example, the team now gets almost real-timereporting on problems in stores. And, crucially, loss prevention teams get the information directly. “As FD, Idon’t want to use these control systems,” says Hood. “They have to be able to use them and see value inusing them. I would never have taken these new systems to the board if they hadn’t bought into it – or if Ihadn’t seen potential for a return on the investment.”
There’s still a balance between control and keeping the business going. “We never wanted to tie peopleup in forms and procedures,” says Hood. And it pays to prioritise the controls that will deliver the fastestresults. “When it comes to stock loss, process failure is a bigger factor than internal theft,” says Laurence Kingof Oris Group Consulting. “But the anti-shrinkage spend is usually focus on external theft, the shoplifters.”
NOVEMBER 2005 REAL FINANCE 49
Brian Hanks became FD of the English subsidiaryof Intrum Justitia, Europe’s leading provider of creditmanagement services, at the beginning of July2003. His first job? To tackle concerns about thefinance function and a realisation that internalcontrol had broken down. “We had to make aninitial calculation of the problem within two weeks,”says Hanks. “Two of us came up with an estimate: amisstatement of about £6m. It was serious enoughfor the Swedish parent company to issue a pressrelease about accounting irregularities.”
That brought about an invasion of forensicaccountants to calculate the exact error. Was it actually£6m, as Hanks had calculated? Or was it £16m? Or,even worse, £0.6m? “The £6m figure had been a veryquick estimate,” says the FD. “In fact, the final numberwas within spitting distance of it, which proves that theback of the envelope can often work!”
The finance department was about 25-strong,but Hanks took on 20 qualified and part-qualifiedaccountants on a temporary basis to get thereconciliations up to date. “We then had these 30forensic accountants in from PwC,” he says. “Thoseguys could have come up with a conclusion thatactually everything was OK – that would have been anightmare for us, especially since Group had actedso quickly after we’d come up with the £6m figure. Itall rather focuses the mind.”
Hanks’s first four or five months were all aboutgetting to the bottom of the problem and finding outwhat allowed it to happen. “That would enable us to
move to the next stage: fixing all of those issues andensuring it didn’t happen in the future,” he says.“Some of the problems were obvious. One of thebank recs had 11,500 unreconciled items on it, forexample. We had a lack of control over the postingto ledgers. And we had cash books that containedwrong entries.”
So how had control broken down so badly?“There were three main factors,” says Hanks. “Thedepartment was run on manual processes; therewas a lack of documentation or review of process;and there was a lack of qualified accountants. So assoon as you got a resignation, for example, theoutgoing person would do a hand-over. But if theleaver didn’t fully understand their own job and thenew person only picked up half of what they’d beentold, it would start to break down completely.”
That meant re-evaluating every process andchecking all the data – while keeping the departmentrunning and supporting the business at the sametime. “If we spotted something that could be fixedimmediately, processes were changed that day,”says Hanks. “For example, cheque books weredotted around the building with whoever was a signatory. We pulled all of those back in to be keptsecure in finance as soon as we found that out.”
Hanks admits there was tension between theincumbent staff (who took flak for the problem), theforensic guys and the new team members brought into tighten up the ship. “It was a sizeable enoughproblem that everybody knew about it,” says the FD.“But that meant we were able to harness resourcesacross the whole business.”
That’s a key point: “Fixing internal control meanslooking throughout the business,” he says. “Eventoday we still have quality checks. People may ask whywe need somebody else to review their work. But Ithink it adds a safety level. We don’t want things to gowrong again. And it’s now far easier for us to get thecontrol message across outside finance because I canalways say, ‘Here’s what happened in July 2003.’”
Intrum Justitia is more than just back on track – it’sbetter run now than ever before. “But I wouldn’t say Iam happy with internal control,” says Hanks. “I don’tthink that any FD can, because there’s always acost/benefit trade-off. But I am happy that I have theappropriate controls in place and that we now have
much more risk awareness. We’ve got departmentstalking to each other where maybe they didn’t in thepast. People question the ‘done thing’.”
Hanks has learned some valuable lessons abouthandling a breakdown in control – and developingworld-class control systems.● Be transparent about failure. “The Swedishapproach is very open. They explained what they’dfound, that they’d put a team in to deal with it – andthey made it clear they had confidence in us.”● Reducing the cost is not the answer. “Youmight save overhead by keeping finance numberslow. But accounting irregularities or lack of focus oncredit control will cost you. I don’t want to build afinance empire, just a department that’s fit forpurpose. If I need more people, I shout for morepeople. Getting the right people in place is the key.”● Focus on documentation. “People shouldphysically sign to authorise things. It’s about leavingan audit trail. People throughout the business mustunderstand their accountability.”● Educate people outside finance. “Financialcontrol goes across the whole organisation. A lot ofour problems were out in the business – finance justhappened to be the department that added thenumbers together. You have to get buy-in from theother directors and the rest of management. Theyneed an understanding of how it all links together.”● Good systems help. “We could have tried totweak the system. But there’s a limit to how manytweaks you can make. It’s still about changing theway things happen. So I may have a state-of-the-artaccounting suite, but unless I use the outputs andcontrol the inputs correctly, I still won’t have acontrolled environment.”● Use different people to review controls.“We used people from elsewhere in the group tolook at different functions. It gets you back to the‘why?’ Why is this process like it is? You’ve probablygot people in-house who can ask those questions –and they’ll do it a lot cheaper than consultants.”
The end result? Intrum Justitia not only has a tight,effective finance function now. Its new routines ensurethat customers can rely on a qualified partner – andthat’s the real value from good control. www.intrum.co.uk
Interview by Real Finance editor Richard Young
CONTROL AFTER CALAMITYWhat happens when internal control collapses? Simple: you hire a good FD to fix it.
