The Controller’s Toolkit
-
Upload
others
-
View
9
-
Download
0
Embed Size (px)
Citation preview
Introduction: About This Toolkit v
Chapter 1: Defining the Role of a Controller 1 Overview 1
Controller’s Tool 1 – Suggested Job Responsibilities for a
Controller 1 Controller’s Tool 2 – Core Competencies of a
Controller 2 Controller’s Tool 3 – The Controller’s Business
Partnership Matrix 5 Controller’s Tool 4 – The Controller’s Span of
Influence 7
Chapter 1: Test Your Knowledge 9 Chapter 1: Solutions and Suggested
Responses 11
SECTION 1: CORPORATE AND REPUTATIONAL RISK 13
Chapter 2: The Controller and Risk Management 15 Overview 15 Risk
Management Defined 15 Controller’s Tool 5 – Types of Risk 17
Controller’s Tool 6 – Risk Management Frameworks 18 Controller’s
Tool 7 – Considerations for Managing Risk with an Enterprise
Risk
Management Model 19 Table of Controls – Risk Management 21 Table of
Risks and Controls – Risk Management 22
Chapter 2: Test Your Knowledge 29 Chapter 2: Solutions and
Suggested Responses 31
Chapter 3: The Controller and Ethics 33 Overview 33 What Is Tone at
the Top? 33 Example – Code of Conduct: MCI 35 The Reaction to
Unethical Behavior 35 Sarbanes–Oxley and Whistleblower Protection
37 Controller’s Tool 8 – Ethics Training Programs 37 Controller’s
Tool 9 – Key Considerations and How to Manage an Ethics Hotline 37
Controller’s Tool 10 – Tone at the Top and the Tone in the Middle
38 Tone at the Top and US Sentencing Guidelines 39 Tone at the Top
and the Foreign Corrupt Practices Act 40 Anti-Bribery Provisions of
the FCPA 40 Recordkeeping Requirements of the FCPA 40 Guidelines
for FCPA Compliance 41 The Dodd–Frank Act 41 The Whistleblower
Protection Act of 1989 41
ii • Table of Contents
The False Claims Act 41 Table of Controls – Ethics Program 42 Table
of Risks and Controls – Ethics Program 43
Chapter 3: Test Your Knowledge 51 Chapter 3: Solutions and
Suggested Responses 53
Chapter 4: The Controller and Corporate Governance 55 Overview 55
The 1992 Cadbury Committee 55 The International Finance Corporation
and the Global Corporate Governance Forum 57 The Organization for
Economic Cooperation and Development and Corporate Governance 57
Corporate Governance in Practice 58 When Corporate Governance Is
Flawed 60 Controller’s Tool 11 – The Sarbanes–Oxley Act of 2002 and
Corporate Governance 61 Controller’s Tool 12 – Examples of Board
Committees 64 Table of Controls – Corporate Governance 66 Table of
Risks and Controls – Corporate Governance 69
Chapter 4: Test Your Knowledge 75 Chapter 4: Solutions and
Suggested Responses 77
Chapter 5: Entity-Level Controls 79 Overview 79 Benefits Of
Entity-Level Controls 79 Why Is The Committee Of Sponsoring
Organizations Of The Treadway
Commission Framework Important To Entity-Level Controls? 81
Controller’s Tool 13 – Implementing An Entity-Level Controls
Framework 84 Controller’s Tool 14 – Examples Of Entity-Level
Controls 84 Table Of Controls – Entity-Level Controls 87 Table Of
Risks And Controls – Entity-Level Controls 90
Chapter 5: Test Your Knowledge 97 Chapter 5: Solutions and
Suggested Responses 99
SECTION 2: STRATEGIC PLANNING AND MERGERS AND ACQUISITIONS RISK
101
Chapter 6: Strategic Planning and Mergers and Acquisitions 103
Overview – Strategic Planning 103 The Strategic Planning Process
103 Step 1 – Prepare for Strategy 105 Step 2 – Articulate the
Mission, Vision, and Values 106 Step 3 – Assess the Situation 107
Step 4 – Develop Strategies, Goals, Objectives, and Budgets 108
Step 5 – Write the Strategic Plan 109 Controller’s Tool 15 – Sample
Strategic Plan Table of Contents 110 Step 6 – Evaluate the
Effectiveness of the Strategic Plan 111 Table of Controls –
Strategic Planning 112 Table of Risks and Controls – Strategic
Planning 113
Table of Contents • iii
Overview – Mergers and Acquisitions 114 Controller’s Tool 16 –
Mergers and Acquisitions Due Diligence Checklist 117 Table of
Controls – Mergers and Acquisitions 131 Table of Risks and Controls
– Mergers and Acquisitions 132
Chapter 6: Test Your Knowledge 135 Chapter 6: Solutions and
Suggested Responses 137
SECTION 3: INTERNAL CONTROL RISK 139
Chapter 7: Internal Control Program 141 Overview 141 The Three
Critical Corporate Controls 143 The Committee of Sponsoring
Organizations of the Treadway Commission
and Internal Controls 144 Controller’s Tool 17 – Roles and
Responsibilities for Internal Controls 146 The Impact of Section
404 of the Sarbanes–Oxley Act of 2002 on Internal
Control Programs 150 Controller’s Tool 18 – Internal Control Best
Practices for Privately Held Companies 151 Controller’s Tool 19 –
Leveraging Internal Control Basics to Implement a
Control Self-Assessment Program 152 Internal Controls and Fraud
Prevention 155 The Fraud Triangle 155 The Five Elements of Fraud
and the Fraud Diamond 156 Definition and Examples Of Fraud 157
Table of Controls – Internal Control Program 157 Table of Risks and
Controls – Internal Control Program 159
Chapter 7: Test Your Knowledge 165 Chapter 7: Solutions and
Suggested Responses 167
SECTION 4: COMPLIANCE RISK 169
Chapter 8: Regulatory Compliance 171 Overview 171 Controller’s Tool
20 – Regulatory Compliance Toolkit 171 Table of Controls –
Regulatory Compliance 193 Table of Risks and Controls – Regulatory
Compliance 195
Chapter 8: Test Your Knowledge 201 Chapter 8: Solutions and
Suggested Responses 203
PART 2 205
SECTION 5: PAYMENT RISK 207
Chapter 9: Procure-to-Pay 211 Overview 211 1.0 Procurement 213 1.1
Supplier Selection and Management 213
iv • Table of Contents
1.2 Contract Management 218 1.3 Purchasing and Ordering 220 1.4
Reporting, Metrics, and Analytics 227 2.0 Accounts Payable 231 2.1
Supplier Master File 233 2.2 Invoice Processing 238 2.3 Payment
Process 243 2.4 Accounting Process 251 2.5 Customer Service 256 2.6
Reporting, Metrics, and Analytics 260 2.7 P-Cards 264 2.8 Travel
and Entertainment 272
Chapter 9: Test Your Knowledge 279 Chapter 9: Solutions and
Suggested Responses 281
Chapter 10: Hire-to-Retire 283 Overview 283 3.0 Human Resources 285
3.1 Human Resources Process 285 4.0 Payroll 293 4.1 Payroll
Processing Process 295 4.2 Payroll Payment Process 301 4.3
Reporting, Metrics, and Analytics 307
Chapter 10: Test Your Knowledge 313 Chapter 10: Solutions and
Suggested Responses 315
Chapter 11: Order-to-Cash 317 Overview 317 5.0 Order-to-Cash 317
5.1 Sales 319 5.2 Customer Master File 326 5.3 Credit Analysis 331
5.4 Order Fulfillment and Invoicing 337 5.5 Accounts Receivable and
Collections 347 5.6 Cash Application and Management 356 5.7
Reporting, Metrics, and Analytics 365
Chapter 11: Test Your Knowledge 371 Chapter 11: Solutions and
Suggested Responses 373
PART 3 375
SECTION 6: FINANCIAL OPERATIONS RISK 377
Chapter 12: Record-to-Report 379 Overview 379 Controller’s Tool 22
– Monthly Closing Best Practices 381
Table of Contents • v
Controller’s Tool 23 – 15 Best Practices to Simplify Your Financial
Close 381 Fraud within the Record-to-Report Process 383
Controller’s Tool 24 – General Financial Statement Fraud Red Flags
384 Controller’s Tool 25 – Fraud Red Flags for Lenders and
Investors 385 Table of Controls – Record-to-Report 386 Table of
Risks and Controls – Record-to-Report 389
Chapter 12: Test Your Knowledge 399 Chapter 12: Solutions and
Suggested Responses 401
Chapter 13: Budgets, Forecasts, and Capital Budgeting 403 Overview
– Budgets and Forecasts 403 Financial Statement Analysis 403 The
Purpose of Budgeting 403 Controller’s Tool 26 – Types of Budgeting
405 Controller’s Tool 27 – The Budgeting Process 406 Controller’s
Tool 28 – Budget Process Best Practices 409 Moving Your Finance
Function to Dynamic Budgeting and Planning 412 Controller’s Tool 29
– Types of Financial Forecasting Models 413 Controller’s Tool 30 –
The Forecasting Process for Small Businesses 415 Table of Controls
– Budgets and Forecasts 416 Table of Risk and Controls – Budgets
and Forecasts 417 Overview – Capital Budget and Fixed Assets 418
Developing the Capital Budget 419 Controller’s Tool 31 –
Controller’s Areas of Responsibility for the Capital
Budget and Fixed Assets 419 Controller’s Tool 32 – Alternative
Methods for Capital Budgeting 420 Table of Controls – Capital
Budget and Fixed Assets 421 Table of Risks and Controls – Capital
Budget and Fixed Assets 423
Chapter 13: Test Your Knowledge 425 Chapter 13: Solutions and
Suggested Responses 427
Chapter 14: Supply Chain Management and Inventory Control 429
Overview 429 The Role of the Controller 429 Supply Chain Finance
429 Controller’s Tool 33 – Blockchain Features That Enable Supply
Chain Financing 431 Inventory Types 431 Inventory Management 432
Inventory Costing Methods 434 Trends in Inventory Management 434
Other Processes Relevant to the Supply Chain Business Process 435
Controller’s Tool 34 – Supply Chain Performance Metrics 437 Table
of Controls – Supply Chain Management and Inventory Control 439
Table of Risks and Controls – Supply Chain Management and Inventory
Control 444
Chapter 14: Test Your Knowledge 455 Chapter 14: Solutions and
Suggested Responses 457
vi • Table of Contents
Chapter 15: Treasury and Cash Management 459 Overview 459
Controller’s Tool 35 – Responsibilities of the Treasury Department
459 Controller’s Tool 36 – What Are the Components of Cash Flow?
461 How Does a Company Practice Good Cash Flow Management? 461
Controller’s Tool 37 – Cash Forecasts 462 Payment Float 463 Letter
of Credit 463 Foreign Exchange Policy: Management and Controls 464
Controller’s Tool 38 – Foreign Exchange Policy Development Process
465 Controller’s Tool 39 – Cash Management Rules for Petty Cash 466
Cash Management 467 Controller’s Tool 40 – International Payment
Methods 468 Table of Controls – Treasury and Cash Management 472
Table of Risks and Controls – Treasury and Cash Management
475
Chapter 15: Test Your Knowledge 483 Chapter 15: Solutions and
Suggested Responses 485
Chapter 16: Shared Services and Business Process Outsourcing 487
Overview 487 Controller’s Tool 41 – Five Ways That Human Resources
Shared Services
Helps Small Business 489 Controller’s Tool 42 – The Benefits of
Implementing Shared Services Centers 489 Controller’s Tool 43 –
Types of Outsourcing Models 490 Controller’s Tool 44 – The
Advantages of Outsourcing 492 Business Process Outsourcing 493
Controller’s Tool 45 – Cost-Benefit Analysis 493 Controller’s Tool
46 – Information for Supplier Evaluation 494 Controller’s Tool 47 –
Considerations in Implementing Service Level Agreements
and Metrics 497 Table of Controls – Shared Service Centers and
Business Process Outsourcing 498 Table of Risks and Controls –
Shared Service Centers and Business Process Outsourcing 499
Chapter 16: Test Your Knowledge 503 Chapter 16: Solutions and
Suggested Responses 505
Chapter 17: Dashboards, Data Validation, Analytics, Metrics, and
Benchmarking 507 Overview 507 Controller’s Tool 48 – Key
Considerations for Dashboard Technology 507 Controller’s Tool 49 –
Types of Benchmarking 509 Controller’s Tool 50 – Implementing
Metrics 513 Table of Controls – Data Validation, Analytics,
Metrics, and Benchmarking 515 Table of Risks and Controls – Data
Validation, Analytics, Metrics, and Benchmarking 516
Chapter 17: Test Your Knowledge 519 Chapter 17: Solutions and
Suggested Responses 521
SECTION 7: INFORMATION TECHNOLOGY RISK 523
Table of Contents • vii
Chapter 18: Information Technology Controls and Cybersecurity 525
Overview 525 Access Control 525 User Accounts 528 Login and
Resource Access Requests 528 Internal Service Level Agreements 529
Management and Control 529 Vulnerability and Threat Management 529
Controller’s Tool 51 – Control Objectives for Information and
Related Technologies 530 Controller’s Tool 52 – Other It Internal
Control Frameworks and Considerations 532 Controller’s Tool 53 – It
Framework and Internal Control Considerations for
Small Businesses 533 Controller’s Tool 54 – Key Components of
Successful It Governance 534 Table of Controls – Information
Technology Controls and Cybersecurity 535 Table of Risks And
Controls – Information Technology Controls and Cybersecurity
541
Chapter 18: Test Your Knowledge 555 Chapter 18: Solutions and
Suggested Responses 557
SECTION 8: BUSINESS CONTINUITY AND PHYSICAL SECURITY RISK 559
Chapter 19: Business Continuity and Physical Security 561 Overview
– Business Continuity 561 Business Continuity and Disaster
Recovery: Key Definitions 561 Controller’s Tool 55 – Business
Continuity: Personnel 563 Controller’s Tool 56 – Business
Continuity: Information Technology 564 Table of Controls – Business
Continuity 565 Table of Risks and Controls – Business Continuity
567 Overview – Physical Security 570 Security Controls: Key
Definitions 570 Controller’s Tool 57 – ISO/IEC 17799:2005 572 Table
of Controls – Physical Security 574 Table of Risks and Controls –
Physical Security 577
Chapter 19: Test Your Knowledge 581 Chapter 19: Solutions and
Suggested Responses 583
SECTION 9: LEADERSHIP AND CHANGE MANAGEMENT RISK 585
Chapter 20: Leadership and Managing Change 587 Overview 587
Controller’s Tool 58 – The Henri Fayol Principles of Business
Management 587 Controller’s Tool 59 – Leadership Traits 589
Controller’s Tool 60 – Communication for Controllers 590
Controller’s Tool 61 – Guidelines for Active Listening 590 Table of
Controls – Leadership and Managing Change 591 Table of Risks and
Controls – Leadership and Managing Change 592
Chapter 20: Test Your Knowledge 595 Chapter 20: Solutions and
Suggested Responses 597
viii • Table of Contents
Chapter 21: Trends, Process Transformation, and Digitization 599
Overview 599 Controller’s Tool 62 – Blockchain Uses 599
Controller’s Tool 63 – Identifying SAAS Imposters 602 Controller’s
Tool 64 – 10 Critical Requirements for Cloud Applications 602
Process Digitization 603 Controller’s Tool 65 – Types of It
Solutions To Consider 603 Developing the Business Case 614
Controller’s Tool 66 – The Business Case Template 614 Table of
Controls – Trends, Process Transformation, and Digitization 618
Table of Risks and Controls – Trends, Process Transformation, and
Digitization 619
Chapter 21: Test Your Knowledge 625 Chapter 21: Solutions and
Suggested Responses 627
Glossary 631
Index 647
NOTICE This course and test have been adapted from supplemental
materials and uses the materials entitled The Controller’s Toolkit
by Christine H. Doxey, © 2021 by John Wiley and Sons, Inc.
Displayed by permission of the publisher, John Wiley & Sons,
Inc., Hoboken, New Jersey.
The views expressed in this text are those of the author(s) and do
not necessarily reflect the views, opinions, or positions of
Professional Education Services, LP, its employees, or
owners.
Use of these materials or services provided by Professional
Education Services, LP (“PES”) is governed by the Terms and
Conditions on PES’ website (www.mypescpe.com). PES provides this
course with the understanding that it is not providing any
accounting, legal, or other professional advice and assumes no
liability whatsoever in connection with its use. PES has used
diligent efforts to provide quality information and material to its
customers, but does not warrant or guarantee the accuracy,
timeliness, completeness, or currency of the information contained
herein. Ultimately, the responsibility to comply with applicable
legal requirements falls solely on the individual licensee, not
PES. PES encourages you to contact your state Board or licensing
agency for the latest information and to confirm or clarify any
questions or concerns you have regarding your duties or obligations
as a licensed professional.
© Professional Education Services, LP 2021
Program Publication Date 8/18/2021
INTRODUCTION: ABOUT THIS TOOLKIT
The Controller’s Toolkit provides a single source for everything
that controllers and finance and accounting professionals need to
know to be successful. This toolkit will enable aspiring, new, and
current controllers to take a giant leap forward and gain
proficiency as corporate leaders.
The comprehensive content provided in this toolkit consists of
process flows, checklists, tables of controls, and tables of risks
and controls. Each comprehensive table of risks and controls
identifies the risks to the business process, recommended policies,
controls that will mitigate the risks, and internal control
metrics. Besides laying out the accounting and technical
requirements of the controllership, this toolkit describes the
leadership skills that support the success of a controller’s
career.
This toolkit is a must-have for accounting and finance
professionals wishing to advance their careers and expand their
skills and knowledge. This toolkit may also appeal to chief
operating officers (CEOs), chief financial officers (CFOs), chief
human resources officers, controllers, treasurers, and anyone else
who is in the chain of command or who serves as an influencer for
corporate finance and accounting processes.
This toolkit is a great reference for many roles within these
wide-ranging corporate functions and for companies of many sizes.
It can also serve as a training tool, since the content takes a new
look at the roles and responsibilities of a controller.
This comprehensive toolkit is organized by specifically defined
areas of risk that apply to any company or industry. Each chapter
is focused on a business process and includes an overview, a
process flow, a table of controls, and a table of risks and
controls. The author has included 66 tools, each of which has been
designed specifically for controllers to tackle the challenges of a
specific business process. Here’s how this toolkit is
organized.
How This Toolkit Is Organized
Section Number Area of Risk Chapter Number Chapter Title
Introduction About This Toolkit 1 Defining the Role of a
Controller
1 Corporate and Reputational Risk
2 The Controller and Risk Management
3 The Controller and Ethics 4 The Controller and Corporate
Governance 5 Entity-Level Controls
6 Strategic Planning and Mergers and Acquisitions
3 Internal Control Risk 7 Internal Control Program
xii • Introduction: About This Toolkit
Section Number Area of Risk Chapter Number Chapter Title
4 Compliance Risk 8 Regulatory Compliance
5 Payment Risk 9 Procure-to-Pay 10 Hire-to-Retire 11
Order-to-Cash
6 Financial Operations Risk
14 Supply Chain Management and Inventory Control
15 Treasury and Cash Management 16 Shared Services and
Business
Process Outsourcing 17 Dashboards, Data Validation,
Analytics, Metrics, and Benchmarking
7 Information Technology Risk
8 Business Continuity and Physical Security Risk
19 Business Continuity and Physical Security
9 Leadership and Change Management Risk
20 Leadership and Managing Change
21 Trends, Process Transformation, and Digitization
Chapter 1: Defining the Role of a Controller • 1
CHAPTER 1: DEFINING THE ROLE OF A CONTROLLER
Chapter Objective
After completing this chapter, you should be able to: • Identify
the person in charge of the process related to finance and
accounting.
OVERVIEW
The controllership function is carried out by a controller, which
usually is the individual in charge of and with authority over the
processes related to finance and accounting. A controller has the
main goal of keeping the company’s bottom line secure by accurate
internal controls and well-defined financial operations. But a good
controller needs to be aware of all areas of risk that may impact a
company and its ongoing success.
The role of the controller is often defined as being a business
partner to other functions and divisions within an organization. In
many organizations the role of the finance professional is defined
as being a business partner to the organizations supported.
Controllers are faced with much broader challenges and
opportunities in today’s business world and are being asked to take
on additional responsibilities outside of the traditional “chief
accounting officer” role. Controllers are connected to most of the
key business processes within an organization. Controllers provide
the stewardship and accountability systems that ensure that the
organization is conducting its business in an appropriate, ethical
manner.
Controllers and their staffs should also provide the information,
analysis, and advice that will enable the organization’s
operational management to perform effectively. This means
understanding the impacts that the supply chain can have upon the
accounting processes for the organization.
Controllers are process driven and are always looking for practical
tools to manage their areas of responsibility and to advance their
careers. These tools can extend the competencies and efficiencies
of corporate and controllership processes, which fall under the
umbrella of governance, risk management, and compliance
(GRC).
CONTROLLER’S TOOL 1 – SUGGESTED JOB RESPONSIBILITIES FOR A
CONTROLLER
Introduction. Monster is a global online employment solution for
people seeking jobs and employers. Monster has expanded from its
roots as a job board to a global provider of a full array of
job-seeking, career-management, recruitment, and talent-management
products and services. Monster recommends the following list of job
responsibilities for a controller:
2 • Chapter 1: Defining the Role of a Controller
Suggested Job Responsibilities for a Controller • Achieves budget
objectives by scheduling expenditures, analyzing variances, and
initiating
corrective actions. • Provides status of financial condition by
collecting, interpreting, and reporting financial data. • Prepares
special reports by collecting, analyzing, and summarizing
information and trends. • Complies with federal, state, and local
legal requirements by studying existing and new legislation,
anticipating future legislation, enforcing adherence to
requirements, filing financial reports, and advising management on
needed actions.
• Ensures operation of equipment by establishing preventive
maintenance requirements and service contracts, maintaining
equipment inventories, and evaluating new equipment and
techniques.
• Completes operational requirements by scheduling and assigning
employees and by following up on work results.
• Maintains financial staff by recruiting, selecting, orienting,
and training employees. • Maintains financial staff job results by
coaching, counseling, and disciplining employees and by
planning, monitoring, and appraising job results. • Protects
operations by keeping financial information and plans
confidential.1
CONTROLLER’S TOOL 2 – CORE COMPETENCIES OF A CONTROLLER
Introduction. Within their companies, controllers are always looked
upon as accounting and financial leaders. Many controllers are
thought of as the chief accounting officer. I recently authored a
blog entry for Nvoicepay that highlights the 15 leadership skills
that a controller should have. Controllers should have a blend of
skills from two key areas: (1) accounting and business knowledge,
and (2) leadership and influence, as listed below.2
Accounting and Business Knowledge
1. Cost Control. As an example, a cost-control process would be
implemented for a major project to monitor cost performance, ensure
changes are recorded accurately, prohibit unauthorized changes,
inform stakeholders of cost changes, maintain expected costs with
acceptable limits, and monitor and document reasons for favorable
or unfavorable cost variances. As a controller, you’re responsible
for controlling cost. This involves developing policies and
procedures, systems, processes, and metrics to make sure that costs
are under control.
2. Internal Controls and Compliance. A controller usually has
overall responsibility for the internal controls program and
processes for their organization. This means that the design,
development, and testing of the operational effectiveness of each
control is the responsibility of you and your team. If you work for
a publicly traded company, you’ll also need to prepare all of the
quarterly and annual reporting requirements for Sarbanes– Oxley
(SOX).
1. Monster (n.d.). Controller job description sample. Monster
website, Job Description Templates (accessed March 8, 2020).
https://hiring.monster.com/employer-resources/job-description-templates/controller-job-description-sample.
2. Doxey, Chris (2017). 15 leadership skills every controller must
have. Nvoicepay website (June 29; accessed March 8, 2020).
https://www.nvoicepay.com/resources/blog/15-leadership-skills-controllers-must-have.
Chapter 1: Defining the Role of a Controller • 3
3. Financial Reporting and Adding Value. Controllers and their
staffs typically drive the fiscal closing process and are always
looking for ways to streamline the process and provide the results
sooner through automation and a quicker closing process.
4. Corporate Transaction Processes. Controllers have ownership of
corporate transaction processes, which include accounts payable,
accounts receivable, payroll, travel and expense (T&E), general
accounting, and others. There are always large opportunities for
streamlining these processes, as evidenced by automation and
transformation initiatives in the procure-to-pay (P2P) and
order-to-cash (O2C) processes.
5. Corporate Knowledge. Controllers should have an excellent
knowledge of what their companies do and how they are organized.
What is the culture of the company? How is the company organized?
How quickly do decisions get made?
6. Efficiency Improvements. Along with having a solid knowledge of
the corporate transaction processes that are the backbone of your
company, you should always look for ways to improve them through
process efficiencies and automation. Are there ways to combine
similar processes into a shared services organization? Can you
reduce manual invoices through implementing an e-invoicing
solution? Can you streamline your payment process by implementing
e-payment solutions or even outsourcing your payment process?
7. Analytics. A savvy controller is driven by analytics and
metrics. The results of a well- developed metrics program will
indicate how well your company’s business processes are working and
where improvements were successfully implemented. Metrics will also
reveal problem areas and should have the analytics to drill down to
find the solution.
Leadership and Influence
8. Business Partnerships. Since a controller oversees the
accounting processes for a company, maintaining good business
partnerships is a key success factor. You should identify your
areas of influence and ensure you have a good relationship or
partnership with the leadership in other departments. Key
departments usually include information technology (IT), legal,
human resources (HR), business ethics, supply chain, and
procurement.
9. Communication. Communication is a personal process that should
be appropriate for both the audience and situation. Choosing the
wrong communications channel could send the wrong message. For
example, a decision that dramatically impacts a person’s career
should never be delivered via an impersonal form letter. It’s
always good to consider how it would feel to be on the receiving
end. Think about it: If you were being recognized for outstanding
work or many years of service, would a personal thank-you note or
an e-mail be more meaningful to you?
4 • Chapter 1: Defining the Role of a Controller
10. Active Listening. The concept behind active listening is
encouraging the speaker to state what they really mean and stems
from the work of counselors and therapists. The goal of active
listening is to help associates express themselves, offer
suggestions, and get to the root of a matter.
1) Listen for the content of the message and organize it into key
components.
2) Listen for feelings about the key points being conveyed.
3) Ensure that you respond to feelings appropriately and with
compassion.
4) Be cognizant of any overreaction to the situation.
5) Watch verbal and nonverbal signals and be prepared to reconvene
the discussion if necessary.
6) Repeat and paraphrase the key points that were conveyed.
7) Wait until the speaker is finished.
8) Do not plan your response until the speaker is finished.
9) Never interrupt to state you own opinion.
10) Maintain eye contact if you are in a face-to-face
meeting.
11. Leadership Style. Based on an analysis of all the leadership
styles, it makes sense that a controller should be flexible,
understand his or her own core leadership style, value team
members, and be cognizant of all factors impacting a situation.
Although situational leadership is touted as the best leadership
style, the situation should not change one’s core values or ethics.
Great leaders have an in-depth understanding of which leadership
style works best for them.
12. Motivation and Inspiration. Motivation involves using words and
examples that give your team the will to accomplish an objective or
take action. Motivation occurs when one has confidence, feels a
sense of belonging to a solid team, and has good leadership.
Motivation is nurtured by constant reinforcement, a level of trust,
and loyalty to the organizational leader, the company, or both.
True team motivation occurs when team members motivate each
other.
13. Managing Change. One of the major challenges of change
management is assessing readiness for change. Unfortunately, this
assessment does not always take place and the risks associated with
the change are not always properly addressed. The goal of assessing
change readiness is to identify specific issues and to plan for and
address those issues so that risks are minimized. If that
assessment does not take place, performance improvement may either
be delayed or not achieved, and associated costs can be higher than
expected.
14. Emotional Intelligence. Psychologist and author Daniel Goleman
is cochair of the Consortium for Research on Emotional Intelligence
in Organizations, based at Rutgers University. He first brought the
term emotional intelligence to a wide audience with his
Chapter 1: Defining the Role of a Controller • 5
1995 book of the same name. According to Goleman, the chief
components of emotional intelligence are self-awareness,
self-regulation, motivation, empathy, and social skills.
15. Building a Strong Team. Choosing the right team members is
critical to being a good controller. Unless your staff is
competent, cohesive, communicative, and committed, you will not be
able to fulfill your controllership responsibilities.
CONTROLLER’S TOOL 3 – THE CONTROLLER’S BUSINESS PARTNERSHIP
MATRIX
Introduction. Controllers should consider building business
partnerships with the organizations included in the table below.
This business partnership matrix was developed to provide a listing
of potential business partnership organizations. The matrix also
includes the areas of influence that will drive the business
partnership. Although the areas of influence will differ in public
and private companies, the value of a business partnership can be
critical to the success of a controller.
Suggested Business Partnership Organization
Area of Influence
HR and Benefits • HR and Payroll Internal Controls • Entity-Level
Controls • HR Policy • HR Policies to Support Internal Controls,
Such as Policies
for Corporate Cardholder Agreements • Controller Staff Development
and Training Programs • Benefit Plan Decision Making • Pension Plan
Investment Analysis and Decision Making • Sarbanes–Oxley 302 and
404
Facilities • Physical Security Controls • Facility Strategy
• Closing Old Facilities • Building New Facilities
• Capital Budgets • Depreciation Analysis • Risk Management •
Insurance Plans • Asset Impairment • Sarbanes–Oxley 302 and
404
Supply Chain • Supply Chain Internal Controls • Supply Chain
Strategy • Logistics Outsourcing Strategy • Inventory Control •
Inventory Fraud Detection and Prevention • Operational Metrics and
Reporting • Risk Management • Sarbanes–Oxley 302 and 404
6 • Chapter 1: Defining the Role of a Controller
Suggested Business Partnership Organization
Legal and Risk Management • Entity-Level Controls • Risk Management
• Insurance • Record Management • Contract Compliance • Regulatory
Compliance Issues • Fraud Detection and Prevention • Sarbanes–Oxley
302 and 404
Compliance • Regulatory Compliance Applicable to the Organization •
Address Compliance Issues and Ensure the Implementation
of Corrective Action Plans • Sarbanes–Oxley 302 and 404
Internal Audit • Control Self-Assessment Programs • Address Control
Issues and Ensure the Implementation of
Corrective Action Plans • Recommend Audit Plan and Focus •
Sarbanes–Oxley 302 and 404
Ethics and Compliance • Entity-Level Controls • Entity-Level
Control Questionnaire • Ethics Hotline Issues • Whistleblower
Protection • Fraud Detection and Prevention • Tone at the Top •
Sarbanes–Oxley 302 and 404
Security and Investigations • Ethics Hotline Issues • Fraud
Detection and Prevention • Security Controls • Physical Security •
Protection of Company Data
Information Technology • Develop IT Strategy • IT Controls
• System Access Controls • Reporting and Metrics • Selection of ERP
Systems
• Cost Analysis • Functionality
• Financial Systems • Capital Budget • Asset Impairment • IT
Business Continuity Plan • Sarbanes–Oxley 302 and 404
Chapter 1: Defining the Role of a Controller • 7
CONTROLLER’S TOOL 4 – THE CONTROLLER’S SPAN OF INFLUENCE
Introduction. The controller position impacts nearly every aspect
of the organization. The role of the controller now requires broad
interpersonal skills. It is important to build relationships with
the management or senior team members of every function within the
organization. As an example, if there is a large investment in
inventory, the controller should establish a relationship with the
inventory controls manager and the materials manager for the
organization. The wider range of functions managed by the
controller means a broader range of functional knowledge. In
general, the controller should be familiar with enterprise resource
planning (ERP) systems, internal auditing, and the organization’s
functional and administrative areas.
The Controller’s Span of Influence • Ensure that regulatory and
compliance requirements are followed across all divisions. • Attend
and participate in interdepartmental meetings. • Support strategic
planning and ensure that corporate budgets are linked to the
planning process. • Provide opinions on the effectiveness of other
departments. • Implement and manage the company’s internal program
and ensure that controls are operating
effectively. • Implement and manage the effectiveness of corporate
policies, including:
• Delegation of authority policy • Segregation of duties policy •
Internal controls policy
• Develop enhanced internal control programs and remediation
activities to address control weaknesses.
• Develop and implement organization-wide metrics, scorecards, and
analytics. • Acquire and approve insurance coverage. • Conduct
public offerings. • Deal with investors and lenders. • Determine
credit limits for strategic customers. • Invest pension funds. •
Invest surplus funds. • Administer changes to the pension plan. •
Maintain employee files.
8 • Chapter 1: Defining the Role of a Controller
THIS PAGE INTENTIONALLY LEFT BLANK.
Chapter 1: Defining the Role of a Controller • 9
CHAPTER 1: TEST YOUR KNOWLEDGE
The following questions are designed to ensure that you have a
complete understanding of the information presented in the chapter
(assignment). They are included as an additional tool to enhance
your learning experience and do not need to be submitted in order
to receive CPE credit.
We recommend that you answer each question and then compare your
response to the suggested solutions on the following page(s) before
answering the final exam questions related to this chapter
(assignment).
1. Which of the following is generally correct regarding
controllers:
A. controllers are only concerned with risks that affect the bottom
line of a company
B. controllers generally limit themselves to performing the
traditional tasks of the chief accounting officer
C. controllers generally are more results driven than process
driven
D. controllers are usually in charge of the process related to
finance and accounting
2. Which of the following is a best practice for being an active
listener:
A. interrupt as needed to state an opinion
B. plan a response while the speaker is speaking
C. repeat and paraphrase key points that were conveyed
D. avoid frequent eye contact
10 • Chapter 1: Defining the Role of a Controller
THIS PAGE INTENTIONALLY LEFT BLANK.
Chapter 1: Defining the Role of a Controller • 11
CHAPTER 1: SOLUTIONS AND SUGGESTED RESPONSES
Below are the solutions and suggested responses for the questions
on the previous page(s). If you choose an incorrect answer, you
should review the pages as indicated for each question to ensure
comprehension of the material.
1. A. Incorrect. Good controllers need to be aware of all areas of
risk that may impact a company and its ongoing success, not just
the risks associated with the bottom line.
B. Incorrect. Controllers are faced with much broader challenges
and opportunities in today’s business world and being asked to take
on additional responsibilities outside of the traditional chief
accounting officer role.
C. Incorrect. Controllers are process driven and are always looking
for practical tools to manage their areas of responsibility.
D. CORRECT. The controllership function is carried out by a
controller, which usually is the individual in charge of, and with
the authority over, the process related to finance and
accounting.
(See page 1 of the course material.)
2. A. Incorrect. To be an active listener, individuals should never
interrupt a speaker in order to state their own opinion.
B. Incorrect. The active listener should not plan their response
until the other person is done talking.
C. CORRECT. One hallmark of active listening is to repeat and
paraphrase key points that were conveyed.
D. Incorrect. Active listeners should maintain eye contact when in
face-to-face meetings.
(See page 4 of the course material.)
12 • Chapter 1: Defining the Role of a Controller
THIS PAGE INTENTIONALLY LEFT BLANK.
Section 1: Corporate and Reputational Risk • 13
SECTION 1: CORPORATE AND REPUTATIONAL RISK
SECTION INTRODUCTION
“We are living in a trust paradox,” said Richard Edelman, CEO of
Edelman, a global communications firm. “Since we began measuring
trust 20 years ago, economic growth has fostered rising trust. This
continues in Asia and the Middle East but not in developed markets,
where national income inequality is now the more important factor.
Fears are stifling hope, and long-held assumptions about hard work
leading to upward mobility are now invalid.”1
The trust of employees, shareholders, and customers drives
corporate and reputational risk. Reputational risk has
traditionally been seen as an outcome of other risks and not
necessarily as a stand-alone risk. This view has been gradually
changing, because it is increasingly clear that reputation is
critical to the viability of a company.
Reputational risk refers to the potential for negative publicity,
public perception, or uncontrollable events to have an adverse
impact on a company’s reputation, thereby affecting its revenue. A
controller can mitigate reputational risk through risk management
processes, code of conduct, ethics, corporate governance, and the
implementation and ongoing validation of entity-level controls.
Mitigating reputational and corporate risk is an ongoing process
that is critical to the success of a company.
1. Edelman (2020). 2020 Edelman Trust Barometer reveals growing
sense of inequality is undermining trust in institutions. January
19, 2020, Edelman website, accessed April 10, 2020,
https://www.edelman.com/news-awards/2020-edelman-trust-
barometer.
14 • Section 1: Corporate and Reputational Risk
THIS PAGE INTENTIONALLY LEFT BLANK.
Chapter 2: The Controller and Risk Management • 15
CHAPTER 2: THE CONTROLLER AND RISK MANAGEMENT
Chapter Objective
After completing this chapter, you should be able to: • Recall the
characteristics of risk management.
OVERVIEW
Companies of all sizes are subject to a variety of risks. Among
them are legal, regulatory, strategic, operational, financial, and
reputational. Each functional organization is subject to one or
more of these types of risk, each of which may impact the company’s
bottom line. Companies use a number of tools, such as insurance,
establishment of reserve funds, and investment policies (including
options and futures), to address some of their risks.
The controller should ensure that the organization’s internal
controls properly address risk by conducting a risk assessment and
analysis of the relevant risks that may impact the achievement of
company objectives. Furthermore, economic, industry, regulatory,
operating, and compliance impacts are always changing. A controller
should establish the appropriate methodology to assess and react to
different kinds of risk.
RISK MANAGEMENT DEFINED
Risk management is a process for identifying, assessing, and
prioritizing risks of different kinds. Once the risks are
identified, the risk manager will create a plan to minimize or
eliminate the impact of negative events. Risk management can also
be defined as the process of assessing risk and acting in such a
manner, or prescribing policies and procedures, so as to avoid or
minimize loss associated with such risk. Risk management is not a
regulatory requirement but is an important focus of all types of
organizations.
The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) defines enterprise risk management (ERM) as
follows:
Enterprise risk management is a process, effected by an entity’s
board of directors, management, and other personnel, applied in
strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.
The Global Association of Risk Professionals (GARP) defines risk
management in this way:
Risk management is a structured approach to monitoring, measuring,
and managing exposures to reduce the potential impact of an
uncertain event happening.
16 • Chapter 2: The Controller and Risk Management
RISK MANAGEMENT PROCESS FLOW
Chapter 2: The Controller and Risk Management • 17
When developing a risk management plan, a controller should
consider the factors that may create risk. These factors are:
• Inadequate management reporting and monitoring
• Inadequate financial performance metrics
• Legal and regulatory violations
• Excessive bad debt and inventory write-offs
• Internal and external fraud
• Lack of a business continuity plan
After considering the risk factors above, a controller should
develop a risk policy that outlines the risk management framework
of an organization in relation to its objective. Risk policies will
vary across industries and companies based on the ability to absorb
losses and the rate of return an organization seeks from
operations.
CONTROLLER’S TOOL 5 – TYPES OF RISK
Introduction. Besides the types of risk identified in this book,
there are other types of risk that controllers should consider when
defining a risk management process for their companies. These types
of risk are provided below.
Type of Risk
Operational Risk. Operational risk is a potential risk of loss
resulting from inadequate or failed internal processes, from people
and systems, or from external events. The result of unmanaged
operational risk is an operational failure.
Financial Risk. Financial risk is sometimes referred to as treasury
risk. Hedging attempts to reduce financial risk by matching a
position with an opposite and offsetting position in a financial
instrument that tracks or mirrors the value changes in the
position.
Fraud Risk. Fraud risk is a potential violation of the
organization’s ethics and compliance standards, business practice
requirements, financial reporting integrity, and other
objectives.
Market Risk. Market risk deals with the different types of
financial market risks, such as interest rate risk, equity risk,
commodity risk, and currency risk.
Credit Risk. Credit risk is the risk of loss due to nonpayment of a
loan, bond, or other credit instrument.
18 • Chapter 2: The Controller and Risk Management
Commodity Risk. Commodity risk is a potential loss from an adverse
change in commodity prices.
Currency Risk. Currency risk management focuses on the fluctuations
in currency values (see Financial Risk).
Project Risk. Project risk is the risk associated with not
completing a project within the expected timeline and budget.
Technology and Software Risks. Technology and software risks are
associated with implementation of new technology or software and
the impact that the implementation may have on the
organization.
CONTROLLER’S TOOL 6 – RISK MANAGEMENT FRAMEWORKS
Introduction. There are several risk management frameworks that a
controller should consider when developing an internal controls
structure to mitigate specific areas of risk across the company.
The type of framework selected will depend upon company strategy
and customer requirements. As the company works with the risk
management team, it should consider the risk events that can be
fatal to the company and jeopardize its survival.
Multiple studies have found that people overestimate their ability
to influence events that, in fact, are heavily determined by
chance. We tend to be overconfident about the accuracy of our
forecasts and risk assessments and far too narrow in our assessment
of the range of outcomes that may occur.1
Type of Risk Management Framework
Overview
ISO 31000:2018
https://www.iso.org/ standard/65694.html
This updated standard now defines risk as the “effect of
uncertainty on objectives,” with a focus on the effect of
incomplete knowledge of events or circumstances on an
organization’s decision-making.
This requires a change in the traditional understanding of risk,
forcing organizations to tailor risk management to their needs and
objectives – a key benefit of the standard. Jason Brown explains:
“ISO 31000 provides a risk management framework that supports all
activities, including decision-making across all levels of the
organization.
“The ISO 31000 framework and its processes should be integrated
with management systems to ensure consistency and the effectiveness
of management control across all areas of the organization.” This
would include strategy and planning, organizational resilience, IT,
corporate governance, HR, compliance, quality, health and safety,
business continuity, crisis management, and security.2
1. Kaplan, Robert S. and Mikes, Anette (2012). Managing risks: A
new framework. Harvard Business Review (June; accessed April 28,
2020). https://hbr.org/2012/06/managing-risks-a-new-framework. 2.
Tranchard, Sandrine (2018). The new ISO 31000 keeps risk management
simple. ISO website, News (February 15; accessed March 24, 2020).
https://www.iso.org/news/ref2263.html.
Chapter 2: The Controller and Risk Management • 19
Type of Risk Management Framework
Overview
COSO Enterprise Risk Management – Integrating with Strategy and
Performance (2017)
https://www.coso.org/ Pages/default.aspx
“In keeping with its overall mission, the COSO board commissioned
and published in 2004 Enterprise Risk Management – Integrated
Framework. Over the past decade, that publication has gained broad
acceptance by organizations in their efforts to manage risk.
“However, also through that period, the complexity of risk has
changed, new risks have emerged, and both boards and executives
have enhanced their awareness and oversight of enterprise risk
management while asking for improved risk reporting. This update to
the 2004 publication addresses the evolution of enterprise risk
management and the need for organizations to improve their approach
to managing risk to meet the demands of an evolving business
environment. The updated document, titled Enterprise Risk
Management – Integrating with Strategy and Performance, highlights
the importance of considering risk in both the strategy-setting
process and in driving performance.”3
National Institute of Standards and Technology (NIST) Risk
Management Framework
https://www.nist. gov/system/files/ documents/2018/03/28/
vickie_nist_risk_ management_ framework_overview- hpc.pdf
The selection and specification of security controls for a system
is accomplished as part of an organization-wide information
security program that involves the management of organizational
risk – that is, the risk to the organization or to individuals
associated with the operation of a system. The management of
organizational risk is a key element in the organization’s
information security program and provides an effective framework
for selecting the appropriate security controls for a system – the
security controls necessary to protect individuals and the
operations and assets of the organization.4
CONTROLLER’S TOOL 7 – CONSIDERATIONS FOR MANAGING RISK WITH AN
ENTERPRISE RISK MANAGEMENT MODEL
Introduction. The following tool provides an approach to consider
when implementing an ERM model. ERM aims to attain informed
business decisions by evaluating total returns relative to total
risks, which can be determined by asking these questions:
3. COSO (n.d.). Guidance on enterprise risk management. COSO
website (accessed March 24, 2020). https://www.coso.org/
Pages/erm.aspx. 4. NIST (2016). FISMA implementation project, risk
management framework (RMF) overview. NIST website, Projects
(accessed March 24, 2020).
https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview.
20 • Chapter 2: The Controller and Risk Management
I. Internal Environment 1. What is the overall risk appetite of the
organization? 2. How committed is the board of directors (BoD) to
establishing a risk management
philosophy? 3. Are there integrity, ethical values, and a
commitment to competence in the organization? 4. Is the assignment
of authority and responsibility over risks well managed? Who
manages this process? 5. What is the organizational structure of
the company and departments? 6. What HR standards related to risk
management are currently in place?
II. Objective Setting 7. How well are strategic and related
objectives defined? 8. How is the achievement of these objectives
monitored? 9. What activities are on your risk management goal
sheet for this year? 10. What does the company need to do well over
the next year in order to succeed and
reach its goals? What factors do you consider to be critical to
your company’s success in the next year?
11. What areas would you like to see moved to the next level of
performance? 12. What could prevent you from achieving your goals
(e.g. people, processes, funding,
etc.)? III. Event Identification
13. How do internal and external forces impact the risk profile?
14. What other event identification techniques are in place (e.g.
self-assessments, SOX,
report reviews, trend reporting, fraud hotline, etc.)? 15. How are
deficiencies captured and reported? 16. How does the organization
distinguish between risks and opportunities?
IV. Risk Assessment 17. What does management perceive to be the
largest risks to the company, in terms of
significance and likelihood? 18. What do managers perceive to be
the biggest risks within their areas of control? Please
provide examples. 19. Thinking of other areas within the company,
how well does management receive
information from shared services groups (e.g. IT, finance, HR)? 20.
What additional information would management like to have
accessible in order to better
perform its responsibilities? 21. In management’s opinion, what
areas or processes are most susceptible to fraud? 22. Is management
aware of any instances of fraud within the company?
What/how/who?
V. Risk Response 23. How are risks monitored and reported within
the organization? 24. How effectively are identified risks managed?
25. What is management doing specifically to manage identified
risks (e.g. financial
statement variance reporting, trend reporting, credit reporting,
insurance policies, legal, BoD involvement and reporting)?
Chapter 2: The Controller and Risk Management • 21
VI. Control Activity 26. What is management’s assessment of the
effectiveness of overall controls in preventing
risks and carrying out risk activities within your organization?
27. How are the defined control activities tested? 28. What type of
review process takes place for policies and procedures? 29. What
type of review process takes place for IT application controls and
the IT general
control environment? 30. What components are included in the
company’s entity-level controls program?
VII. Information and Communication 31. How does the
organization/department capture information and communicate
related
risk? 32. What communications barriers are present within the
organization? 33. What ongoing monitoring activities are in place
(e.g. compliance monitoring, Internal
Audit (IA), risk management group, BoD monitoring, etc.)?
TABLE OF CONTROLS – RISK MANAGEMENT
Process: Risk Management 1. Governance and ownership of the risk
management process are clearly established. 2. Roles and
responsibilities for the risk management process are clearly
defined. 3. Risk management processes begin and end with clearly
defined business objectives. 4. The risk management model to be
used is defined and communicated to executive
management for approval and implementation. 5. A risk rating system
is defined in relation to organization’s objectives and considers
all
types of risks applicable to the company. Risk rating scales are
tied to the company’s risk management model and establish risk
tolerances and are determined based on the calculated or perceived
severity of the consequences. Leading indicators are used to
provide insight into potential risks using market, industry trends,
and weather and world health impacts.
6. A risk portfolio is developed to support decision-making. This
portfolio is updated on an annual basis.
7. Action plans and remediation activities are in place to address
potential risks. 8. Risk-based internal controls are prioritized
based on mitigating risk. All companies,
regardless of size, structure, nature, or industry encounter risks
at all levels within their organizations. Risks affect each
company’s ability to survive, successfully compete within its
industry, maintain financial strength and a positive public image,
and maintain the overall quality of its products, services, and
people. Since there is no practical way to reduce risk to zero,
management should determine how much risk should be prudently
accepted and strive to maintain risk at acceptable levels by
considering the implementation of risk-based controls.
9. Risk assessment plans and schedules are communicated to the
audit committee, the BoD, and executive management. A schedule is
in place to ensure that a risk assessment is conducted in a timely
manner.
10. Significant risks are communicated to executive management and
the BoD when they are identified.
22 • Chapter 2: The Controller and Risk Management
TABLE OF RISKS AND CONTROLS – RISK MANAGEMENT
Process: Risk Management
Process Risk Recommended
Policies Internal Controls KPIs
1. The value of a risk management process is limited. The owner of
a risk assessment must clearly communicate its purpose, process,
and expected benefits. The right parties must be engaged to ensure
relevant input, informed assessment, and meaningful and actionable
results.
Risk Strategy
Risk Tolerance
8. Risk-Based Controls
10.Communication of Significant Risks
Number of Risks Requiring Remediation
Number of Risks That Occurred More than Once
Predicted Risk Severity Compared to Actual Severity
Number of Risks That Were Not Identified
Cost of Risk Management
Number of Risks Mitigated
2. Results are difficult to use. Failure to effectively organize
and manage the volume and quality of assessment data makes
interpreting that data a challenge. Tools, templates, and guidance
are necessary to ensure consistency in data capture, assessment,
and reporting.
Risk Strategy
Risk Tolerance
8. Risk-Based Controls
Number of Risks Requiring Remediation
Number of Risks That Occurred More than Once
Predicted Risk Severity Compared to Actual Severity
Number of Risks That Were Not Identified
Number of Risks Mitigated
Process: Risk Management
Process Risk Recommended
Policies Internal Controls KPIs
3. Results of the risk assessment are not acted upon. Lack of
clarity and accountability around objectives frequently leads to a
failure to follow through on assessment findings.
Risk Assessment Policy
Internal Controls Policy
8. Risk-Based Controls
10. Communication of Significant Risks
Number of Risks Identified per Period
Number of Risks Requiring Remediation
Number of Risks That Occurred More than Once
Predicted Risk Severity Compared to Actual Severity
Number of Risks That Were Not Identified
Number of Risks Mitigated
4. Risk is overcontrolled, resulting in excessive costs and stifled
innovation. Lack of an effective risk assessment process and
defined risk tolerance could result in an organization
overcontrolling a risk, which could place an excessive cost burden
on the organization and/ or stifle its ability to seize
opportunities.
Risk Strategy
Risk Tolerance
8. Risk-Based Controls
10. Communication of Significant Risks
Cost of Risk Management
Process: Risk Management
Process Risk Recommended
Policies Internal Controls KPIs
5. Risk assessments become stale, providing the same results every
time. Without their data capture, process, and reporting being
refreshed from time to time, risk assessments may lose
relevance.
Risk Management Policy
Risk Assessment Policy
Internal Controls Policy
8. Risk-Based Controls
10. Communication of Significant Risks
Number of Risks Identified per Period
Number of Risks Requiring Remediation
Number of Risks That Occurred More than Once
Predicted Risk Severity Compared to Actual Severity
Number of Risks That Were Not Identified
Cost of Risk Management
Number of Risks Mitigated
6. Risk assessment is added onto day-to-day responsibilities
without being integrated into business processes. While tools and
templates are helpful to ensure consistency in data capture,
assessment, and reporting, it is important that the risk assessment
process be anchored and integrated into existing business
processes.
Risk Management Policy
Risk Assessment Policy
Internal Controls Policy
8. Risk-Based Controls
10. Communication of Significant Risks
Number of Risks Identified per Period
Number of Risks Requiring Remediation
Number of Risks That Occurred More than Once
Predicted Risk Severity Compared to Actual Severity
Number of Risks That Were Not Identified
Cost of Risk Management
Number of Risks Mitigated
Process: Risk Management
Process Risk Recommended
Policies Internal Controls KPIs
7. Too many different risk assessments are performed across the
organization. A shared approach should be defined for performing
risk assessments, using common tools or templates, common data sets
(e.g. risk categories, libraries of risks and controls, rating
scales), and flexible hierarchies to enable streamlined data
capture, an integrated assessment process, and flexible
reporting.
Risk Management Policy
Risk Assessment Policy
8. Risk-Based Controls
10. Communication of Significant Risks
Number of Risks Identified per Period
Number of Risks Requiring Remediation
Number of Risks That Occurred More than Once
Predicted Risk Severity Compared to Actual Severity
Number of Risks That Were Not Identified
Cost of Risk Management
Number of Risks Mitigated
Process: Risk Management
Process Risk Recommended
Policies Internal Controls KPIs
8. Risk assessments are not structured to prevent the next big
failure. As risk assessment provides a means for facilitating the
discussion around key risks and potential control failures, it
helps reduce the risk of breakdowns, unanticipated losses, and
other significant failures. Risk assessments need to invoke the
right subject- matter experts and consider not only past experience
but also forward-looking analysis.
Risk Strategy
Risk Tolerance
8. Risk-Based Controls
10. Communication of Significant Risks
Number of Risks Identified per Period
Number of Risks Requiring Remediation
Number of Risks That Occurred More than Once
Predicted Risk Severity Compared to Actual Severity
Number of Risks That Were Not Identified
Cost of Risk Management
Number of Risks Mitigated
Process: Risk Management
Process Risk Recommended
Policies Internal Controls KPIs
9. Key principles are not put to work. With organizations facing a
fluid and seemingly endless array of risks and obligations, these
key principles should be leveraged to provide the consistent
platform necessary to effectively manage these risks in a cost-
effective and sensible way.
Risk Strategy
Risk Tolerance
8. Risk-Based Controls
10. Communication of Significant Risks
Number of Risks Identified per Period
Number of Risks Requiring Remediation
Number of Risks That Occurred More than Once
Predicted Risk Severity Compared to Actual Severity
Number of Risks That Were Not Identified
Cost of Risk Management
Number of Risks Mitigated
THIS PAGE INTENTIONALLY LEFT BLANK.
Chapter 2: The Controller and Risk Management • 29
CHAPTER 2: TEST YOUR KNOWLEDGE
The following questions are designed to ensure that you have a
complete understanding of the information presented in the chapter
(assignment). They are included as an additional tool to enhance
your learning experience and do not need to be submitted in order
to receive CPE credit.
We recommend that you answer each question and then compare your
response to the suggested solutions on the following page(s) before
answering the final exam questions related to this chapter
(assignment).
1. Which of the following is correct regarding the risks faced by
companies:
A. the risks faced by companies rarely change over time
B. the controller should ensure that an organization’s internal
controls properly address risk
C. generally, the only types of risk faced by organizations are
legal or regulatory
D. all of the above
2. Hedging is utilized in an attempt to reduce which of the
following types of risk:
A. operational risk
B. credit risk
C. financial risk
D. project risk
THIS PAGE INTENTIONALLY LEFT BLANK.
Chapter 2: The Controller and Risk Management • 31
CHAPTER 2: SOLUTIONS AND SUGGESTED RESPONSES
Below are the solutions and suggested responses for the questions
on the previous page(s). If you choose an incorrect answer, you
should review the pages as indicated for each question to ensure
comprehension of the material.
1. A. Incorrect. Economic, industry, regulatory, operating, and
compliance risks are always changing. Risk is rarely static.
B. CORRECT. The controller should ensure that the organization’s
internal controls properly address risk by conducting a risk
assessment and analysis of the relevant risks that may impact the
achievement of company objectives.
C. Incorrect. Companies face a variety of risks, including legal,
regulatory, strategic, operational, financial, and
reputational.
D. Incorrect. Only one of the provided selections is correct.
(See page 15 of the course material.)
2. A. Incorrect. Hedging is not used in an effort to minimize
operational risk.
B. Incorrect. Credit risk is the risk of loss due to nonpayment of
a loan, bond, or other credit instrument. Hedging does not minimize
this risk.
C. CORRECT. Hedging attempts to reduce financial risk by matching a
position with an opposite and offsetting position in a financial
instrument that tracks or mirrors the value changes in the
position.
D. Incorrect. Project risk is not mitigated through the use of
hedging.
(See page 17 of the course material.)
32 • Chapter 2: The Controller and Risk Management
THIS PAGE INTENTIONALLY LEFT BLANK.
Chapter 3: The Controller and Ethics • 33
CHAPTER 3: THE CONTROLLER AND ETHICS
Chapter Objective
After completing this chapter, you should be able to: • Recall
recommendations to consider when implementing an ethics training
program.
OVERVIEW
In this chapter we’ll define the requirements for an ethics program
that supports the company’s tone at the top and ensures corporate
compliance. We’ll demonstrate how tone at the top can impact the
external perception of the company and influence the attitude of
employees and dedication to internal controls. A code of conduct is
defined as the policies and procedures that support the
organization’s tone at the top.
The connection between fraud and the tone at the top of an
organization has received a great deal of attention over the last
few years. Tone at the top refers to the ethical atmosphere that is
created in the workplace by the organization’s leadership. Whatever
tone management sets will have a trickle-down effect on employees
of the company. If the tone set by managers upholds ethics and
integrity, employees will be more inclined to uphold those same
values.
As a best practice, many organizations integrate ethics and
compliance requirements into all business processes. Controllers
need to ensure that an environment of ethics and compliance is
embedded within their areas of responsibility. A controller plays a
key role in managing all internal control initiatives in private
and public companies. These initiatives usually include the
deployment of ethical standards and/ or a code of conduct for the
organization. The controller may work with the organization’s
ethics and/or compliance officer to ensure that the tone at the top
is embedded in internal controls programs.
WHAT IS TONE AT THE TOP?
The tone at the top establishes the integrity of a company and
directs how employees, shareholders, and stakeholders of a company
will behave. A tone at the top focused on personal salary and greed
that supports and overlooks fraudulent activities results in a
company that may behave the same way. A tone at the top that is
focused on doing the right thing for employees, shareholders, and
stakeholders results in a company that has an environment of
openness and honesty. As Michael Volkov of the Volkov Law Group
states, “Compliance professionals frequently cite “tone-at-top” as
an essential component of a compliance program. It sounds good and
a few quick sentences on the topic is usually all that is provided
when explaining what this means.”1
1. Volkov, Michael (2012). How to define “tone-at-the-top.”
Corruption, Crime & Compliance blog (September 30; accessed
March 24, 2020).
https://blog.volkovlaw.com/2012/09/how-to-define-tone-at-the-top.
34 • Chapter 3: The Controller and Ethics
ETHICS PROGRAM PROCESS FLOW
Chapter 3: The Controller and Ethics • 35
Business owners and managers affect an organization’s ethical
culture by implementing practices, policies, and procedures – and
equally importantly, by following them. Properly setting the tone
at the top of a business can help to send a clear message,
reinforcing the owners’ and managers’ commitment to integrity and
ethical values. Tone at the top must be constantly communicated and
enforced so that there is a clear understanding of the company’s
emphasis on ethical behavior. Employees must understand the
consequences if there is a violation of this organization-wide
requirement.
EXAMPLE – CODE OF CONDUCT: MCI
Several codes of conduct are provided in the reference section of
this chapter. But as a compelling example, we are providing the
code of conduct that was used at MCI (formerly WorldCom) below.
Much of the content of this code were taken from the code of
conduct that Michael Capellas developed when he was CEO of Compaq
Computer Corporation (acquired by Hewlett-Packard). When Capellas
became CEO of MCI, he knew that one of his most important actions
would be to establish a foundation of ethics and integrity at the
company.
He hired an ethics officer from Boeing and started a company-wide
campaign to communicate the company’s tone at the top. Every
employee attended web-based quarterly training sessions and was
tested at the end of every session. Additionally, employees were
often asked to recite all 10 components of the company’s code of
conduct by Capellas:
1. Do what you say and say what you do.
2. Treat each other with dignity and integrity.
3. Everyone should be comfortable to speak his or her own
mind.
4. Management leads by example.
5. Follow company policy and regulatory requirements.
6. Avoid conflicts of interest.
7. Establish metrics and report results accurately.
8. Focus on what is important and not what is convenient.
9. Be loyal to your families, your company, yourselves.
10. Do the right thing because it’s the right thing to do.
THE REACTION TO UNETHICAL BEHAVIOR
The federal government and the accounting industry have responded
to the erosion of public trust in the accuracy of financial
reporting results by enacting legislation and standards that
specifically address management’s responsibilities.
The Sarbanes–Oxley Act of 2002 (SOX) addresses publicly held
entities and identifies the CEO and CFO as the primary parties
responsible for setting the tone at the top of an organization;
moreover, it holds
36 • Chapter 3: The Controller and Ethics
them personally accountable for accurate financial reporting and
discovering and disclosing fraudulent behavior. Even though SOX
applies to publicly held companies, many privately held companies
and organizations have implemented its internal control
requirements as best practices. And many private companies strongly
embrace its internal control requirements if there are plans to
become public.
An overview of Sections 302 and 404 of SOX is provided for your
reference in the figure in the next section. The main requirements
of Sections 302 and 404 are the annual management assessment
process and the quarterly certification process (respectively). An
example of a quarterly internal control certification process is
included in the figure.
Both processes require the statements that the tone at the top is
ethically sound and that no fraudulent activities have occurred
during the reporting period.
Establishing (and continually reviewing) a code of conduct, ethics
policy, and statement of business principles identifies and
documents exactly what behaviors are acceptable within an
organization. HR policies that reflect these protocols can ensure
that the company is adequately protected from unethical behavior,
and implementing such policies related to hiring, training, and
promoting staff can keep unethical individuals from joining an
organization or obtaining a position of trust.
A COMPARISON OF SARBANES–OXLEY SECTION 302 AND SECTION 404
Chapter 3: The Controller and Ethics • 37
SARBANES–OXLEY AND WHISTLEBLOWER PROTECTION
SOX encourages the disclosure of corporate fraud by protecting
employees of publicly traded companies or their subsidiaries who
report illegal activities. Section 806 of SOX authorizes the US
Department of Labor to protect whistleblowers against employers who
retaliate and further authorizes the US Department of Justice to
criminally charge those responsible for the retaliation.
Under Section 806 of SOX, an employee engages in protected
whistleblower conduct by providing information about matters that
he or she reasonably believes are violations of:
• Federal mail, wire, bank, or securities fraud statutes
• Federal law relating to fraud against shareholders
• Any rule or regulation of the Securities and Exchange Commission
(SEC)
CONTROLLER’S TOOL 8 – ETHICS TRAINING PROGRAMS
Introduction. An ethics training program is more effective when
employees can apply the concepts to their work environments.
Examples include the discussion of case studies and role playing
exercises. Training is often the responsibility of an ethics or
compliance officer and should be provided quarterly and at least
annually. An ethics training program should focus on the required
behavior within specific situations, such as when and how to report
fraud. Some companies focus on their training efforts after a
significant event has occurred. These companies refer to the
significant event during the training so that employees have a
real-life point of reference. The list below provides
recommendations to consider when implementing an ethics training
program.
1. Ethics programs should target the required behavior.
2. Ethics programs should include a process for asking questions
and getting management action to correct possible weaknesses in
procedures.
3. Ethics training participants must perform the specified behavior
by responding to case studies or role playing.
4. Training programs should include examples where the particular
behavior is demonstrated by people who are similar to the
participants.
5. Training instructors should review and positively reinforce
behaviors learned by participants.
6. Training program participants should experience and learn to
cope with the stresses associated with ethical behavior by
assessing their own emotional and physical states.
7. The general principles of codes of conduct should be an integral
part of the strategic planning process.
38 • Chapter 3: The Controller and Ethics
CONTROLLER’S TOOL 9 – KEY CONSIDERATIONS AND HOW TO MANAGE AN
ETHICS HOTLINE
Introduction. Tips from employees are one of the best ways that
unethical behavior and fraud is detected, according to the
Association of Certified Fraud Examiners. Under current US
Sentencing Guidelines, a corporation convicted of a federal offense
may seek leniency if it has maintained an effective program to
prevent and detect violations of criminal laws. To take advantage
of this provision, the company must prove that it has the following
requirements in place and is properly managing its ethics
hotline.
1. Management and Training. The ethics hotline is managed by a
senior staff member and often by the legal department of the ethics
office. Ensure that employees with a propensity to commit crimes
are not given discretionary authority. Determine whether the
hotline should be managed within the company or by a third party.
Train the hotline staff with specific scripts to assure employees
that there will be no retaliation.
2. Tone at the Top. Promote the tone at the top as part of the
culture of company. Ethics line procedures and visibility will
likely reduce the prospect of criminal activity.
3. Communication. Provide effective communications and training for
the ethics program. Publicize the hotline using posters, intranet
notices, and employee fraud awareness training. Publicizing the
hotline is required by US Sentencing Guidelines.
4. Alleviate Fear of Retribution. Ensure that the ethics hotline is
a system that allows employees to report misconduct without fear of
retribution. Employees need to know that all communication will be
kept in the utmost confidence and that a proper investigation will
take place. Provide other options for employees to use to report an
issue, such as e-mail and postal mail.
5. Response and Reporting. Provide adequate methods for responding
to ethics violations that have been reported. Establish an easily
accessible channel with a toll-free number and test the hotline to
make sure that it’s working. Be sure to validate caller wait times.
Identify the types of issues that require immediate visibility.
Establish procedures for escalating and reporting issues to
executive management, audit committees, and disclosure committees.
Ensure there is a reporting process in which issues may be reported
by type, such as employee issues, misconduct, violation of
accounting policies and practices, supplier contracts, transaction
processing issues, and potential evidence of fraud or
collusion.
6. Validate Effectiveness. The ethics hotline and process should be
tested on an annual basis as part of the entity-level controls
program.
CONTROLLER’S TOOL 10 – TONE AT THE TOP AND THE TONE IN THE
MIDDLE
Introduction. In his article entitled “Ethics and the Middle
Manager: Creating ‘Tone in the Middle,’” Kirk Hanson listed eight
specific actions that top executives should take that will
demonstrate the commitment of their company and themselves to
ethics and compliance. His recommendations are listed below.
Chapter 3: The Controller and Ethics • 39
1. Top executives must themselves exhibit all the tone at the top
behaviors, including acting ethically, talking frequently about the
organization’s values and ethics, and supporting the organization’s
and individual employee’s adherence to these values.
2. Top executives must explicitly ask middle managers what dilemmas
arise in implementing the ethical commitments of the organization
in the work of their groups.
3. Top executives must give general guidance about how values apply
to those specific dilemmas.
4. Top executives must explicitly delegate resolution of those
dilemmas to the middle managers.
5. Top executives must make it clear to middle managers that their
ethical performance is being watched as closely as their financial
performance.
6. Top executives must make ethical competence and commitment of
middle managers a part of their performance evaluation.
7. The organization must provide opportunities for middle managers
to work with peers on resolving hard cases.
8. Top executives must be available to middle managers to discuss
the hardest cases, to provide coaching, and to help resolve those
cases.
TONE AT THE TOP AND US SENTENCING GUIDELINES
In November of 1991 the US Sentencing Commission adopted new
sentencing guidelines (the Guidelines) applicable to all
organizational defendants in criminal cases. The Guidelines
substantially increase the financial penalties for corporations
whose employees engage in unlawful conduct that is ostensibly
intended for the corporation’s benefit.
The Guidelines are the product of the US Sentencing Commission,
which was created by the Sentencing Reform Act of 1984. Following
the savings and loan crisis of the 1980s, the US Sentencing
Commission responded to the public’s frustration with the criminal
justice system by releasing the Federal Sentencing Guidelines for
organizations, which imposed harsh penalties on organizations whose
employees or other agents have committed federal crimes. The
Guidelines – comprising seven steps for mitigating the risk of such
crimes – include implementing compliance standards and procedures,
assigning compliance oversight responsibility to high-level
personnel, avoiding delegation to individuals prone to committing
crimes, providing information and training on standards,
establishing systems for monitoring and reporting criminal conduct
without fear of reprisal, enforcing standards and assigning
responsibility for detecting offenses, and taking all reasonable
steps to guard against offenses in the future.
The US government would also appear to believe that a company’s
ethics and compliance culture are set by the very top levels of
management because the US Sentencing Guidelines states: “High-level
personnel and substantial authority personnel of the organization
shall be knowledgeable about the content and operation of the
compliance and ethics program … and shall promote an organizational
culture that encourages ethical conduct and a commitment to
compliance with the law.”
40 • Chapter 3: The Controller and Ethics
While the Guidelines apply to all corporations, the larger the
organization, the more formal the program should be, and the
greater the penalty for failure to comply. Formal policies and
procedures, and extensive communication programs, are expected of a
large, publicly traded corporation. The expectations are not as
extensive for a small business.
TONE AT THE TOP AND THE FOREIGN CORRUPT PRACTICES ACT
If top management is not fully committed to an ethical environment,
the lack of tone at the top will be evidenced throughout the
company, specifically in middle management. As noted above, the US
Sentencing Guidelines mandate that the highest levels of management
promote and encourage not only ethical conduct but a commitment to
comply with the Foreign Corrupt Practices Act (FCPA) itself.
When passed in 1977, the FCPA was characterized by the American Bar
Association as the most extensive application of federal law to the
regulation of business since the passage of the 1933 and 1934
securities acts.
Congress acted decisively to restore the reputation of American
business and eliminate improper payments to foreign governments,
politicians, and political parties. In fact, the FCPA is actually
an amendment to the 1934 Securities Exchange Act and is
administered by the SEC.
The FCPA contains both provisions against bribery and rules
establishing accounting standards. The accounting rules apply only
to companies that are required to report financial information
under the securities laws. These accounting and record-keeping
rules are broad. Your accounting advisor or securities lawyer can
advise you if you think that you may be subject to these
requirements. Summaries of the fundamental objectives of the FCPA,
which are legal requirements, are included below
ANTI-BRIBERY PROVISIONS OF THE FCPA
The FCPA generally applies to all US corporations, partnerships,
and other business organization (generically, a “company”), as well
as all persons acting on behalf of those entities. For purposes of
this discussion, suffice it to say that the FCPA applies to a US
company and its corporate subsidiaries, as well as their officers,
directors, agents, and shareholders. The FCPA prohibits any payment
or offer of payment to a “foreign official” for the purpose of
influencing that official to assist in obtaining or retaining
business for a company. The act applies to any act or event that is
“in furtherance of” a payment to a foreign official. Further, the
payment clause of the FCPA is broadly phrased. It covers not only
the actual payment of money, but also the offer, promise, or
authorization of the payment of money and the offer, gift, promise,
or authorization of the giving of “anything of value.” The act also
applies to payments to foreign officials, foreign political
parties, officials of foreign political parties, and candidates for
foreign political office.
RECORDKEEPING REQUIREMENTS OF THE FCPA
In addition to its anti-bribery provisions, the FCPA also imposes
certain accounting requirements on companies. Specifically, the
FCPA requires that a company maintain books, records, and accounts
that, in reasonable detail, accurately reflect the transactions and
dispositions of that company. In order to comply with these
requirements, it is imperative that company employees, agents, and
others acting on
Chapter 3: The Controller and Ethics • 41
its behalf maintain complete and accurate records with respect to
all transactions undertaken on behalf of the company.
GUIDELINES FOR FCPA COMPLIANCE The consequences of failing to
comply with the FCPA are potentially disastrous for a company and
its employees. Violation of the FCPA and related laws by a company
employee can result in millions of dollars in fines against the
company and can subject the employee to prosecution, criminal
fines, and imprisonment, as well as disciplinary action by the
company, including dismissal. Note that the FCPA states that fines
and penalties imposed upon individuals may not be paid directly or
indirectly by any corporation for which they may have acted.
THE DODD–FRANK ACT
The Dodd–Frank Act (fully known as the Dodd–Frank Wall Street
Reform and Consumer Protection Act) is a US federal law that places
regulation of the financial industry in the hands of the
government.
The legislation, enacted in July 2010, aims to prevent another
significant financial crisis by creating new financial regulatory
processes that enforce transparency and accountability while
implementing rules for consumer protection.
To both ensure cooperation by financial insiders and fight
corruption in the financial industry, the Dodd– Frank Act contains
a whistleblowing provision. This means that persons with original
information about security violations can report the information to
the government for a financial reward.
THE WHISTLEBLOWER PROTECTION ACT OF 1989
The Whistleblower Protection Act of 1989 is a US federal law that
protects federal whist