The Controller’s Toolkit

Introduction: About This Toolkit v
Chapter 1: Defining the Role of a Controller 1 Overview 1 Controller’s Tool 1 – Suggested Job Responsibilities for a Controller 1 Controller’s Tool 2 – Core Competencies of a Controller 2 Controller’s Tool 3 – The Controller’s Business Partnership Matrix 5 Controller’s Tool 4 – The Controller’s Span of Influence 7
Chapter 1: Test Your Knowledge 9 Chapter 1: Solutions and Suggested Responses 11
SECTION 1: CORPORATE AND REPUTATIONAL RISK 13
Chapter 2: The Controller and Risk Management 15 Overview 15 Risk Management Defined 15 Controller’s Tool 5 – Types of Risk 17 Controller’s Tool 6 – Risk Management Frameworks 18 Controller’s Tool 7 – Considerations for Managing Risk with an Enterprise Risk
Management Model 19 Table of Controls – Risk Management 21 Table of Risks and Controls – Risk Management 22
Chapter 3: The Controller and Ethics 33 Overview 33 What Is Tone at the Top? 33 Example – Code of Conduct: MCI 35 The Reaction to Unethical Behavior 35 Sarbanes–Oxley and Whistleblower Protection 37 Controller’s Tool 8 – Ethics Training Programs 37 Controller’s Tool 9 – Key Considerations and How to Manage an Ethics Hotline 37 Controller’s Tool 10 – Tone at the Top and the Tone in the Middle 38 Tone at the Top and US Sentencing Guidelines 39 Tone at the Top and the Foreign Corrupt Practices Act 40 Anti-Bribery Provisions of the FCPA 40 Recordkeeping Requirements of the FCPA 40 Guidelines for FCPA Compliance 41 The Dodd–Frank Act 41 The Whistleblower Protection Act of 1989 41
ii • Table of Contents
The False Claims Act 41 Table of Controls – Ethics Program 42 Table of Risks and Controls – Ethics Program 43
Chapter 4: The Controller and Corporate Governance 55 Overview 55 The 1992 Cadbury Committee 55 The International Finance Corporation and the Global Corporate Governance Forum 57 The Organization for Economic Cooperation and Development and Corporate Governance 57 Corporate Governance in Practice 58 When Corporate Governance Is Flawed 60 Controller’s Tool 11 – The Sarbanes–Oxley Act of 2002 and Corporate Governance 61 Controller’s Tool 12 – Examples of Board Committees 64 Table of Controls – Corporate Governance 66 Table of Risks and Controls – Corporate Governance 69
Chapter 5: Entity-Level Controls 79 Overview 79 Benefits Of Entity-Level Controls 79 Why Is The Committee Of Sponsoring Organizations Of The Treadway
Commission Framework Important To Entity-Level Controls? 81 Controller’s Tool 13 – Implementing An Entity-Level Controls Framework 84 Controller’s Tool 14 – Examples Of Entity-Level Controls 84 Table Of Controls – Entity-Level Controls 87 Table Of Risks And Controls – Entity-Level Controls 90
SECTION 2: STRATEGIC PLANNING AND MERGERS AND ACQUISITIONS RISK 101
Chapter 6: Strategic Planning and Mergers and Acquisitions 103 Overview – Strategic Planning 103 The Strategic Planning Process 103 Step 1 – Prepare for Strategy 105 Step 2 – Articulate the Mission, Vision, and Values 106 Step 3 – Assess the Situation 107 Step 4 – Develop Strategies, Goals, Objectives, and Budgets 108 Step 5 – Write the Strategic Plan 109 Controller’s Tool 15 – Sample Strategic Plan Table of Contents 110 Step 6 – Evaluate the Effectiveness of the Strategic Plan 111 Table of Controls – Strategic Planning 112 Table of Risks and Controls – Strategic Planning 113
Table of Contents • iii
Overview – Mergers and Acquisitions 114 Controller’s Tool 16 – Mergers and Acquisitions Due Diligence Checklist 117 Table of Controls – Mergers and Acquisitions 131 Table of Risks and Controls – Mergers and Acquisitions 132
SECTION 3: INTERNAL CONTROL RISK 139
Chapter 7: Internal Control Program 141 Overview 141 The Three Critical Corporate Controls 143 The Committee of Sponsoring Organizations of the Treadway Commission
and Internal Controls 144 Controller’s Tool 17 – Roles and Responsibilities for Internal Controls 146 The Impact of Section 404 of the Sarbanes–Oxley Act of 2002 on Internal
Control Programs 150 Controller’s Tool 18 – Internal Control Best Practices for Privately Held Companies 151 Controller’s Tool 19 – Leveraging Internal Control Basics to Implement a
Control Self-Assessment Program 152 Internal Controls and Fraud Prevention 155 The Fraud Triangle 155 The Five Elements of Fraud and the Fraud Diamond 156 Definition and Examples Of Fraud 157 Table of Controls – Internal Control Program 157 Table of Risks and Controls – Internal Control Program 159
SECTION 4: COMPLIANCE RISK 169
Chapter 8: Regulatory Compliance 171 Overview 171 Controller’s Tool 20 – Regulatory Compliance Toolkit 171 Table of Controls – Regulatory Compliance 193 Table of Risks and Controls – Regulatory Compliance 195
PART 2 205
SECTION 5: PAYMENT RISK 207
Chapter 9: Procure-to-Pay 211 Overview 211 1.0 Procurement 213 1.1 Supplier Selection and Management 213
iv • Table of Contents
1.2 Contract Management 218 1.3 Purchasing and Ordering 220 1.4 Reporting, Metrics, and Analytics 227 2.0 Accounts Payable 231 2.1 Supplier Master File 233 2.2 Invoice Processing 238 2.3 Payment Process 243 2.4 Accounting Process 251 2.5 Customer Service 256 2.6 Reporting, Metrics, and Analytics 260 2.7 P-Cards 264 2.8 Travel and Entertainment 272
Chapter 10: Hire-to-Retire 283 Overview 283 3.0 Human Resources 285 3.1 Human Resources Process 285 4.0 Payroll 293 4.1 Payroll Processing Process 295 4.2 Payroll Payment Process 301 4.3 Reporting, Metrics, and Analytics 307
Chapter 11: Order-to-Cash 317 Overview 317 5.0 Order-to-Cash 317 5.1 Sales 319 5.2 Customer Master File 326 5.3 Credit Analysis 331 5.4 Order Fulfillment and Invoicing 337 5.5 Accounts Receivable and Collections 347 5.6 Cash Application and Management 356 5.7 Reporting, Metrics, and Analytics 365
PART 3 375
SECTION 6: FINANCIAL OPERATIONS RISK 377
Chapter 12: Record-to-Report 379 Overview 379 Controller’s Tool 22 – Monthly Closing Best Practices 381
Table of Contents • v
Controller’s Tool 23 – 15 Best Practices to Simplify Your Financial Close 381 Fraud within the Record-to-Report Process 383 Controller’s Tool 24 – General Financial Statement Fraud Red Flags 384 Controller’s Tool 25 – Fraud Red Flags for Lenders and Investors 385 Table of Controls – Record-to-Report 386 Table of Risks and Controls – Record-to-Report 389
Chapter 13: Budgets, Forecasts, and Capital Budgeting 403 Overview – Budgets and Forecasts 403 Financial Statement Analysis 403 The Purpose of Budgeting 403 Controller’s Tool 26 – Types of Budgeting 405 Controller’s Tool 27 – The Budgeting Process 406 Controller’s Tool 28 – Budget Process Best Practices 409 Moving Your Finance Function to Dynamic Budgeting and Planning 412 Controller’s Tool 29 – Types of Financial Forecasting Models 413 Controller’s Tool 30 – The Forecasting Process for Small Businesses 415 Table of Controls – Budgets and Forecasts 416 Table of Risk and Controls – Budgets and Forecasts 417 Overview – Capital Budget and Fixed Assets 418 Developing the Capital Budget 419 Controller’s Tool 31 – Controller’s Areas of Responsibility for the Capital
Budget and Fixed Assets 419 Controller’s Tool 32 – Alternative Methods for Capital Budgeting 420 Table of Controls – Capital Budget and Fixed Assets 421 Table of Risks and Controls – Capital Budget and Fixed Assets 423
Chapter 14: Supply Chain Management and Inventory Control 429 Overview 429 The Role of the Controller 429 Supply Chain Finance 429 Controller’s Tool 33 – Blockchain Features That Enable Supply Chain Financing 431 Inventory Types 431 Inventory Management 432 Inventory Costing Methods 434 Trends in Inventory Management 434 Other Processes Relevant to the Supply Chain Business Process 435 Controller’s Tool 34 – Supply Chain Performance Metrics 437 Table of Controls – Supply Chain Management and Inventory Control 439 Table of Risks and Controls – Supply Chain Management and Inventory Control 444
vi • Table of Contents
Chapter 15: Treasury and Cash Management 459 Overview 459 Controller’s Tool 35 – Responsibilities of the Treasury Department 459 Controller’s Tool 36 – What Are the Components of Cash Flow? 461 How Does a Company Practice Good Cash Flow Management? 461 Controller’s Tool 37 – Cash Forecasts 462 Payment Float 463 Letter of Credit 463 Foreign Exchange Policy: Management and Controls 464 Controller’s Tool 38 – Foreign Exchange Policy Development Process 465 Controller’s Tool 39 – Cash Management Rules for Petty Cash 466 Cash Management 467 Controller’s Tool 40 – International Payment Methods 468 Table of Controls – Treasury and Cash Management 472 Table of Risks and Controls – Treasury and Cash Management 475
Chapter 16: Shared Services and Business Process Outsourcing 487 Overview 487 Controller’s Tool 41 – Five Ways That Human Resources Shared Services
Helps Small Business 489 Controller’s Tool 42 – The Benefits of Implementing Shared Services Centers 489 Controller’s Tool 43 – Types of Outsourcing Models 490 Controller’s Tool 44 – The Advantages of Outsourcing 492 Business Process Outsourcing 493 Controller’s Tool 45 – Cost-Benefit Analysis 493 Controller’s Tool 46 – Information for Supplier Evaluation 494 Controller’s Tool 47 – Considerations in Implementing Service Level Agreements
and Metrics 497 Table of Controls – Shared Service Centers and Business Process Outsourcing 498 Table of Risks and Controls – Shared Service Centers and Business Process Outsourcing 499
Chapter 17: Dashboards, Data Validation, Analytics, Metrics, and Benchmarking 507 Overview 507 Controller’s Tool 48 – Key Considerations for Dashboard Technology 507 Controller’s Tool 49 – Types of Benchmarking 509 Controller’s Tool 50 – Implementing Metrics 513 Table of Controls – Data Validation, Analytics, Metrics, and Benchmarking 515 Table of Risks and Controls – Data Validation, Analytics, Metrics, and Benchmarking 516
SECTION 7: INFORMATION TECHNOLOGY RISK 523
Table of Contents • vii
Chapter 18: Information Technology Controls and Cybersecurity 525 Overview 525 Access Control 525 User Accounts 528 Login and Resource Access Requests 528 Internal Service Level Agreements 529 Management and Control 529 Vulnerability and Threat Management 529 Controller’s Tool 51 – Control Objectives for Information and Related Technologies 530 Controller’s Tool 52 – Other It Internal Control Frameworks and Considerations 532 Controller’s Tool 53 – It Framework and Internal Control Considerations for
Small Businesses 533 Controller’s Tool 54 – Key Components of Successful It Governance 534 Table of Controls – Information Technology Controls and Cybersecurity 535 Table of Risks And Controls – Information Technology Controls and Cybersecurity 541
SECTION 8: BUSINESS CONTINUITY AND PHYSICAL SECURITY RISK 559
Chapter 19: Business Continuity and Physical Security 561 Overview – Business Continuity 561 Business Continuity and Disaster Recovery: Key Definitions 561 Controller’s Tool 55 – Business Continuity: Personnel 563 Controller’s Tool 56 – Business Continuity: Information Technology 564 Table of Controls – Business Continuity 565 Table of Risks and Controls – Business Continuity 567 Overview – Physical Security 570 Security Controls: Key Definitions 570 Controller’s Tool 57 – ISO/IEC 17799:2005 572 Table of Controls – Physical Security 574 Table of Risks and Controls – Physical Security 577
SECTION 9: LEADERSHIP AND CHANGE MANAGEMENT RISK 585
Chapter 20: Leadership and Managing Change 587 Overview 587 Controller’s Tool 58 – The Henri Fayol Principles of Business Management 587 Controller’s Tool 59 – Leadership Traits 589 Controller’s Tool 60 – Communication for Controllers 590 Controller’s Tool 61 – Guidelines for Active Listening 590 Table of Controls – Leadership and Managing Change 591 Table of Risks and Controls – Leadership and Managing Change 592
viii • Table of Contents
Chapter 21: Trends, Process Transformation, and Digitization 599 Overview 599 Controller’s Tool 62 – Blockchain Uses 599 Controller’s Tool 63 – Identifying SAAS Imposters 602 Controller’s Tool 64 – 10 Critical Requirements for Cloud Applications 602 Process Digitization 603 Controller’s Tool 65 – Types of It Solutions To Consider 603 Developing the Business Case 614 Controller’s Tool 66 – The Business Case Template 614 Table of Controls – Trends, Process Transformation, and Digitization 618 Table of Risks and Controls – Trends, Process Transformation, and Digitization 619
Glossary 631
Index 647
NOTICE This course and test have been adapted from supplemental materials and uses the materials entitled The Controller’s Toolkit by Christine H. Doxey, © 2021 by John Wiley and Sons, Inc. Displayed by permission of the publisher, John Wiley & Sons, Inc., Hoboken, New Jersey.
The views expressed in this text are those of the author(s) and do not necessarily reflect the views, opinions, or positions of Professional Education Services, LP, its employees, or owners.
Use of these materials or services provided by Professional Education Services, LP (“PES”) is governed by the Terms and Conditions on PES’ website (www.mypescpe.com). PES provides this course with the understanding that it is not providing any accounting, legal, or other professional advice and assumes no liability whatsoever in connection with its use. PES has used diligent efforts to provide quality information and material to its customers, but does not warrant or guarantee the accuracy, timeliness, completeness, or currency of the information contained herein. Ultimately, the responsibility to comply with applicable legal requirements falls solely on the individual licensee, not PES. PES encourages you to contact your state Board or licensing agency for the latest information and to confirm or clarify any questions or concerns you have regarding your duties or obligations as a licensed professional.
© Professional Education Services, LP 2021
Program Publication Date 8/18/2021
INTRODUCTION: ABOUT THIS TOOLKIT
The Controller’s Toolkit provides a single source for everything that controllers and finance and accounting professionals need to know to be successful. This toolkit will enable aspiring, new, and current controllers to take a giant leap forward and gain proficiency as corporate leaders.
The comprehensive content provided in this toolkit consists of process flows, checklists, tables of controls, and tables of risks and controls. Each comprehensive table of risks and controls identifies the risks to the business process, recommended policies, controls that will mitigate the risks, and internal control metrics. Besides laying out the accounting and technical requirements of the controllership, this toolkit describes the leadership skills that support the success of a controller’s career.
This toolkit is a must-have for accounting and finance professionals wishing to advance their careers and expand their skills and knowledge. This toolkit may also appeal to chief operating officers (CEOs), chief financial officers (CFOs), chief human resources officers, controllers, treasurers, and anyone else who is in the chain of command or who serves as an influencer for corporate finance and accounting processes.
This toolkit is a great reference for many roles within these wide-ranging corporate functions and for companies of many sizes. It can also serve as a training tool, since the content takes a new look at the roles and responsibilities of a controller.
This comprehensive toolkit is organized by specifically defined areas of risk that apply to any company or industry. Each chapter is focused on a business process and includes an overview, a process flow, a table of controls, and a table of risks and controls. The author has included 66 tools, each of which has been designed specifically for controllers to tackle the challenges of a specific business process. Here’s how this toolkit is organized.
How This Toolkit Is Organized
Section Number Area of Risk Chapter Number Chapter Title
Introduction About This Toolkit 1 Defining the Role of a Controller
1 Corporate and Reputational Risk
2 The Controller and Risk Management
3 The Controller and Ethics 4 The Controller and Corporate
Governance 5 Entity-Level Controls
6 Strategic Planning and Mergers and Acquisitions
3 Internal Control Risk 7 Internal Control Program
xii • Introduction: About This Toolkit
Section Number Area of Risk Chapter Number Chapter Title
4 Compliance Risk 8 Regulatory Compliance
5 Payment Risk 9 Procure-to-Pay 10 Hire-to-Retire 11 Order-to-Cash
6 Financial Operations Risk
14 Supply Chain Management and Inventory Control
15 Treasury and Cash Management 16 Shared Services and Business
Process Outsourcing 17 Dashboards, Data Validation,
Analytics, Metrics, and Benchmarking
7 Information Technology Risk
8 Business Continuity and Physical Security Risk
19 Business Continuity and Physical Security
9 Leadership and Change Management Risk
20 Leadership and Managing Change
21 Trends, Process Transformation, and Digitization
Chapter 1: Defining the Role of a Controller • 1
CHAPTER 1: DEFINING THE ROLE OF A CONTROLLER
Chapter Objective
After completing this chapter, you should be able to: • Identify the person in charge of the process related to finance and accounting.
OVERVIEW
The controllership function is carried out by a controller, which usually is the individual in charge of and with authority over the processes related to finance and accounting. A controller has the main goal of keeping the company’s bottom line secure by accurate internal controls and well-defined financial operations. But a good controller needs to be aware of all areas of risk that may impact a company and its ongoing success.
The role of the controller is often defined as being a business partner to other functions and divisions within an organization. In many organizations the role of the finance professional is defined as being a business partner to the organizations supported.
Controllers are faced with much broader challenges and opportunities in today’s business world and are being asked to take on additional responsibilities outside of the traditional “chief accounting officer” role. Controllers are connected to most of the key business processes within an organization. Controllers provide the stewardship and accountability systems that ensure that the organization is conducting its business in an appropriate, ethical manner.
Controllers and their staffs should also provide the information, analysis, and advice that will enable the organization’s operational management to perform effectively. This means understanding the impacts that the supply chain can have upon the accounting processes for the organization.
Controllers are process driven and are always looking for practical tools to manage their areas of responsibility and to advance their careers. These tools can extend the competencies and efficiencies of corporate and controllership processes, which fall under the umbrella of governance, risk management, and compliance (GRC).
CONTROLLER’S TOOL 1 – SUGGESTED JOB RESPONSIBILITIES FOR A CONTROLLER
Introduction. Monster is a global online employment solution for people seeking jobs and employers. Monster has expanded from its roots as a job board to a global provider of a full array of job-seeking, career-management, recruitment, and talent-management products and services. Monster recommends the following list of job responsibilities for a controller:
2 • Chapter 1: Defining the Role of a Controller
Suggested Job Responsibilities for a Controller • Achieves budget objectives by scheduling expenditures, analyzing variances, and initiating
corrective actions. • Provides status of financial condition by collecting, interpreting, and reporting financial data. • Prepares special reports by collecting, analyzing, and summarizing information and trends. • Complies with federal, state, and local legal requirements by studying existing and new legislation,
anticipating future legislation, enforcing adherence to requirements, filing financial reports, and advising management on needed actions.
• Ensures operation of equipment by establishing preventive maintenance requirements and service contracts, maintaining equipment inventories, and evaluating new equipment and techniques.
• Completes operational requirements by scheduling and assigning employees and by following up on work results.
• Maintains financial staff by recruiting, selecting, orienting, and training employees. • Maintains financial staff job results by coaching, counseling, and disciplining employees and by
planning, monitoring, and appraising job results. • Protects operations by keeping financial information and plans confidential.1
CONTROLLER’S TOOL 2 – CORE COMPETENCIES OF A CONTROLLER
Introduction. Within their companies, controllers are always looked upon as accounting and financial leaders. Many controllers are thought of as the chief accounting officer. I recently authored a blog entry for Nvoicepay that highlights the 15 leadership skills that a controller should have. Controllers should have a blend of skills from two key areas: (1) accounting and business knowledge, and (2) leadership and influence, as listed below.2
Accounting and Business Knowledge
1. Cost Control. As an example, a cost-control process would be implemented for a major project to monitor cost performance, ensure changes are recorded accurately, prohibit unauthorized changes, inform stakeholders of cost changes, maintain expected costs with acceptable limits, and monitor and document reasons for favorable or unfavorable cost variances. As a controller, you’re responsible for controlling cost. This involves developing policies and procedures, systems, processes, and metrics to make sure that costs are under control.
2. Internal Controls and Compliance. A controller usually has overall responsibility for the internal controls program and processes for their organization. This means that the design, development, and testing of the operational effectiveness of each control is the responsibility of you and your team. If you work for a publicly traded company, you’ll also need to prepare all of the quarterly and annual reporting requirements for Sarbanes– Oxley (SOX).
1. Monster (n.d.). Controller job description sample. Monster website, Job Description Templates (accessed March 8, 2020). https://hiring.monster.com/employer-resources/job-description-templates/controller-job-description-sample. 2. Doxey, Chris (2017). 15 leadership skills every controller must have. Nvoicepay website (June 29; accessed March 8, 2020). https://www.nvoicepay.com/resources/blog/15-leadership-skills-controllers-must-have.
3. Financial Reporting and Adding Value. Controllers and their staffs typically drive the fiscal closing process and are always looking for ways to streamline the process and provide the results sooner through automation and a quicker closing process.
4. Corporate Transaction Processes. Controllers have ownership of corporate transaction processes, which include accounts payable, accounts receivable, payroll, travel and expense (T&E), general accounting, and others. There are always large opportunities for streamlining these processes, as evidenced by automation and transformation initiatives in the procure-to-pay (P2P) and order-to-cash (O2C) processes.
5. Corporate Knowledge. Controllers should have an excellent knowledge of what their companies do and how they are organized. What is the culture of the company? How is the company organized? How quickly do decisions get made?
6. Efficiency Improvements. Along with having a solid knowledge of the corporate transaction processes that are the backbone of your company, you should always look for ways to improve them through process efficiencies and automation. Are there ways to combine similar processes into a shared services organization? Can you reduce manual invoices through implementing an e-invoicing solution? Can you streamline your payment process by implementing e-payment solutions or even outsourcing your payment process?
7. Analytics. A savvy controller is driven by analytics and metrics. The results of a well- developed metrics program will indicate how well your company’s business processes are working and where improvements were successfully implemented. Metrics will also reveal problem areas and should have the analytics to drill down to find the solution.
Leadership and Influence
8. Business Partnerships. Since a controller oversees the accounting processes for a company, maintaining good business partnerships is a key success factor. You should identify your areas of influence and ensure you have a good relationship or partnership with the leadership in other departments. Key departments usually include information technology (IT), legal, human resources (HR), business ethics, supply chain, and procurement.
9. Communication. Communication is a personal process that should be appropriate for both the audience and situation. Choosing the wrong communications channel could send the wrong message. For example, a decision that dramatically impacts a person’s career should never be delivered via an impersonal form letter. It’s always good to consider how it would feel to be on the receiving end. Think about it: If you were being recognized for outstanding work or many years of service, would a personal thank-you note or an e-mail be more meaningful to you?
10. Active Listening. The concept behind active listening is encouraging the speaker to state what they really mean and stems from the work of counselors and therapists. The goal of active listening is to help associates express themselves, offer suggestions, and get to the root of a matter.
1) Listen for the content of the message and organize it into key components.
2) Listen for feelings about the key points being conveyed.
3) Ensure that you respond to feelings appropriately and with compassion.
4) Be cognizant of any overreaction to the situation.
5) Watch verbal and nonverbal signals and be prepared to reconvene the discussion if necessary.
6) Repeat and paraphrase the key points that were conveyed.
7) Wait until the speaker is finished.
8) Do not plan your response until the speaker is finished.
9) Never interrupt to state you own opinion.
10) Maintain eye contact if you are in a face-to-face meeting.
11. Leadership Style. Based on an analysis of all the leadership styles, it makes sense that a controller should be flexible, understand his or her own core leadership style, value team members, and be cognizant of all factors impacting a situation. Although situational leadership is touted as the best leadership style, the situation should not change one’s core values or ethics. Great leaders have an in-depth understanding of which leadership style works best for them.
12. Motivation and Inspiration. Motivation involves using words and examples that give your team the will to accomplish an objective or take action. Motivation occurs when one has confidence, feels a sense of belonging to a solid team, and has good leadership. Motivation is nurtured by constant reinforcement, a level of trust, and loyalty to the organizational leader, the company, or both. True team motivation occurs when team members motivate each other.
13. Managing Change. One of the major challenges of change management is assessing readiness for change. Unfortunately, this assessment does not always take place and the risks associated with the change are not always properly addressed. The goal of assessing change readiness is to identify specific issues and to plan for and address those issues so that risks are minimized. If that assessment does not take place, performance improvement may either be delayed or not achieved, and associated costs can be higher than expected.
14. Emotional Intelligence. Psychologist and author Daniel Goleman is cochair of the Consortium for Research on Emotional Intelligence in Organizations, based at Rutgers University. He first brought the term emotional intelligence to a wide audience with his
1995 book of the same name. According to Goleman, the chief components of emotional intelligence are self-awareness, self-regulation, motivation, empathy, and social skills.
15. Building a Strong Team. Choosing the right team members is critical to being a good controller. Unless your staff is competent, cohesive, communicative, and committed, you will not be able to fulfill your controllership responsibilities.
CONTROLLER’S TOOL 3 – THE CONTROLLER’S BUSINESS PARTNERSHIP MATRIX
Introduction. Controllers should consider building business partnerships with the organizations included in the table below. This business partnership matrix was developed to provide a listing of potential business partnership organizations. The matrix also includes the areas of influence that will drive the business partnership. Although the areas of influence will differ in public and private companies, the value of a business partnership can be critical to the success of a controller.
Suggested Business Partnership Organization
Area of Influence
HR and Benefits • HR and Payroll Internal Controls • Entity-Level Controls • HR Policy • HR Policies to Support Internal Controls, Such as Policies
for Corporate Cardholder Agreements • Controller Staff Development and Training Programs • Benefit Plan Decision Making • Pension Plan Investment Analysis and Decision Making • Sarbanes–Oxley 302 and 404
Facilities • Physical Security Controls • Facility Strategy
• Closing Old Facilities • Building New Facilities
• Capital Budgets • Depreciation Analysis • Risk Management • Insurance Plans • Asset Impairment • Sarbanes–Oxley 302 and 404
Supply Chain • Supply Chain Internal Controls • Supply Chain Strategy • Logistics Outsourcing Strategy • Inventory Control • Inventory Fraud Detection and Prevention • Operational Metrics and Reporting • Risk Management • Sarbanes–Oxley 302 and 404
Suggested Business Partnership Organization
Legal and Risk Management • Entity-Level Controls • Risk Management • Insurance • Record Management • Contract Compliance • Regulatory Compliance Issues • Fraud Detection and Prevention • Sarbanes–Oxley 302 and 404
Compliance • Regulatory Compliance Applicable to the Organization • Address Compliance Issues and Ensure the Implementation
of Corrective Action Plans • Sarbanes–Oxley 302 and 404
Internal Audit • Control Self-Assessment Programs • Address Control Issues and Ensure the Implementation of
Corrective Action Plans • Recommend Audit Plan and Focus • Sarbanes–Oxley 302 and 404
Ethics and Compliance • Entity-Level Controls • Entity-Level Control Questionnaire • Ethics Hotline Issues • Whistleblower Protection • Fraud Detection and Prevention • Tone at the Top • Sarbanes–Oxley 302 and 404
Security and Investigations • Ethics Hotline Issues • Fraud Detection and Prevention • Security Controls • Physical Security • Protection of Company Data
Information Technology • Develop IT Strategy • IT Controls
• System Access Controls • Reporting and Metrics • Selection of ERP Systems
• Cost Analysis • Functionality
• Financial Systems • Capital Budget • Asset Impairment • IT Business Continuity Plan • Sarbanes–Oxley 302 and 404
CONTROLLER’S TOOL 4 – THE CONTROLLER’S SPAN OF INFLUENCE
Introduction. The controller position impacts nearly every aspect of the organization. The role of the controller now requires broad interpersonal skills. It is important to build relationships with the management or senior team members of every function within the organization. As an example, if there is a large investment in inventory, the controller should establish a relationship with the inventory controls manager and the materials manager for the organization. The wider range of functions managed by the controller means a broader range of functional knowledge. In general, the controller should be familiar with enterprise resource planning (ERP) systems, internal auditing, and the organization’s functional and administrative areas.
The Controller’s Span of Influence • Ensure that regulatory and compliance requirements are followed across all divisions. • Attend and participate in interdepartmental meetings. • Support strategic planning and ensure that corporate budgets are linked to the planning process. • Provide opinions on the effectiveness of other departments. • Implement and manage the company’s internal program and ensure that controls are operating
effectively. • Implement and manage the effectiveness of corporate policies, including:
• Delegation of authority policy • Segregation of duties policy • Internal controls policy
• Develop enhanced internal control programs and remediation activities to address control weaknesses.
• Develop and implement organization-wide metrics, scorecards, and analytics. • Acquire and approve insurance coverage. • Conduct public offerings. • Deal with investors and lenders. • Determine credit limits for strategic customers. • Invest pension funds. • Invest surplus funds. • Administer changes to the pension plan. • Maintain employee files.
THIS PAGE INTENTIONALLY LEFT BLANK.
CHAPTER 1: TEST YOUR KNOWLEDGE
The following questions are designed to ensure that you have a complete understanding of the information presented in the chapter (assignment). They are included as an additional tool to enhance your learning experience and do not need to be submitted in order to receive CPE credit.
We recommend that you answer each question and then compare your response to the suggested solutions on the following page(s) before answering the final exam questions related to this chapter (assignment).
1. Which of the following is generally correct regarding controllers:
A. controllers are only concerned with risks that affect the bottom line of a company
B. controllers generally limit themselves to performing the traditional tasks of the chief accounting officer
C. controllers generally are more results driven than process driven
D. controllers are usually in charge of the process related to finance and accounting
2. Which of the following is a best practice for being an active listener:
A. interrupt as needed to state an opinion
B. plan a response while the speaker is speaking
C. repeat and paraphrase key points that were conveyed
D. avoid frequent eye contact
CHAPTER 1: SOLUTIONS AND SUGGESTED RESPONSES
Below are the solutions and suggested responses for the questions on the previous page(s). If you choose an incorrect answer, you should review the pages as indicated for each question to ensure comprehension of the material.
1. A. Incorrect. Good controllers need to be aware of all areas of risk that may impact a company and its ongoing success, not just the risks associated with the bottom line.
B. Incorrect. Controllers are faced with much broader challenges and opportunities in today’s business world and being asked to take on additional responsibilities outside of the traditional chief accounting officer role.
C. Incorrect. Controllers are process driven and are always looking for practical tools to manage their areas of responsibility.
D. CORRECT. The controllership function is carried out by a controller, which usually is the individual in charge of, and with the authority over, the process related to finance and accounting.
(See page 1 of the course material.)
2. A. Incorrect. To be an active listener, individuals should never interrupt a speaker in order to state their own opinion.
B. Incorrect. The active listener should not plan their response until the other person is done talking.
C. CORRECT. One hallmark of active listening is to repeat and paraphrase key points that were conveyed.
D. Incorrect. Active listeners should maintain eye contact when in face-to-face meetings.
Section 1: Corporate and Reputational Risk • 13
SECTION 1: CORPORATE AND REPUTATIONAL RISK
SECTION INTRODUCTION
“We are living in a trust paradox,” said Richard Edelman, CEO of Edelman, a global communications firm. “Since we began measuring trust 20 years ago, economic growth has fostered rising trust. This continues in Asia and the Middle East but not in developed markets, where national income inequality is now the more important factor. Fears are stifling hope, and long-held assumptions about hard work leading to upward mobility are now invalid.”1
The trust of employees, shareholders, and customers drives corporate and reputational risk. Reputational risk has traditionally been seen as an outcome of other risks and not necessarily as a stand-alone risk. This view has been gradually changing, because it is increasingly clear that reputation is critical to the viability of a company.
Reputational risk refers to the potential for negative publicity, public perception, or uncontrollable events to have an adverse impact on a company’s reputation, thereby affecting its revenue. A controller can mitigate reputational risk through risk management processes, code of conduct, ethics, corporate governance, and the implementation and ongoing validation of entity-level controls. Mitigating reputational and corporate risk is an ongoing process that is critical to the success of a company.
1. Edelman (2020). 2020 Edelman Trust Barometer reveals growing sense of inequality is undermining trust in institutions. January 19, 2020, Edelman website, accessed April 10, 2020, https://www.edelman.com/news-awards/2020-edelman-trust- barometer.
14 • Section 1: Corporate and Reputational Risk
Chapter 2: The Controller and Risk Management • 15
CHAPTER 2: THE CONTROLLER AND RISK MANAGEMENT
Chapter Objective
After completing this chapter, you should be able to: • Recall the characteristics of risk management.
OVERVIEW
Companies of all sizes are subject to a variety of risks. Among them are legal, regulatory, strategic, operational, financial, and reputational. Each functional organization is subject to one or more of these types of risk, each of which may impact the company’s bottom line. Companies use a number of tools, such as insurance, establishment of reserve funds, and investment policies (including options and futures), to address some of their risks.
The controller should ensure that the organization’s internal controls properly address risk by conducting a risk assessment and analysis of the relevant risks that may impact the achievement of company objectives. Furthermore, economic, industry, regulatory, operating, and compliance impacts are always changing. A controller should establish the appropriate methodology to assess and react to different kinds of risk.
RISK MANAGEMENT DEFINED
Risk management is a process for identifying, assessing, and prioritizing risks of different kinds. Once the risks are identified, the risk manager will create a plan to minimize or eliminate the impact of negative events. Risk management can also be defined as the process of assessing risk and acting in such a manner, or prescribing policies and procedures, so as to avoid or minimize loss associated with such risk. Risk management is not a regulatory requirement but is an important focus of all types of organizations.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management (ERM) as follows:
Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The Global Association of Risk Professionals (GARP) defines risk management in this way:
Risk management is a structured approach to monitoring, measuring, and managing exposures to reduce the potential impact of an uncertain event happening.
16 • Chapter 2: The Controller and Risk Management
RISK MANAGEMENT PROCESS FLOW
When developing a risk management plan, a controller should consider the factors that may create risk. These factors are:
• Inadequate management reporting and monitoring
• Inadequate financial performance metrics
• Legal and regulatory violations
• Excessive bad debt and inventory write-offs
• Internal and external fraud
• Lack of a business continuity plan
After considering the risk factors above, a controller should develop a risk policy that outlines the risk management framework of an organization in relation to its objective. Risk policies will vary across industries and companies based on the ability to absorb losses and the rate of return an organization seeks from operations.
CONTROLLER’S TOOL 5 – TYPES OF RISK
Introduction. Besides the types of risk identified in this book, there are other types of risk that controllers should consider when defining a risk management process for their companies. These types of risk are provided below.
Type of Risk
Operational Risk. Operational risk is a potential risk of loss resulting from inadequate or failed internal processes, from people and systems, or from external events. The result of unmanaged operational risk is an operational failure.
Financial Risk. Financial risk is sometimes referred to as treasury risk. Hedging attempts to reduce financial risk by matching a position with an opposite and offsetting position in a financial instrument that tracks or mirrors the value changes in the position.
Fraud Risk. Fraud risk is a potential violation of the organization’s ethics and compliance standards, business practice requirements, financial reporting integrity, and other objectives.
Market Risk. Market risk deals with the different types of financial market risks, such as interest rate risk, equity risk, commodity risk, and currency risk.
Credit Risk. Credit risk is the risk of loss due to nonpayment of a loan, bond, or other credit instrument.
Commodity Risk. Commodity risk is a potential loss from an adverse change in commodity prices.
Currency Risk. Currency risk management focuses on the fluctuations in currency values (see Financial Risk).
Project Risk. Project risk is the risk associated with not completing a project within the expected timeline and budget.
Technology and Software Risks. Technology and software risks are associated with implementation of new technology or software and the impact that the implementation may have on the organization.
CONTROLLER’S TOOL 6 – RISK MANAGEMENT FRAMEWORKS
Introduction. There are several risk management frameworks that a controller should consider when developing an internal controls structure to mitigate specific areas of risk across the company. The type of framework selected will depend upon company strategy and customer requirements. As the company works with the risk management team, it should consider the risk events that can be fatal to the company and jeopardize its survival.
Multiple studies have found that people overestimate their ability to influence events that, in fact, are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.1
Type of Risk Management Framework
Overview
ISO 31000:2018
https://www.iso.org/ standard/65694.html
This updated standard now defines risk as the “effect of uncertainty on objectives,” with a focus on the effect of incomplete knowledge of events or circumstances on an organization’s decision-making.
This requires a change in the traditional understanding of risk, forcing organizations to tailor risk management to their needs and objectives – a key benefit of the standard. Jason Brown explains: “ISO 31000 provides a risk management framework that supports all activities, including decision-making across all levels of the organization.
“The ISO 31000 framework and its processes should be integrated with management systems to ensure consistency and the effectiveness of management control across all areas of the organization.” This would include strategy and planning, organizational resilience, IT, corporate governance, HR, compliance, quality, health and safety, business continuity, crisis management, and security.2
1. Kaplan, Robert S. and Mikes, Anette (2012). Managing risks: A new framework. Harvard Business Review (June; accessed April 28, 2020). https://hbr.org/2012/06/managing-risks-a-new-framework. 2. Tranchard, Sandrine (2018). The new ISO 31000 keeps risk management simple. ISO website, News (February 15; accessed March 24, 2020). https://www.iso.org/news/ref2263.html.
Type of Risk Management Framework
Overview
COSO Enterprise Risk Management – Integrating with Strategy and Performance (2017)
https://www.coso.org/ Pages/default.aspx
“In keeping with its overall mission, the COSO board commissioned and published in 2004 Enterprise Risk Management – Integrated Framework. Over the past decade, that publication has gained broad acceptance by organizations in their efforts to manage risk.
“However, also through that period, the complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, titled Enterprise Risk Management – Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance.”3
National Institute of Standards and Technology (NIST) Risk Management Framework
https://www.nist. gov/system/files/ documents/2018/03/28/ vickie_nist_risk_ management_ framework_overview- hpc.pdf
The selection and specification of security controls for a system is accomplished as part of an organization-wide information security program that involves the management of organizational risk – that is, the risk to the organization or to individuals associated with the operation of a system. The management of organizational risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for a system – the security controls necessary to protect individuals and the operations and assets of the organization.4
CONTROLLER’S TOOL 7 – CONSIDERATIONS FOR MANAGING RISK WITH AN ENTERPRISE RISK MANAGEMENT MODEL
Introduction. The following tool provides an approach to consider when implementing an ERM model. ERM aims to attain informed business decisions by evaluating total returns relative to total risks, which can be determined by asking these questions:
3. COSO (n.d.). Guidance on enterprise risk management. COSO website (accessed March 24, 2020). https://www.coso.org/ Pages/erm.aspx. 4. NIST (2016). FISMA implementation project, risk management framework (RMF) overview. NIST website, Projects (accessed March 24, 2020). https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview.
I. Internal Environment 1. What is the overall risk appetite of the organization? 2. How committed is the board of directors (BoD) to establishing a risk management
philosophy? 3. Are there integrity, ethical values, and a commitment to competence in the organization? 4. Is the assignment of authority and responsibility over risks well managed? Who
manages this process? 5. What is the organizational structure of the company and departments? 6. What HR standards related to risk management are currently in place?
II. Objective Setting 7. How well are strategic and related objectives defined? 8. How is the achievement of these objectives monitored? 9. What activities are on your risk management goal sheet for this year? 10. What does the company need to do well over the next year in order to succeed and
reach its goals? What factors do you consider to be critical to your company’s success in the next year?
11. What areas would you like to see moved to the next level of performance? 12. What could prevent you from achieving your goals (e.g. people, processes, funding,
etc.)? III. Event Identification
13. How do internal and external forces impact the risk profile? 14. What other event identification techniques are in place (e.g. self-assessments, SOX,
report reviews, trend reporting, fraud hotline, etc.)? 15. How are deficiencies captured and reported? 16. How does the organization distinguish between risks and opportunities?
IV. Risk Assessment 17. What does management perceive to be the largest risks to the company, in terms of
significance and likelihood? 18. What do managers perceive to be the biggest risks within their areas of control? Please
provide examples. 19. Thinking of other areas within the company, how well does management receive
information from shared services groups (e.g. IT, finance, HR)? 20. What additional information would management like to have accessible in order to better
perform its responsibilities? 21. In management’s opinion, what areas or processes are most susceptible to fraud? 22. Is management aware of any instances of fraud within the company? What/how/who?
V. Risk Response 23. How are risks monitored and reported within the organization? 24. How effectively are identified risks managed? 25. What is management doing specifically to manage identified risks (e.g. financial
statement variance reporting, trend reporting, credit reporting, insurance policies, legal, BoD involvement and reporting)?
VI. Control Activity 26. What is management’s assessment of the effectiveness of overall controls in preventing
risks and carrying out risk activities within your organization? 27. How are the defined control activities tested? 28. What type of review process takes place for policies and procedures? 29. What type of review process takes place for IT application controls and the IT general
control environment? 30. What components are included in the company’s entity-level controls program?
VII. Information and Communication 31. How does the organization/department capture information and communicate related
risk? 32. What communications barriers are present within the organization? 33. What ongoing monitoring activities are in place (e.g. compliance monitoring, Internal
Audit (IA), risk management group, BoD monitoring, etc.)?
TABLE OF CONTROLS – RISK MANAGEMENT
Process: Risk Management 1. Governance and ownership of the risk management process are clearly established. 2. Roles and responsibilities for the risk management process are clearly defined. 3. Risk management processes begin and end with clearly defined business objectives. 4. The risk management model to be used is defined and communicated to executive
management for approval and implementation. 5. A risk rating system is defined in relation to organization’s objectives and considers all
types of risks applicable to the company. Risk rating scales are tied to the company’s risk management model and establish risk tolerances and are determined based on the calculated or perceived severity of the consequences. Leading indicators are used to provide insight into potential risks using market, industry trends, and weather and world health impacts.
6. A risk portfolio is developed to support decision-making. This portfolio is updated on an annual basis.
7. Action plans and remediation activities are in place to address potential risks. 8. Risk-based internal controls are prioritized based on mitigating risk. All companies,
regardless of size, structure, nature, or industry encounter risks at all levels within their organizations. Risks affect each company’s ability to survive, successfully compete within its industry, maintain financial strength and a positive public image, and maintain the overall quality of its products, services, and people. Since there is no practical way to reduce risk to zero, management should determine how much risk should be prudently accepted and strive to maintain risk at acceptable levels by considering the implementation of risk-based controls.
9. Risk assessment plans and schedules are communicated to the audit committee, the BoD, and executive management. A schedule is in place to ensure that a risk assessment is conducted in a timely manner.
10. Significant risks are communicated to executive management and the BoD when they are identified.
TABLE OF RISKS AND CONTROLS – RISK MANAGEMENT
Process: Risk Management
Process Risk Recommended
Policies Internal Controls KPIs
1. The value of a risk management process is limited. The owner of a risk assessment must clearly communicate its purpose, process, and expected benefits. The right parties must be engaged to ensure relevant input, informed assessment, and meaningful and actionable results.
Risk Strategy
Risk Tolerance
8. Risk-Based Controls
10.Communication of Significant Risks
Number of Risks Requiring Remediation
Number of Risks That Occurred More than Once
Predicted Risk Severity Compared to Actual Severity
Number of Risks That Were Not Identified
Cost of Risk Management
Number of Risks Mitigated
2. Results are difficult to use. Failure to effectively organize and manage the volume and quality of assessment data makes interpreting that data a challenge. Tools, templates, and guidance are necessary to ensure consistency in data capture, assessment, and reporting.
Risk Strategy
Risk Tolerance
3. Results of the risk assessment are not acted upon. Lack of clarity and accountability around objectives frequently leads to a failure to follow through on assessment findings.
Risk Assessment Policy
Internal Controls Policy
10. Communication of Significant Risks
Number of Risks Identified per Period
4. Risk is overcontrolled, resulting in excessive costs and stifled innovation. Lack of an effective risk assessment process and defined risk tolerance could result in an organization overcontrolling a risk, which could place an excessive cost burden on the organization and/ or stifle its ability to seize opportunities.
Risk Strategy
Risk Tolerance
5. Risk assessments become stale, providing the same results every time. Without their data capture, process, and reporting being refreshed from time to time, risk assessments may lose relevance.
Risk Management Policy
6. Risk assessment is added onto day-to-day responsibilities without being integrated into business processes. While tools and templates are helpful to ensure consistency in data capture, assessment, and reporting, it is important that the risk assessment process be anchored and integrated into existing business processes.
7. Too many different risk assessments are performed across the organization. A shared approach should be defined for performing risk assessments, using common tools or templates, common data sets (e.g. risk categories, libraries of risks and controls, rating scales), and flexible hierarchies to enable streamlined data capture, an integrated assessment process, and flexible reporting.
8. Risk assessments are not structured to prevent the next big failure. As risk assessment provides a means for facilitating the discussion around key risks and potential control failures, it helps reduce the risk of breakdowns, unanticipated losses, and other significant failures. Risk assessments need to invoke the right subject- matter experts and consider not only past experience but also forward-looking analysis.
Risk Strategy
Risk Tolerance
9. Key principles are not put to work. With organizations facing a fluid and seemingly endless array of risks and obligations, these key principles should be leveraged to provide the consistent platform necessary to effectively manage these risks in a cost- effective and sensible way.
Risk Strategy
Risk Tolerance
CHAPTER 2: TEST YOUR KNOWLEDGE
The following questions are designed to ensure that you have a complete understanding of the information presented in the chapter (assignment). They are included as an additional tool to enhance your learning experience and do not need to be submitted in order to receive CPE credit.
We recommend that you answer each question and then compare your response to the suggested solutions on the following page(s) before answering the final exam questions related to this chapter (assignment).
1. Which of the following is correct regarding the risks faced by companies:
A. the risks faced by companies rarely change over time
B. the controller should ensure that an organization’s internal controls properly address risk
C. generally, the only types of risk faced by organizations are legal or regulatory
D. all of the above
2. Hedging is utilized in an attempt to reduce which of the following types of risk:
A. operational risk
B. credit risk
C. financial risk
D. project risk
CHAPTER 2: SOLUTIONS AND SUGGESTED RESPONSES
Below are the solutions and suggested responses for the questions on the previous page(s). If you choose an incorrect answer, you should review the pages as indicated for each question to ensure comprehension of the material.
1. A. Incorrect. Economic, industry, regulatory, operating, and compliance risks are always changing. Risk is rarely static.
B. CORRECT. The controller should ensure that the organization’s internal controls properly address risk by conducting a risk assessment and analysis of the relevant risks that may impact the achievement of company objectives.
C. Incorrect. Companies face a variety of risks, including legal, regulatory, strategic, operational, financial, and reputational.
D. Incorrect. Only one of the provided selections is correct.
2. A. Incorrect. Hedging is not used in an effort to minimize operational risk.
B. Incorrect. Credit risk is the risk of loss due to nonpayment of a loan, bond, or other credit instrument. Hedging does not minimize this risk.
C. CORRECT. Hedging attempts to reduce financial risk by matching a position with an opposite and offsetting position in a financial instrument that tracks or mirrors the value changes in the position.
D. Incorrect. Project risk is not mitigated through the use of hedging.
Chapter 3: The Controller and Ethics • 33
CHAPTER 3: THE CONTROLLER AND ETHICS
Chapter Objective
After completing this chapter, you should be able to: • Recall recommendations to consider when implementing an ethics training program.
OVERVIEW
In this chapter we’ll define the requirements for an ethics program that supports the company’s tone at the top and ensures corporate compliance. We’ll demonstrate how tone at the top can impact the external perception of the company and influence the attitude of employees and dedication to internal controls. A code of conduct is defined as the policies and procedures that support the organization’s tone at the top.
The connection between fraud and the tone at the top of an organization has received a great deal of attention over the last few years. Tone at the top refers to the ethical atmosphere that is created in the workplace by the organization’s leadership. Whatever tone management sets will have a trickle-down effect on employees of the company. If the tone set by managers upholds ethics and integrity, employees will be more inclined to uphold those same values.
As a best practice, many organizations integrate ethics and compliance requirements into all business processes. Controllers need to ensure that an environment of ethics and compliance is embedded within their areas of responsibility. A controller plays a key role in managing all internal control initiatives in private and public companies. These initiatives usually include the deployment of ethical standards and/ or a code of conduct for the organization. The controller may work with the organization’s ethics and/or compliance officer to ensure that the tone at the top is embedded in internal controls programs.
WHAT IS TONE AT THE TOP?
The tone at the top establishes the integrity of a company and directs how employees, shareholders, and stakeholders of a company will behave. A tone at the top focused on personal salary and greed that supports and overlooks fraudulent activities results in a company that may behave the same way. A tone at the top that is focused on doing the right thing for employees, shareholders, and stakeholders results in a company that has an environment of openness and honesty. As Michael Volkov of the Volkov Law Group states, “Compliance professionals frequently cite “tone-at-top” as an essential component of a compliance program. It sounds good and a few quick sentences on the topic is usually all that is provided when explaining what this means.”1
1. Volkov, Michael (2012). How to define “tone-at-the-top.” Corruption, Crime & Compliance blog (September 30; accessed March 24, 2020). https://blog.volkovlaw.com/2012/09/how-to-define-tone-at-the-top.
34 • Chapter 3: The Controller and Ethics
ETHICS PROGRAM PROCESS FLOW
Business owners and managers affect an organization’s ethical culture by implementing practices, policies, and procedures – and equally importantly, by following them. Properly setting the tone at the top of a business can help to send a clear message, reinforcing the owners’ and managers’ commitment to integrity and ethical values. Tone at the top must be constantly communicated and enforced so that there is a clear understanding of the company’s emphasis on ethical behavior. Employees must understand the consequences if there is a violation of this organization-wide requirement.
EXAMPLE – CODE OF CONDUCT: MCI
Several codes of conduct are provided in the reference section of this chapter. But as a compelling example, we are providing the code of conduct that was used at MCI (formerly WorldCom) below. Much of the content of this code were taken from the code of conduct that Michael Capellas developed when he was CEO of Compaq Computer Corporation (acquired by Hewlett-Packard). When Capellas became CEO of MCI, he knew that one of his most important actions would be to establish a foundation of ethics and integrity at the company.
He hired an ethics officer from Boeing and started a company-wide campaign to communicate the company’s tone at the top. Every employee attended web-based quarterly training sessions and was tested at the end of every session. Additionally, employees were often asked to recite all 10 components of the company’s code of conduct by Capellas:
1. Do what you say and say what you do.
2. Treat each other with dignity and integrity.
3. Everyone should be comfortable to speak his or her own mind.
4. Management leads by example.
5. Follow company policy and regulatory requirements.
6. Avoid conflicts of interest.
7. Establish metrics and report results accurately.
8. Focus on what is important and not what is convenient.
9. Be loyal to your families, your company, yourselves.
10. Do the right thing because it’s the right thing to do.
THE REACTION TO UNETHICAL BEHAVIOR
The federal government and the accounting industry have responded to the erosion of public trust in the accuracy of financial reporting results by enacting legislation and standards that specifically address management’s responsibilities.
The Sarbanes–Oxley Act of 2002 (SOX) addresses publicly held entities and identifies the CEO and CFO as the primary parties responsible for setting the tone at the top of an organization; moreover, it holds
them personally accountable for accurate financial reporting and discovering and disclosing fraudulent behavior. Even though SOX applies to publicly held companies, many privately held companies and organizations have implemented its internal control requirements as best practices. And many private companies strongly embrace its internal control requirements if there are plans to become public.
An overview of Sections 302 and 404 of SOX is provided for your reference in the figure in the next section. The main requirements of Sections 302 and 404 are the annual management assessment process and the quarterly certification process (respectively). An example of a quarterly internal control certification process is included in the figure.
Both processes require the statements that the tone at the top is ethically sound and that no fraudulent activities have occurred during the reporting period.
Establishing (and continually reviewing) a code of conduct, ethics policy, and statement of business principles identifies and documents exactly what behaviors are acceptable within an organization. HR policies that reflect these protocols can ensure that the company is adequately protected from unethical behavior, and implementing such policies related to hiring, training, and promoting staff can keep unethical individuals from joining an organization or obtaining a position of trust.
A COMPARISON OF SARBANES–OXLEY SECTION 302 AND SECTION 404
SARBANES–OXLEY AND WHISTLEBLOWER PROTECTION
SOX encourages the disclosure of corporate fraud by protecting employees of publicly traded companies or their subsidiaries who report illegal activities. Section 806 of SOX authorizes the US Department of Labor to protect whistleblowers against employers who retaliate and further authorizes the US Department of Justice to criminally charge those responsible for the retaliation.
Under Section 806 of SOX, an employee engages in protected whistleblower conduct by providing information about matters that he or she reasonably believes are violations of:
• Federal mail, wire, bank, or securities fraud statutes
• Federal law relating to fraud against shareholders
• Any rule or regulation of the Securities and Exchange Commission (SEC)
CONTROLLER’S TOOL 8 – ETHICS TRAINING PROGRAMS
Introduction. An ethics training program is more effective when employees can apply the concepts to their work environments. Examples include the discussion of case studies and role playing exercises. Training is often the responsibility of an ethics or compliance officer and should be provided quarterly and at least annually. An ethics training program should focus on the required behavior within specific situations, such as when and how to report fraud. Some companies focus on their training efforts after a significant event has occurred. These companies refer to the significant event during the training so that employees have a real-life point of reference. The list below provides recommendations to consider when implementing an ethics training program.
1. Ethics programs should target the required behavior.
2. Ethics programs should include a process for asking questions and getting management action to correct possible weaknesses in procedures.
3. Ethics training participants must perform the specified behavior by responding to case studies or role playing.
4. Training programs should include examples where the particular behavior is demonstrated by people who are similar to the participants.
5. Training instructors should review and positively reinforce behaviors learned by participants.
6. Training program participants should experience and learn to cope with the stresses associated with ethical behavior by assessing their own emotional and physical states.
7. The general principles of codes of conduct should be an integral part of the strategic planning process.
CONTROLLER’S TOOL 9 – KEY CONSIDERATIONS AND HOW TO MANAGE AN ETHICS HOTLINE
Introduction. Tips from employees are one of the best ways that unethical behavior and fraud is detected, according to the Association of Certified Fraud Examiners. Under current US Sentencing Guidelines, a corporation convicted of a federal offense may seek leniency if it has maintained an effective program to prevent and detect violations of criminal laws. To take advantage of this provision, the company must prove that it has the following requirements in place and is properly managing its ethics hotline.
1. Management and Training. The ethics hotline is managed by a senior staff member and often by the legal department of the ethics office. Ensure that employees with a propensity to commit crimes are not given discretionary authority. Determine whether the hotline should be managed within the company or by a third party. Train the hotline staff with specific scripts to assure employees that there will be no retaliation.
2. Tone at the Top. Promote the tone at the top as part of the culture of company. Ethics line procedures and visibility will likely reduce the prospect of criminal activity.
3. Communication. Provide effective communications and training for the ethics program. Publicize the hotline using posters, intranet notices, and employee fraud awareness training. Publicizing the hotline is required by US Sentencing Guidelines.
4. Alleviate Fear of Retribution. Ensure that the ethics hotline is a system that allows employees to report misconduct without fear of retribution. Employees need to know that all communication will be kept in the utmost confidence and that a proper investigation will take place. Provide other options for employees to use to report an issue, such as e-mail and postal mail.
5. Response and Reporting. Provide adequate methods for responding to ethics violations that have been reported. Establish an easily accessible channel with a toll-free number and test the hotline to make sure that it’s working. Be sure to validate caller wait times. Identify the types of issues that require immediate visibility. Establish procedures for escalating and reporting issues to executive management, audit committees, and disclosure committees. Ensure there is a reporting process in which issues may be reported by type, such as employee issues, misconduct, violation of accounting policies and practices, supplier contracts, transaction processing issues, and potential evidence of fraud or collusion.
6. Validate Effectiveness. The ethics hotline and process should be tested on an annual basis as part of the entity-level controls program.
CONTROLLER’S TOOL 10 – TONE AT THE TOP AND THE TONE IN THE MIDDLE
Introduction. In his article entitled “Ethics and the Middle Manager: Creating ‘Tone in the Middle,’” Kirk Hanson listed eight specific actions that top executives should take that will demonstrate the commitment of their company and themselves to ethics and compliance. His recommendations are listed below.
1. Top executives must themselves exhibit all the tone at the top behaviors, including acting ethically, talking frequently about the organization’s values and ethics, and supporting the organization’s and individual employee’s adherence to these values.
2. Top executives must explicitly ask middle managers what dilemmas arise in implementing the ethical commitments of the organization in the work of their groups.
3. Top executives must give general guidance about how values apply to those specific dilemmas.
4. Top executives must explicitly delegate resolution of those dilemmas to the middle managers.
5. Top executives must make it clear to middle managers that their ethical performance is being watched as closely as their financial performance.
6. Top executives must make ethical competence and commitment of middle managers a part of their performance evaluation.
7. The organization must provide opportunities for middle managers to work with peers on resolving hard cases.
8. Top executives must be available to middle managers to discuss the hardest cases, to provide coaching, and to help resolve those cases.
TONE AT THE TOP AND US SENTENCING GUIDELINES
In November of 1991 the US Sentencing Commission adopted new sentencing guidelines (the Guidelines) applicable to all organizational defendants in criminal cases. The Guidelines substantially increase the financial penalties for corporations whose employees engage in unlawful conduct that is ostensibly intended for the corporation’s benefit.
The Guidelines are the product of the US Sentencing Commission, which was created by the Sentencing Reform Act of 1984. Following the savings and loan crisis of the 1980s, the US Sentencing Commission responded to the public’s frustration with the criminal justice system by releasing the Federal Sentencing Guidelines for organizations, which imposed harsh penalties on organizations whose employees or other agents have committed federal crimes. The Guidelines – comprising seven steps for mitigating the risk of such crimes – include implementing compliance standards and procedures, assigning compliance oversight responsibility to high-level personnel, avoiding delegation to individuals prone to committing crimes, providing information and training on standards, establishing systems for monitoring and reporting criminal conduct without fear of reprisal, enforcing standards and assigning responsibility for detecting offenses, and taking all reasonable steps to guard against offenses in the future.
The US government would also appear to believe that a company’s ethics and compliance culture are set by the very top levels of management because the US Sentencing Guidelines states: “High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program … and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
While the Guidelines apply to all corporations, the larger the organization, the more formal the program should be, and the greater the penalty for failure to comply. Formal policies and procedures, and extensive communication programs, are expected of a large, publicly traded corporation. The expectations are not as extensive for a small business.
TONE AT THE TOP AND THE FOREIGN CORRUPT PRACTICES ACT
If top management is not fully committed to an ethical environment, the lack of tone at the top will be evidenced throughout the company, specifically in middle management. As noted above, the US Sentencing Guidelines mandate that the highest levels of management promote and encourage not only ethical conduct but a commitment to comply with the Foreign Corrupt Practices Act (FCPA) itself.
When passed in 1977, the FCPA was characterized by the American Bar Association as the most extensive application of federal law to the regulation of business since the passage of the 1933 and 1934 securities acts.
Congress acted decisively to restore the reputation of American business and eliminate improper payments to foreign governments, politicians, and political parties. In fact, the FCPA is actually an amendment to the 1934 Securities Exchange Act and is administered by the SEC.
The FCPA contains both provisions against bribery and rules establishing accounting standards. The accounting rules apply only to companies that are required to report financial information under the securities laws. These accounting and record-keeping rules are broad. Your accounting advisor or securities lawyer can advise you if you think that you may be subject to these requirements. Summaries of the fundamental objectives of the FCPA, which are legal requirements, are included below
ANTI-BRIBERY PROVISIONS OF THE FCPA
The FCPA generally applies to all US corporations, partnerships, and other business organization (generically, a “company”), as well as all persons acting on behalf of those entities. For purposes of this discussion, suffice it to say that the FCPA applies to a US company and its corporate subsidiaries, as well as their officers, directors, agents, and shareholders. The FCPA prohibits any payment or offer of payment to a “foreign official” for the purpose of influencing that official to assist in obtaining or retaining business for a company. The act applies to any act or event that is “in furtherance of” a payment to a foreign official. Further, the payment clause of the FCPA is broadly phrased. It covers not only the actual payment of money, but also the offer, promise, or authorization of the payment of money and the offer, gift, promise, or authorization of the giving of “anything of value.” The act also applies to payments to foreign officials, foreign political parties, officials of foreign political parties, and candidates for foreign political office.
RECORDKEEPING REQUIREMENTS OF THE FCPA
In addition to its anti-bribery provisions, the FCPA also imposes certain accounting requirements on companies. Specifically, the FCPA requires that a company maintain books, records, and accounts that, in reasonable detail, accurately reflect the transactions and dispositions of that company. In order to comply with these requirements, it is imperative that company employees, agents, and others acting on
its behalf maintain complete and accurate records with respect to all transactions undertaken on behalf of the company.
GUIDELINES FOR FCPA COMPLIANCE The consequences of failing to comply with the FCPA are potentially disastrous for a company and its employees. Violation of the FCPA and related laws by a company employee can result in millions of dollars in fines against the company and can subject the employee to prosecution, criminal fines, and imprisonment, as well as disciplinary action by the company, including dismissal. Note that the FCPA states that fines and penalties imposed upon individuals may not be paid directly or indirectly by any corporation for which they may have acted.
THE DODD–FRANK ACT
The Dodd–Frank Act (fully known as the Dodd–Frank Wall Street Reform and Consumer Protection Act) is a US federal law that places regulation of the financial industry in the hands of the government.
The legislation, enacted in July 2010, aims to prevent another significant financial crisis by creating new financial regulatory processes that enforce transparency and accountability while implementing rules for consumer protection.
To both ensure cooperation by financial insiders and fight corruption in the financial industry, the Dodd– Frank Act contains a whistleblowing provision. This means that persons with original information about security violations can report the information to the government for a financial reward.
THE WHISTLEBLOWER PROTECTION ACT OF 1989
The Whistleblower Protection Act of 1989 is a US federal law that protects federal whist

Documents

The Controller’s Toolkit