Introduction
Within any organisation a high level of trust has traditionally been placed in management and key personnel. This has led to some quite public failures in corporate governance and internal controls (Enron, WorldCom, HIH Insurance etc.). A lack of effective personnel controls can lead to a multitude of organisational problems such as fraud, theft, excessive costs and poor management decisions. The solution therefore is not to trust the key personnel but instead to trust the controls. This in turn means that organisations need to develop more sophisticated, more 'water-tight' control policies and plans.
Truly effective internal controls establish a framework whereby only honest, trustworthy, competent, qualified employees are hired and business objectives are continuously met or surpassed. Sophisticated controls have the ability to eliminate the need to place high levels of trust in key personnel, but it can never be a case of developing the control and trusting it implicitly with no evaluation or adjustment. These new control plans need more than just development: they need to be treated as living objects, continually reviewed, monitored, assessed and redeveloped in order to move with both society and technology, creating a business environment where the trust is in the controls, not the people.
1.0 Personnel Controls
In reducing or eliminating the need to heavily trust key personnel and instead trust the internal controls, the particular control that needs to be addressed is personnel control, more commonly referred to as 'Human Resource Management'. It is this control which needs to be the most sophisticated of all, particularly within the accounting or information systems environment. Why in these environments in particular? Mainly because of the level of access associated with these roles: many accounting staff have access to highly confidential information, and AIS, IS & IT staff usually have high levels of access into the computer systems themselves. A multitude of problems could arise if the right staff aren't in place, e.g. data deletion, information transmitted to the wrong people, incorrect or misleading journals posted; the list could be virtually endless. Personnel controls address not only the recruitment of the 'right' employees but also the retention, development and termination of employees.
1.1 Recruitment
Recruitment controls are vital in ensuring an organisation is employing honest, trustworthy and competent people into the roles in which they will provide the most value to the organisation. This goes further than ensuring that credit, criminal, reference and qualification checks are performed on potential candidates; the key duties and requirements of the role must also be specified. This ensures that the candidate is suited to the role they are given.
1.2 Development
An organisation should always encourage employees to further develop those qualities and skills which made them suitable employees in the first place. Training schedules should also be provided to ensure any deficiencies in an employee's skills are identified and corrected. Development is always a significant expense for an organisation but continual development provides many benefits to an organisation, especially in AIS, IS & IT where the developments and new technologies rapidly improve and change.
1.3 Retention
Retaining quality employees is always a challenge for any organisation, large or small.
The development and training of employees is often a large expense to an organisation; therefore, to ensure an organisation receives a benefit from its investment, it needs to have effective retention plans. Organisations need to ensure that their employees are enjoying their roles: a lack of job satisfaction has often been cited as a reason an employee has committed fraud. An organisation therefore needs to build into its personnel plans a review stage, where all roles are reviewed to check that the skills and responsibilities required still reflect the person within the role. Varied roles often provide good challenges for employees as well as offering an effective control for organisations. Programmes like job rotations and forced vacations, if run effectively, benefit both employee and employer. It is also important that employees have access to management opportunities. A major reason given for an employee to leave an organisation is that they feel they have nowhere else to go within the organisation other than sideways.
1.4 Termination
Termination practices can potentially leave an organisation highly unguarded. As mentioned earlier, accounting, IS, AIS & IT roles all usually have significant levels of access to information and security rights. Disgruntled employees, if given the opportunity, can therefore cause significant levels of damage if some key guidelines aren't developed. Organisations should ensure that clearance passes and access to systems are taken from the employee upon termination and that, where appropriate, the employee is escorted from the premises. It is common practice for an organisation to require employees to sign confidentiality agreements or declarations of secrecy to ensure that any information obtained while employed by the organisation cannot be used or disseminated by the employee even after the employment engagement has concluded.
2.0 Cover all bases
It would not be enough to simply plonk some guidelines down and expect all problems to disappear. Creating internal controls sophisticated enough to nullify the necessity for placing disproportionate levels of trust in key personnel requires control policies that cover all four domains identified in the CobiT framework: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. In addressing each domain an organisation can go a long way to ensuring it can trust its controls. An organisation should also be aware that it should not take a breach of an internal control for the need to change controls to arise, which is the all too common approach: a sort of 'shutting the gate after the horse has bolted' practice! Thus significant importance needs to be placed on the Monitor and Evaluate domain. An organisation needs to pay attention to internal controls on a continual basis to ensure they are always best suited to help the organisation meet its business objectives.
3.0 Quantifiable Outputs
What system of personnel control could really call itself sophisticated if it has no way of quantifying its effectiveness?
With no tangible outputs you are in effect still in the same situation of trusting personnel: trusting that they are following the controls, and trusting that the controls have not become ineffective or out-of-date. This is where the development of tangibles such as key performance indicators (KPIs), key goal indicators (KGIs) and critical success factors (CSFs) comes in, all of which are discussed and described in the COBIT framework. Statistics like staff turnover, head counts and number of customer complaints are all things that can be reviewed and compared, and pattern changes in these numbers can all be indicators that controls need to be reviewed or that there is a problem within the organisation. These can (hopefully) be used as preventative controls much more than as identification controls, which alert an organisation to a problem when it already exists. Other useful tangible outputs are things like staff reviews or employee surveys; sometimes it takes the lure of being anonymous to enable an employee to speak out. If there are some less than desirable activities going on in an organisation it is quite common (in my opinion) that someone else already knows about it and is uncomfortable with it; they just need a suitable platform on which to 'unburden' themselves.
Conclusion
Effective internal controls (in particular personnel controls) are able to transfer the trust an organisation places in key personnel to trusting the controls instead.
Human resource management and control ensures that an organisation can hire, fire, retain & train key personnel to attain business objectives and reduce exposure to risks such as fraud, theft and excessive costs.
By ensuring that the controls meet the business needs and demands, an organisation is able to place its trust in the knowns and absolutes of its control system.
By developing personnel control policies and procedures that ensure high quality, trustworthy staff are employed, an organisation can place less trust in these employees, trusting instead in the knowledge that if they weren't suitable for a position within the organisation the personnel controls would have already identified that.
Provided the controls have quantifiable measurement outputs like KGIs, KPIs etc., an organisation is enabled to continuously monitor and improve the controls, ever trusting that these will be effective.