5.1 Elements that make a control
A control has the following characteristics:
- It understands what is the standard is and ‘detects’ it.
- It measures performance, what it is actually happening, and can interpret compared to the standard.
- It takes action or feeds back to stop differences to the standard occurring or corrects the situation back to the standard.
Therefore, for a control to operate it must have the following phases:
| Phase | Description | Day-to-day example | Operational control | Financial control |
|---|---|---|---|---|
| Detection | There must be a method for the control to detect that a root cause is emerging or an event has occurred. | A fire alarm system needs call points, smoke detectors and/or heat detectors. | Customers report problems with a product. | Employee submits a claim for expenses and accompanying receipts. |
| Interpretation | There must be a method for the control to interpret the information received during the detection. | A sensor will inform the fire alarm system, which will sound a siren as a result of a ‘detection’. | An organisation subject matter expert investigates, gathers further information and reaches a decision. | Initially employee’s manager approves the employee’s expenses. Periodically expenses are reviewed for anomalies by the finance manager. |
| Action | There must be an action, one that is repeatable, arising from the interpretation. | The resultant siren should trigger a fire procedure that will include an evacuation of employees/visitors and summoning of the emergency services. | The organisation acts, which may result in a product recall, communications to notify customers and modification of the production process to prevent re-occurrence. | The finance manager is independent of the manager and employee. She may detect anomalies in submissions that could indicate fraudulent activity and collusion between the two employees. |
When documenting a control you should capture six key pieces of information:
| Information | Definition |
|---|---|
| Why is it there? | What is the control there to do, in the most simplistic terms. |
| Who owns the control? | In organisations (particularly large organisations) it is important to understand who owns (or is accountable for) a control, to be able to recognise the source of expertise in relation to the control. The person is responsible for the design of the control and, to some extent, supporting the successful operation of the control. |
| What, When and How? | Explain the control in terms of detection, interpretation and action. Explain when the control operates: if it is continuously ‘on’, does it only operate at a set time frequency? Explain how it does what it does. |
| What happens if errors or omissions are identified? | If the control detects a problem or issue, how does it respond? This is a specific focus on the action phase in the event of a failure being found and confirms whether the control will act against the failure. |
| Levels of tolerance | What level of imperfection is allowed? E.g. if a machine was counting pennies, how many can it miss in £1,000,000? |
| How is a control evidenced? | The information (evidence) that the organisation retains to demonstrate that the control has been operated. In some regulated industries there may be a legal requirement to retain certain documents to demonstrate that a control has been operated. |
Activity 2 Elements of a control
Look at the information about a control and highlight where the six key pieces of information can be found.
Here is a model control statement; identify the six elements of a control in this statement.
To ensure that changes to Customer Pricing Master Data are accurate and appropriately authorised the Pricing and Revenue Manager will receive XYZ document, and approve its suitability against the prices included for the customer against the forecast and supporting information before approving by signing the document and forwarding this onto the Data Entry Team. If the Pricing and Revenue Manager does not approve any data item, the Data Entry Team will send it back to the Key Account Manager. Evidence of the control being performed is the signature on the data entry sheet held by the Data Entry Team. Try constructing the sequence of the control yourself by dragging each part of the sequence into the correct box.
Remember to open the interactive version in a new window or tab, and it is recommended that you complete this activity using a laptop or PC, rather than a mobile device.