Risk Essentials For Business Owners
Jan 08, 2009
Risk is an interesting subject since it can affect an organization in different ways. Most non-financial folk think of risk and associate it with purchasing insurance. While insurance mitigates some types of risk, other forms of corporate risk, such as theft, lost sales, lost cash, and inefficiency, must also be considered. These risks are mitigated by sound internal controls.
Sarbanes-Oxley ("SOX") was created to identify risks and establish controls. The original SOX pronouncement (AS-2) stated that risks (and associated controls) were identified from the bottom of an organization up. After a few years, the architects at the SEC decided that this was not the best method for identifying risk. They rolled out AS-5, which suggested that a top-down approach to risk was more appropriate. Remember that an audit opinion includes the auditor's examination of internal controls: whether they are functional or cannot be relied upon. When they cannot be relied upon, auditors will increase the scope of their work in order to satisfy themselves, on a transactional basis, that controls do not have to be relied upon.
Audits aside, how does a lack of controls affect the day-to-day functioning of an organization and its associated risk? Consider companies that do not have the owner walking the office/plant/factory/warehouse. How is he assured that the organization is not losing money through inefficiencies, lack of controls, etc.?
Part of the answer is to delegate authority and responsibility (I believe that authority is the greater attribute) to professionals who know how to create controls, monitor them, and set up systems that set off the bells and whistles when controls fail. One group of professionals who are experts in internal controls is, of course, outside auditors/CPA firms. However, they may be precluded from performing an audit if they are too involved with their client in a non-audit environment, and they are not the only experts.
Another group of experts in process and controls is CFOs. A CFO lives and breathes controls because he/she knows that no senior executive can be in all places at all times. He/She takes pride in the fact that controls are properly created and functional, to the benefit of the organization. He/She also knows that his/her job, responsibility and authority are enhanced by mitigating risk through controls.
Controls are needed for organizations of all sizes, from the small growing organization where the Owner/Entrepreneur is doing many tasks and keeping his finger on the pulse, to the mid-to-large company that has desegregated tasks due to geography or size. One point to always keep in mind is that good controls will ultimately reduce expenses because they create efficiencies and mitigate loss.