The Controller's Toolkit - Christine H. Doxey - E-Book

Christine H. Doxey

Description
Get practical tools and guidance for financial controllership you can put to immediate use The Controller's Toolkit delivers a one-of-a-kind collection of templates, checklists, review sheets, internal controls, policies, and procedures that will form a solid foundation for any new or established financial controller. You'll get the tools and information you need to master areas like business ethics, corporate governance, regulatory compliance, risk management, security, IT processes, and financial operations. All of the tools contained in this indispensable book were recommended by corporate and business unit controllers from small to medium-sized companies and large, multinational firms. You will benefit from master-level guidance in areas like: * Ethics, Codes of Conduct, and the "Tone at the Top" to support ethical behavior * The operational and financial aspects of corporate governance * The importance of the Committee of Sponsoring Organizations of the Treadway Commission Framework * The requirement for entity-level controls * The importance of linking the business plan with the budget process The Controller's Toolkit also belongs on the bookshelves of finance and accounting students, executives, and managers who wish to know more about the often-complex world of financial controls.

Page count: 789

Year of publication: 2021



Table of Contents

Cover

Title Page

Copyright

Preface

PART ONE

CHAPTER 1: About This Toolkit

CHAPTER 2: Defining the Role of a Controller

OVERVIEW

CONTROLLER'S TOOL 1 – SUGGESTED JOB RESPONSIBILITIES FOR A CONTROLLER

CONTROLLER'S TOOL 2 – CORE COMPETENCIES OF A CONTROLLER

CONTROLLER'S TOOL 3 – THE CONTROLLER'S BUSINESS PARTNERSHIP MATRIX

CONTROLLER'S TOOL 4 – THE CONTROLLER'S SPAN OF INFLUENCE

NOTES

SECTION 1: Corporate and Reputational Risk

SECTION INTRODUCTION

NOTE

CHAPTER 3: The Controller and Risk Management

OVERVIEW

RISK MANAGEMENT PROCESS FLOW

RISK MANAGEMENT DEFINED

CONTROLLER'S TOOL 5 – TYPES OF RISK

CONTROLLER'S TOOL 6 – RISK MANAGEMENT FRAMEWORKS

CONTROLLER'S TOOL 7 – CONSIDERATIONS FOR MANAGING RISK WITH AN ENTERPRISE RISK MANAGEMENT MODEL

TABLE OF CONTROLS – RISK MANAGEMENT

TABLE OF RISKS AND CONTROLS – RISK MANAGEMENT

NOTES

CHAPTER 4: The Controller and Ethics

OVERVIEW

ETHICS PROGRAM PROCESS FLOW

WHAT IS TONE AT THE TOP?

EXAMPLE – CODE OF CONDUCT: MCI

THE REACTION TO UNETHICAL BEHAVIOR

A COMPARISON OF SARBANES–OXLEY SECTION 302 AND SECTION 404

SARBANES–OXLEY AND WHISTLEBLOWER PROTECTION

CONTROLLER'S TOOL 8 – ETHICS TRAINING PROGRAMS

CONTROLLER'S TOOL 9 – KEY CONSIDERATIONS AND HOW TO MANAGE AN ETHICS HOTLINE

CONTROLLER'S TOOL 10 – TONE AT THE TOP AND THE TONE IN THE MIDDLE

TONE AT THE TOP AND US SENTENCING GUIDELINES

TONE AT THE TOP AND THE FOREIGN CORRUPT PRACTICES ACT

ANTI-BRIBERY PROVISIONS OF THE FCPA

RECORD-KEEPING REQUIREMENTS OF THE FCPA

GUIDELINES FOR FCPA COMPLIANCE

THE DODD–FRANK ACT

THE WHISTLEBLOWER PROTECTION ACT OF 1989

THE FALSE CLAIMS ACT

TABLE OF CONTROLS – ETHICS PROGRAM

TABLE OF RISKS AND CONTROLS – ETHICS PROGRAM

NOTE

CHAPTER 5: The Controller and Corporate Governance

OVERVIEW

CORPORATE GOVERNANCE PROCESS FLOW

THE 1992 CADBURY COMMITTEE

THE INTERNATIONAL FINANCE CORPORATION AND THE GLOBAL CORPORATE GOVERNANCE FORUM

THE ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT AND CORPORATE GOVERNANCE

CORPORATE GOVERNANCE IN PRACTICE

WHEN CORPORATE GOVERNANCE IS FLAWED

CONTROLLER'S TOOL 11 – THE SARBANES–OXLEY ACT OF 2002 AND CORPORATE GOVERNANCE

CONTROLLER'S TOOL 12 – EXAMPLES OF BOARD COMMITTEES

TABLE OF CONTROLS – CORPORATE GOVERNANCE

TABLE OF RISKS AND CONTROLS – CORPORATE GOVERNANCE

NOTES

CHAPTER 6: Entity-Level Controls

OVERVIEW

ENTITY-LEVEL CONTROLS PROCESS FLOW

BENEFITS OF ENTITY-LEVEL CONTROLS

WHY IS THE COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION FRAMEWORK IMPORTANT TO ENTITY-LEVEL CONTROLS?

CONTROLLER'S TOOL 13 – IMPLEMENTING AN ENTITY-LEVEL CONTROLS FRAMEWORK

CONTROLLER'S TOOL 14 – EXAMPLES OF ENTITY-LEVEL CONTROLS

TABLE OF CONTROLS – ENTITY-LEVEL CONTROLS

TABLE OF RISKS AND CONTROLS – ENTITY-LEVEL CONTROLS

SECTION 2: Strategic Planning and Mergers and Acquisitions Risk

SECTION INTRODUCTION

CHAPTER 7: Strategic Planning and Mergers and Acquisitions

OVERVIEW – STRATEGIC PLANNING

THE STRATEGIC PLANNING PROCESS

STRATEGIC PLANNING PROCESS FLOW

STEP 1 – PREPARE FOR STRATEGY

STEP 2 – ARTICULATE THE MISSION, VISION, AND VALUES

STEP 3 – ASSESS THE SITUATION

STEP 4 – DEVELOP STRATEGIES, GOALS, OBJECTIVES, AND BUDGETS

STEP 5 – WRITE THE STRATEGIC PLAN

CONTROLLER'S TOOL 15 – SAMPLE STRATEGIC PLAN TABLE OF CONTENTS

STEP 6 – EVALUATE THE EFFECTIVENESS OF THE STRATEGIC PLAN

TABLE OF CONTROLS – STRATEGIC PLANNING

TABLE OF RISKS AND CONTROLS – STRATEGIC PLANNING

OVERVIEW – MERGERS AND ACQUISITIONS

MERGERS AND ACQUISITIONS PROCESS FLOW – SELLER

MERGERS AND ACQUISITIONS PROCESS FLOW – BUYER

CONTROLLER'S TOOL 16 – MERGERS AND ACQUISITIONS DUE DILIGENCE CHECKLIST

TABLE OF CONTROLS – MERGERS AND ACQUISITIONS

TABLE OF RISKS AND CONTROLS – MERGERS AND ACQUISITIONS

NOTES

SECTION 3: Internal Control Risk

SECTION INTRODUCTION

CHAPTER 8: Internal Control Program

OVERVIEW

INTERNAL CONTROL PROCESS FLOW

THE THREE CRITICAL CORPORATE CONTROLS

THE COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION AND INTERNAL CONTROLS

CONTROLLER'S TOOL 17 – ROLES AND RESPONSIBILITIES FOR INTERNAL CONTROLS

THE IMPACT OF SECTION 404 OF THE SARBANES–OXLEY ACT OF 2002 ON INTERNAL CONTROL PROGRAMS

CONTROLLER'S TOOL 18 – INTERNAL CONTROL BEST PRACTICES FOR PRIVATELY HELD COMPANIES

CONTROLLER'S TOOL 19 – LEVERAGING INTERNAL CONTROL BASICS TO IMPLEMENT A CONTROL SELF-ASSESSMENT PROGRAM

INTERNAL CONTROLS AND FRAUD PREVENTION

THE FRAUD TRIANGLE

THE FIVE ELEMENTS OF FRAUD AND THE FRAUD DIAMOND

DEFINITION AND EXAMPLES OF FRAUD

TABLE OF CONTROLS – INTERNAL CONTROL PROGRAM

TABLE OF RISKS AND CONTROLS – INTERNAL CONTROL PROGRAM

NOTES

SECTION 4: Compliance Risk

SECTION INTRODUCTION

NOTE

CHAPTER 9: Regulatory Compliance

OVERVIEW

REGULATORY COMPLIANCE PROCESS FLOW

CONTROLLER'S TOOL 20 – REGULATORY COMPLIANCE TOOLKIT

TABLE OF CONTROLS – REGULATORY COMPLIANCE

TABLE OF RISKS AND CONTROLS – REGULATORY COMPLIANCE

PART TWO

SECTION 5: Payment Risk

SECTION INTRODUCTION

CONTROLLER'S TOOL 21 – OVERVIEW OF BUSINESS PAYMENT PROCESSES, SUBPROCESSES, RISK IMPACTS, AND INDICATORS

NOTE

CHAPTER 10: Procure-to-Pay

OVERVIEW

1.0 PROCUREMENT

1.1 SUPPLIER SELECTION AND MANAGEMENT

1.2 CONTRACT MANAGEMENT

1.3 PURCHASING AND ORDERING

1.4 REPORTING, METRICS, AND ANALYTICS

2.0 ACCOUNTS PAYABLE

2.1 SUPPLIER MASTER FILE

2.2 INVOICE PROCESSING

2.3 PAYMENT PROCESS

2.4 ACCOUNTING PROCESS

2.5 CUSTOMER SERVICE

2.6 REPORTING, METRICS, AND ANALYTICS

2.7 P-CARDS

2.8 TRAVEL AND ENTERTAINMENT

NOTES

CHAPTER 11: Hire-to-Retire

OVERVIEW

3.0 HUMAN RESOURCES

3.1 HUMAN RESOURCES PROCESS

4.0 PAYROLL

4.1 PAYROLL PROCESSING PROCESS

4.2 PAYROLL PAYMENT PROCESS

4.3 REPORTING, METRICS, AND ANALYTICS

NOTE

CHAPTER 12: Order-to-Cash

OVERVIEW

5.0 ORDER-TO-CASH

5.1 SALES

5.2 CUSTOMER MASTER FILE

5.3 CREDIT ANALYSIS

5.4 ORDER FULFILLMENT AND INVOICING

5.5 ACCOUNTS RECEIVABLE AND COLLECTIONS

5.6 CASH APPLICATION AND MANAGEMENT

5.7 REPORTING, METRICS, AND ANALYTICS

PART THREE

SECTION 6: Financial Operations Risk

SECTION INTRODUCTION

CHAPTER 13: Record-to-Report

OVERVIEW

RECORD-TO-REPORT PROCESS FLOW

CONTROLLER'S TOOL 22 – MONTHLY CLOSING BEST PRACTICES

CONTROLLER'S TOOL 23 – 15 BEST PRACTICES TO SIMPLIFY YOUR FINANCIAL CLOSE

FRAUD WITHIN THE RECORD-TO-REPORT PROCESS

CONTROLLER'S TOOL 24 – GENERAL FINANCIAL STATEMENT FRAUD RED FLAGS

CONTROLLER'S TOOL 25 – FRAUD RED FLAGS FOR LENDERS AND INVESTORS

TABLE OF CONTROLS – RECORD-TO-REPORT

TABLE OF RISKS AND CONTROLS – RECORD-TO-REPORT

CHAPTER 14: Budgets, Forecasts, and Capital Budgeting

OVERVIEW – BUDGETS AND FORECASTS

BUDGETS, FORECASTS, AND CAPITAL BUDGETING PROCESS FLOW

FINANCIAL STATEMENT ANALYSIS

THE PURPOSE OF BUDGETING

CONTROLLER'S TOOL 26 – TYPES OF BUDGETING

CONTROLLER'S TOOL 27 – THE BUDGETING PROCESS

CONTROLLER'S TOOL 28 – BUDGET PROCESS BEST PRACTICES

MOVING YOUR FINANCE FUNCTION TO DYNAMIC BUDGETING AND PLANNING

CONTROLLER'S TOOL 29 – TYPES OF FINANCIAL FORECASTING MODELS

CONTROLLER'S TOOL 30 – THE FORECASTING PROCESS FOR SMALL BUSINESSES

TABLE OF CONTROLS – BUDGETS AND FORECASTS

TABLE OF RISKS AND CONTROLS – BUDGETS AND FORECASTS

OVERVIEW – CAPITAL BUDGET AND FIXED ASSETS

DEVELOPING THE CAPITAL BUDGET

CONTROLLER'S TOOL 31 – CONTROLLER'S AREAS OF RESPONSIBILITY FOR THE CAPITAL BUDGET AND FIXED ASSETS

CONTROLLER'S TOOL 32 – ALTERNATIVE METHODS FOR CAPITAL BUDGETING

TABLE OF CONTROLS – CAPITAL BUDGET AND FIXED ASSETS

TABLE OF RISKS AND CONTROLS – CAPITAL BUDGET AND FIXED ASSETS

NOTE

CHAPTER 15: Supply Chain Management and Inventory Control

OVERVIEW

SUPPLY CHAIN MANAGEMENT AND INVENTORY CONTROL PROCESS FLOW

THE ROLE OF THE CONTROLLER

SUPPLY CHAIN FINANCE

CONTROLLER'S TOOL 33 – BLOCKCHAIN FEATURES THAT ENABLE SUPPLY CHAIN FINANCING

INVENTORY TYPES

INVENTORY MANAGEMENT

INVENTORY COSTING METHODS

TRENDS IN INVENTORY MANAGEMENT

OTHER PROCESSES RELEVANT TO THE SUPPLY CHAIN BUSINESS PROCESS

CONTROLLER'S TOOL 34 – SUPPLY CHAIN PERFORMANCE METRICS

TABLE OF CONTROLS – SUPPLY CHAIN MANAGEMENT AND INVENTORY CONTROL

TABLE OF RISKS AND CONTROLS – SUPPLY CHAIN MANAGEMENT AND INVENTORY CONTROL

CHAPTER 16: Treasury and Cash Management

OVERVIEW

TREASURY AND CASH MANAGEMENT PROCESS FLOW

CONTROLLER'S TOOL 35 – RESPONSIBILITIES OF THE TREASURY DEPARTMENT

CONTROLLER'S TOOL 36 – WHAT ARE THE COMPONENTS OF CASH FLOW?

HOW DOES A COMPANY PRACTICE GOOD CASH FLOW MANAGEMENT?

CONTROLLER'S TOOL 37 – CASH FORECASTS

PAYMENT FLOAT

LETTER OF CREDIT

FOREIGN EXCHANGE POLICY: MANAGEMENT AND CONTROLS

CONTROLLER'S TOOL 38 – FOREIGN EXCHANGE POLICY DEVELOPMENT PROCESS

CONTROLLER'S TOOL 39 – CASH MANAGEMENT RULES FOR PETTY CASH

CASH MANAGEMENT

CONTROLLER'S TOOL 40 – INTERNATIONAL PAYMENT METHODS

TABLE OF CONTROLS – TREASURY AND CASH MANAGEMENT

TABLE OF RISKS AND CONTROLS – TREASURY AND CASH MANAGEMENT

CHAPTER 17: Shared Services and Business Process Outsourcing

OVERVIEW

SHARED SERVICES AND BUSINESS PROCESS OUTSOURCING PROCESS FLOW

CONTROLLER'S TOOL 41 – FIVE WAYS THAT HUMAN RESOURCES SHARED SERVICES HELPS SMALL BUSINESS

CONTROLLER'S TOOL 42 – THE BENEFITS OF IMPLEMENTING SHARED SERVICES CENTERS

CONTROLLER'S TOOL 43 – TYPES OF OUTSOURCING MODELS

CONTROLLER'S TOOL 44 – THE ADVANTAGES OF OUTSOURCING

BUSINESS PROCESS OUTSOURCING

CONTROLLER'S TOOL 45 – COST-BENEFIT ANALYSIS

CONTROLLER'S TOOL 46 – INFORMATION FOR SUPPLIER EVALUATION

CONTROLLER'S TOOL 47 – CONSIDERATIONS IN IMPLEMENTING SERVICE LEVEL AGREEMENTS AND METRICS

TABLE OF CONTROLS – SHARED SERVICE CENTERS AND BUSINESS PROCESS OUTSOURCING

TABLE OF RISKS AND CONTROLS – SHARED SERVICE CENTERS AND BUSINESS PROCESS OUTSOURCING

CHAPTER 18: Dashboards, Data Validation, Analytics, Metrics, and Benchmarking

OVERVIEW

DASHBOARDS, DATA VALIDATION, ANALYTICS, METRICS, AND BENCHMARKING PROCESS FLOW

CONTROLLER'S TOOL 48 – KEY CONSIDERATIONS FOR DASHBOARD TECHNOLOGY

CONTROLLER'S TOOL 49 – TYPES OF BENCHMARKING

CONTROLLER'S TOOL 50 – IMPLEMENTING METRICS

TABLE OF CONTROLS – DATA VALIDATION, ANALYTICS, METRICS, AND BENCHMARKING

TABLE OF RISKS AND CONTROLS – DATA VALIDATION, ANALYTICS, METRICS, AND BENCHMARKING

SECTION 7: Information Technology Risk

SECTION INTRODUCTION

CHAPTER 19: Information Technology Controls and Cybersecurity

OVERVIEW

INFORMATION TECHNOLOGY CONTROLS AND CYBERSECURITY PROCESS FLOW

ACCESS CONTROL

USER ACCOUNTS

LOGIN AND RESOURCE ACCESS REQUESTS

INTERNAL SERVICE LEVEL AGREEMENTS

MANAGEMENT AND CONTROL

VULNERABILITY AND THREAT MANAGEMENT

CONTROLLER'S TOOL 51 – CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGIES

CONTROLLER'S TOOL 52 – OTHER IT INTERNAL CONTROL FRAMEWORKS AND CONSIDERATIONS

CONTROLLER'S TOOL 53 – IT FRAMEWORK AND INTERNAL CONTROL CONSIDERATIONS FOR SMALL BUSINESSES

CONTROLLER'S TOOL 54 – KEY COMPONENTS OF SUCCESSFUL IT GOVERNANCE

TABLE OF CONTROLS – INFORMATION TECHNOLOGY CONTROLS AND CYBERSECURITY

TABLE OF RISKS AND CONTROLS – INFORMATION TECHNOLOGY CONTROLS AND CYBERSECURITY

NOTE

SECTION 8: Business Continuity and Physical Security Risk

SECTION INTRODUCTION

CHAPTER 20: Business Continuity and Physical Security

OVERVIEW – BUSINESS CONTINUITY

BUSINESS CONTINUITY PROCESS FLOW

BUSINESS CONTINUITY AND DISASTER RECOVERY: KEY DEFINITIONS

CONTROLLER'S TOOL 55 – BUSINESS CONTINUITY: PERSONNEL

CONTROLLER'S TOOL 56 – BUSINESS CONTINUITY: INFORMATION TECHNOLOGY

TABLE OF CONTROLS – BUSINESS CONTINUITY

TABLE OF RISKS AND CONTROLS – BUSINESS CONTINUITY

OVERVIEW – PHYSICAL SECURITY

PHYSICAL SECURITY PROCESS FLOW

SECURITY CONTROLS: KEY DEFINITIONS

CONTROLLER'S TOOL 57 – ISO/IEC 17799:2005

TABLE OF CONTROLS – PHYSICAL SECURITY

TABLE OF RISKS AND CONTROLS – PHYSICAL SECURITY

NOTE

SECTION 9: Leadership and Change Management Risk

SECTION INTRODUCTION

CHAPTER 21: Leadership and Managing Change

OVERVIEW

LEADERSHIP AND CHANGE MANAGEMENT PROCESS FLOW

CONTROLLER'S TOOL 58 – THE HENRI FAYOL PRINCIPLES OF BUSINESS MANAGEMENT

CONTROLLER'S TOOL 59 – LEADERSHIP TRAITS

CONTROLLER'S TOOL 60 – COMMUNICATION FOR CONTROLLERS

CONTROLLER'S TOOL 61 – GUIDELINES FOR ACTIVE LISTENING

TABLE OF CONTROLS – LEADERSHIP AND MANAGING CHANGE

TABLE OF RISKS AND CONTROLS – LEADERSHIP AND MANAGING CHANGE

NOTE

CHAPTER 22: Trends, Process Transformation, and Digitization

OVERVIEW

TRENDS, PROCESS TRANSFORMATION, AND DIGITIZATION PROCESS FLOW

CONTROLLER'S TOOL 62 – BLOCKCHAIN USES

CONTROLLER'S TOOL 63 – IDENTIFYING SAAS IMPOSTERS

CONTROLLER'S TOOL 64 – 10 CRITICAL REQUIREMENTS FOR CLOUD APPLICATIONS

PROCESS DIGITIZATION

CONTROLLER'S TOOL 65 – TYPES OF IT SOLUTIONS TO CONSIDER

DEVELOPING THE BUSINESS CASE

CONTROLLER'S TOOL 66 – THE BUSINESS CASE TEMPLATE

TABLE OF CONTROLS – TRENDS, PROCESS TRANSFORMATION, AND DIGITIZATION

TABLE OF RISKS AND CONTROLS – TRENDS, PROCESS TRANSFORMATION, AND DIGITIZATION

NOTE

PART FOUR

Glossary

ENDNOTE

Index of Controller's Tools

Key Performance Indicator Library

Index

End User License Agreement


Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.

The Controller's Toolkit

Christine H. Doxey

Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Names: Doxey, Christine H., 1955- author.

Title: The controller’s toolkit / Christine H. Doxey.

Description: Hoboken, New Jersey : Wiley, [2021] | Includes index.

Identifiers: LCCN 2020029244 (print) | LCCN 2020029245 (ebook) | ISBN 9781119700647 (hardback) | ISBN 9781119700623 (Adobe PDF) | ISBN 9781119700654 (epub) | ISBN 9781119700586

Subjects: LCSH: Controllership. | Corporate—Finance. | Risk management. | Corporate governance.

Classification: LCC HG4026 .D68 2021 (print) | LCC HG4026 (ebook) | DDC 658.15/1—dc23

LC record available at https://lccn.loc.gov/2020029244

LC ebook record available at https://lccn.loc.gov/2020029245

Cover Design: Wiley

Cover Image: © nasirkhan/Shutterstock

Preface

This book provides a comprehensive collection of templates, checklists, roadmaps, review sheets, internal controls, policies, and procedures. These practical and implementable tools will enable aspiring, new, and established controllers to take a significant leap forward as finance and accounting leaders. This book is an excellent reference for all finance and accounting professionals because it provides a wide array of information on technical and “soft” competencies. The contents provide concrete examples and tools on business ethics, corporate governance, regulatory compliance, risk management, security, IT processes, leadership, and financial operations. Anyone wishing to learn more about a specific business process—such as accounts payable, accounts receivable, or payroll—can use this valuable resource to quickly become a subject matter expert.

PART ONE

CHAPTER 1: About This Toolkit

The Controller's Toolkit provides a single source for everything that controllers and finance and accounting professionals need to know to be successful. This toolkit will enable aspiring, new, and current controllers to take a giant leap forward and gain proficiency as corporate leaders.

The comprehensive content provided in this toolkit consists of process flows, checklists, tables of controls, and tables of risks and controls. Each comprehensive table of risks and controls identifies the risks to the business process, recommended policies, controls that will mitigate the risks, and internal control metrics. Besides laying out the accounting and technical requirements of the controllership, this toolkit describes the leadership skills that support the success of a controller's career.

This toolkit is a must-have for accounting and finance professionals wishing to advance their careers and expand their skills and knowledge. It may also appeal to chief executive officers (CEOs), chief financial officers (CFOs), chief human resources officers, controllers, treasurers, and anyone else who is in the chain of command or who serves as an influencer for corporate finance and accounting processes.

This toolkit is a great reference for many roles within these wide-ranging corporate functions and for companies of many sizes. It can also serve as a training tool, since the content takes a new look at the roles and responsibilities of a controller.

This comprehensive toolkit is organized by specifically defined areas of risk that apply to any company or industry. Each chapter is focused on a business process and includes an overview, a process flow, a table of controls, and a table of risks and controls. The author has included 66 tools, each of which has been designed specifically for controllers to tackle the challenges of a specific business process. Here's how this toolkit is organized.

How This Toolkit Is Organized

Section Number and Area of Risk / Chapter Number and Chapter Title

Introductory Chapters
    Chapter 1: About This Toolkit
    Chapter 2: Defining the Role of a Controller

Section 1: Corporate and Reputational Risk
    Chapter 3: The Controller and Risk Management
    Chapter 4: The Controller and Ethics
    Chapter 5: The Controller and Corporate Governance
    Chapter 6: Entity-Level Controls

Section 2: Strategic Planning and Mergers and Acquisitions Risk
    Chapter 7: Strategic Planning and Mergers and Acquisitions

Section 3: Internal Control Risk
    Chapter 8: Internal Control Program

Section 4: Compliance Risk
    Chapter 9: Regulatory Compliance

Section 5: Payment Risk
    Chapter 10: Procure-to-Pay
    Chapter 11: Hire-to-Retire
    Chapter 12: Order-to-Cash

Section 6: Financial Operations Risk
    Chapter 13: Record-to-Report
    Chapter 14: Budgets, Forecasts, and Capital Budgeting
    Chapter 15: Supply Chain Management and Inventory Control
    Chapter 16: Treasury and Cash Management
    Chapter 17: Shared Services and Business Process Outsourcing
    Chapter 18: Dashboards, Data Validation, Analytics, Metrics, and Benchmarking

Section 7: Information Technology Risk
    Chapter 19: Information Technology Controls and Cybersecurity

Section 8: Business Continuity and Physical Security Risk
    Chapter 20: Business Continuity and Physical Security

Section 9: Leadership and Change Management Risk
    Chapter 21: Leadership and Managing Change
    Chapter 22: Trends, Process Transformation, and Digitization

CHAPTER 2: Defining the Role of a Controller

OVERVIEW

The controllership function is carried out by a controller, usually the individual in charge of, and with authority over, the processes related to finance and accounting. A controller's main goal is to keep the company's bottom line secure through accurate internal controls and well-defined financial operations. But a good controller also needs to be aware of every area of risk that may affect the company and its ongoing success.

The role of the controller is often defined as being a business partner to the other functions and divisions within an organization. In many organizations the role of the finance professional more generally is defined the same way: as a business partner to the parts of the organization it supports.

Controllers are faced with much broader challenges and opportunities in today's business world and are being asked to take on additional responsibilities outside of the traditional “chief accounting officer” role. Controllers are connected to most of the key business processes within an organization. Controllers provide the stewardship and accountability systems that ensure that the organization is conducting its business in an appropriate, ethical manner.

Controllers and their staffs should also provide the information, analysis, and advice that will enable the organization's operational management to perform effectively. This means understanding the impacts that the supply chain can have upon the accounting processes for the organization.

Controllers are process driven and are always looking for practical tools to manage their areas of responsibility and to advance their careers. These tools can extend the competencies and efficiencies of corporate and controllership processes, which fall under the umbrella of governance, risk management, and compliance (GRC).

CONTROLLER'S TOOL 1 – SUGGESTED JOB RESPONSIBILITIES FOR A CONTROLLER

Introduction. Monster is a global online employment solution for people seeking jobs and employers. Monster has expanded from its roots as a job board to a global provider of a full array of job-seeking, career-management, recruitment, and talent-management products and services. Monster recommends the following list of job responsibilities for a controller:

Suggested Job Responsibilities for a Controller

Achieves budget objectives by scheduling expenditures, analyzing variances, and initiating corrective actions.

Provides status of financial condition by collecting, interpreting, and reporting financial data.

Prepares special reports by collecting, analyzing, and summarizing information and trends.

Complies with federal, state, and local legal requirements by studying existing and new legislation, anticipating future legislation, enforcing adherence to requirements, filing financial reports, and advising management on needed actions.

Ensures operation of equipment by establishing preventive maintenance requirements and service contracts, maintaining equipment inventories, and evaluating new equipment and techniques.

Completes operational requirements by scheduling and assigning employees and by following up on work results.

Maintains financial staff by recruiting, selecting, orienting, and training employees.

Maintains financial staff job results by coaching, counseling, and disciplining employees and by planning, monitoring, and appraising job results.

Protects operations by keeping financial information and plans confidential.[1]

CONTROLLER'S TOOL 2 – CORE COMPETENCIES OF A CONTROLLER

Introduction. Within their companies, controllers are always looked upon as accounting and financial leaders. Many controllers are thought of as the chief accounting officer. I recently authored a blog entry for Nvoicepay that highlights the 15 leadership skills that a controller should have. Controllers should have a blend of skills from two key areas: (1) accounting and business knowledge, and (2) leadership and influence, as listed below.[2]

Accounting and Business Knowledge

Cost Control.

As an example, a cost-control process would be implemented for a major project to monitor cost performance, ensure changes are recorded accurately, prohibit unauthorized changes, inform stakeholders of cost changes, keep expected costs within acceptable limits, and monitor and document the reasons for favorable or unfavorable cost variances. As a controller, you're responsible for controlling cost. This involves developing the policies and procedures, systems, processes, and metrics that keep costs under control.

Internal Controls and Compliance.

A controller usually has overall responsibility for the internal controls program and processes for their organization. This means that the design, development, and testing of the operational effectiveness of each control is the responsibility of you and your team. If you work for a publicly traded company, you'll also need to prepare all of the quarterly and annual reporting requirements for Sarbanes–Oxley (SOX).

Financial Reporting and Adding Value.

Controllers and their staffs typically drive the fiscal closing process and are always looking for ways to streamline the process and provide the results sooner through automation and a quicker closing process.

Corporate Transaction Processes.

Controllers have ownership of corporate transaction processes, which include accounts payable, accounts receivable, payroll, travel and expense (T&E), general accounting, and others. There are always large opportunities for streamlining these processes, as evidenced by automation and transformation initiatives in the procure-to-pay (P2P) and order-to-cash (O2C) processes.

Corporate Knowledge.

Controllers should have an excellent knowledge of what their companies do and how they are organized. What is the culture of the company? How is the company organized? How quickly do decisions get made?

Efficiency Improvements.

Along with having a solid knowledge of the corporate transaction processes that are the backbone of your company, you should always look for ways to improve them through process efficiencies and automation. Are there ways to combine similar processes into a shared services organization? Can you reduce manual invoices through implementing an e-invoicing solution? Can you streamline your payment process by implementing e-payment solutions or even outsourcing your payment process?

Analytics.

A savvy controller is driven by analytics and metrics. The results of a well-developed metrics program will show how well your company's business processes are working and where improvements have been successfully implemented. Metrics will also reveal problem areas, and they should be backed by analytics that let you drill down to find the root cause and the solution.

Leadership and Influence

Business Partnerships.

Since a controller oversees the accounting processes for a company, maintaining good business partnerships is a key success factor. You should identify your areas of influence and ensure you have a good relationship or partnership with the leadership in other departments. Key departments usually include information technology (IT), legal, human resources (HR), business ethics, supply chain, and procurement.

Communication.

Communication is a personal process that should be appropriate for both the audience and situation. Choosing the wrong communications channel could send the wrong message. For example, a decision that dramatically impacts a person's career should never be delivered via an impersonal form letter. It's always good to consider how it would feel to be on the receiving end. Think about it: If you were being recognized for outstanding work or many years of service, would a personal thank-you note or an e-mail be more meaningful to you?

Active Listening.

The concept behind active listening is encouraging the speaker to state what they really mean and stems from the work of counselors and therapists. The goal of active listening is to help associates express themselves, offer suggestions, and get to the root of a matter.

Listen for the content of the message and organize it into key components.

Listen for feelings about the key points being conveyed.

Ensure that you respond to feelings appropriately and with compassion.

Be cognizant of any overreaction to the situation.

Watch verbal and nonverbal signals and be prepared to reconvene the discussion if necessary.

Repeat and paraphrase the key points that were conveyed.

Wait until the speaker is finished.

Do not plan your response until the speaker is finished.

Never interrupt to state your own opinion.

Maintain eye contact if you are in a face-to-face meeting.

Leadership Style.

Based on an analysis of all the leadership styles, it makes sense that a controller should be flexible, understand his or her own core leadership style, value team members, and be cognizant of all factors impacting a situation. Although situational leadership is touted as the best leadership style, the situation should not change one's core values or ethics. Great leaders have an in-depth understanding of which leadership style works best for them.

Motivation and Inspiration.

Motivation involves using words and examples that give your team the will to accomplish an objective or take action. Motivation occurs when one has confidence, feels a sense of belonging to a solid team, and has good leadership. Motivation is nurtured by constant reinforcement, a level of trust, and loyalty to the organizational leader, the company, or both. True team motivation occurs when team members motivate each other.

Managing Change.

One of the major challenges of change management is assessing readiness for change. Unfortunately, this assessment does not always take place and the risks associated with the change are not always properly addressed. The goal of assessing change readiness is to identify specific issues and to plan for and address those issues so that risks are minimized. If that assessment does not take place, performance improvement may either be delayed or not achieved, and associated costs can be higher than expected.

Emotional Intelligence.

Psychologist and author Daniel Goleman is cochair of the Consortium for Research on Emotional Intelligence in Organizations, based at Rutgers University. He first brought the term emotional intelligence to a wide audience with his 1995 book of the same name. According to Goleman, the chief components of emotional intelligence are self-awareness, self-regulation, motivation, empathy, and social skills.

Building a Strong Team.

Choosing the right team members is critical to being a good controller. Unless your staff is competent, cohesive, communicative, and committed, you will not be able to fulfill your controllership responsibilities.

CONTROLLER'S TOOL 3 – THE CONTROLLER'S BUSINESS PARTNERSHIP MATRIX

Introduction. Controllers should consider building business partnerships with the organizations included in the table below. This business partnership matrix was developed to provide a listing of potential business partnership organizations. The matrix also includes the areas of influence that will drive the business partnership. Although the areas of influence will differ in public and private companies, the value of a business partnership can be critical to the success of a controller.

Suggested Business Partnership Organization / Area of Influence

HR and Benefits
  HR and Payroll Internal Controls
  Entity-Level Controls
  HR Policy
  HR Policies to Support Internal Controls, Such as Policies for Corporate Cardholder Agreements
  Controller Staff Development and Training Programs
  Benefit Plan Decision Making
  Pension Plan Investment Analysis and Decision Making
  Sarbanes–Oxley 302 and 404

Facilities
  Physical Security Controls
  Facility Strategy
  Closing Old Facilities
  Building New Facilities
  Capital Budgets
  Depreciation Analysis
  Risk Management
  Insurance Plans
  Asset Impairment
  Sarbanes–Oxley 302 and 404

Supply Chain
  Supply Chain Internal Controls
  Supply Chain Strategy
  Logistics Outsourcing Strategy
  Inventory Control
  Inventory Fraud Detection and Prevention
  Operational Metrics and Reporting
  Risk Management
  Sarbanes–Oxley 302 and 404

Legal and Risk Management
  Entity-Level Controls
  Risk Management
  Insurance
  Record Management
  Contract Compliance
  Regulatory Compliance Issues
  Fraud Detection and Prevention
  Sarbanes–Oxley 302 and 404

Compliance
  Regulatory Compliance Applicable to the Organization
  Address Compliance Issues and Ensure the Implementation of Corrective Action Plans
  Sarbanes–Oxley 302 and 404

Internal Audit
  Control Self-Assessment Programs
  Address Control Issues and Ensure the Implementation of Corrective Action Plans
  Recommend Audit Plan and Focus
  Sarbanes–Oxley 302 and 404

Ethics and Compliance
  Entity-Level Controls
  Entity-Level Control Questionnaire
  Ethics Hotline Issues
  Whistleblower Protection
  Fraud Detection and Prevention
  Tone at the Top
  Sarbanes–Oxley 302 and 404

Security and Investigations
  Ethics Hotline Issues
  Fraud Detection and Prevention
  Security Controls
  Physical Security
  Protection of Company Data

Information Technology
  Develop IT Strategy
  IT Controls
  System Access Controls
  Reporting and Metrics
  Selection of ERP Systems
  Cost Analysis
  Functionality
  Financial Systems
  Capital Budget
  Asset Impairment
  IT Business Continuity Plan
  Sarbanes–Oxley 302 and 404

CONTROLLER'S TOOL 4 – THE CONTROLLER'S SPAN OF INFLUENCE

Introduction. The controller position impacts nearly every aspect of the organization. The role of the controller now requires broad interpersonal skills. It is important to build relationships with the management or senior team members of every function within the organization. As an example, if there is a large investment in inventory, the controller should establish a relationship with the inventory controls manager and the materials manager for the organization. The wider range of functions managed by the controller requires a broader range of functional knowledge. In general, the controller should be familiar with enterprise resource planning (ERP) systems, internal auditing, and the organization's functional and administrative areas.

The Controller's Span of Influence

Ensure that regulatory and compliance requirements are followed across all divisions.

Attend and participate in interdepartmental meetings.

Support strategic planning and ensure that corporate budgets are linked to the planning process.

Provide opinions on the effectiveness of other departments.

Implement and manage the company's internal controls program and ensure that controls are operating effectively.

Implement and manage the effectiveness of corporate policies, including:

Delegation of authority policy

Segregation of duties policy

Internal controls policy

Develop enhanced internal control programs and remediation activities to address control weaknesses.

Develop and implement organization-wide metrics, scorecards, and analytics.

Acquire and approve insurance coverage.

Conduct public offerings.

Deal with investors and lenders.

Determine credit limits for strategic customers.

Invest pension funds.

Invest surplus funds.

Administer changes to the pension plan.

Maintain employee files.

NOTES

1. Monster (n.d.). Controller job description sample. Monster website, Job Description Templates (accessed March 8, 2020). https://hiring.monster.com/employer-resources/job-description-templates/controller-job-description-sample

2. Doxey, Chris (2017). 15 leadership skills every controller must have. Nvoicepay website (June 29; accessed March 8, 2020). https://www.nvoicepay.com/resources/blog/15-leadership-skills-controllers-must-have

SECTION 1 Corporate and Reputational Risk

SECTION INTRODUCTION

“We are living in a trust paradox,” said Richard Edelman, CEO of Edelman, a global communications firm. “Since we began measuring trust 20 years ago, economic growth has fostered rising trust. This continues in Asia and the Middle East but not in developed markets, where national income inequality is now the more important factor. Fears are stifling hope, and long-held assumptions about hard work leading to upward mobility are now invalid.”1

The trust of employees, shareholders, and customers drives corporate and reputational risk. Reputational risk has traditionally been seen as an outcome of other risks and not necessarily as a stand-alone risk. This view has been gradually changing, because it is increasingly clear that reputation is critical to the viability of a company.

Reputational risk refers to the potential for negative publicity, public perception, or uncontrollable events to have an adverse impact on a company's reputation, thereby affecting its revenue. A controller can mitigate reputational risk through risk management processes, code of conduct, ethics, corporate governance, and the implementation and ongoing validation of entity-level controls. Mitigating reputational and corporate risk is an ongoing process that is critical to the success of a company.

NOTE

1. Edelman (2020). 2020 Edelman Trust Barometer reveals growing sense of inequality is undermining trust in institutions. Edelman website, January 19, 2020 (accessed April 10, 2020). https://www.edelman.com/news-awards/2020-edelman-trust-barometer

CHAPTER 3 The Controller and Risk Management

OVERVIEW

Companies of all sizes are subject to a variety of risks. Among them are legal, regulatory, strategic, operational, financial, and reputational. Each functional organization is subject to one or more of these types of risk, each of which may impact the company's bottom line. Companies use a number of tools, such as insurance, establishment of reserve funds, and investment policies (including options and futures), to address some of their risks.

The controller should ensure that the organization's internal controls properly address risk by conducting a risk assessment and analysis of the relevant risks that may impact the achievement of company objectives. Furthermore, economic, industry, regulatory, operating, and compliance impacts are always changing. A controller should establish the appropriate methodology to assess and react to different kinds of risk.

RISK MANAGEMENT PROCESS FLOW

RISK MANAGEMENT DEFINED

Risk management is a process for identifying, assessing, and prioritizing risks of different kinds. Once the risks are identified, the risk manager creates a plan to minimize or eliminate the impact of negative events. Risk management can also be defined as the process of assessing risk and acting in such a manner, or prescribing policies and procedures, so as to avoid or minimize the loss associated with that risk. Although risk management in itself is generally not a regulatory requirement, it is an important focus of all types of organizations.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management (ERM) as follows:

Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The Global Association of Risk Professionals (GARP) defines risk management in this way:

Risk management is a structured approach to monitoring, measuring, and managing exposures to reduce the potential impact of an uncertain event happening.

When developing a risk management plan, a controller should consider the factors that may create risk. These factors are:

Inadequate management reporting and monitoring

Inadequate financial performance metrics

Operational issues due to poor internal controls

Legal and regulatory violations

Incorrect financial reporting due to management overrides or fraudulent activities

Excessive bad debt and inventory write-offs

Internal and external fraud

Breaches of confidentiality

Lack of quality control

Lack of a business continuity plan

After considering the risk factors above, a controller should develop a risk policy that outlines the organization's risk management framework in relation to its objectives. Risk policies will vary across industries and companies based on the ability to absorb losses and the rate of return an organization seeks from operations.

CONTROLLER'S TOOL 5 – TYPES OF RISK

Introduction. Besides the types of risk identified in this book, there are other types of risk that controllers should consider when defining a risk management process for their companies. These types of risk are provided below.

Type of Risk

Operational Risk. Operational risk is a potential risk of loss resulting from inadequate or failed internal processes, from people and systems, or from external events. The result of unmanaged operational risk is an operational failure.

Financial Risk. Financial risk is sometimes referred to as treasury risk. Hedging attempts to reduce financial risk by matching a position with an opposite and offsetting position in a financial instrument that tracks or mirrors the value changes in the position.

Fraud Risk. Fraud risk is a potential violation of the organization's ethics and compliance standards, business practice requirements, financial reporting integrity, and other objectives.

Market Risk. Market risk deals with the different types of financial market risks, such as interest rate risk, equity risk, commodity risk, and currency risk.

Credit Risk. Credit risk is the risk of loss due to nonpayment of a loan, bond, or other credit instrument.

Commodity Risk. Commodity risk is a potential loss from an adverse change in commodity prices.

Currency Risk. Currency risk management focuses on the fluctuations in currency values (see Financial Risk).

Project Risk. Project risk is the risk associated with not completing a project within the expected timeline and budget.

Technology and Software Risks. Technology and software risks are associated with implementation of new technology or software and the impact that the implementation may have on the organization.

CONTROLLER'S TOOL 6 – RISK MANAGEMENT FRAMEWORKS

Introduction. There are several risk management frameworks that a controller should consider when developing an internal controls structure to mitigate specific areas of risk across the company. The type of framework selected will depend upon company strategy and customer requirements. As the company works with the risk management team, it should consider the risk events that can be fatal to the company and jeopardize its survival.

Multiple studies have found that people overestimate their ability to influence events that, in fact, are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.1

Type of Risk Management Framework / Overview

ISO 31000:2018 (https://www.iso.org/standard/65694.html)

This updated standard now defines risk as the “effect of uncertainty on objectives,” with a focus on the effect of incomplete knowledge of events or circumstances on an organization's decision-making. This requires a change in the traditional understanding of risk, forcing organizations to tailor risk management to their needs and objectives – a key benefit of the standard. Jason Brown explains: “ISO 31000 provides a risk management framework that supports all activities, including decision-making across all levels of the organization. The ISO 31000 framework and its processes should be integrated with management systems to ensure consistency and the effectiveness of management control across all areas of the organization.” This would include strategy and planning, organizational resilience, IT, corporate governance, HR, compliance, quality, health and safety, business continuity, crisis management, and security.2

COSO Enterprise Risk Management – Integrating with Strategy and Performance (2017) (https://www.coso.org/Pages/default.aspx)

“In keeping with its overall mission, the COSO board commissioned and published in 2004 Enterprise Risk Management – Integrated Framework. Over the past decade, that publication has gained broad acceptance by organizations in their efforts to manage risk. However, also through that period, the complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, titled Enterprise Risk Management – Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance.”3

National Institute of Standards and Technology (NIST) Risk Management Framework (https://www.nist.gov/system/files/documents/2018/03/28/vickie_nist_risk_management_framework_overview-hpc.pdf)

The selection and specification of security controls for a system is accomplished as part of an organization-wide information security program that involves the management of organizational risk – that is, the risk to the organization or to individuals associated with the operation of a system. The management of organizational risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for a system – the security controls necessary to protect individuals and the operations and assets of the organization.4

CONTROLLER'S TOOL 7 – CONSIDERATIONS FOR MANAGING RISK WITH AN ENTERPRISE RISK MANAGEMENT MODEL

Introduction. The following tool provides an approach to consider when implementing an ERM model. ERM aims to attain informed business decisions by evaluating total returns relative to total risks, which can be determined by asking these questions:

I. Internal Environment

What is the overall risk appetite of the organization?

How committed is the board of directors (BoD) to establishing a risk management philosophy?

Are there integrity, ethical values, and a commitment to competence in the organization?

Is the assignment of authority and responsibility over risks well managed? Who manages this process?

What is the organizational structure of the company and departments?

What HR standards related to risk management are currently in place?

II. Objective Setting

How well are strategic and related objectives defined?

How is the achievement of these objectives monitored?

What activities are on your risk management goal sheet for this year?

What does the company need to do well over the next year in order to succeed and reach its goals? What factors do you consider to be critical to your company's success in the next year?

What areas would you like to see moved to the next level of performance?

What could prevent you from achieving your goals (e.g. people, processes, funding, etc.)?

III. Event Identification

How do internal and external forces impact the risk profile?

What other event identification techniques are in place (e.g. self-assessments, SOX, report reviews, trend reporting, fraud hotline, etc.)?

How are deficiencies captured and reported?

How does the organization distinguish between risks and opportunities?

IV. Risk Assessment

What does management perceive to be the largest risks to the company, in terms of significance and likelihood?

What do managers perceive to be the biggest risks within their areas of control? Please provide examples.

Thinking of other areas within the company, how well does management receive information from shared services groups (e.g. IT, finance, HR)?

What additional information would management like to have accessible in order to better perform its responsibilities?

In management's opinion, what areas or processes are most susceptible to fraud?

Is management aware of any instances of fraud within the company? What/how/who?

V. Risk Response

How are risks monitored and reported within the organization?

How effectively are identified risks managed?

What is management doing specifically to manage identified risks (e.g. financial statement variance reporting, trend reporting, credit reporting, insurance policies, legal, BoD involvement and reporting)?

VI. Control Activity

What is management's assessment of the effectiveness of overall controls in preventing risks and carrying out risk activities within your organization?

How are the defined control activities tested?

What type of review process takes place for policies and procedures?

What type of review process takes place for IT application controls and the IT general control environment?

What components are included in the company's entity-level controls program?

VII. Information and Communication

How does the organization/department capture information and communicate related risk?

What communications barriers are present within the organization?

What ongoing monitoring activities are in place (e.g. compliance monitoring, Internal Audit (IA), risk management group, BoD monitoring, etc.)?

TABLE OF CONTROLS – RISK MANAGEMENT

Process: Risk Management

Governance and ownership of the risk management process are clearly established.

Roles and responsibilities for the risk management process are clearly defined.

Risk management processes begin and end with clearly defined business objectives.

The risk management model to be used is defined and communicated to executive management for approval and implementation.

A risk rating system is defined in relation to the organization's objectives and considers all types of risk applicable to the company. Risk rating scales are tied to the company's risk management model, establish risk tolerances, and are based on the calculated or perceived severity of the consequences. Leading indicators (market and industry trends, weather, and world health impacts) are used to provide insight into potential risks.

A risk portfolio is developed to support decision-making. This portfolio is updated on an annual basis.

Action plans and remediation activities are in place to address potential risks.

Risk-based internal controls are prioritized based on mitigating risk. All companies, regardless of size, structure, nature, or industry, encounter risks at all levels within their organizations. Risks affect each company's ability to survive, successfully compete within its industry, maintain financial strength and a positive public image, and maintain the overall quality of its products, services, and people. Since there is no practical way to reduce risk to zero, management should determine how much risk should be prudently accepted and strive to maintain risk at acceptable levels by considering the implementation of risk-based controls.

Risk assessment plans and schedules are communicated to the audit committee, the BoD, and executive management. A schedule is in place to ensure that a risk assessment is conducted in a timely manner.

Significant risks are communicated to executive management and the BoD when they are identified.
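The risk rating system, risk portfolio, and significant-risk escalation controls above, together with the KPIs used in the risk tables that follow (risks identified per period, risks requiring remediation, risks that occurred more than once, predicted versus actual severity, risks not identified, risks mitigated), can be made concrete in a small risk register. The Python below is an added example written for this page, not a tool from The Controller's Toolkit: the 1 to 5 likelihood and impact scales, the tolerance threshold of 12 that marks a risk as significant, and the register entries are constructed assumptions.

```python
"""Risk rating and KPI roll-up over a small risk register.

Example code added to illustrate the risk rating, risk portfolio, and
significant-risk escalation controls; it is not from The Controller's
Toolkit. The 1-5 scales, the threshold of 12, and the register entries
below are assumptions constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed rating scales (1 = lowest, 5 = highest).
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed risk tolerance: a score at or above this is "significant" and must be
# reported to executive management and the board when identified.
SIGNIFICANT_THRESHOLD = 12
MODERATE_THRESHOLD = 6


@dataclass
class Risk:
    risk_id: str
    category: str                  # operational, financial, fraud, ... (Tool 5)
    likelihood: int                # 1-5
    impact: int                    # 1-5, predicted severity of the consequences
    period: str                    # assessment period the risk was logged in
    occurrences: int = 0           # how many times the event actually happened
    actual_impact: Optional[int] = None  # realized severity if it happened
    remediated: bool = False       # action plan completed
    pre_identified: bool = True    # False if logged only after the event occurred

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        """Rating = likelihood x impact, on a 1-25 scale."""
        return self.likelihood * self.impact

    @property
    def tier(self) -> str:
        """Map the score onto the tolerance bands."""
        if self.score >= SIGNIFICANT_THRESHOLD:
            return "significant"
        if self.score >= MODERATE_THRESHOLD:
            return "moderate"
        return "low"


def significant_risks(register: List[Risk]) -> List[Risk]:
    """Escalation list: risks above tolerance, highest score first."""
    return sorted((r for r in register if r.tier == "significant"),
                  key=lambda r: r.score, reverse=True)


def kpis(register: List[Risk], period: str) -> Dict[str, float]:
    """The KPIs used in the risk tables, computed for one period."""
    in_period = [r for r in register if r.period == period]
    occurred = [r for r in in_period if r.actual_impact is not None]
    # Mean (actual - predicted) impact; > 0 means severity was under-estimated.
    severity_gap = (sum(r.actual_impact - r.impact for r in occurred) / len(occurred)
                    if occurred else 0.0)
    return {
        "identified": len(in_period),
        "requiring_remediation": sum(1 for r in in_period
                                     if r.tier != "low" and not r.remediated),
        "recurring": sum(1 for r in in_period if r.occurrences > 1),
        "not_identified": sum(1 for r in occurred if not r.pre_identified),
        "mitigated": sum(1 for r in in_period if r.remediated),
        "severity_gap": severity_gap,
    }


# Constructed sample register (not real data).
REGISTER = [
    Risk("R1", "operational", 4, 4, "2020Q1", occurrences=2, actual_impact=5),
    Risk("R2", "fraud", 2, 5, "2020Q1"),
    Risk("R3", "credit", 3, 2, "2020Q1", remediated=True),
    Risk("R4", "project", 1, 2, "2020Q1"),
    Risk("R5", "technology", 3, 4, "2020Q1", occurrences=1, actual_impact=4,
         pre_identified=False),
    Risk("R6", "market", 5, 3, "2019Q4"),
]

if __name__ == "__main__":
    for r in significant_risks(REGISTER):
        print(f"ESCALATE {r.risk_id} ({r.category}): score {r.score}, tier {r.tier}")
    for name, value in kpis(REGISTER, "2020Q1").items():
        print(f"{name:>22}: {value}")
```

Run as a script, it prints the escalation list (R1, R6, R5) and the 2020Q1 KPIs. The point of keeping the threshold and scales as named constants is that they are the risk tolerance statement in executable form: changing the tolerance changes which risks reach the board, and the predicted-versus-actual severity gap shows whether the rating scale itself needs recalibration.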

TABLE OF RISKS AND CONTROLS – RISK MANAGEMENT

Process: Risk Management

Process Risk / Recommended Policies / Internal Controls / KPIs

Process Risk: The value of a risk management process is limited.
The owner of a risk assessment must clearly communicate its purpose, process, and expected benefits. The right parties must be engaged to ensure relevant input, informed assessment, and meaningful and actionable results.
Recommended Policies:
  Risk Strategy
  Risk Tolerance Statement
  Risk Management Policy
  Risk Assessment Policy
  Internal Controls Policy
Internal Controls:
  Governance and Ownership
  Roles and Responsibilities
  Risk Management Processes
  Risk Management Model
  Risk Rating System
  Risk Portfolio
  Action Plans and Remediation Activities
  Risk-Based Controls
  Risk Assessment Plans and Schedules
  Communication of Significant Risks
KPIs:
  Number of Risks Identified per Period
  Number of Risks Requiring Remediation
  Number of Risks That Occurred More than Once
  Predicted Risk Severity Compared to Actual Severity
  Number of Risks That Were Not Identified
  Cost of Risk Management
  Number of Risks Mitigated

Process Risk: Results are difficult to use.
Failure to effectively organize and manage the volume and quality of assessment data makes interpreting that data a challenge. Tools, templates, and guidance are necessary to ensure consistency in data capture, assessment, and reporting.
Recommended Policies:
  Risk Strategy
  Risk Tolerance Statement
  Risk Management Policy
  Risk Assessment Policy
  Internal Controls Policy
Internal Controls:
  Risk Management Processes
  Risk Management Model
  Risk Rating System
  Risk Portfolio
  Action Plans and Remediation Activities
  Risk-Based Controls
  Risk Assessment Plans and Schedules
KPIs:
  Number of Risks Identified per Period
  Number of Risks Requiring Remediation
  Number of Risks That Occurred More than Once
  Predicted Risk Severity Compared to Actual Severity
  Number of Risks That Were Not Identified
  Number of Risks Mitigated

Process Risk: Results of the risk assessment are not acted upon.
Lack of clarity and accountability around objectives frequently leads to a failure to follow through on assessment findings.
Recommended Policies:
  Risk Assessment Policy
  Internal Controls Policy
Internal Controls:
  Roles and Responsibilities
  Risk Management Processes
  Risk Rating System
  Risk Portfolio
  Action Plans and Remediation Activities
  Risk-Based Controls
  Risk Assessment Plans and Schedules
  Communication of Significant Risks
KPIs:
  Number of Risks Identified per Period
  Number of Risks Requiring Remediation
  Number of Risks That Occurred More than Once
  Predicted Risk Severity Compared to Actual Severity
  Number of Risks That Were Not Identified
  Number of Risks Mitigated

Process Risk: Risk is overcontrolled, resulting in excessive costs and stifled innovation.
Lack of an effective risk assessment process and defined risk tolerance could result in an organization overcontrolling a risk, which could place an excessive cost burden on the organization and/or stifle its ability to seize opportunities.
Recommended Policies:
  Risk Strategy
  Risk Tolerance Statement
  Risk Management Policy
  Risk Assessment Policy
  Internal Controls Policy
Internal Controls:
  Governance and Ownership
  Roles and Responsibilities
  Risk Management Processes
  Risk Management Model
  Risk Rating System
  Risk Portfolio
  Action Plans and Remediation Activities
  Risk-Based Controls
  Risk Assessment Plans and Schedules
  Communication of Significant Risks
KPIs:
  Cost of Risk Management

Process Risk: Risk assessments become stale, providing the same results every time.
Without their data capture, process, and reporting being refreshed from time to time, risk assessments may lose relevance.
Recommended Policies:
  Risk Management Policy
  Risk Assessment Policy
  Internal Controls Policy
Internal Controls:
  Action Plans and Remediation Activities
  Risk-Based Controls
  Risk Assessment Plans and Schedules
  Communication of Significant Risks
KPIs:
  Number of Risks Identified per Period
  Number of Risks Requiring Remediation
  Number of Risks That Occurred More than Once
  Predicted Risk Severity Compared to Actual Severity
  Number of Risks That Were Not Identified
  Cost of Risk Management
  Number of Risks Mitigated

Process Risk: Risk assessment is added onto day-to-day responsibilities without being integrated into business processes.
While tools and templates are helpful to ensure consistency in data capture, assessment, and reporting, it is important that the risk assessment process be anchored and integrated into existing business processes.
Recommended Policies:
  Risk Management Policy
  Risk Assessment Policy
  Internal Controls Policy
Internal Controls:
  Governance and Ownership
  Roles and Responsibilities
  Risk Management Processes
  Risk Management Model
  Risk Rating System
  Risk Portfolio
  Action Plans and Remediation Activities
  Risk-Based Controls
  Risk Assessment Plans and Schedules
  Communication of Significant Risks
KPIs:
  Number of Risks Identified per Period
  Number of Risks Requiring Remediation
  Number of Risks That Occurred More than Once
  Predicted Risk Severity Compared to Actual Severity
  Number of Risks That Were Not Identified
  Cost of Risk Management
  Number of Risks Mitigated

Process Risk: Too many different risk assessments are performed across the organization.
A shared approach should be defined for performing risk assessments, using common tools or templates, common data sets (e.g. risk categories, libraries of risks and controls, rating scales), and flexible hierarchies to enable streamlined data capture, an integrated assessment process, and flexible reporting.
Recommended Policies:
  Risk Management Policy
  Risk Assessment Policy
Internal Controls:
  Roles and Responsibilities
  Risk Management Processes
  Risk Management Model
  Risk Rating System
  Risk Portfolio
  Action Plans and Remediation Activities
  Risk-Based Controls
  Risk Assessment Plans and Schedules
  Communication of Significant Risks
KPIs:
  Number of Risks Identified per Period
  Number of Risks Requiring Remediation
  Number of Risks That Occurred More than Once
  Predicted Risk Severity Compared to Actual Severity
  Number of Risks That Were Not Identified
  Cost of Risk Management
  Number of Risks Mitigated

Process Risk: Risk assessments are not structured to prevent the next big failure.
As risk assessment provides a means for facilitating the discussion around key risks and potential control failures, it helps reduce the risk of breakdowns, unanticipated losses, and other significant failures. Risk assessments need to invoke the right subject-matter experts and consider not only past experience but also forward-looking analysis.
Recommended Policies:
  Risk Strategy
  Risk Tolerance Statement
  Risk Management Policy
  Risk Assessment Policy
  Internal Controls Policy
Internal Controls:
  Governance and Ownership
  Roles and Responsibilities
  Risk Management Processes
  Risk Management Model
  Risk Rating System
  Risk Portfolio
  Action Plans and Remediation Activities
  Risk-Based Controls
  Risk Assessment Plans and Schedules
  Communication of Significant Risks
KPIs:
  Number of Risks Identified per Period
  Number of Risks Requiring Remediation
  Number of Risks That Occurred More than Once
  Predicted Risk Severity Compared to Actual Severity
  Number of Risks That Were Not Identified
  Cost of Risk Management
  Number of Risks Mitigated

Process Risk: Key principles are not put to work.
With organizations facing a fluid and seemingly endless array of risks and obligations, these key principles should be leveraged to provide the consistent platform necessary to effectively manage these risks in a cost-effective and sensible way.
Recommended Policies:
  Risk Strategy
  Risk Tolerance Statement
  Risk Management Policy
  Risk Assessment Policy
  Internal Controls Policy
Internal Controls:
  Risk Management Model
  Risk Rating System
  Risk Portfolio
  Action Plans and Remediation Activities
  Risk-Based Controls
  Risk Assessment Plans and Schedules
  Communication of Significant Risks
KPIs:
  Number of Risks Identified per Period
  Number of Risks Requiring Remediation
  Number of Risks That Occurred More than Once
  Predicted Risk Severity Compared to Actual Severity
  Number of Risks That Were Not Identified
  Cost of Risk Management