Control and Control Systems

Andrew Graham Queens University School of Policy Studies

Reprise

• This lecture moves us out of getting a

budget, establishing how to account for it towards to managing one

• From here, we look at: – Control systems – Cash management – Accounting and reporting • Continuous cycle: accounting for past

performance, managing current resources, planning and fighting for future resources

Public Sector Control and What You Never Want to Hear About Your Program



It ignored your Legislative Authority



It overspent its budget and you did not know about it



It broke your financial rules



It broke your own contracting rules



You broke the rules in selecting contractors



It was hidden from public and ordinary scrutiny



Money disappeared



It did not do what it was supposed to



It did other, really bad things instead



You failed to inform your Minister of the situation

Why Is Control Required?

The Role of Control Setting a Target Measuring Performance Making Corrections

All Controls are Built on Assumptions about People and Systems

• The degree of

trust the controller places in the organization or persons with authority and responsibility, and

• The assumptions about

ethical behaviour in the culture and legal framework of the organization.

Just Who is the Controller????

The Controller and the Controlled CONTROLLER CONTROL SUBJECT Operational Manager Divisional or Senior Manager Corporate Manager Internal Auditor External Auditor External Auditor Corporate Manager Corporate Manager Subordinate Units Operational Manager Divisional or Senior Manager Operational Manager Internal Auditor Corporate Manager Minister and/or Legislature Board of Directors Legislature Board of Directors External Auditor External Auditor

The Key is to “In Control” not “Under Control” – who is in control here and who is under control?

Just What is Control……….

• Control is the task of ensuring that

activities are providing the desired results.

• Controlling means setting a target, measuring performance, and taking corrective action as

required.

• As control expert Kenneth Merchant notes:

“The goal [of the control system] is to have no unpleasant surprises in the future.”

Just What is Control……….

• •

If managers could be sure that every plan they made and every task they assigned would be perfectly executed, they really would not need to “control.” Most plans are executed by people, however, and people vary widely in abilities, motivation, and even honesty.

Just What is Control……….

• •

In today’s fast-paced environment, who can be sure even the best plans might not become outdated? So, the people who execute the plans, the plans themselves, and the results originally desired must be monitored and controlled.

Just What is Control……….

Give public and private examples

.

• •

Control and accountability go hand in hand Part of accountability is not just to produce results, but to exercise due diligence in terms of process, respect for rules, monitoring (not just what you know, but how do you know)

Just What is Control……….

Management control systems consist of all organization structures, processes and subsystems designed to elicit behavior that achieves the strategic objectives of an organization at the highest level of performance with the least amount of unintended consequences and risk to the organization.

Systems Theory and Management Control By: Dr. Shahid Ansari: http://faculty.darden.virginia.edu/ansaris/Systems%20Theory%20and%20MCS TN.pdf

Just What is Control……….

•All actions taken to make an organization run effectively and accomplish its goals •Include management’s attitude, operating style and integrity and ethical values •How managers communicate •How managers check on staff •Assigning responsibility for decision-making and execution •Establishing measurement tools

A Key Relationship

ACCOUNTABILITY RISK PERFORMANCE MEASUREMENT

The Architecture of Control

• Control cannot occur unless the

organization knows what it has to do, have organized that work and can link it to achieving its strategic objectives.

• Control extends beyond control over

transactions and financial reporting, without excluding them.

• The objectives must be achieved at a

highest level of performance possible, i.e. they must seek to be as efficient as possible

The Architecture of Control

• Risk must be minimized to avoid any

chance of unintended consequences either in terms of outcomes or deviations from the rules governing the work.

• Structure refers to the formal task,

authority and responsibility assignments in an organization.

The Architecture of Control

• Processes are the activities through

which control is accomplished.

• Subsystems support the structures

and processes by providing the right incentives to guide behavior.

Management Control Systems

• • •

Beware the danger of terminology: different terms, same meanings MCS is defined a ‘set of policies and procedures designed to keep operations going according to plan” Useful and simple perspective

Management Control Systems

• • • •

MCS exists either formally but more often informally and empirically When you ask “What is our Management Control System” you may get an information technology response. When you ask “What is our control framework” you may often get a blank stare – they are the same thing Usually the responsibility of the administrative or financial staff: more focused in such areas Generally, the creation of an MCS takes some well known steps……..

The Traditional Management Control Process Identify Goals, Roles And Responsibilities Establish Standards Measure Performance Compare to Standards Take Corrective Action

Traditional Control Process

• The first step in the traditional

control process is to identify the areas the be controlled, based on a clear understanding of the tasks that are being performed .

Here is where the notion of

Responsibility Accounting

comes into play: “assignment of the responsibility for keeping to the plan and carrying out the elements of the management control system.” (Finkler)

Traditional Control Process

• The next step is to choose a yardstick

and to establish standards expressed in terms of money, time, quality, or quantity.

Traditional Control Process

• • •

The following steps are to measure actual performance and compare to

standards

The simplest way to compare actual performance standards is personal observation This method is time consuming; so, formal, impersonal reports are used also--budgets, quality control reports, and inventory control reports

Traditional Control Process

• If a discrepancy exists between

standards and actual performance, then the variance has to be identified and verified

• It may be necessary to take corrective

action

• A deviation from the standard merely

flags the problem; corrective action may or may not be required.

Expanding the Traditional Notions

Traditional Two Basic Control Options Diagnostic Systems Boundary Systems Interactive Systems Belief Systems Commitment Based Commitment-Fostering Systems

Diagnostic Controls

Management Control System Capital Budget Operating Budget Income Statement Balance Sheet Cash Budget

Diagnostic Controls - Tools

Financial Ratios Financial Responsibility Centres Enterprise Resource Planning Corporate Scorecards

Boundary Controls

Ethical Behaviour Strategies Codes of Conduct

Interactive Controls

Strategic Control Face-to-Face Interaction

Tools of Control: Managing and Reporting Variance

• Management Control Systems

maximize compliance with the organization's plans.

• Internal Control Systems

- protect and use resources efficiently and effectively.

Tools of Control: Managing and Reporting Variance Management Control Systems

: •Sets of policies and procedures designed to keep operations going according to plan - detect variations and allow for corrective action.

•Focus on

responsibility accounting

•Combine monitoring, motivation, and incentives.

•Require that performance be measured. •Need to focus on both viability (internal perspective) and effectiveness (external and internal perspective).

Tools of Control: Managing and Reporting Variance

 focus on efficient and effective use of resources and on the protection of the organization's resources  contain before-the-fact Accounting Controls and after-the-fact Administrative Controls,  the controls are coordinated to minimize avoidable losses, and are designed in a cost effective way.

Tools of Control: Managing and Reporting Variance

● ● Audit Trail: ability to trace each transaction back to its source – protects against misuse of funds, also ensures accountability for how funds spent Reliable Personnel: hiring the right people, professional qualifications, training and supervision

Tools of Control: Managing and Reporting Variance

● Separation of Functions: person who authorizes the expenditure should not be the person to process payment – notion of counter signatures – ensures checks and balances in the system – notion that a person should not be left to control themselves – introduces elements of a challenge function as well

Tools of Control: Managing and Reporting Variance



Proper Authorization



levels of authority and matrices of delegation distribute authority for spending and decision making in the organization



if these are unknown or operate in parallel with informal systems, audit is impossible, so to is control of expenditures

Tools of Control: Managing and Reporting Variance



Adequate Documentation



both in terms of legal requirements (legislative compliance and potential for fraud) and



reporting needs (accurate data) documentation is becoming more challenging because of computerization but, both theoretically and practically, easier

Tools of Control: Managing and Reporting Variance

Regular Reporting • frequency and distribution of financial

reports should be part of the control framework of the organization

• danger in too much information and

reporting, equal problem with too little

• Monthly versus quarterly financial reports:

driven by risk, intensity of management process, e.g. watching costs during downsizing, high risk times of peak expenditures may call for more reporting

Tools of Control: Managing and Reporting Variance

Regular Managerial Review • Different from reporting – calls for

an active review and decision

• Regular review during

management/executive committee meetings

• Need to demonstrate stewardship

by non-financial managers

Tools of Control: Managing and Reporting Variance Proper Procedures

• “By the book” procedures create

compliance requirements

• Make sure you know that

1) there is actually a book and not just someone making rules up and 2) consequence of non-compliance and 3) wiggle room when you need it

Tools of Control: Managing and Reporting Variance

– Adequate Determination of Risk and Risk

Management Strategies

– Physical Safeguards: should be part of the

control framework

– Bonding and Rotation of Duties: all of these

procedures are designed to ensure against theft and having only one person with their hand on key financial processes

– Independent Check: role and use of internal or

external auditors

Example of a Performance Report for Machinery Department Direct labour Supplies Repairs Overhead Budget $2,107 $3,826 $ 402 $ 500 Actual $2,480 $4,200 $ 150 $ 500 Variance $373 over $374 over $252 under $ 0 Explanation Overtime work Wasted material Total $6,835 $7,330 $495 over

Risk Management and Control

• All organizations face and manage risks • Various types of risk – Performance failures: not meeting goals – Financial risks: funding, fraud, loss potential – Unforeseen risks • In order to establish adequate control, you

have to establish risk tolerances

• Highly contentious in the public sector –

why?

Risk and Risk Management

• Risks are perceived as any thing or event that could stand in the way of the organization achieving its objectives. • Risk management is not about being ‘risk averse’. Risk management is not aimed at avoiding risks. Its focus is on identifying, evaluating, controlling and “mastering” risks. • Risk management also means taking advantage of opportunities and taking risks based on an informed decision and analysis of the outcomes.

Assessing Risk IMPACT Significant Moderate P OTENTIAL R ISK M ANAGEMENT A CTIONS

Considerable management required Must manage and monitor risks Extensive management essential Risks may be worth accepting with monitoring Management effort worthwhile Management effort required

Minor

Accept risks Accept, but monitor risks Manage and monitor risks

L OW M EDIUM H IGH LIKELIHOOD

Risk Response Matrix

Likelihood

Almost certain 5 Likely 4 Possible 3 Unlikely 2 Rare 1

Legend

C Critical risk: H High risk: M Moderate risk: L Low risk: Insignificant 1 M M L L L Minor 2 M M M L L

Impact

Moderate Manage by routine procedures 3 H H M M M Major 4 C C H H M CAO involvement essential, inform committee of Council Senior management involvement essential, inform CAO Extreme 5 C C H H M Management mitigation & monitoring required, inform senior management

Assessing Risk

Risk Analysis and Management Toolkit Risk Tolerances Risk Tolerances

TYPCIAL RISK TOLERANCE GRID

• Setting tolerances involves a mix of

qualitative and quantitative measures

•Not always straightforward •It takes experimentation and time •Issue of how public they are is important •Equally important is how politically sensitive

they are: is there a tolerable murder rate? Wrong tolerance!

5 Worst Case 4 Severe 3 Major 2 Moderate 1 Minor

Risk Analysis and Management Toolkit Risk Tolerances WHEN DO YOU ACT AND HOW?

Processing Compliance – welfare applications Rate of inaccuracy exceeds 2% in two quarters Rate of inaccuracy exceeds 2%, found in post audit in one quarter only Rate of inaccuracy less than 2% only found in post-audits Rate of inaccuracy less than 2% of total transactions – 75% found in pre-

audits.

Inaccuracy less than 2% based on pre and post audit

SEVERITY RISES

What to Avoid when Using Risk Management Tools to Manage • The Chick Little Syndrome – “The sky is falling! The sky is falling” – a major problem in many

organizations

• Excessive formality – much of risk

management is intuitive and cultural

• Giving the media headlines – chronic

misunderstanding of risk in the media – too much paper

• Assuming that this kind of work can be kept

“secret” – be prepared to explain and communicate

Risk Management Maturity Continuum Organizational culture to systematically build and improve risk Risk Management Stage Description Initial

Focus on risk identification with ad hoc risk management activities based on individuals, not the organization

Repeatable

Risk management processes are established for certain key areas; processes are reliable for risk management activities to be repeated over time

Defined

Risk management policies, processes and standards are defined and formalized across the organization

Integrated Risk Management Managed

Risks are measured and managed proactively; risks are aggregated on an organization wide basis

Optimizing

The organization is focused on the continuous improvement of risk management

Risk Management = survival ! IRM = an intelligence led business process

( Deloitte’s Risk Management Maturity Continuum.)

What to Avoid when Using Risk Management Tools to Manage Denial

“…in all my experience, I have never been in an accident of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort.” Captain Edward Smith, New York times, 1907 some years before he perished as master of the Titanic

What and Who to Control Individual OR Before Action

Ex Ante

OR Organizatio n After Action

Ex Post

Facilitative Controls

• Assigning responsibility for various

information gathering tasks to various parts of the organizations, such as the financial officer, the financial analysis group or a performance monitoring group.

• Defining the reports that the

organization wishes to receive and analyze on a regular basis.

Facilitative Controls

• Creating reports to be understood by

senior managers or Board members and management. Overly complex or simplistic reports will result in poor communication of financial data.

Facilitative Controls

• Designing systems to ensure that data such

as supplier invoices and accounts receivable are recorded accurately and on a timely basis.

• Communicating financial performance

information, along with and clearly connected to operational information and comparisons to plans and budgets so that it can be used for making decisions.

Protective Controls



Proper authorization of transactions (prior authorization of major expenditures)



Adequate segregation of duties



Establishment of a finance oversight committee

Protective Controls



Proper controls over petty cash, vouchers, discretionary funds or highly liquid assets



Designing of appropriate forms



controls to safeguard assets



Controls to verify financial records (monthly reviews and annual audits).



Controls to verify financial records (monthly reviews and annual audits)

MANAGEMENT CONTROL SYSTEMS INTERNAL CONTROL SYSTEMS RISK LANDSCAPE VARIANCE

Variance Analysis

• Variance analysis investigates differences (variances)

between planned and actual results to help managers:

– - prepare budgets for the coming year, – - control results in the current year, and – - evaluate the performance of operating units. • Variance analysis focuses on material differences to

help managers correct problems and capitalize on opportunities

Variance Analysis

The budgeted and actual costs and the resulting month and Y-T-D variances for the Hospital for Ordinary Surgery illustrate an unfavorable cost variance.

This Month

Actual $9,200,000

This Year

Actual $25,476,000 Budget $8,800,000 Budget $25,150,000 Variance $400,000 U Variance $326,000 U

Department and Line Item Variances

Variances at most levels of an organization represent aggregations of variances from other levels. For example: total organizational expense variances represent the sum of departmental variances, while departmental variances are made up of line item variances.

Radiology Department Salary Supplies Total Actual $400,000 400,000 $800,000 Budget $395,000 205,000 $600,000 Variance $ 5,000 U 195,000 U $200,000 U

Suppose the supply variance was $50,000 F and the salary variance was $50,000 U. What would the total variance be? Should it be investigated?

Flexible Budget Variance Analysis

 Flexible Variance Analysis allows managers to identify what portion of a total variance is due to: - differences between the budgeted and actual volume of some output (Volume Variance), - differences between the budgeted and actual price (or rate) of each unit of input or output (Price or Rate Variance), and - differences between the budgeted and actual quantities of the resources used per unit of output (Quantity or Use

Variance).

Volume, Price, and Quantity Examples

Volume Quantity Price School Cost Example Total Cost of Textbooks Number of third grade students Number of textbooks per third grade student Cost per textbook per third grade student Hospital Revenue Example Total Oncology Patient Revenue Number of oncology patients Days of stay per oncology patient Price per day of stay per oncology patient

Variance Analysis Cautions

 Aggregation can hide meaningful variances and lead managers to misinterpret the condition of the organization.

Exception Reports should be prepared for all material variances that warrant management's attention.

 Fixed costs should not result in volume variances, since they are not expected to change with volume.

Variance Analysis Cautions



Expense and Revenue variances often have to be analyzed together.



For example, an unfavorable expense volume variance may be good for the organization if it is accompanied by an even larger favorable revenue volume variance.

Behavioural Displacement Gamesmanship

The Negative Side of Controls

Operating Delays Attitude Problems

The Costs of Control

• Controls not costless • Control costs can also be transferred • Limits to managerial responsiveness

The Costs of Control

• Amount of preoccupation with

process over service or results

• Excessive paper burden • Poor assessment of risk and excessive

caution

New Challenges in Control • Extended governance • Third party delivery

New Challenges in Control • Cross control systems within

government and across governments

• Lack of agreement on adequate

controls

• Poor understanding of risk and risk

management