Testing internal controls is an essential skill required for an internal auditor, but most of us miss a significant aspect of control testing. The benefit of the control must outweigh the potential loss from the risk it mitigates. Control testing generally includes two phases: the test of design and the test of effectiveness. Yet, when you consider the design of a control, do you also evaluate the cost of the control?
What Is the Cost of a Control?
Every internal control has a cost to the organization. The control process has to be designed, implemented, operated, and then tested — sometimes both internally and externally. For the design of an internal control to be deemed effective, the control cost should not outweigh the potential benefits of the control or the risk being mitigated.
For instance, a retail chain with 850 store locations implemented a control to log every time a door sensor alarm was set off in order to mitigate the risk of losses due to theft.
With an average of six entrances per store, they were keeping 5,100 of these daily logs (850 Stores * 6 Doors per Store = 5,100 Logs), and they found it took about 10 minutes a day to complete each log (5,100 Logs * 365 Days * 10 Minutes = 310,250 Hours). Therefore, in the course of a year, operating that control cost over $3 million (310,250 Hours * $12/hour = $3,723,000) — which does not include the additional cost of testing.
For the design of the control to be effective, reduced theft should outweigh the cost of the logs. This control was not designed effectively since it had no impact on losses due to theft. In a proper design evaluation, the cost and appropriateness should have been reviewed.
How to Calculate the Cost of a Control?
Calculating the cost of a control requires us to capture, or estimate, all the cost factors that go into the control process, which starts with designing the control and ends with control testing. One way to calculate the cost is to capture estimated costs for each category. We can use a system access control as the example.
Controls are often designed by management with the assistance of other groups, like an enterprise risk management (ERM) team. For example, designing a system access control may include a system administrator, a member of the ERM team, and potentially a robotic process automation (RPA) specialist to design the automation. Calculating the costs should include the hours spent by all members of management and IT in the control design.
Implementing a control process usually involves meetings, training, and a pilot with testing. A new control can take multiple teams several weeks or months to complete. In our system access control example, implementing the control, especially with automation, will take at least several weeks. The automation must be coded and tested before being released into production. The hours spent by each team member should be tracked, or at least estimated, to assess the overall cost.
Operating a new control may include a learning curve. For example, in an access control, the automation may produce an exception report based on terminations that require follow-up by a system administrator to remove access for all terminated employees. However, the control may not capture internal movement, such as promotions or movement across departments, that would lead to access modification or removal. As a result, the control may need to be changed, or it may evolve. Additionally, the control operator may change throughout the year, which would add a further learning curve to account for. Control operation is often the most costly aspect since it is recurring. Automated controls are less expensive than manual controls, but all controls have an operating cost.
The control should be documented within a process narrative, flowchart or walkthrough. Some controls, like SOX controls, are often documented more thoroughly, but all critical controls should be documented. The example access control should be documented to include the automation logic, the exception reporting, and the expected actions from the system administrator. Documentation costs include the initial effort plus any ongoing documentation updates by management and the control or audit teams.
Control testing may take several forms. Management testing, internal audit testing, and external audit testing all incur costs. Understanding the frequency of the control will shed light on the costs. In the access control example, if we assume quarterly testing, the test by management may take several hours to complete and capture documentation. The internal audit team might review once a year in a test that takes several hours. The external auditors may vary from quarterly to annual reviews. The auditors’ testwork, both internal and external, also requires additional time from management spent in annual walkthroughs or recurring meetings with the auditors as well as time spent gathering the appropriate audit evidence for them. For the complete picture, internal and external audit testing costs should be included in the assessment.
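The cost categories above (design, implementation, operation, documentation, testing) can be put into a small model that annualizes one-time work, adds the recurring work, and compares the result with the loss the control actually avoids. This is an added example, not code from the original article; the hourly rate, the one-year amortization and the `ControlCost` structure are assumptions, and the sample figures are the article's door-sensor log example.

```python
from dataclasses import dataclass


@dataclass
class ControlCost:
    """Hours spent on one control, split into one-time and recurring categories."""
    design_hours: float = 0.0            # one-time: management, ERM, RPA design work
    implementation_hours: float = 0.0    # one-time: meetings, training, pilot, coding
    operation_hours_per_year: float = 0.0      # recurring: running the control
    documentation_hours_per_year: float = 0.0  # recurring: narrative/flowchart upkeep
    testing_hours_per_year: float = 0.0        # recurring: management, IA, external audit
    hourly_rate: float = 12.0            # assumed loaded cost per hour
    amortization_years: int = 1          # years over which one-time work is spread

    def one_time_hours(self) -> float:
        return self.design_hours + self.implementation_hours

    def recurring_hours(self) -> float:
        return (self.operation_hours_per_year
                + self.documentation_hours_per_year
                + self.testing_hours_per_year)

    def annual_cost(self) -> float:
        """Annualized dollar cost: amortized one-time hours plus recurring hours."""
        hours = self.one_time_hours() / self.amortization_years + self.recurring_hours()
        return hours * self.hourly_rate


def design_is_cost_effective(control: ControlCost,
                             annual_loss_without: float,
                             annual_loss_with: float) -> bool:
    """The design passes only if the loss it avoids exceeds what it costs to run."""
    avoided_loss = annual_loss_without - annual_loss_with
    return avoided_loss > control.annual_cost()


def door_log_control(stores: int = 850, doors_per_store: int = 6,
                     minutes_per_log: int = 10) -> ControlCost:
    """Constructed from the article's retail example: one daily log per door."""
    logs_per_day = stores * doors_per_store
    operation_hours = logs_per_day * 365 * minutes_per_log / 60
    return ControlCost(operation_hours_per_year=operation_hours, hourly_rate=12.0)


if __name__ == "__main__":
    control = door_log_control()
    print(f"annual operating cost: ${control.annual_cost():,.0f}")
    # Theft losses were unchanged by the logging, so avoided loss is zero.
    print("cost-effective:", design_is_cost_effective(control, 500_000, 500_000))
```

Swapping in the hours for the access control example (small one-time design and implementation effort, modest recurring operation and testing) shows how an automated control with a real loss reduction clears the same check.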
Can You Reduce the Cost of Your Controls?
The cost of internal controls can be reduced through standardization and automation. Control standardization allows your organization to apply a general control design across multiple processes. In our example above, the design for an access control can be replicated across multiple systems to reduce design and testing costs. Standardized controls can then be automated for even more significant savings.