Control and Control Systems Andrew Graham Queens University School of Policy Studies.

transcript

Control and Control and Control SystemsControl Systems

Andrew GrahamAndrew GrahamQueens UniversityQueens University

School of School of PolicyPolicy Studies Studies

RepriseReprise

• This lecture moves us out of getting a budget, establishing how to account for it towards to managing one

• From here, we look at:– Control systems– Cash management– Accounting and reporting

• Continuous cycle: accounting for past performance, managing current resources, planning and fighting for future resources

It ignored your Legislative AuthorityIt overspent its budget and you did not know about itIt broke your financial rulesIt broke your own contracting rulesYou broke the rules in selecting contractorsIt was hidden from public and ordinary scrutinyMoney disappearedIt did not do what it was supposed to It did other, really bad things insteadYou failed to inform your Minister of the situation

Public Sector Control and What You Never Public Sector Control and What You Never Want to Hear About Your ProgramWant to Hear About Your Program

MeasuringMeasuringPerformancePerformance

Setting Setting a Targeta Target

MakingMakingCorrectionsCorrections

Why Is ControlWhy Is ControlRequired?Required?The Role ofThe Role of

ControlControl

All Controls are Built on Assumptions about All Controls are Built on Assumptions about People and SystemsPeople and Systems

• The degree of trusttrust the controller places in the organization or persons with authority and responsibility, and

• The assumptions about ethicalethical behaviourbehaviour in the culture and legal framework of the organization.

Just Who is the Just Who is the Controller????Controller????

The Controller and the ControlledThe Controller and the Controlled

CONTROLLERCONTROLLER CONTROL SUBJECTCONTROL SUBJECT

Operational ManagerOperational Manager Subordinate UnitsSubordinate Units

Divisional or Senior Divisional or Senior ManagerManager

Operational ManagerOperational Manager

Corporate ManagerCorporate Manager Divisional or Senior Divisional or Senior ManagerManager

Internal AuditorInternal Auditor Operational ManagerOperational Manager

External AuditorExternal Auditor Internal AuditorInternal Auditor

External AuditorExternal Auditor Corporate ManagerCorporate Manager

Corporate ManagerCorporate Manager Minister and/or Minister and/or LegislatureLegislature

Corporate ManagerCorporate Manager Board of DirectorsBoard of Directors

LegislatureLegislature External AuditorExternal Auditor

Board of DirectorsBoard of Directors External AuditorExternal Auditor

The Key is to “In Control” not “Under The Key is to “In Control” not “Under Control” – who is in control here and Control” – who is in control here and who is under control?who is under control?

Just What is Control……….Just What is Control……….

• Control is the task of ensuring that activities are providing the desired results.

• Controlling means setting a target, measuring performance, and taking corrective action as required.

• As control expert Kenneth Merchant notes: “The goal [of the control system] is to have no unpleasant surprises in the future.”

• If managers could be sure that every plan they made and every task they assigned would be perfectly executed, they really would not need to “control.”

• Most plans are executed by people, however, and people vary widely in abilities, motivation, and even honesty.

• In today’s fast-paced environment, who can be sure even the best plans might not become outdated?

• So, the people who execute the plans, the plans themselves, and the results originally desired must be monitored and controlled.

• Control and accountability go hand in hand

• Part of accountability is not just to produce results, but to exercise due diligence in terms of process, respect for rules, monitoring (not just what you know, but how do you know)

Give public

and private

examples.

Management control systems consist of all organization structures, processes and

subsystems designed to elicit behavior that achieves the strategic objectives of an organization at the highest level of performance with the least amount of unintended consequences and risk to the

organization.Systems Theory and Management Control By: Dr. Shahid Ansari: http://faculty.darden.virginia.edu/ansaris/Systems%20Theory%20and%20MCS-TN.pdf

•All actions taken to make an organization run effectively and accomplish its goals

•Include management’s attitude, operating style and integrity and ethical values

•How managers communicate

•How managers check on staff

•Assigning responsibility for decision-making and execution

•Establishing measurement tools

ACCOUNTABILITYACCOUNTABILITY

RISKRISKPERFORMANCEPERFORMANCEMEASUREMENTMEASUREMENT

A Key RelationshipA Key Relationship

The Architecture of ControlThe Architecture of Control

• Control cannot occur unless the organization knows what it has to do, have organized that work and can link it to achieving its strategic objectives.

• Control extends beyond control over transactions and financial reporting, without excluding them.

• The objectives must be achieved at a highest level of performance possible, i.e. they must seek to be as efficient as possible

• Risk must be minimized to avoid any chance of unintended consequences either in terms of outcomes or deviations from the rules governing the work.

• Structure refers to the formal task, authority and responsibility assignments in an organization.

• Processes are the activities through which control is accomplished.

• Subsystems support the structures and processes by providing the right incentives to guide behavior.

Management Control SystemsManagement Control Systems

• Beware the danger of terminology: different terms, same meanings

• MCS is defined a ‘set of policies and procedures designed to keep operations going according to plan”

• Useful and simple perspective

Management Control SystemsManagement Control Systems

• MCS exists either formally but more often informally and empirically

• When you ask “What is our Management Control System” you may get an information technology response. When you ask “What is our control framework” you may often get a blank stare – they are the same thing

• Usually the responsibility of the administrative or financial staff: more focused in such areas

• Generally, the creation of an MCS takes some well known steps……..

The TraditionalThe Traditional

ManagementManagement

Control ProcessControl Process

Identify Goals, Roles Identify Goals, Roles And ResponsibilitiesAnd Responsibilities

Measure PerformanceMeasure Performance

Compare to StandardsCompare to Standards

Take Corrective ActionTake Corrective Action

Establish StandardsEstablish Standards

Traditional Control ProcessTraditional Control Process

• The first step in the traditional control process is to identify the areas the be controlled, based on a clear understanding of the tasks that are being performed.

Here is where the notion of Responsibility Accounting comes into play: “assignment of the responsibility for keeping to the plan and carrying out the elements of the management control system.” (Finkler)

• The next step is to choose a yardstick and to establish standards expressed in terms of money, time, quality, or quantity.

• The following steps are to measure actual performance and compare to standards

• The simplest way to compare actual performance standards is personal observation

• This method is time consuming; so, formal, impersonal reports are used also--budgets, quality control reports, and inventory control reports

• If a discrepancy exists between standards and actual performance, then the variance has to be identified and verified

• It may be necessary to take corrective action

• A deviation from the standard merely flags the problem; corrective action may or may not be required.

Two BasicControlOptions

TraditionalTraditional

Commitment-Based

Belief SystemsBelief Systems

Commitment-FosteringSystems

Diagnostic SystemsDiagnostic Systems

Boundary SystemsBoundary Systems

Interactive SystemsInteractive Systems

Expanding Expanding the the Traditional Traditional NotionsNotions

Diagnostic ControlsDiagnostic Controls

Management Control SystemManagement Control System

CapitalBudgetCapitalBudget

OperatingBudget

IncomeStatement

BalanceSheet

CashBudget

Diagnostic Controls - ToolsDiagnostic Controls - Tools

Financial RatiosFinancial RatiosFinancialFinancial

ResponsibilityResponsibilityCentresCentres

CorporateCorporateScorecardsScorecards

EnterpriseEnterpriseResource PlanningResource Planning

BoundaryBoundaryControlsControls

Codes ofCodes ofConductConduct

EthicalEthicalBehaviourBehaviour

StrategiesStrategies

InteractiveInteractiveControlsControls

StrategicStrategic

ControlControl

Face-to-FaceFace-to-Face

InteractionInteraction

Tools of Control: Managing and Tools of Control: Managing and Reporting VarianceReporting Variance

• Management Control Systems - maximize compliance with the organization's plans.

• Internal Control Systems - protect and use resources efficiently and effectively.

Management Control Systems:

•Sets of policies and procedures designed to keep operations going according to plan - detect variations and allow for corrective action.•Focus on responsibility accounting•Combine monitoring, motivation, and incentives.•Require that performance be measured. •Need to focus on both viability (internal perspective) and effectiveness (external and internal perspective).

Internal Control Systems: focus on efficient and effective use of resources and on the protection of the organization's resources contain before-the-fact Accounting Controls and after-the-fact Administrative Controls,the controls are coordinated to minimize avoidable losses, and are designed in a cost effective way.

●Audit Trail: ability to trace each transaction back to its source – protects against misuse of funds, also ensures accountability for how funds spent●Reliable Personnel: hiring the right people, professional qualifications, training and supervision

● Separation of Functions: person who authorizes the expenditure should not be the person to process payment – notion of counter signatures – ensures checks and balances in the system – notion that a person should not be left to control themselves – introduces elements of a challenge function as well

Proper Authorizationlevels of authority and matrices of delegation distribute authority for spending and decision making in the organization

if these are unknown or operate in parallel with informal systems, audit is impossible, so to is control of expenditures

Adequate Documentation both in terms of legal requirements (legislative compliance and potential for fraud) and

reporting needs (accurate data) documentation is becoming more challenging because of computerization but, both theoretically and practically, easier

Regular Reporting • frequency and distribution of financial

reports should be part of the control framework of the organization

• danger in too much information and reporting, equal problem with too little

•Monthly versus quarterly financial reports: driven by risk, intensity of management process, e.g. watching costs during downsizing, high risk times of peak expenditures may call for more reporting

Regular Managerial Review•Different from reporting – calls for an active review and decision

•Regular review during management/executive committee meetings

•Need to demonstrate stewardship by non-financial managers

Proper Procedures•“By the book” procedures create compliance requirements

•Make sure you know that 1) there is actually a book and not just someone making rules up and

2) consequence of non-compliance and

3) wiggle room when you need it

– Adequate Determination of Risk and Risk Management Strategies

– Physical Safeguards: should be part of the control framework

– Bonding and Rotation of Duties: all of these procedures are designed to ensure against theft and having only one person with their hand on key financial processes

– Independent Check: role and use of internal or external auditors

Example of a Performance Report Example of a Performance Report for Machinery Departmentfor Machinery Department

Direct labour

Supplies

Repairs

Overhead

Budget

$2,107

$3,826

$6,835

Actual

$2,480

$4,200

$7,330

Variance

$373 over

$374 over

$252 under

$495 over

Explanation

Overtime work

Wasted material

Risk Management and ControlRisk Management and Control

• All organizations face and manage risks• Various types of risk

– Performance failures: not meeting goals– Financial risks: funding, fraud, loss

potential– Unforeseen risks

• In order to establish adequate control, you have to establish risk tolerances

• Highly contentious in the public sector – why?

Risk and Risk ManagementRisk and Risk Management

• Risks are perceived as any thing or event that could stand in the way of the organization achieving its objectives.

• Risk management is not about being ‘risk averse’. Risk management is not aimed at avoiding risks. Its focus is on identifying, evaluating, controlling and “mastering” risks.

• Risk management also means taking advantage of opportunities and taking risks based on an informed decision and analysis of the outcomes.

Assessing RiskAssessing Risk

IMPACT POTENTIAL RISK MANAGEMENT ACTIONS

Significant Considerable management

required

Must manage and monitor risks

Extensive management

essential

Moderate

Risks may be worth accepting with

monitoring

Management effort worthwhile

Management effort required

Minor Accept risks

Accept, but monitor

risks Manage and monitor risks

LOW MEDIUM HIGH

LIKELIHOOD

Risk Response MatrixRisk Response Matrix

Legend C Critical risk: CAO involvement essential, inform committee of Council H High risk: Senior management involvement essential, inform CAO M Moderate risk: Management mitigation & monitoring required, inform senior management L Low risk: Manage by routine procedures

Impact Likelihood Insignificant

1 Minor

2 Moderate

3 Major

4 Extreme

5 Almost certain

Likely

Possible

Unlikely

Assessing RiskAssessing Risk

Risk Analysis and Management ToolkitRisk Analysis and Management ToolkitRisk TolerancesRisk Tolerances

Risk Tolerances• Setting tolerances involves a mix of qualitative and quantitative measures

•Not always straightforward

•It takes experimentation and time

•Issue of how public they are is important

•Equally important is how politically sensitive they are: is there a tolerable murder rate? Wrong tolerance!

5Worst Case

4Severe

3Major

2Moderate

1Minor

TYPCIAL RISK TOLERANCE

Risk Analysis and Management ToolkitRisk Analysis and Management ToolkitRisk TolerancesRisk Tolerances

Processing Compliance – welfare applications

Rate of inaccuracy exceeds 2% in two quarters

Rate of inaccuracy exceeds 2%, found in post-audit in one quarter only

Rate of inaccuracy less than 2% - only found in post-audits

Rate of inaccuracy less than 2% of total transactions – 75% found in pre-audits.

Inaccuracy less than 2% based on pre and post audit

SEVERITY RISES

WHEN DO YOU ACT AND HOW?

What to Avoid when Using Risk Management What to Avoid when Using Risk Management Tools to ManageTools to Manage

• The Chick Little Syndrome – “The sky is falling! The sky is falling” – a major problem in many organizations

• Excessive formality – much of risk management is intuitive and cultural

• Giving the media headlines – chronic misunderstanding of risk in the media – too much paper

• Assuming that this kind of work can be kept “secret” – be prepared to explain and communicate

Focus on risk identification with ad hoc risk management activities based on

individuals, not the organization Risk management processes are established for certain key areas;

processes are reliable for risk management activities to be repeated over time

Risk management policies, processes and standards are defined and

formalized across the organization Risks are measured and managed proactively; risks are aggregated

on an organization - wide basis The organization is focused

on the continuous improvement of risk management

Description

Initial Repeatable Defined Managed Optimizing

Organizational culture to systematically build and improve risk management capabilities

Risk Management Integrated Risk Management

Risk Management Maturity Continuum

Risk Management = survival !

IRM = an intelligence led business process

(Deloitte’s Risk Management Maturity Continuum.)

What to Avoid when Using Risk Management What to Avoid when Using Risk Management Tools to ManageTools to Manage

DenialDenial

“…in all my experience, I have never been in an accident of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and have never been wrecked, nor was I ever in any predicament that

threatened to end in disaster of any sort.”

Captain Edward Smith, New York times, 1907 some years before he perished as master of the Titanic

What and Who to ControlWhat and Who to Control

Individual OROR Organization

After ActionEx Post

ORORBefore Action

Ex Ante

Facilitative ControlsFacilitative Controls

• Assigning responsibility for various information gathering tasks to various parts of the organizations, such as the financial officer, the financial analysis group or a performance monitoring group.

• Defining the reports that the organization wishes to receive and analyze on a regular basis.

• Creating reports to be understood by senior managers or Board members and management. Overly complex or simplistic reports will result in poor communication of financial data.

• Designing systems to ensure that data such as supplier invoices and accounts receivable are recorded accurately and on a timely basis.

• Communicating financial performance information, along with and clearly connected to operational information and comparisons to plans and budgets so that it can be used for making decisions.

Protective ControlsProtective Controls

Proper authorization of transactions (prior authorization of major expenditures)

Adequate segregation of duties Establishment of a finance

oversight committee

Protective ControlsProtective Controls

Proper controls over petty cash, vouchers, discretionary funds or highly liquid assets

Designing of appropriate forms controls to safeguard assets Controls to verify financial records

(monthly reviews and annual audits).Controls to verify financial records

(monthly reviews and annual audits)

MANAGEMENT CONTROL SYSTEMS

INTERNAL CONTROL SYSTEMS

RISK LANDSCAPE

VARIANCE

Variance AnalysisVariance Analysis

• Variance analysis investigates differences (variances)

between planned and actual results to help managers: – - prepare budgets for the coming year,– - control results in the current year, and– - evaluate the performance of operating

units.

• Variance analysis focuses on material differences to help managers correct problems and capitalize on opportunities

Variance AnalysisVariance AnalysisThe budgeted and actual costs and the resulting month and Y-T-D variances for the Hospital for Ordinary Surgery illustrate an unfavorable cost variance.

This Month

Actual Budget Variance

$9,200,000 $8,800,000 $400,000 U

This Year

Actual Budget Variance

$25,476,000 $25,150,000 $326,000 U

Department and Line Item Department and Line Item VariancesVariances

Variances at most levels of an organization represent aggregations of variances from other levels. For example: total organizational expense variances represent the sum of departmental variances, while departmental variances are made up of line item variances.

Suppose the supply variance was $50,000 F and the salary variance was $50,000 U. What would the total variance be? Should it be investigated?

RadiologyDepartment Actual

Budget

Variance

Salary $400,000 $395,000 $ 5,000 U

Supplies 400,000 205,000 195,000 U

Total $800,000 $600,000 $200,000 U

Flexible Budget Variance Flexible Budget Variance AnalysisAnalysis

Flexible Variance Analysis allows managers to identify what portion of a total variance is due to:

- differences between the budgeted and actual volume of

some output (Volume Variance),

- differences between the budgeted and actual price (or rate)

of each unit of input or output (Price or Rate Variance), and

- differences between the budgeted and actual quantities of the resources used per unit of output (Quantity or Use Variance).

Volume, Price, and Quantity Volume, Price, and Quantity ExamplesExamples

School Cost Example

Total Cost of Textbooks

Hospital Revenue Example Total Oncology Patient

Revenue

Volume Number of third grade

students

Number of oncology

patients

Quantity Number of textbooks

per third grade student

Days of stay per oncology

patient

Price Cost per textbook per

third grade student

Price per day of stay per oncology patient

Variance Analysis CautionsVariance Analysis Cautions

Aggregation can hide meaningful variances and lead managers to misinterpret the condition of the organization.Exception Reports should be prepared for all material variances that warrant management's attention.

Fixed costs should not result in volume variances, since they are not expected to change with volume.

VarianceVariance Analysis CautionsAnalysis Cautions

Expense and Revenue variances often have to be analyzed together.

For example, an unfavorable expense-volume variance may be good for the organization if it is accompanied by an even larger favorable revenue volume variance.

GamesmanshipGamesmanshipBehaviouralBehaviouralDisplacementDisplacement

AttitudeAttitudeProblemsProblems

Operating Operating DelaysDelays

The Negative Side of ControlsThe Negative Side of ControlsThe Negative Side of ControlsThe Negative Side of Controls

The Costs of ControlThe Costs of Control

• Controls not costless• Control costs can also be

transferred• Limits to managerial

responsiveness

The Costs of ControlThe Costs of Control

• Amount of preoccupation with process over service or results

• Excessive paper burden• Poor assessment of risk and

excessive caution

New Challenges in ControlNew Challenges in Control

• Extended governance• Third party delivery

New Challenges in ControlNew Challenges in Control

• Cross control systems within government and across governments

• Lack of agreement on adequate controls

• Poor understanding of risk and risk management

Control and Control Systems Andrew Graham Queens University School of Policy Studies.

Documents