Working In Uncertainty

A new focus for Turnbull compliance

by Matthew Leitch, first published 15 May 2003.


Why rethink?

Which is more important: to have good internal controls or to know their strength? Both are helpful, but ultimately having good controls is what companies, investors, and regulators want most. But judging by the focus of regulation and compliance in the area of internal controls you would think that evaluation matters most.

The way most listed UK companies comply with the ‘Turnbull guidance’ on internal controls involves too much ineffective box ticking. Most people who take part know this but despite great progress over the past decade there is still a long way to go. What is needed is an approach that satisfies investors and regulators by bringing better internal control, but also satisfies directors by involving less work in achieving and proving compliance.

This paper presents an approach that offers better internal control, but also simplifies the task for senior management and redirects resources from evaluation of controls towards creating better, more efficient, more competitive controls.

Typical Turnbull compliance schemes

The Combined Code requires companies to evaluate the effectiveness of their controls. The Turnbull guidance explains how to do that and is influenced, as are the requirements in most countries, by the COSO framework. The COSO framework makes internal control risk-based and emphasises the importance of a top level monitoring activity that monitors risks and revises the internal control system.

Long before the Turnbull report was published its predecessors had set similar requirements and promoted similar ideas. In the early 1990s companies started drawing up risk-control maps or matrices showing their perception of risks and how their controls covered them.

These risk maps were often at two levels, as suggested by COSO: entity/business unit level, and process level.

The next big innovation was control self assessment (CSA), in which managers at various levels either got together in workshops, or filled in forms, where they thought about the risks in their area of responsibility, their controls, and made some kind of statement about how well the risks were covered. This was designed to gather much more assurance about controls effectiveness than could efficiently be gathered by conventional internal audit reviews alone. Various software packages (web-based now, inevitably) are marketed as efficient solutions to the Turnbull compliance problem.

Over the last few years leading companies have steadily increased the number of people sucked into CSA and similar activities, extending the risk and control analyses down to greater and greater detail at lower levels in their organisations.

Despite the popularity of CSA conventional internal audit reports are still a major source of assurance to Boards.

Problems with typical schemes

Overall, the approach to Turnbull compliance usually envisioned reflects an external auditor's view of the world. (Not surprising as the big firms do so much to help regulators. The COSO framework was originally written by Coopers & Lybrand, the audit firm.)

The usual approach is long on evaluation of internal controls but short on design and implementation. It is long on post hoc reactions to weaknesses discovered and short on anticipation. There are lists of risks and controls but no overall internal control system design. Risk is the one consideration, and economics, strategic reality, and cultural fit are not considered at all. The ideas about risk assessment and quantification are astoundingly crude and the logic of the methods commonly used is so badly flawed that the ratings must be considered bogus. The evidence gathering process, even in control self assessment, is geared towards amassing documents with signatures on them. Finally, nearly everyone who is employed as an expert in internal control is an auditor.

All classic audit thinking.

Official internal control requirements from listing authorities tend to focus on passive evaluation and the typical compliance approach is the natural result of people, often auditors, reading the words and thinking ‘OK, so what is it saying we have to do?’

A new focus on design

Evaluation of controls effectiveness is just one aspect of the complete process for developing and operating a good system of internal control. The implications of this are profound:

  • When it comes to internal controls, the job of top management is to direct resources appropriately towards the activities that need to be done including design, development, testing, implementation, and operation of controls as well as evaluation.

  • Top management should study the factors that indicate resources are needed and not focus on risks alone.

  • Only for certain very important and expensive controls will top management think about specific controls.

  • Companies need to have sufficient skilled resources to carry out the whole process from design to evaluation.

  • Resources need to be rebalanced towards design and implementation and away from evaluation.

The points are expanded below to show how companies can use their resources more efficiently and still achieve Turnbull compliance.

Directing resources

Risk-control mappings are a distraction from the real task, which is to direct resources and action.

Companies are continually assaulted by change, current and anticipated. They need to adjust their control systems to cope, and this involves recognising and usually anticipating the factors that drive control change. The resources that can be directed to effect that change include specialist internal control designers (some of them IT specialists), line management time, money spent on consultants, and internal auditors.

Evaluating the effectiveness of existing controls is still important as inadequate performance is a reason for allocating resources to improvement. However, it is just one factor of many.

The factors to monitor

Resources need to be directed towards internal control changes when controls need to be strengthened, made more efficient, revised for cultural fit, or lightened due to reducing risks.

Predicting the need for internal controls work is surprisingly easy once you focus on the right clues. For example, suppose a large group acquires a medium sized company that has been in financial distress for a long time, changed hands three times in as many years, and before that grew very quickly. Unless a miracle has happened controls will be abysmal. It is obvious that a combined effort from specialist designers and internal auditors will be needed and they should go in as soon as possible.

The information to consider includes:

  • Plans for new systems or processes

  • Anticipated processing or business volume changes

  • Acquisitions and disposals anticipated/completed

  • Past lack of attention to internal controls

  • Downsizing and expansion

  • Outsourcing plans

  • Poor performance of existing controls

  • Uncertainty and changes in amount and type of uncertainty

One very effective way to analyse the impact of changes in areas like this is to consider their impact for risks, economics, time to implement controls, and cultural fit. Clearly controls need to cover risks, but it is also important to implement the kind of controls that will be efficient, that can be implemented in the time available, and that will reinforce rather than weaken the culture of the company.

If there are implications in any of these areas then it may be that resources need to be directed towards effecting change to internal controls. It may also be possible to make recommendations about the types of control mechanism where most work should be done.

Control types and specific controls

Typically it will be enough for the top management team to do no more than identify that more or less work on controls is needed for a particular process, system, department, or business unit (depending on the size of the organisation and the significance of the need).

It is possible to go a little further and identify what types of control are likely to need most work. Is it computerised controls? Or training? Or management information? And so on. It is useful to identify the type of control mechanism that needs most work because this allows controls projects to be identified and scoped. In contrast, it is not possible to identify projects directly from control objectives or risks.

With very few exceptions the top team do not need to debate individual controls.

As responsibility for controls work is delegated down, the level of detail considered increases, so that eventually the thinking gets down to identifying every control individually.

Redistributing effort

Design is more time consuming and technically demanding so, overall, most companies should have more people capable of designing and building internal controls than they have for evaluating those controls.

At the moment the reverse is usually true. The internal controls experts are nearly all auditors, though there are signs that this is beginning to change. Leading companies are beginning to employ people as ‘internal control manager’ or ‘assurance manager’ to make controls better rather than writing more reports about how good or bad they are. There are also some industry-specific examples of new thinking. Most telecoms companies now have a ‘revenue assurance’ team whose job is to make billing as complete and accurate as they can, working with the network and billing teams as internal controls design and development specialists.

Design requires different skills so training and selection changes are likely to be needed. System and process experts usually need more skill with controls, though they often have the design ability needed. Auditors have the controls knowledge but need help to acquire the design ability.

Crucially, the resources needed for evaluating controls effectiveness need to be reduced. This can be done as follows:

  • Take comfort from the quality of anticipation and design. If controls development is working well and usually done in good time to meet new demands there should be less concern about ineffective controls.

  • Use design documentation in evaluation. Controls design uses documentation that auditors love. Their job is almost done for them.

  • Have good controls. Control weaknesses absorb a lot of evaluation effort, so having better controls reduces evaluation work.

  • Get assurance from direct indicators of controls effectiveness, designed into the control system. Large processes and other sources of risk should be monitored using controls effectiveness indicators such as error rates and backlog statistics. Well designed systems of internal control include and use such statistics. (This is not possible for risks that crystallise infrequently. For these there is no alternative but to judge effectiveness from whether the controls appear effective in relation to the perceived risks.)

  • Review the value of CSA work. If a manager was responsible for a risk that was being managed badly would he say? People know they are expected to say everything is fine. Would you bet your career on the assurance from CSA? It may be better to rely on the process more as a design process.

Consistency with the Combined Code, Turnbull guidance, and Sarbanes-Oxley Act 2002

Whatever approach is taken by a UK listed company it needs to fulfill the requirements of the UK's ‘Combined Code of the Committee on Corporate Governance’, as interpreted in ‘Internal control: guidance for directors on the Combined Code’ (i.e. the Turnbull Guidance). If the company also has a listing in the USA and is, therefore, registered with the SEC it also needs to comply with the USA's Sarbanes-Oxley Act of 2002, which has some interesting requirements about internal controls in sections 302 and 404.

Here is an analysis of compliance with a conventional and a design-focused approach. Repeated requirements and requirements where there is no difference between old and new styles have not been shown. Overall, the new focus on action rather than audit promises better compliance, despite its reduced emphasis and resources for controls evaluation.

Requirement Old focus (audit) New focus (action)
Relevant requirements of the Combined Code

Principle D.2 ‘Internal control: The board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets.’

Assumed to happen as a result of repeated evaluation of recommendations for improving perceived weaknesses. Increasingly, though, CSA is also seen as a design process.

Maintaining a sound system is done by anticipating the need for changes and directing appropriate resources to do appropriate work in good time. Evaluation confirms this has been done or points out improvements needed.

Provision D.2.1 ‘The directors should, at least annually, conduct a review of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management.’

This is the major focus for internal controls specialists in the company. Done by internal audit work, CSA, and similar confirmations by staff.

This is one part of the anticipate-design-develop-implement-operate-evaluate-refine cycle. Also uses direct statistics on controls effectiveness.

Additional ideas from the Turnbull guidance

Para 9. ‘The guidance is based on the adoption by a company's board of a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness.’ [In fairness, other paragraphs mention efficiency and cost-benefit analysis but the emphasis is less with far less guidance given on how to consider these factors.]

Exclusively risk-based.

Risk is a key driver but efficiency, time to implement, and cultural fit can also trigger decisions to revise controls.

Para 9 continued. ‘This should be incorporated by the company within its normal management and governance processes. It should not be treated as a separate exercise undertaken to meet regulatory requirements.

Considered normal management and governance, but actions mirror regulatory requirements.

Considered normal management and governance, but actions reflect what is best for company performance.

From para 13. ‘A company's objectives, its internal organisation and the environment in which it operates are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed.’

Focus is on current risks i.e. things that might go wrong now.

Focus is on building controls in time to meet anticipated risks and other demands.

Para 17. ‘In determining its policies with regard to internal control, and thereby assessing what constitutes a sound system of internal control in the particular circumstances of the company, the board's deliberations should include consideration of the following factors: 1) the nature and extent of the risks facing the company; 2) the extent and categories of risk which it regards as acceptable for the company to bear; 3) the likelihood of the risks concerned materialising; 4) the company's ability to reduce the incidence and impact on the business of risks that do materialise; and 5) the costs of operating particular controls relative to the benefit thereby obtained in managing the related risks.’

Usually interpreted as meaning that you should rate ‘risks’ independently for their likelihood of occurrence, and impact should they occur. The impact ratings are frequently illogical. The problem is that individual risks cannot be analysed at board level, but must be collected into large groups.

No independent ratings of likelihood and impact, but the factors listed by Turnbull need to be considered, among others.

Para 18. ‘It is the role of management to implement board policies on risk and control. In fulfilling its responsibilities, management should identify and evaluate the risks faced by the company for consideration by the board and design, operate and monitor a suitable system of internal control which implements the policies adopted by the board.’

Weakly reflected in conventional approaches to compliance. The main focus for internal control specialists is to review whether line managers have done this and point out where they have failed and what they should do.

The main focus for internal control specialists is to actively participate in controls design and implementation.

Para 19. ‘All employees have some responsibility for internal control as part of their accountability for achieving objectives. They, collectively, should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control. This will require an understanding of the company, its objectives, the industries and markets in which it operates, and the risks it faces.’

Everyone has some responsibility but no specific actions results from this requirement.

Everyone has some responsibility but it is recognised that skill in internal controls and design is also needed and that not everyone has it, potentially leading to ineffective or inefficient controls. Therefore, training is helpful for some, and specialists need to be available to help general managers to establish important controls.’

From para 22. ‘The system of internal control should: . . . include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified together with details of corrective action being undertaken."

Via internal audit and line management.

Via internal audit and line management. Use of controls effectiveness statistics enhances this.

Para 27. ‘Effective monitoring on a continuous basis is an essential component of a sound system of internal control. The board cannot, however, rely solely on the embedded monitoring processes within the company to discharge its responsibilities. It should regularly receive and review reports on internal control. In addition, the board should undertake an annual assessment for the purposes of making its public statement on internal control to ensure that it has considered all significant aspects of internal control for the company for the year under review and up to the date of approval of the annual report and accounts.’

Compliance as already described.

Similar, but continuous monitoring is made more effective to ease the burden of the annual assessment.

From para 33. ‘The board's annual assessment should, in particular, consider: . . . the scope and quality of management's ongoing monitoring of risks and of the system of internal control, and, where applicable, the work of its internal audit function and other providers of assurance.’

Compliance does not require extra action.

Relies on this point for some of the reduction in evaluation effort because continuous monitoring is enhanced.

Para 34. ‘Should the board become aware at any time of a significant failing or weakness in internal control, it should determine how the failing or weakness arose and re-assess the effectiveness of management's ongoing processes for designing, operating and monitoring the system of internal control.’

This has not been happening in most cases. Companies routinely have failed controls but rarely recognise that lack of skill and attention in controls design needs to be corrected.

The new focus is a response to past failings and includes continued review of the company's performance through the whole internal controls cycle.

Para 45. ‘When undertaking its assessment of the need for an internal audit function, the board should also consider whether there are any trends or current factors relevant to the company's activities, markets or other aspects of its external environment, that have increased, or are expected to increase, the risks faced by the company. Such an increase in risk may also arise from internal factors such as organisational restructuring or from changes in reporting processes or underlying information systems. Other matters to be taken into account may include adverse trends evident from the monitoring of internal control systems or an increased incidence of unexpected occurrences.’

Considering changes and trends that might require difference resources to deal with internal controls is a rare and perfunctory activity.

Considering changes and trends that might require different resources is a key task for top management and the board.

Sarbanes-Oxley Act (only applies to companies listed in the USA)

Sec 302 (a)(4)(B) the signing officers ‘have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers within those entities, particularly during the period in which the periodic reports are being prepared;’

Conventional Turnbull compliance emphasises setting policies and monitoring effectiveness.

New focus involves the signing officers in design in an appropriate way i.e. authorising allocation of appropriate resources to internal controls.

Sec 302 (a) (6) the signing officers also certify that ‘the signing officers have indicated in their report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.’

New requirement not dealt with in existing approach.

Easily met due to ongoing anticipation and monitoring of changes affecting controls effectiveness.


Putting evaluation in its proper place, oddly, makes it easier to do.

Shift resources away from evaluating internal controls and towards making them better. Done correctly the cost of evaluation can be reduced and the performance of controls improved. Your controls will manage risk better, more cheaply, and in ways that promote the culture you want for your organisation. The top team can forget about complicated and messy risk-control workshops and focus on the simpler and more familiar activity of directing resources to meet current and anticipated challenges.

If you have any ideas, questions, or concerns please feel free to contact me at I normally reply within a couple of days.

Further reading

Words © 2003 Matthew Leitch. First published 15 May 2003.