The idea of controls is as pervasive as business itself. A control is a check at some or multiple points within a process to ensure that the system is working correctly. In this way, controls are a form of risk management. We usually talk about control owners in accounting (controller) and quality assurance.
A control owner is a role responsible for the implementation and supervision of control check points within a process or system. Control owners rarely apply the controls themselves, a job better for the control owner’s team. An example of a control owner is a business analyst who ensures QA testers review an application. In fact, the term control owner is often used as a synonym for business analyst.
Control Owner Job Description: What do They Do?
On a day-to-day basis, a control owner’s job is to make sure controls are in place. The image that comes to mind when we think of control owner is often that of a supervisor wearing a construction hat and walking across catwalks with sparks flying around him/her.
Rest assured, the reality is much different than that, especially in an office setting. A control owner spends his/her time in a number of ways regardless of the industry. In general, we can refer to this work as control assessment.
Control assessment
- Reviewing high risk items
- Performing regular checks on measurement tools
- Discussing with team members to discover any at-risk items
- Reading industry magazines and staying informed of new technologies
- Implementing new technologies where applicable
- Running tagged tests through the controlled system
- Devising and implementing new controls where applicable
- Traveling to industry events to network and identify partnerships
But this list doesn’t give us concrete footing. Let’s look at an example in a IT company, where the role of a control owner often aims to assure the quality of a software product or functionality.
Quality assurance
Control owners in IT companies show up in quality assurance (QA). Quality assurance is the name of a team’s or team member’s role in the development process. Their job is to review the product created by development teams in order to identify any bugs to fix. Seems simple, right?
The process gets a little more complicated when you must test EVERY element of a digital product. Unlike traditional products (say, frying pans for example), digital products are dynamic. They are ever-changing with the needs of the end user.
In fact, try it. Open up your favorite app on your phone right now. Go to the menu button and look at the various links. I’m sure there is a least one button you hardly ever click on (let’s just say its terms and conditions). It may seem irrelevant to you, but other users may be more inclined to click on this link.
If the production team has done its job right, then you won’t even realize the app is complex and information-rich. All of the pages you use will be bug-free, and all the pages others use will be bug free. You won’t see the complexity, but make no mistake that it is there.
Following the logic, control owner‘s job is to ensure that the members on the quality assurance team are checking all of the right things across digital products. In this context, we often call control owners by the business analyst title. They collect requirements by speaking with the management or with a client for the product, and they must assure that those requirements are put in place.
Often times there is a lead quality assurance role to help the business analyst manage this step.
Controls assurance in risk management framework
A risk management framework is a structure that identifies threats to the business and how to minimize them. Within this framework is the concept of control assurance. The more controls can be assured, the higher the chance that risk-mitigation techniques succeed. To give you an idea of its scale, the risk management framework was originally developed by the U.S. Department of Commerce’s National Institute of Standards and Technology.
Control owners, thus, become a critical role in any organization’s efforts to fight against potential threats. Whatever the process is to protect the company, good control owners will make sure this is carried out the way it is supposed to be.
Control owner in accounting
When we talk about control in an organization, perhaps the most common use is in reference to the “group controller.” This is the person responsible for producing the correct financial statements at the end of any period. It’s a tough job in which the controller must align with the entire accounting department to ensure the right information comes out.
It’s a great example of controls, so take a closer look at each of these steps. It help to conceptualize the role that checkpoints and controls play in a department.
| Accounting step | Control |
|---|---|
| Receive invoices from financial operations team | Cross check that total # of invoices sent is the same as total received |
| Encode invoice data into accounting database | Provide review page to ensure data is correct |
| Break down entries into a trial balance | Review breakdown procedure after each consolidation |
| Review trial balance | Pick a sample set of accounts within the trial balance and review their validity against invoices |
| Build financial statements from trial balance | Review key accounts against invoices again in each of the financial statements |
Control owner vs. beneficial owner
Control owner in a systems context is not to be confused with control owner in a judicial context. When it comes to legal ownership of assets, we often hear the term “beneficiary” or “beneficial owner.” This distinction simply refers to ownership “in reality” vs ownership “on paper.”
The Panama Papers of 2016 revealed a number of documents with famous beneficial owners of questionable assets, although on paper the owners were people without a vested interest–oftentimes people who didn’t even know they were owners!
Beneficial owners are often contrasted with control owners (in their legal sense). Control owners in legal context are owners who can have a minority ownership but operational control. Without getting into too much detail, the point here to remember is that the legal and business definitions of “control owner” are different.
Control owner vs. process owner
In a sentence, control owners are one step higher in the hierarchy than process owners. Control owners are responsible for an entire set of controls but do not implement them, whereas process owners implement the controls and sometimes supervise the implementation.
In smaller organizations, it may be rarer to see true control owners due to the additional staff cost. Larger organizations will insist on them, however, as the additional layer of review helps mitigate risk.
Coming back to the example of quality assurance, we can see that the business analyst is the true control owner while the head of quality assurance is more of a process owner. Even in IT companies, business analysts become part of the organization when the company has more money and can afford to mitigate risks.
Control owner vs. control performer
If we go one step further down in the hierarchy, we find control performers, or control “operators.” These are the guys who actual perform the control measures. In our example of quality control, QA testers are control performers. They dig in to the application, website, or functionality to really understand it.
In our example of accounting, control performers include the accountants themselves, as well as the controller at the group level. Accountants cross-check each other at an operational level. Then, once all is ready, the group controller performs a final check. In this context, the group controller is both a process owner and a control performer!
Here’s the hierarchy of control assessment broken down one more:
- Control owner – responsible for all controls in a system, supervises
- Process owner – responsible for controls in a small system, supervises and implements
- Control performer – responsible for one control, implements
Risk owner
The idea of a “risk owner” is becoming more and more prevalent in organizations today. While every person on the senior leadership team should be distinctly aware of risks to the business, it often requires a specific role to monitor and contorol them.
A risk owner is responsible for supervising risk for an entire organization rather than an individual department. This person reports directly to the executive suite or is a part of it.
Conclusion
We’ve looked at a number of tasks and positions related to control owners. To summarize, a control owner is a mid-level position in the implementation of controls of an organization. There are positions above, such as risk owner, as well as positions below, such as process owner and control performer.
While often the title given to someone in the control ownership position is “control owner,” organizations may refer to it differently depending on the industry. As we saw, in accounting, a control owner is called “group controller.” Likewise, in software development, business analysts most often occupy the role of control ownership.
On a day-to-day basis, control owners will review risk items, talk with his/her team about current controls and statuses, and envision new ways of implementing technology and restructuring control models. The ultimate goals for any control owner is that his/her work mitigates threats to the process, the business, and the organization as a whole.
