THE INTERNAL CONTROL STRUCTURE OF ORGANIZATIONS (STUDY OBJECTIVE 7)

All organizations face risks in both day-to-day operations and long-term management. Some risks may be beyond the control of management. For example, management cannot reduce the likelihood of an earthquake, which could interrupt operations or destroy buildings and equipment. However, managers can take steps to lessen the negative impact of an earthquake; for example, they can ensure that buildings are designed to resist earthquake damage. In fact, management has the ability and the responsibility to take action that reduces, or lessens the impact of, nearly all of the risks the organization faces. The processes that do this are called controls.

Accountants have a long history of being the professionals within the organization who help design and implement controls to lessen risks that have an impact on the financial standing of the organization. Accountants are usually experts in controls that can reduce risks in the following broad categories:

  1. The risk that assets will be stolen or misused
  2. The risk of errors in accounting data or information
  3. The risk of fraudulent activity by employees, managers, customers, or vendors
  4. The risks inherent in IT systems, such as
    1. Erroneous input of data
    2. Erroneous processing of data
    3. Computer fraud
    4. Computer security breaches
    5. Hardware or software failure
    6. Natural disasters that can interrupt computer system operations

Although management has the ultimate responsibility to establish a control environment to mitigate these risks to the extent to which it can reasonably do so, accountants are heavily involved in assisting management in the creation, implementation, and ongoing monitoring of the control environment. Management should ensure that the following types of control structures exist:

  1. Enterprise risk management (summarized in the next subsection)
  2. Code of ethics (Chapter 3)
  3. COSO accounting internal control structure (Chapter 3)
  4. IT system control structure (Chapter 4)
  5. Corporate governance structure (Chapter 5)
  6. IT governance structure (Chapter 6)

ENTERPRISE RISK MANAGEMENT

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a comprehensive report on enterprise risk management that is still widely used in today's business environment. The purpose of the report, and of the many related thought papers that have been issued since, is to assist managers in meeting the challenge of managing risk in their organizations. The proper response to the risks that all organizations face is to establish formal processes and procedures to manage them. Enterprise risk management (ERM) is defined as

...a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

This definition has several critical components. First, notice that ERM is put into place by top management and the board of directors. This emphasizes that ERM is the responsibility of management. Second, ERM is an ongoing process. Therefore, it is not something that occurs once and is forgotten—it is the continuous assessment of risks, determination of acceptable levels of risk, and management of risks to that acceptable level. Finally, ERM must involve not only management, but personnel across the enterprise.

ERM requires that management set policies and procedures related to the following:

  • Internal Environment—The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the operational environment.
  • Objective Setting—Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
  • Event Identification—Internal and external events affecting achievement of an entity's objectives must be identified, with distinction made between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
  • Risk Assessment—Risks are analyzed by likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on both an inherent and a residual basis: inherent risk is the likelihood and impact before any risk response or control is applied, and residual risk is what remains after the response and its controls are in place.
  • Risk Response—Management selects risk responses—avoiding, accepting, reducing, or sharing risk—by developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
  • Control Activities—Policies and procedures are established and implemented to help ensure that the risk responses are effectively carried out.
  • Information and Communication—Relevant information is identified, captured, and communicated in a form and a time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
  • Monitoring—The entirety of enterprise risk management is monitored and modified as necessary. Monitoring is accomplished through ongoing management activities (including internal auditing), separate evaluations (such as those performed by external auditors), or both.

To achieve the objective of managing risk, management should establish control structures that include at least accounting internal controls, IT controls, corporate governance, and IT governance. These control structures are briefly sketched next and are described in more detail in later chapters.

THE REAL WORLD

On April 20, 2010, an explosion aboard the Deepwater Horizon drilling platform caused millions of gallons of oil to spill into the Gulf of Mexico, wreaking havoc on marine life and disrupting coastal economies. This event and the problems that followed have been disastrous for BP plc, the company most frequently blamed for the tragedy.

Although you may think this is an extreme example, it illustrates how critical it is for companies to manage risks. Risks lie in nearly every aspect of every business, and the task of identifying and mitigating them is a daily challenge. Certainly, any oil company would count an explosion, oil spill, or oil leak among its most serious risks, so how could it be that this risk was not prevented? In the case of BP and the other responsible companies, there were evidently breakdowns in the monitoring of the controls surrounding this location.

You may also wonder how this is relevant to accounting information systems. Although many people are familiar with the BP oil spill, most have probably never considered the accounting implications of this disaster. Yet years after its occurrence, BP was still struggling to account for the damages owed for environmental clean-up and legal claims, and its audit firm was still using cautionary language in the audit opinion accompanying BP's financial statements.

A CODE OF ETHICS

Developing and adhering to a code of ethics should reduce the opportunities for managers or employees to commit fraud. This will be true, however, only if top management emphasizes the code and disciplines or discharges those who violate it. Managers who emphasize and model ethical behavior are more likely to encourage ethical behavior in their employees.

COSO ACCOUNTING INTERNAL CONTROL STRUCTURE

In addition to its ERM guidance, COSO is well known for its “Internal Control—Integrated Framework,” which has become the standard accepted by the accounting and business community as the definition and description of internal control. According to this framework, there are five interrelated components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring. Notice that these five components also appear among the eight ERM components listed above; to achieve ERM, an organization must include them in its enterprise risk management processes. (These five components are described in detail in Chapter 3.)

IT CONTROLS

Threats and risks that interrupt or stop computer operations can be severely damaging to the organization. Not only can they halt or disrupt normal operations; they can lead to incorrect or incomplete accounting information. In addition, computer processing of accounting data leads to the risks of erroneous accounting data due to flawed or incomplete input or processing of data, computer fraud, and computer security breaches. An organization must institute controls to limit these risks in IT systems.

IT controls can be divided into two categories, general controls and application controls. General controls apply to the IT accounting system as a whole; they are not restricted to any particular accounting application. An example of a general control is requiring passwords so that only authorized users can log into an IT-based accounting system: authentication is needed regardless of which application processes the data. Application controls are used within specific accounting applications to control input, processing, and output. They are intended to ensure that inputs are accurate and complete, that processing is accurate and complete, and that outputs are properly distributed, controlled, and disposed of. (General and application controls in IT systems are described in Chapter 4.)
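The following is an added example, not code from the textbook, of what application input controls look like when written down: line-level edit checks (completeness, format, validity against a chart of accounts, limit) followed by batch-level controls (record count, hash total, control total) and a zero-balance check before posting. The batch layout, field names, chart of accounts, amount limit, and the sample journal entries are all constructed for illustration and are not from the original page.

```python
"""Application input controls for a batch of journal-entry lines.

Added example, not taken from the textbook. The batch layout, field
names, chart of accounts and limit below are hypothetical.
"""
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Hypothetical chart of accounts: the reference table for the validity check.
CHART_OF_ACCOUNTS = {"1000", "1200", "2000", "4000", "5000"}
AMOUNT_LIMIT = Decimal("1000000.00")        # hypothetical per-line limit check
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)    # (line, reason) pairs
    batch_errors: list = field(default_factory=list)


def field_checks(line):
    """Line-level edit checks. Returns a rejection reason, or None if the line passes."""
    for key in ("date", "account", "amount", "description"):
        if not str(line.get(key, "")).strip():
            return f"missing {key}"                  # completeness check
    if not DATE_RE.match(line["date"]):
        return "date not in YYYY-MM-DD form"        # format check
    if line["account"] not in CHART_OF_ACCOUNTS:
        return "account not in chart of accounts"   # validity check
    try:
        amount = Decimal(str(line["amount"]))
    except InvalidOperation:
        return "amount not numeric"                 # field (type) check
    if amount == 0 or abs(amount) > AMOUNT_LIMIT:
        return "amount zero or over limit"          # limit/range check
    return None


def validate_batch(lines, header):
    """Apply line checks, then batch controls against the sender's header.

    header carries totals the sender computed before transmission:
    record_count, hash_total (sum of account numbers, a meaningless total
    used only to detect dropped or altered records) and control_total
    (net of signed amounts; debits positive, credits negative).
    """
    result = BatchResult()
    for line in lines:
        reason = field_checks(line)
        if reason:
            result.rejected.append((line, reason))
        else:
            result.accepted.append(line)

    # Batch controls run over everything received, rejected lines included:
    # the question here is whether the batch arrived intact, not whether
    # every line is individually valid.
    if len(lines) != header["record_count"]:
        result.batch_errors.append("record count mismatch")
    hash_total = sum(int(l["account"]) for l in lines
                     if str(l.get("account", "")).isdigit())
    if hash_total != header["hash_total"]:
        result.batch_errors.append("hash total mismatch")
    control_total = Decimal("0")
    for l in lines:
        try:
            control_total += Decimal(str(l.get("amount", "")))
        except InvalidOperation:
            pass                                    # already rejected above
    if control_total != header["control_total"]:
        result.batch_errors.append("control total mismatch")

    # Zero-balance check on what survived: rejecting one side of an entry
    # leaves the remainder unbalanced, so the batch is held, not posted.
    if sum(Decimal(str(l["amount"])) for l in result.accepted) != 0:
        result.batch_errors.append("accepted lines do not balance")
    return result


# Constructed sample batch: two balanced entries, one line keyed to an
# account that does not exist in the chart of accounts.
SAMPLE_LINES = [
    {"date": "2024-03-31", "account": "5000", "amount": "1500.00", "description": "March rent"},
    {"date": "2024-03-31", "account": "1000", "amount": "-1500.00", "description": "Cash paid for rent"},
    {"date": "2024-03-31", "account": "9999", "amount": "250.00", "description": "Office supplies"},
    {"date": "2024-03-31", "account": "1000", "amount": "-250.00", "description": "Cash paid for supplies"},
]
# Totals the sender computed over the same four lines before transmission.
SAMPLE_HEADER = {"record_count": 4, "hash_total": 5000 + 1000 + 9999 + 1000,
                 "control_total": Decimal("0.00")}


def run_sample():
    """Intact batch: one line fails validity, which leaves the rest unbalanced."""
    return validate_batch(SAMPLE_LINES, SAMPLE_HEADER)


def run_tampered_sample():
    """Same header, but the last line was lost in transit: batch controls catch it."""
    return validate_batch(SAMPLE_LINES[:3], SAMPLE_HEADER)


if __name__ == "__main__":
    r = run_sample()
    print(len(r.accepted), "accepted,", len(r.rejected), "rejected;", r.batch_errors)
    print(run_tampered_sample().batch_errors)
```

The split between `field_checks` and the batch totals mirrors the text's distinction between input accuracy (each line is well formed and refers to real accounts) and input completeness (everything the sender keyed actually arrived). Note that the batch totals are computed over all received lines, including rejected ones; computing them only over accepted lines would let a dropped record and a rejected record cancel out.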

CORPORATE GOVERNANCE

Corporate governance is a relatively new concept that has evolved over recent years. It is generally recognized as involving many diverse aspects of business; thus, many definitions of corporate governance exist to cover each different aspect of interest. For instance, when economists define corporate governance, they recognize factors affecting the supply and demand of corporate leaders and tend to emphasize the importance of motivating leaders through the use of incentive programs. On the other hand, financiers tend to emphasize the role of corporate leaders to provide a good rate of return, while accountants focus on the responsibility of corporate leaders to provide effective internal controls and accurate records.

If forced to provide a single definition, accountants would characterize corporate governance as an elaborate system of checks and balances whereby a company's leadership is held accountable for building shareholder value and creating confidence in the financial reporting processes. This system of checks and balances includes several corporate functions that are interrelated within the corporate governance system, including management oversight, internal controls and compliance, financial stewardship, and ethical conduct.

Corporate governance has been tremendously affected by the Sarbanes–Oxley Act of 2002. The purpose of the Act was to improve financial reporting and reinforce the importance of corporate ethics. The legislation was enacted in an effort to curb the corruption and accounting blunders that had been discovered in connection with the bankruptcies of such corporate giants as Enron Corp. and WorldCom Inc. The Sarbanes–Oxley Act places a huge responsibility on top management to establish and maintain internal controls. (Corporate governance and the Sarbanes–Oxley Act are described in detail in Chapter 5.)

IT GOVERNANCE

The proper management, control, and use of IT systems are known as IT governance. The IT Governance Institute defines IT governance as

the leadership, organizational structure, and processes that ensure that the enterprise achieve(s) its goals by adding value while balancing risk versus return over IT and its processes. IT governance provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives.

In summary, the board of directors and top-level, executive managers must take responsibility to ensure that the organization uses processes that align IT systems to the strategies and objectives of the organization. IT systems should be chosen and implemented to support the attainment of strategies and objectives. To fulfill the management obligations that are inherent in IT governance, management must focus on the following aspects:

  • Aligning IT strategy with the business strategy
  • Cascading strategy and goals down into the enterprise
  • Providing organizational structures that facilitate the implementation of strategies and goals
  • Insisting that an IT control framework be adopted and implemented

(IT governance is further described in Chapter 6.)
