In the past Internal Control was part of the functions of Internal Audit and Accounting Managers. Today, CEO and Financial controllers have to confirm that the appropriate internal control is in place. In the beginning of this millennium corporate business world witnessed multi-million business scandals from big houses like Enron, Andersen, Quest, Tyco, Global Crossing. Since then the need of proper internal control framework for pubic limited companies is increased. When corporate houses are growing faster, with huge operation across globe, demands the need of robust control system in place to promote ethical business practice. .Managing business process with internal control mechanism helps in brings improvement in process and facilitate for quicker response time. Internal control software from Oracle, SAP and many other players are gaining importance. Post Sarbanes-Oxley act, in US there is a huge demand for these applications.
Many authors and authorities have defined internal control in their own way. One of the widely accepted meaning of internal control is, according to The committee of Sponsoring Organisations of Tradeway Commission(Popularly known as COSO), Internal control is one of the main tool to curb the risks associated with unwanted business acts. Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
o Effectiveness and efficiency of operations.
o Reliability of financial reporting.
o Compliance with applicable laws and regulations.
According to Turnbull, An effective internal control must in include the policies, processes, tasks behaviours and other aspects of a company that taken together to facilitate efficient operation, ensure the quality of internal and external reporting, Safeguarding the assets from inappropriate use, ensure compliance with law and regulation. Thus, internal control should be embedded with company’s policy and it should form a part of culture. To implement responsive internal control environment following points need to be considered.
1) Senior Management must accept higher degree of responsibility for internal control
2) Proper Delegation of power should be defined.
3) Clear training program on monitoring internal control system
4) Periodic review of internal control system and taking necessary action to avoid system deficiencies
5) Proper alert mechanism to tackle exceptional business processes.
Responsive internal control system helps in achieving business objective, increased market capitalization, effective utilization of corporate resources, fewer unforeseen threats associated with fraud, and effective management of change. But on the flip side, excessive internal control system may forced to increased bureaucracy, complexity, cycle time and no value addition in processes. This may result in reduced productivity. But to avoid the risks such fraud, public scandal, poor business direction, noncompliance with community standard existence of structured internal control system is necessary. In order to accomplish balance between risks and control, Internal control system should be proactive, value added, cost effective and addresses exposure to risk but it should not seen as burden on processes and it should aim at minimizing potential losses arising out of unwanted events.
Mitusbishi Coporation has build a effective internal control system to ensure business activities are conducted properly and conformity with laws and its Articles of incorporation. President defines basic management polices and sets of management goals. At the same time, he formulates the management plans and regularly follows up on progress in achieving target efficiently. Organization chain of command is clearly defined and delegation of authority is properly planned to accomplish targets. These staff must submit reports regularly. To incorporate statutory compliance requirement. Mitsubishi Corporation has established a cross organizational framework headed by Chief Compliance Officer. It also established a alert system, which tracks major non compliance activities in business process. To handle risk associated with business processes, MC has designated categories of risk and established sections responsible for each category. This resulted in law complied financial reporting and carrying out proper business in Group in Management,
Internal Control System Frameworks
Committee of Sponsoring Organizations of the Treadway Commission(COSO) is a US based organization of private sector corporate groups and established in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and make necessary recommendation to reduce its incidence. American Institute of Certified Public Accountant(AICPA), American Accounting Association(AAA), Financial Executives Institute(FEI), The Institute of Internal Auditors(IIA) and The Institute of Management Accountant(IMA) collectively formed and funded the COSO.
According to COSO Control Environment, Risk assessment, Control Activities Information and Communication, and Monitor are the five interrelated components for an effective internal control system.
Control Environment: Control Environment is a foundation of COSO framework. It includes the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors
Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring: Internal control systems need to be monitored–a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
The Control Objectives for Information and related Technology (COBIT) laid down the set of generally accepted guidelines for measures, indicators, processes and best practices to assist managers, auditors, and IT users for developing IT governance and Control in a company with which benefit of Information Technology can be maximized. COBIT framework is designed by Information Systems Audit and Control Association(ICASA), and the IT Governance Institute(ITGI) in 1992.
COBIT 4.1 has 34 high level processes that cover 210 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.
The Planning and Organization domain covers the use of information & technology and how best it can be used in a company to help achieve the company’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
The Delivery and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as, the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.
The Monitoring and Evaluation domain deals with a company’s strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of IT system in its ability to meet business objectives and the company’s control processes by internal and external auditors.
The following table lists the high level control objectives for the COBIT structure
Sarbanes-Oxley act (SOX)
After the massive fraudulent financial reporting by publicly listed companies, American constitution enacted the SOX Act on July 30, 2002. Key focus objective of the act is to provide confidence and trust to investors and public in the Post Enron era. Act laid out the specific corporate responsibility for financial reporting, internal controls and audit committee standards. It also established criminal penalties for non compliance.
Section 302 requires the CEO and CFO on a quarterly basis to sign off on financial statement fairness and internal control effectiveness. They also must report any significant changes in internal controls since their last evaluation.
Section 404 requires a separate management report on internal control effectiveness and audit by the organization’s external financial statement auditor. It becomes effective for most large companies for their entire reporting year ending December 31, 2004 and has a 12/31/2005 effective date for other companies.
Section 906 is related to Sections 302 and 404, and requires that CEOs and CFOs ensure all financial reporting (including annual and periodic reports) fairly presents, in all material respects, the financial condition and results of operations of the issuer. It also provides for significant criminal penalties for non-compliance.
Section 201 prohibits a registered public accounting firm from performing both audit and non-audit services.
Section 301 requires an audit committee to establish “whistleblower” procedures to allow the confidential and anonymous submission of concerns regarding questionable accounting or auditing matters.
Section 409 requires disclosure to the public on a rapid and current basis additional information concerning material changes in the financial condition or operations of the issuer (Form 8-K).
SOX recommended both COSO or COBIT framework for effective internal control in business. COBIT is also a COSO compliant and acceptable IT framework. COSO’s target audience is management at large, COBIT intended for management, users and IT auditors. Both COSO and COBIT view control as an entity-wide process, but COBIT specifically focuses on IT control. A sound system of internal control therefore provides reasonable, but not absolute, assurance that a company will not be hindered in achieving its business objectives, or in the orderly and legitimate conduct of its business, by circumstances which may reasonably be foreseen. Thus, Internal Control should be the part of organizational DNA.