This article looks at how internal controls can help an organization, and how they relate to ERP systems.
Before the Enterprise Risk Management framework we looked at in a previous article, COSO (1992) also took a critical look at internal control. According to that document, internal control is “a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.”
Even prior to the COSO definition, however, accountants and auditors had begun thinking and writing about internal control. The AICPA discussed four fundamental purposes of internal control:
- Ensuring financial statement reliability
- Encouraging adherence to management policies
- Promoting operating efficiency
- Safeguarding assets
Internal controls are critically important in any type of organization. In fact, many of the corporate scandals of the late 20th century might have been avoided or detected much earlier if stronger, more effective internal controls had been in place.
Nevertheless, internal controls are not a panacea. They are designed to provide reasonable assurance—not absolute assurance. That’s why internal controls should be designed and implemented holistically, rather than on a piecemeal basis. Internal controls can be categorized based on their broad purpose (preventive, detective, corrective), based on their nature (physical controls, technical controls, administrative controls) or based on their scope vis-à-vis information technology (general controls, application controls).
All internal controls are subject to a cost / benefit constraint. Managers and others charged with designing and implementing internal controls must ensure that the benefit of fulfilling one or more of the four purposes outweighs the cost of implementing a specific control.
Prior to their work on enterprise risk management, COSO developed an integrated framework to help organizations design and implement effective internal controls. Its five parts are: control environment, risk assessment, control activities, information & communication, and monitoring. Maassen (2010) offered the following description of the COSO framework’s elements:
- Control Environment — This component focuses on the risk management culture within organizations. Relevant questions include: are people throughout the organization aware of the importance of risk management and do they understand the risk profile of the organization? Do management and the board of directors set the tone at the top? Are risk awareness and mitigation embedded in the values of the organization and in the integrity and competence of staff? Is risk management part of management’s philosophy and operating style and the way management assigns authority and responsibility?
- Risk Assessment — Each organization is faced with external and internal risks that may affect the goals of the organization. Risk assessments identify relevant risks to the objectives and determine how the organization can manage the risks.
- Control Activities — These refer to the internal control system of the organization, including policies and procedures that define approval processes, authorization levels, security of assets and the segregation of duties, etc.
- Information and Communication — This component refers to an organization’s information and communication systems, including the production of operational and financial reports.
- Monitoring — This component is often confused with the “control activities” component. While control activities define an organization’s internal control system, the monitoring component focuses on the monitoring of these systems, such as direct supervision and evaluation.
COSO has also published several follow up documents related to internal control, including:
- Internal control issues in derivative usage (1996)
- Internal control over financial reporting—guidance for smaller public companies (2006)
- Guidance on monitoring internal control systems (2009)
And, in late 2010, COSO announced plans to modernize and update the internal control framework.
Let’s take a look at a specific case through the lens of the COSO framework. This case is based on a real organization I encountered in the late 1980s, although the names have been changed to preserve anonymity.
Alphabet Soup Consulting (ASC) employs a staff of 50 consultants and is managed by a three-person board of directors: Robbie (president), Vicki (vice president), and Richard (treasurer). The company’s bylaws specify that checks over $500 require the signatures of two directors to be valid. However, if an invoice over $500 is due and Robbie or Vicki cannot be reached, Richard frequently writes two (or more) smaller checks to cover the total amount. For example, if an invoice totals $900, Richard might write three checks for $300 each or two checks for $450 each. Richard feels justified in his actions because of increased efficiency.
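The two-signature rule is a preventive control, and the case shows how a single person can route around it. A detective control that the other directors (or an auditor) could run over the check register closes that gap: flag any check over the threshold that carries only one signature, and flag groups of individually sub-threshold checks to the same payee, issued close together, whose sum exceeds the threshold. The Python below is an added example, not code from the article; the $500 threshold and the names come from the case, while the three-day window, the check ledger and the payees are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Threshold from ASC's bylaws: checks over $500 need two directors' signatures.
DUAL_SIGNATURE_THRESHOLD = 500.00
# Assumption (not from the article): checks to one payee issued within this many
# days of each other are treated as one payment for the split-check test.
SPLIT_WINDOW_DAYS = 3


@dataclass(frozen=True)
class Check:
    number: int
    issued: date
    payee: str
    amount: float
    signers: tuple  # names of the directors who signed the check


def missing_second_signature(checks):
    """Test of the preventive control: checks over the threshold with fewer than two distinct signers."""
    return [c for c in checks
            if c.amount > DUAL_SIGNATURE_THRESHOLD and len(set(c.signers)) < 2]


def suspected_split_payments(checks, threshold=DUAL_SIGNATURE_THRESHOLD,
                             window_days=SPLIT_WINDOW_DAYS):
    """Detective test: groups of individually sub-threshold checks to the same payee,
    issued within `window_days` of each other, that together exceed the threshold
    (the pattern Richard used to avoid the two-signature rule)."""
    by_payee = defaultdict(list)
    for c in checks:
        if c.amount <= threshold:
            by_payee[c.payee].append(c)

    findings = []
    for payee, items in sorted(by_payee.items()):
        items.sort(key=lambda c: (c.issued, c.number))
        reported = []  # check-number sets already reported, so sub-groups are not repeated
        for i, first in enumerate(items):
            group = [first]
            for later in items[i + 1:]:
                if (later.issued - first.issued).days <= window_days:
                    group.append(later)
                else:
                    break
            numbers = {c.number for c in group}
            total = round(sum(c.amount for c in group), 2)
            if (len(group) > 1 and total > threshold
                    and not any(numbers <= seen for seen in reported)):
                reported.append(numbers)
                findings.append({"payee": payee, "checks": sorted(numbers), "total": total})
    return findings


# Constructed sample register for one month; the signer names follow the case.
SAMPLE_LEDGER = [
    Check(101, date(1988, 3, 1), "Office Supply Co", 300.00, ("Richard",)),
    Check(102, date(1988, 3, 1), "Office Supply Co", 300.00, ("Richard",)),
    Check(103, date(1988, 3, 1), "Office Supply Co", 300.00, ("Richard",)),
    Check(104, date(1988, 3, 5), "Landlord LLC", 1200.00, ("Richard", "Vicki")),
    Check(105, date(1988, 3, 9), "Print Shop", 450.00, ("Richard",)),
    Check(106, date(1988, 3, 10), "Print Shop", 450.00, ("Richard",)),
    Check(107, date(1988, 3, 15), "Utility Co", 400.00, ("Richard",)),
    Check(108, date(1988, 3, 20), "Consultant X", 750.00, ("Richard",)),
    Check(109, date(1988, 3, 2), "Utility Co", 400.00, ("Richard",)),
]


def audit(checks=SAMPLE_LEDGER):
    """Run both tests and return the findings for review by the other directors."""
    return {
        "unsigned_over_threshold": [c.number for c in missing_second_signature(checks)],
        "suspected_splits": suspected_split_payments(checks),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

On the sample register the first test flags check 108 ($750, one signer) and the second flags the three $300 checks to Office Supply Co and the two $450 checks to Print Shop; the two $400 checks to Utility Co are thirteen days apart, so the window keeps them out of the report. The window size is the knob a reviewer tunes: too narrow and splits spread across a week are missed, too wide and routine recurring payments produce noise.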
The control environment was weak at ASC. Although Richard was a CPA, neither Robbie nor Vicki had any background or training in accounting. Moreover, Richard’s practice had been devoted primarily to tax preparation. As we discussed in the article on enterprise risk management, the “tone at the top” is critically important for maintaining strong internal control.
Regarding risk assessment, the biggest concern for ASC in this case was clearly embezzlement. Like many small businesses, ASC also struggled with operating liquidity on an ongoing basis. The three directors had worked together in other capacities for a couple of years; they didn’t want to appear distrustful of one another, which led to the lax attitude about internal control.
Although the two-signature provision was a good attempt at control activities, the organizational culture allowed Richard to circumvent it whenever he felt it necessary. As Richard was also in charge of keeping the company’s books and reconciling the bank statement, the other two directors were often “in the dark” about the company’s finances.
ASC had no effective plan for the other two framework components: information & communication and monitoring. Whether or not Richard’s repeated circumvention of internal controls contributed directly to the outcome, ASC closed its doors after only a few years of operation.
When it comes to internal control over ERP systems, managers have to consider at least two factors: (a) physical protection of the system and (b) information security. The former is, relatively speaking, a simple matter: policies regarding food and drink around system assets, locked doors, sprinklers or other fire suppression mechanisms and the like are simple, effective ways to safeguard the equipment.
Information security, on the other hand, is a more complex matter. Information security is defined as the “protection of data in a system against unauthorized disclosure, modification, or destruction, and protection of the computer system itself against unauthorized use, modification, or denial of service.” (Hurt, 2010)
Confidentiality exists when data are held in confidence and are protected from unauthorized disclosure. Data integrity exists when data stored in an information system are the same as those in the source documents, or have been correctly processed from source data, and have not been exposed to accidental or malicious alteration or destruction. Availability is achieved when the required data can be obtained within the required time frame.
The Information Systems Audit and Control Association (ISACA) published a framework titled Control Objectives for Information and Related Technology (CoBIT) to provide additional guidance regarding, among other topics, internal controls for information technology. CoBIT looks at internal control from three points of view: business objectives, information technology resources, and information technology processes. It is organized into four domains of knowledge based on tasks common to most IT projects: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
The CoBIT framework links together many other topics we have discussed and will discuss in this article series. It has sections devoted to:
- Business processes (Article 2 in this series)
- Process maturity (Article 3 in this series)
- Enterprise risk management (Article 6 in this series)
- Systems development (Article 12 in this series)
In discussing the broad purpose of CoBIT, ISACA offered the following comments (ISACA, 2010):
The purpose of COBIT is to provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT helps bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.
This article has provided a very brief introduction to internal control and its relationship to ERP systems. Please consult the resources below to learn more.
- Hurt, R. L. Accounting Information Systems: Basic Concepts and Current Issues (2nd edition). McGraw-Hill/Irwin, 2010. www.mhhe.com/hurt2e.
- COSO. Internal Control—Integrated Framework. 1992.
- ISACA. Control Objectives for Information and Related Technology. Retrieved 6 December 2010 from www.isaca.org.
- Maassen, G. Retrieved 6 December 2010 from www.developmentwork.net.