Accounting Systems & Controls
Accounting systems are comprised of hardware, software applications, and the people who design and administer the system as a whole. An accounting system has three distinct components: analysis, design and implementation. These components generally incorporate databases, user applications and the designers and end-users of the entire system. This essay looks closely at the role that an organization's internal controls have in an accounting system. Internal controls function as the administrative and procedural framework of an accounting system and can be thought of as a sub-system within the overall accounting system. The elements of an internal controls system are: The control environment, risk assessment, control activities, information and communication and monitoring of the controls. Internal controls are very much in the spotlight at organizations as a result of implementation of the Sarbanes-Oxley Act of 2002. Much scrutiny has been placed on internal controls that monitor financial transactions. The Sarbanes-Oxley Act has been blamed for adding complexity and cost to overall corporate governance. The costs of implementation and compliance have steadily risen since 2002 and many companies continue to struggle with SEC guidelines for administering Sarbanes-Oxley directives. A chief accounting officer at General Motors Corp. was quoted as saying of the Act, "The real cost isn't the incremental dollars, it is having people that should be focused on the business [being instead] focused on complying with the details of the rules." This essay discusses trends in the cost of compliance as well as SEC efforts to clarify the guidelines for companies. Today, many companies are turning their attention to implementing an internal control framework that supports an overall risk management strategy within an organization. The benefits of implementing strong internal controls are not just a benefit or a requirement of public companies. Today, private companies are implementing accounting systems and internal controls as a means to improve operations, accountability and efficiency. Lastly, this essay reviews a number of trends and best practices for internal controls for enterprise risk a means to illicit further discussion and research.
Keywords Accounting Controls; Accounting System; Assurance; Chief Audit Executive (CAE); Committee of Sponsoring Organizations of the Treadway Commission COSO; Control Environment; Corporate Compliance; External Audit; Internal Controls; Private Company; Public Company; Public Company Accounting Oversight Board (PCAOB); Risk-based Audit; Sarbanes-Oxley (Sarbox or SOX or SOA); Securities and Exchange Commission (SEC); The American Institute of Certified Public Accountants (AICPA)
Merriam-Webster's dictionary defines a "system" as a regularly interacting or interdependent group of items forming a unified whole. A "control" is defined as a device or mechanism used to regulate or guide the operation of a machine, apparatus, or system. It is important to define the individual terms within the topic of "accounting systems and controls" to clarify the scope of what is meant by it.
An accounting system consists of the following three components: Analysis, design and implementation. These three components define the accounting system framework and should provide businesses with a uniform way in which to use their data and financial information. Accounting systems are, in-part, comprised of the hardware, software and applications that allow for storage of important organizational information-both financial and non-financial. For purposes of clarification, this essay concentrates on discussing "internal controls" as they impact accounting systems and not the electronic storage of financial data.
Internal controls can be thought of as a sub-system within the accounting system ("Internal controls," 2007). Internal controls offer guidance, practices and procedures that the accounting system needs to operate within an organization. Internal controls are designed to protect against fraud and abuse, ensure accuracy and timeliness of information, and ensure that an organization is in compliance with regulatory guidelines (Internal controls," 2007). Internal accounting controls are a series of procedures and practices designed to promote management practices — both financial and general. Internal controls can be further outlined as being designed to insure the following within an organization ("Developing an internal accounting control system," 2007):
- Financial information is reliable and that managers and boards have assurance that financial data is accurate.
- Company assets and records (information) are protected from fraud.
- Policies are followed by employees, stakeholders.
- All applicable regulations are met by the organization.
Five Key Elements of Internal Controls
The elements of an internal controls system are generally accepted as having the following five elements ("Internal controls," 2007).
- Control Environment — This refers to the general attitude of management or others who administer the internal controls of an organization. A high level of commitment to ethical values and good business practices should be exhibited at the executive, management and board level to instill employees with a similar attitude to implementing effective controls. The control environment may include background checks for key employees, technical competence of staff and thorough written procedures to support the controls.
- Risk Assessment — Identifies areas of potential risk in an organization and asks the following questions: What assets are at risk? What can go wrong? Who is in a position of risk? The role of the controls administrator is to identify methods to control risk and analyze associated costs.
- Control Activities — Refers to activities that provide a "reasonable" level of assurance that the goals and objectives of the organization or a business unit will be met. Absolute assurance is not possible because of a number of factors including: Prohibitive costs, human error and management's ability to over-ride controls.
- Information and Communication Systems — Communication lets employees know what is expected of them and how to accomplish given objectives. Clear communication also identifies who has responsibility for a given task and provides needed clarity for employees. Information systems include data repositories as well as the reports that monitor progress related to operational, financial and compliance objectives. Information provides a means to monitor progress toward specific accomplishments and provides administration with the information to make decisions.
- Monitoring — This step involves checking on the internal control system and making certain that it operates as expected. The focus of monitoring should always be on areas of highest risk. It is the role of the controls administrator to change internal controls to reflect any changes in operational circumstances as they may occur.
History of Internal Controls
Internal Controls are probably most often thought of within the context of corporate compliance and specifically as a means to comply with section 404 of Sarbanes-Oxley (SOX) legislation that was passed in 2002. SOX Section 404 falls under the heading "Management Assessment of Internal Controls." Section 404 states, "Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures" (Sarbanes-Oxley Act Section 404," 2004).
Donald C. Langevoort (2006) states the following regarding SOX section 404:
"Today, the vocal criticism is largely reserved for just one piece of the legislation: The internal controls requirement found in section 404, which in some circles has become almost synonymous with SOX itself. Doubts about the balance of costs and benefits and whether the result will be increased de-listings and going to private transactions to avoid 404's burdens have made this the portion of the Act that has encountered the most political resistance" (p. 950).
Given the amount of ink that has been devoted to SOX legislation and in particular section 404 over the past five years, one might think that the subject of internal controls and corporate transparency issues didn't exist before this decade's now famous accounting scandals. However, corporate scandals have been around for a long time and will likely continue despite the best intentions and government intervention.
From a historical perspective, one should consider the following quote:
"Concern about the adequacy of internal controls-and corporate accountability generally-was one of the most important issues in securities regulation in the 1970s. Because a handful of large corporations had funded the break-in of the Democratic headquarters, the Watergate scandal led directly to questions about the legitimacy of corporate managers' opaque dominion over corporate assets, especially as it related to foreign and domestic bribery and illegal political campaign contributions" (Langevoort, 2006, p. 951).
In another citation, Langevoort points outs the following:
"Revisiting section 3.4.2 of Clark's Corporate Law'* ("Duty of Care as Responsibility for Systems") reminds us, however, that the internal controls story actually goes back many decades, and that many of the strategic issues that are at the heart of section 404 have long been contentious"(2006, p. 950).
By now it should be clear that internal controls are not a new concept for corporations. Depending upon the size and complexity of an organization, the implementation of internal controls to mitigate financial and operational risk may vary, but few businesses operating today can afford not to implement a base-level of checks and balances -particularly for publicly-traded companies. Public companies must satisfy not only regulatory requirements but also meet stakeholder expectations when setting up and monitoring internal controls. The most visible "testing" of internal controls remains the auditing of a company's financial statements. With increasing frequency, internal controls are put in place to mitigate risk throughout all functional areas of an organization and as such, financial audits are being replaced by enterprise risk audits.
"The primary stakeholders of internal audit — the board of directors, audit committees and senior executive management — have come to recognize the valuable role that internal audits should perform and have set their expectations accordingly" (Gregory, 2007, ¶4).
Similarly, executive managers have set their expectations higher; they look to internal audits for a reliable appraisal of the system of internal control — for which they are responsible — and, most importantly, they want advice as to how internal control should be improved (Gregory, 2007, ¶7).
Good corporate governance relies on risk management to identify the problems faced by the organization and on internal controls to achieve that organization's objectives. Internal auditors, apart from supporting the organization and enabling it to identify and monitor the upcoming risks, must also understand and monitor the functioning of the internal controls system, which is the key to implementing the corporate governance principles (Florin & Carmen, 2013).
Clarification of Internal Controls
(Specific to Sarbanes-Oxley Section 404)
In 2005, the Securities and Exchange Commission (SEC) issued the "Statement on Management's Report on Internal Control Over Financial Reporting." This statement was written to address many of the questions that had surfaced by corporate management teams and auditors in the first few years of SOX 404 compliance. Adrian P. Fitzsimons and Gerard A. Lange noted the following in their article about the SEC statement.
"The SEC staff noted in the statement that the establishment and maintenance of internal accounting controls has been required of public companies since the enactment of the Foreign Corrupt Practices Act of 1977 (FCPA). The significance of Section 404 of the SOA is that it re-emphasizes the important relationship between the maintenance of effective internal control over financial reporting and the preparation of reliable financial statements" (2006, p. 42).
The SEC statement pointed out some of the high level issues and concerns that had been brought to their attention regarding SOA 404 compliance. The SEC noted that in many cases, "significant costs" had been incurred by companies — the SEC noted that some of...
(The entire section is 5871 words.)