COSO Committee of Sponsoring Organizations of the Treadway Commission
Committee of Sponsoring Organizations of the Treadway Commission
The characteristics of smaller entities tend to provide significant challenges for cost-effective internal control. Often managers of smaller entities view control as an administrative burden to be added to existing business processes, rather than recognize the business need for and benefit of effective internal control that is integrated within these processes.
Among the challenges are:
-
Obtaining sufficient resources to achieve adequate segregation of duties
-
Balancing management's ability to dominate activities, with significant opportunities for improper management override of processes in order to appear that business performance goals have been met
-
Recruiting individuals with requisite expertise to serve effectively on the board of directors and committees
-
Recruiting and retaining personnel with sufficient experience and skill in operations, reporting, compliance, and other disciplines
-
Taking critical management attention from running the business in order to provide sufficient focus on internal control
-
Controlling information technology and maintaining appropriate general and application controls over computer information systems with limited technical resources
Despite resource constraints, smaller entities usually can meet these challenges and succeed in attaining effective internal control in a reasonably cost-effective manner.
Many smaller entities have limited numbers of employees performing various functions, which sometimes results in inadequate segregation of duties. There are, however, actions that management can take to compensate for this circumstance. Following are some types of controls that can be implemented:
-
Review Reports of Detailed Transactions—Managers review on a regular and timely basis system reports of the detailed transactions.
-
Review Selected Transactions—Managers select transactions for review of supporting documents.
-
Periodically Observe Assets—Managers periodically conduct counts of physical inventory, equipment, and other assets and compare them with the accounting records.
-
Check Reconciliations—Managers from time to time review reconciliations of account balances such as cash, accounts payable, and accounts receivable, or perform them independently.
Segregation of duties is not an end in itself, but rather a means of mitigating a risk inherent in processing. When developing or assessing controls that address risks in an entity with limited ability to segregate duties, management should consider whether other controls satisfactorily address these risks and are applied conscientiously enough to reduce risk.
Many smaller entities are dominated by the founder or a leader who exercises a great deal of discretion and provides personal direction to other personnel. This positioning may be key to enabling the entity to meet its growth and other objectives, and can also contribute significantly to effective internal control. With this leader's in-depth knowledge of different facets of the entity—its operations, processes, policies and procedures, contractual commitments, and business risks—he or she is positioned to know what to expect in reports generated by the system and to follow up as needed. Such concentration of knowledge and authority, however, comes with a downside: the leader typically is able to override controls.
There are a few basic but important things that can help to mitigate the risk of management override:
-
Maintain a corporate culture where integrity and ethical values are held in high esteem, embedded throughout the organization, and practiced on an everyday basis. This can be supported and reinforced by recruiting, compensating, and promoting individuals where these values are appropriately reflected in behavior.
-
Implement a whistle-blower program, where personnel feel comfortable reporting any improprieties, regardless of the level at which they may be committed. Importantly, they may be able to maintain anonymity and confidence that reported matters will be investigated thoroughly and acted upon, appropriately and without reprisals. It is important that where circumstances warrant matters can be reported directly to the board or audit committee.
-
Position an effective internal audit function to detect instances of wrongdoing and breakdowns at the entity and subunit levels. Ready access to relevant information and ability to communicate directly with senior management and the board or audit committee are key factors.
-
Attract and retain qualified board members that take their responsibilities seriously to perform the critical role of preventing or detecting instances of management override.
Such practices mitigate the risk of impropriety and promote accountability of leadership, while gaining the unique advantages of cost-effective internal control in a smaller entity environment.
The discussion above highlights the need for a board of directors with requisite expertise to perform its oversight responsibilities well. With appropriate knowledge, attention, and communication, the board is positioned to provide an effective means of offsetting the effects of improper management override. In smaller entities, the board of directors typically has in-depth knowledge of what usually are relatively straightforward business operations, and it communicates more closely with a broader range of personnel.
Many smaller entities, however, find it very difficult to attract independent directors with the desired skills and experience. Typical challenges to finding suitable directors include inadequate knowledge of the entity and its people, the entity's limited ability to provide compensation commensurate with board responsibilities, a sense that the chief executive might be unaccustomed or unwilling to appropriately share governance responsibilities, or concerns about potential personal liability.
Some entities address such concerns of desired board candidates and expand their search of valued or required expertise such as financial and accounting expertise. In this way, they can shape the board to not only appropriately monitor senior management, but also to provide value-added advice.
Many smaller entities do not have the extensive technical resources necessary to select, develop, and deploy software applications in a controlled manner. Thus, these entities consider alternatives to meet their needs of business processes and internal control.
Many smaller entities use software developed and maintained by others. These packages still require controlled implementation and operation, but many of the risks associated with systems developed in-house are reduced. For example, typically there is less need for program change controls, inasmuch as changes are done exclusively by the developer, and generally the personnel in a smaller entity don't have the technical expertise to attempt to make unauthorized program modifications.
Commercially developed software packages can bring additional advantages. Such packages may provide embedded facility for controlling which employees can access or modify specified data, perform checks on data processing completeness and accuracy, and maintain related documentation.
Monitoring activities routinely performed by managers running a business can provide information on the presence and functioning of other components and relevant principles. Management of many smaller entities regularly perform such activities, but have not always taken sufficient credit for their contribution to the effectiveness of internal control. These activities, usually performed manually and sometimes supported by computer software, should be fully considered in designing, implementing, and conducting internal control and assessing the effectiveness of internal control.
| Generated November 9, 2014 22:46:48 |