Tyco, WorldCom, and Enron are examples companies that failed because of improper internal controls. Internal control systems are useful to organizations because they identify and correct accounting frauds or errors. However, internal controls are useless if risks associated with an organization’s routine decisions are not monitored. Enterprise risk management (ERM) focuses on risks to an organization’s operations and ensures that controls are in place to eliminate, mitigate, or compensate for those risks (Louwers, Ramsay, Sinason, & Strawser). Additionally, ERM identifies and assesses risks to management’s objectives by evaluating internal control components; control environment, risk assessment, control procedures, monitoring, and information and communication.
An effective control environment primarily defines organizational structure, commitment to competence, assignment of authority and responsibility, and internal audit functions. Control environments are important any type of risk approach because it establishes organizational tone, the foundation of organizational internal control, and its response to risk (Louwers et al).
Risk assessment is the process used to estimate the likelihood and impact of risks on management’s objectives. Risk assessment generally includes risk-response. After potential risks are identified, they become part of an organization’s risk portfolio. Risk response is then used to evaluate correlations and total impact and make changes to optimize the risk portfolio (McCarthy, Flynn, and Brownstein).
Control procedures are actions taken by management to eliminate, mitigate, and compensate for risks (Louwers et al.). The most frequently used control procedures are performance reviews, segregation of duties, physical controls, and information-processing controls. Performance reviews gives management the opportunity to perform periodic evaluations of the organization’s objectives and ensure they are being met. Segregation of duties separates tasks such as authorization to execute transactions, recording transactions, and periodic reconciliation of existing assets to current amounts to reduce the risk of an individual creating and concealing errors, frauds, and misstatements within the organization (Louwers et al.). Organizations have physical controls in place to prevent access to documents, inventory, and specific areas by unauthorized individuals. Information-processing controls create audit trails and are in place to ensure financial statement transactions are processed correctly.
Monitoring is an ongoing assessment of the quality of an organization’s internal controls. Examples of monitoring controls may include analyzing customer or vendor billing complaints, supervising the accuracy of transaction processing, and comparing recorded amounts to assets and liabilities (Louwers et al.). Monitoring activities are similar to control activities. Unlike control activities, monitoring activities are more in-depth because they include identifying weaknesses in other controls. Although monitoring includes management related tasks, audit committees are generally assigned these tasks.
Information and Communication
Information and communication are necessary for management to complete an organization’s objectives. Information systems are effective when they consistently provide timely, current, accurate, and accessible information related to an organization’s external sources. Communication is the means of relaying information to internal and external sources through report production and distribution (Louwers et al.).
Insurance and portfolio approaches are good tools because they give organizations the opportunity to align their investments within their tolerated risk range and save costs on investments that are immaterial and relevant to their investment objectives. However, these approaches do not provide for periodic and timely evaluations that lead up these approaches or ensure that the organization’s objectives are consistently met. To ensure all of an organization’s objectives are met and properly handled, implementation of a system that will complement an effective internal control system and the insurance and portfolio approaches in necessary.