- Describe a business process you have experienced (either as an external or internal participant) and what your role was.
- The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high-profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
- In your own words, how would you define a control environment?
- Describe a real-life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability-driven control?
Deepali Kochhar says
Answer to Q 1:
INFORMATION SECURITY EXCEPTION BUSINESS PROCESS
Purpose: Method to obtain an exception to compliance with a security policy or standard
Scope: Organization’s security policy and standards
Description: Exception may be granted by the Information security team of the organization for a non-compliance with a standard resulting from:
• Implementing a solution which causes minimal risk to the organization
• Implementing a solution with equivalent protection
• Inability to implement a standard due to some limitation
Process
• Requester will submit the exception form with the description through data governance portal
• Form is received by information security team
• Exception is assigned to a Security Analyst in the team
• Security Analyst will gather all the necessary information
• Security Analyst will contact the requester if more information is needed
• Make a decision on the level of risk it can cause to the organization
• If RISK: LOW-> APPROVE, copy the manager in the decision
• IF RISK: MEDIUM OR HIGH-> Call a meeting with the team and the manager, discuss the details such as what all risk it may cause if the exception is approved and what are the alternatives to this.
• Manager will make a decision on whether to deny, approve or suggest an alternative to the exception
• Notify the requester
• Requester may appeal against the denial by submitting additional documents or requesting a meeting to discuss the decision.
MY ROLE:
I was an internal participant of the above business process. I worked as a Security Analyst in the team. Exceptions were assigned to me directly. I used to review the details, request additional information from the requester if needed and decide on whether to approve the exception or additional reviews are needed. I was responsible for calling a meeting with the manager based on the level of risk it may cause.
Example:
• Requester will submit the form with all the details such as what kind of data it is, reason for migration, duration for which data will remain on the new server, penetration testing report of the server on which data needs to be migrated.
• Exception is received by the Information security team and is assigned to an Analyst.
• Analyst will review all the details such as the type of data and how crucial it is. For example, if it is PHI (Patient health information) data, it needs a high level of protection.
• Penetration test reports of the server will determine the level of vulnerability of the server based on which it will be decided whether the data is safe or not.
• Based on these facts the Analyst will take a decision on the level of risk and will approve the exception or pass it to the manager for further reviews.
Deepali Kochhar says
Answer to Q 3:
An environment which is in compliance with the defined set of standards and policy is considered as a control environment. Such environment is built in an organization to:
• Ensure reliability in the processes and operations
• To take preventive actions against any kind of fraud such as financial, security, data breach etc.
• To make sure that everyone in the organization has a common set of principles to follow so as to maintain a uniformity
• Assignment of authority and responsibility
• Generate trust and reliability in its clients with respect to all the business operations shared between the organization and the client as well as to provide them reliable reporting
Example of control environment:
IT Auditing:
To check whether Information Technology controls:
• Ensure data integrity
• Safeguard IT Infrastructure
• Are aligned with the business objectives and goals
Haozhu Huang says
I agree with Kochhar about control environment.
Actually, after I read your answer, I thought more about what the requirements of the control environment are. Perhaps, if a company needs to control environment, CPA should pay more attention to the management under the supervision of integrity and ethical culture, and try to prevent or detect the fraud the right and wrong control.
Yulun Song says
I agree with your comments and I think your explanation and examples explained control environment well.
In addition, I would say that risk management within an organization is so important for the business. Some risks can be accepted, some can be transferred and some can be mitigated, but never ignore the risks (learned from Risk Management class during undergraduate).
Organizations should plan and manage risks before they really happen. Mostly the costs to manage risk are not high, but if the risk really happens, the costs will be extremely high to fix the problem.
Based on our major, IT auditing and cyber security, it is a reminder for all of us: never ignore risks.
Seunghyun (Daniel) Min says
Rightly said, Yulun.
Risks are the last things that a company wants to ignore. A risk can be defined as a measure of threat, which means a risk can also be described as potential losses or a damage to an organization. You hit it right on the head as it is crucial to set up the right risk management plan within the organization. One of the best options to mitigate risks is using the Frameworks. They are well-designed lists/documents that elaborate each step of the required actions with a compliance to reduce risks.
Jaspreet K. Badesha says
I agree, compliance driven controls are more controls to keep information safe and profitability driven controls are put in place so the company has the ability to make as much profit as possible by following certain rules. For example, a hospital has to protect its patient information and educate their staff on certain policies such as HIPAA. However, a profitability control may be to have two patients in one room to help reduce certain costs for the hospital and they will still get the same revenue and more profit.
Joshua Tarlow says
I agree that HIPAA is a compliance control for a hospital because it does protect health data and is a legal requirement. It might also be possible to consider HIPAA with profits. If a hospital suffers a data breach because HIPAA requirements were ignored, then reputation and financial losses could be significant. Reputation is one of the most important risks for any organization and hospitals need patients/customers to trust them with their healthcare data. Financial losses can typically be absorbed through insurance and retention, but damage to a reputation can last far longer.
Mansi Paun says
You’ve explained the controlled environment really well, Deepali. I’d like to add that within Safeguarding IT Infrastructure, the below activities are extremely critical to gauge the level of Control within the organization:
1) Tracking and maintaining Issues and Risks
2) Timely Server patching activities
3) Accurate On and Offboarding process for personnel.
4) Timely verification of “Continued Business Need” for access to various IT systems.
Annamarie Filippone says
Question: Describe a business process you have experienced (either as an external or internal participant) and what your role was.
One business process that I have experienced as an internal participant was billing and collections, while interning in the accounting/finance department of a major transportation company. The process went as follows:
1. Customer, such as another transportation company, requests a price quote for a particular good or service from us (renting out train cars, for example).
2. Our company provides price quote.
3. If customer approves, a contract is created and signed by both parties.
4. Good or service is provided.
5. Invoice is created in SAP and sent to customer, and they are expected to pay within 30 days.
6. If payment is not received within 30 days, a collections notice is sent as reminder.
7. Collection notices are sent out on periodic basis from then on, until payment is received and the transaction is marked complete within SAP.
I had several roles within this process. First, I created invoices in SAP to be sent to customers, after receiving the sales information from my co-worker. I was also responsible for sending collection notices to customers flagged as very late (90 days or more without paying).
Fred Zajac says
Annamarie,
I am familiar with the business process you have experienced. The one thing I would like to mention is how a net 30 vs. immediate payment makes the business process much harder for the internal staff. Finding a solution to assist the cumbersome business processes, or “Working Smarter, not Harder” makes the added burden more manageable.
Many businesses work on a net 30 or longer billing cycle, which adds another level to the billing process, consumes time, and opens up the risk of bad debt.
Prior to moving back into the technology industry, I was running a small U.S. Veteran staffing business full-time. We helped businesses recruit and retain U.S. Veterans. The billing cycle included a pro-rated 90 day invoice.
The terms were:
-100% money back for the first 30 days if the placement doesn’t work out
-66% back for 31-60
-33% back for 61-90
Company is invoiced on the day of termination or the 90th day of employment.
This left a LONG time for things to happen and more difficult to manage. Using an SAP system helps automate the process. As a small company, we didn’t have the resources to purchase an automated billing system. There is something to be said about solutions that automate or reduce the problems that may arise from any “business process”.
Seunghyun (Daniel) Min says
Annamarie,
I appreciate you sharing your experience! I also had an experience similar to yours regarding sending/receiving invoices through an automated system. The one I used was, however, nothing close to SAP system, though. I used the in-house developed system while I was working for a grocery store. The system only comprised simple functions (creating sales reports, billing and receiving invoices, for example). But one thing I was the most impressed with the system was (like you mentioned 30 days payment period) it automatically pushed out a notification to customers, whoever we were filling out invoices to, before and after the 30 days payment period. Thanks to the notification, it was much easier for us to collect the payment. Additionally, we were able to extract an Excel data file from the system, so we could look over data of which payments were overdue.
Fred Zajac says
My role as a business development executive gave me exposure to the business process of “generating revenue” for the company. The Revenue Generation Cycle moves through multiple business functions and involves, “A series of logically related activities… to produce a… result.” (class powerpoint).
The cycle begins with the research and development function producing a product that will sustain a competitive advantage over the competition. The marketing / sales function will target a specific audience by producing a marketing campaign. The supply chain manufactures the expected demand produced by the marketing campaign. The warehouse will house and distribute the finished goods to the customers. Finally, the Finance function will process the invoices and collect payments.
A more direct experience would be inside the Marketing / Sales function. Inside the Marketing / Sales function is another process called the Sales Cycle. A “Sales Cycle” starts from marketing research conducted by the company. The initial research is usually referred to as a “Cold” lead. The cold lead is then passed to an inside sales representative who will qualify or reject the lead. Rejected leads are kept and labeled for future campaigns, but the qualified leads will be passed to an account executive. The qualified leads are usually referred to as, “Suspect”. The account executive will transition the Suspect into Prospect by conducting a screening process to determine if the good/service can produce business value for both parties. If the answer is yes, the sales manager approves the deal and it moves out of the Marketing / Sales function.
Priya Prasad Pataskar says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was?
As an internal auditor I was also responsible for audit scheduling and initiating audit process.
Function : Information and Data Security
Process : Audit Scheduling and Initiating process
Aim : The aim of the process was to prepare audit schedule and gather information from stakeholders to kick start the audit
Timeline: At the beginning of financial year my team would have to release the audit schedule and hence we started the below process a month prior to the plan release date. I was the core team member and performed below activities.
The process is as follows:
1. Reviewing the Company Audit Plan for the financial year
2. Mapping company audit plan to client audit plan requirement
3. Preparing the schedule on basis of the mapping
4. Publishing first draft of schedule to stakeholders
5. Collating data from the responses of the stakeholders
6. Making changes in the first draft schedule on basis of data collected from step 5
7. Sending the updated schedule to management for approval
8. Post approval, releasing final schedule to stakeholders
9. Collating internal and external compliance requirements to make list of documents required for audit from the auditee’s side
10. Initiating audit and sending the preparatory lists to the stakeholders
11. Commence the opening meeting to set the audit agenda
Paul Linkchorst says
Hi Priya,
I have had a very similar experience as you. While I was only an intern for a year performing Internal Audit work, I did participate in some scheduling and audit planning. To take this one step further, I am going to identify how the audit process worked once the opening meeting has been held. It will be interesting to see if my experiences were similar to yours.
Process: Audit Testing
1. Commence the opening meeting to set the audit agenda
2. Review written procedures to identify if they align with procedures discussed in opening meeting
3. Request documentation/evidence necessary to test
4. Review documentation and ask any questions that are still unanswered
5. Compile testing findings
6. Conclude findings in audit report
7. Meet with auditee to discuss conclusion and provide report
Priya Prasad Pataskar says
Hi Paul. Yes the audit steps did go the way you mentioned. Step 3 surprisingly took the longest time. Understanding of what documentation is requested is very necessary. Auditees spend time in collecting all the data and presenting it, and they do it from Auditee perspective. It might not be the same as what auditor expects. Spending more time in opening meeting and writing down all requirements clearly before the opening meeting always helped.
Paul Linkchorst says
Priya,
In my experiences this seems to be the most frustrating thing about being an auditor. I’ve seen multiple methods to combat this which includes assigning a designated auditee to feed all the documentation requests through to providing an example of last year’s requested documentation. It frustrates both the auditor and the auditee if both can’t align what needs to be tested early on. You are most certainly right in that communication early on is key to reducing this frustration.
Seunghyun (Daniel) Min says
Priya and Paul,
I really thank you both for sharing your experiences and explaining steps of the audit process. I’ve also heard that it is absolutely labor intensive to collect right evidence/documentation for auditees.
As I have no experience in internal auditing, could you tell me how long it took to complete an auditing process? I can assume a time could vary depending on the case; however, I just want to have a sense of an average time in general. Thanks!
Paul Linkchorst says
Sure thing Daniel. I think it really depends on the type of audit that is being performed. From your standard Internal Audit, which is to say that Internal Audit is performing a non-compliance audit for their own understanding of a process, that would usually take like 2-3 months depending on the size of the department and complexity of the process in audit. For SOX control testing, that can have a pretty significant range depending on the Internal Audit department’s capabilities. This is normally done by external auditors but can be performed by Internal Auditors if the external auditors can place reliance on the testing. Due to this, testing can range from hours to months. My experience was that SOX testing took a couple of months around the end/beginning of the year, but the work was spread out among eight auditors.
Hope this helps!
Priya Prasad Pataskar says
3. In your own words, how would you define a control environment?
Control environment is established by defining set of policies and procedures by the governing body (board of directors/ senior management) of the organization. The control environment establishes the culture, practices and behavior in the organization.
Ex. To list a few examples of control mechanisms, we can state that a company ‘X’ has a control environment if below policies are implemented
1. The management conducts meetings at regular intervals to plan policies to be implemented. They also take effort to create awareness about those policies among the employees
2. All employees undergo the background check process
3. No visitor is allowed in the facility unless accompanied with an escort
4. Control in physical environment ex. Access protected doors, electronic surveillance
5. Control in logical environment ex. Authorization and authentication for software applications
6. Controls around information ex. Backup of data is taken once a week.
It is necessary that the implementation of controls must be verified and validated. Monitoring the controls will help maintain the code of the organization.
Brou Marie Joelle Alexandra Adje says
Well explained Priya. Control environment is all about making an organization secure. I would add to this that control environment also relies on integrity, ethical values and also skills and employees’ competences. Another example of control mechanisms could be training sessions for employees. The control environment, in order to be efficient, should be understood.
Fred Zajac says
Priya,
You list great examples in your post and I immediately thought of the co-location (data center) my organization uses. We are housed in two separate data centers. One in Philadelphia (Equinix) and one in Newark, DE (HostMySite). Both are managed independently and have multiple levels of redundancy, but the one thing that impressed me was the controlled environment.
Since many of our customers are regulated by HIPAA and SOX, the security requirements for data is at the forefront of both regulating organizations.
Now, we use both services in our sales pitch by saying, “Do you know where the competition is storing your data?” Are you sure it isn’t at their office location, or at the owner’s house. What would happen if a disgruntled employee decided to compromise your system, or worse a fire destroys their Network Operation Center (NOC) at the main office. You and your company would be without your hosted system.
Annamarie Filippone says
Question: The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction?
Laws like SOX were an appropriate reaction, especially given how much harm resulted from high-profile control failures. Enron, for example, cost people billions of dollars in total, from lost shareholder value to the loss of retirement funds for employees, due to the misuse of mark-to-marketing accounting. If the company signed a long-term contract to provide power to a plant still under construction, they immediately recorded the estimated profits (even if the actual number ended up being much different).
It is clear that this was blatant misleading of shareholders, and the fall of companies such as Enron and WorldCom made it clear that such practices must be stopped. Regulations like SOX help prevent accounting fraud by requiring management to confirm the accuracy of financial disclosures, as well as establish internal controls within the organization and report on their efficiency.
Priya Prasad Pataskar says
I agree with your point Annamarie.
Laws like SOX are not only sufficient but also prove beneficial for the management to establish control over the happenings in the company. SOX mandates to exhibit clarity with the shareholders and thus helps in building trust.
Brou Marie Joelle Alexandra Adje says
I agree with Annamarie in the sense that laws like SOX are “appropriate reaction” to the control failures encountered in the past. These laws not only protect shareholders, by obligating companies to disclose financial information, but also raise awareness on the importance of internal controls in the market.
Indeed, organizations have to regularly test the effectiveness of their internal controls, which allow them to manage risks. However the main question here is to know if they are in fact sufficient to fight corporate fraud. I think there is always a way around the system, so no they are not sufficient reaction to the high profile control failures.
Deepali Kochhar says
I agree with Annamarie and Priya that SOX has been beneficial to the management to establish controls over the processes.
But we cannot ignore the cases such as Lehman Brothers case and Bear Stearns Cos. case which occurred after the implementation of the law where the senior management of the organizations were left uncharged in spite of their wrongdoings. Therefore, I also agree with Brou’s point that SOX is not a sufficient reaction to control failures.
Binu Anna Eapen says
I agree with Alexandra that SOX just forms the basic platform for providing control and is not sufficient in itself to prevent fraud. But without it, it would be an open field for more fraudulence. It always helps to learn from the past and to prevent it, instead of regretting later.
Mansi Paun says
In my opinion, while the Sarbanes-Oxley Act helped in making the Executive Management accountable for the lapses in control measures and in turn reducing instances of Fraud in the Finance industry, it certainly isn’t sufficient or there wouldn’t have been other cases of fraud after the law came in effect.
Did it achieve the goal of reduction in fraudulent practices – Absolutely. Is it sufficient by itself to entirely keep check on fraud? Definitely No. There remains a lot of room for improvement.
Sarbanes-Oxley has essentially made it impossible for the smaller firms to do business due to higher operational costs. This obviously is in favor of the bigger businesses and quite unfair to the smaller players in the market.
Abhay V Kshirsagar says
Mansi,
In addition to the higher costs incurred by the smaller companies, I think it also demoralizes the risk taking attitude among the public companies in America. But having said that, I believe that since the repercussions related to Enron, Worldcom, etc. were significantly large and protecting the investors became a task of utmost importance, SOX bill was an appropriate reaction.
Mansi Paun says
I agree, Abhay. My point was just that. Formation of SOX regulations was certainly called for (to tackle dipping shareholder trust in the US markets). But it seems more like a short-sighted, hasty stop gap arrangement to rebuild investor trust as opposed to well thought loop-hole-free regulations that would hold the right people accountable and not just the Senior Management by the threat of jail time.
Brou Marie Joelle Alexandra Adje says
I absolutely agree with Mansi that SOX laws are in favor of bigger firms, which is very unfair. Small businesses shouldn’t be required a lot of internal control. The reason being that they have a simple organizational structure. In fact, they usually do not have as many business models and departments as big firms like Apple, for example, would have. Additionally all the big scandals that led to the creation of these laws occurred in big firms and were costly to shareholders. However, small firms do not have the same type of shareholders as big firms. Take the example of a small firm created by family members. These people have no interest in cheating themselves. Therefore, they do not need SOX laws per se. I’d say these laws are discriminatory in a way. The goal was supposed to “fix” the industry, secure organizations, and create favorable environment for investors. Unfortunately, it seems like it is also pushing away small businesses.
Jaspreet K. Badesha says
I agree, these laws are a sufficient reaction to the high profile control failures. These laws help place internal controls into companies to help protect their investors and to make the market a safer place. This makes senior management accountable for what goes on in their company. Without these laws it would make it unsafe for not only investors but all of the employees who would lose their jobs like they did in Enron. The more people you hold accountable for actions the less likely a firm or person is to fraud.
Magaly Perez says
I agree with Annamarie and Priya. Laws and regulations like SOX are not only adequate but needed. SOX not only aids management by establishing rules and set standards for compliance, but also creates a cohesiveness of protection amongst the organization, shareholders and general public.
Regulations are an appropriate response. They hold senior management liable for their actions and inevitably prevent fraud within the organization.
Joshua Tarlow says
It is true that SOX places more burden on corporations, it was a necessary reaction to the corporate scandals. While most companies are not defrauding their investors, it only takes one large enough company to collapse to reverberate through the economy. If a company the size of Met Life or AIG were to fail, the global economy could fall into a recession. Additionally, it is important for people to have trust and confidence in the market for it to function properly. Scandals such as Enron undermined confidence, and many lost trust in large corporations and regulatory organizations. Increased regulatory oversight is essential for regaining the public confidence and trust, even though it may disproportionately affect smaller companies.
Annamarie Filippone says
Question: In your own words, how would you define a control environment?
A control environment comes from the perceived attitude and actions of upper management regarding the importance of the internal control system within an organization. This environment is reflected in a variety of ways within an organization, including the organizational structure, culture, and business procedures.
The attitude of upper management will trickle down through the organization and be perpetuated at all levels, so it is crucial that management recognizes the importance of the internal control system. A lax or even annoyed attitude toward the ICS will result in a weak control environment overall, while a proactive and positive attitude regarding the ICS will create a stronger control environment for the organization.
Sean Patrick Walsh says
In your sentence, “A control environment comes from the perceived attitude and actions of upper management…,” how high up the chain do you mean? I completely agree with you that fostering a company culture of the importance and significance of ICS is key to its success. In your opinion, does the CEO’s attitude hold more weight in the program’s success or do the “front-line” leaders have more impact?
Jaspreet K. Badesha says
I think it can go up to the C suite or the Board. I believe the board’s attitude influences the C Suite and then downwards. Therefore, I believe it starts all the way at the top.
Annamarie Filippone says
I would say that cooperation from both the C-suite and “front-line” leaders is necessary to establish a strong control environment. While the C-suite can set the tone for the entire organization by including a strong internal control system as a company value, lower level employees will look to the “front-line” leaders to see how this general idea is implemented in their everyday work.
Sean Patrick Walsh says
I totally agree and only brought it up from personal experience in the military. What is put out by “the brass” in D.C, and what is said by your Commanding Officer, can be totally lost by the time it gets down to whoever is directly in charge of you and your colleagues. I believe they are both important, but figuring out how to get them both aligned can be a challenge in some environments.
Wenlin Zhou says
I agree with your thoughts, however, I think the environment should include more aspects. For example, many companies have high values and seek to promote honesty and integrity among their employees on a day-to-day basis. What’s more, competence is the knowledge and skills necessary to accomplish tasks that define the individual’s job.
Fangzhou Hou says
I do agree with your points, but I think the upper management should also take the responsibility to enhance the level of ICS. If the decision makers in an organization underestimate the significance of the Internal Control System, the internal control environment will become weaker. For example, if the upper management didn’t realize the importance of data backup or disaster recovery plan, the information assets of organization may suffer huge loss in unethical hacking.
Annamarie Filippone says
Question: Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability-driven control?
An example of a profitability-driven control within an organization is price comparison prior to vendor selection. Many cost-conscious organizations, such as Walmart, will complete a thorough comparison of potential vendors before selecting one. There are no legal regulations that require an organization to choose the lowest-priced vendor for goods or services ordered, therefore this is not compliance-driven. However, selecting a lower-priced vendor will reduce costs and increase profitability, thus making it profitability-driven.
Compliance-driven controls are focused on adhering to legal regulations applicable to the organization, while profitability-driven controls are focused on maintaining earnings from business activities. However these two are not mutually exclusive, since compliance (or lack thereof) to legal regulations can have an effect on profitability.
Priya Prasad Pataskar says
Great post Annamarie!
I also think having compliance driven controls helps increase profitability in some cases.
There would be a huge one time cost to establish compliance controls and may take time to be implemented. However, in the longer run the well established control will help the company against fraudulent data, law suits, miscommunication in turn saving the money the business could have lost in future.
Said Ouedraogo says
I agree with you guys. As a compliance driven control helps increase profitability in some cases, it can also drive a company out of business. Considering the example in your post Priya where a company chooses to use raw material of grade B instead of raw material of grade A. What if grade A is the standard and the company can’t afford it?
Compliance driven controls can be a huge burden for some companies in difficult financial situations.
Priya Prasad Pataskar says
What you say is right Said, If grade A is too costly the investment cost is going to increase. However if the standard recommends to use grade A must be with logical reasons. In longer term grade B material will incur more costs to company in terms of return of goods as users were not satisfied, poor quality or it might lower the brand value.
According to the research conducted by Lord & Benoit, they talk about section 404 of SOX. Critics believe incurred control costs are huge. But their research on 2000 plus companies proves the increase in average share value of the companies that exhibit compliance to section 404.
[Lord & Benoit Report (2006):] The research showed that over the two year period there was a:
– 27.67% increase in the average share prices for companies that had effective controls
– 25.74% increase in average stock prices for companies that had ineffective 404 controls in year one but effective 404 controls in year two (0.6% increase in year one and 25.14% increase in year two).
– 5.75% decrease in average stock prices of companies that reported ineffective 404 controls in both years (9.85% decrease in year one partially offset by a 4.11% increase in year two)
Yu Ming Keung says
I agree with you Annamarie. The Wal-Mart example really shows how profitability-driven controls work in a corporation. Since Wal-Mart’s business strategy is “everyday low price”, if Wal-Mart doesn’t select the vendors with the lowest costs, it cannot afford to offer the lowest prices of its merchandise to its customers.
A company can achieve profitability driven controls while achieving compliance-driven controls? Based on the Wal-Mart example, obviously it is profit-driven, but it recently has invested heavily in its customer service lines, improving grocery items such as organic food, and lastly the online stores. If a company can achieve compliance-driven controls, it can have a positive effect on the profit because both controls are not mutually exclusive.
Wenlin Zhou says
I agree with you. Walmart focuses on the “low price everyday” strategy, so Walmart would choose the lower price supplier, and then customers are able to buy cheaper products; this is Walmart being profit-driven. What’s more, Walmart’s choice of vendor and supplier also obeyed the law. Compliance-driven controls are focused on obeying the law. Therefore, if the company makes the correct strategy, the relationship between compliance-driven controls and profit-driven will not be mutual.
Said Ouedraogo says
In fact, while choosing the cheapest supplier Walmart must make sure that this supplier meets the standards. In this case compliance-driven controls and profitability-driven controls are not mutually exclusive to the extent that Walmart is looking to make profits but also looking for the supplier who meets the most to standards.
Yang Li Kang says
Walmart actually looks for suppliers who meet their own standard. I believe I read in a case study from Harvard Business Review that Walmart is such a huge player in the retail industry that suppliers cannot afford to lose their business partnership. They are almost forced to sell their products at a low price to Walmart or risk losing their sales to another supplier who is willing to sell it to Walmart for that low price. It is alarming how Walmart have become the standard that most suppliers have to adhere to, price wise.
Said Ouedraogo says
Yes in fact, Walmart has power over their suppliers. They force them to meet the requirement of their standards. But, those standards are also what Walmart needs to meet in order to operate in legal regulations.
Ming Hu says
As you said, there are no legal regulations that require an organization to choose the lowest-priced vendor, but there are regulations that such selection or transaction must be in compliance with, such as the selection should be legal or satisfies certain standards, so that is still compliance-driven. Only if certain conditions are fulfilled, you may choose the lowest-priced vendor, This is what I disagree with you, but I agree with you that compliance-driven and profitability-driven is not mutually exclusive.
Sean Patrick Walsh says
Question #2 The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
Sarbanes-Oxley initiated many new and needed changes for corporations. These changes were called for to rebuild the trust between the public and businesses regarding the integrity of financial reporting. SOX required a separation of duties and responsibilities for corporate personnel to spread decision-making ability to prevent the ease of collusion. CEO’s going forward would be required to sign and certify their 10K’s and 10Q’s, and face criminal prosecution for any purposely misleading statements. Also, to prevent a conflict of interest for outside auditing companies, SOX set limits and restrictions on the types of services and products an auditing business could offer a company they are auditing.
In my opinion, I believe the changes instituted by SOX were greatly needed and not an overreaction. Many of the changes seem to be common sense solutions that the businesses should have realized the need for without the passage of a law requiring the changes. Although, some people may be firm believers in “caveat emptor,” the boards of the businesses failed to be the “voice for the small investor” which exhibited the need for the regulations to be created too.
Binu Anna Eapen says
Yes. SOX was more like the right thing to do approach. And keeping a standard helps who are coming up in the market or the ones already existing to keep a check on the policies so as not to cheat others and to keep it fair.
Said Ouedraogo says
I do agree with you, but I just think SOX is not enough because corporate fraud still exists. We still have insider trading and people like Bernard Madoff who will always take advantage of the system. Also, SOX laws really focus on management and high hierarchy employees. What about the accounting assistant at the bottom of the pyramid? The point is that corporate fraud is not just a management ‘thing’, and we will need more strict laws.
Sean Patrick Walsh says
Bernie Madoff ran a private investment firm, whereas SOX’s requirements are more for publicly traded corporations. So Madoff had much more control over the corruption that he was a part of. If the financial collapse had never taken place in 2008/2009, I wonder if we’d have even known about what he was doing.
I think the requirements and regulations placed on the auditing firms has definitely helped prevent a lot of the collusion and corruption that spurred the need for SOX. Without the incentives that were there for the auditors previously, and since the auditing leads have to be regularly cycled, there is a much lower likelihood of collusion from the auditors and their firms.
Said Ouedraogo says
Yes you are right, as a private investment firm his firm was not required to be audited by firms registered with PCAOB created under SOX; which allowed him to “fabricate his books”. That’s why I am saying that laws like SOX should be more strict and applicable to firms other than publicly traded corporations.
Magaly Perez says
I completely agree with Sean. Piggybacking off of what Sean stated, SOX’s set standards and regulations prevent a lot of corruption. SOX requires audit boards to institute procedures in which they review auditing, internal control irregularities, and accounting, to overall ensure protection.
Priya Prasad Pataskar says
I believe, if the management has to sign on agreeing that they are responsible for the financial accounting that is happening within their company, it mandates the management to have adequate internal control and also maintain that control.
To maintain this type of control, a framework is established by management and there is an audit team to ensure that all employees are following the defined policies.
Fangzhou Hou says
I do agree with your opinion that the SOX was needed. The section 302 and 404 requires the management of an organization take the responsibility in confirming the effectiveness and weakness of the internal control for financial reporting in an ICS report, and according to the section 404, an external auditor must also submit a confirmation. In this case, the independence of auditing ensures the reliability of reports.
I also believe that these laws enhance the weight of the ICS of an organization, and the disclosure of the ICS report can also help those “small investors” who barely know the industry understand the performance of the organization.
Vu Do says
I agree with you Sean, SOX was needed to build the trust for the integrity of financial reporting. After companies like Enron and WorldCom, there had to be measures put in place to prevent anything like that from happening again. The public needs to know that they can trust what is being reported on companies’ financial sheets. SOX being there will help keep their mind at ease for now.
Fangzhou Hou says
Yes, I agree with your opinion. You mentioned that the upper management now are required to sign on the 10K’s and 10Q’s, which is a good example to explain the management needs to take responsibility in confirming the financial reports under the requirement of the SOX. According to the Section 404 of SOX, management now also needs to confirm the effectiveness and weakness of control environment in an Internal Control Report, and I think this can help small investors who have barely any knowledge about the organization better understand the industry.
Fred Zajac says
Sean,
I agree with you and most of the replies. SOX puts management responsible for the reporting and actions of the company. You mention common sense and others have mentioned fraud still existing with strict SOX regulations, that burden small businesses.
In my opinion, common sense isn’t the standard when business leaders are responsible for stock prices. This is why fraud still exists, unknowingly in organizations. I am not implying all business are corrupt, but merely agreeing that fraud still exists and rules must be changed to adapt to a changing environment. This will unfortunately increase the cost of doing business under SOX regulations but it’s better than having your retirement fund invested in another Enron or MCI / WorldCom.
Priya Prasad Pataskar says
Question: Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability-driven control?
Compliance driven controls are those regulatory decisions that are taken in order to follow set of procedures and standards. They help establish controlled environment.
ex. A company implements SOX compliance controls.
Profitability driven controls aim at increasing the business revenue and lessen the cost factor to benefit the financials of company.
ex. Company chooses to use raw material of grade B instead of raw material of grade A.
Binu Anna Eapen says
Question: Describe a business process you have experienced (either as an external or internal participant) and what your role was.
Role: End of Lease portfolio owner. Managing the laptop replacement for entire Hyderabad region with over 2000 laptop changes per quarter. Assigning the technicians in respective block (walk up) and making sure the resources are provided and coordinating with asset team and business for the change of laptop. Monitor and verify if all the necessary changes are made and if there are any exceptions.
End of Laptop Change process:
• A mail is communicated to all employees whose laptop lease would expire 6 months prior informing that the lease would expire on this day(xx/xx/xxxx) and they would receive a survey after 3 months to choose a laptop model of their preference.
• Three months prior to the date of change another mail is sent asking for their choice of laptop and giving them a deadline (a period of 30 days) to reply by.
• Another mail is sent 3 days prior to the deadline reminding the user. If a survey is not received in time a default model is chosen for the user.
• Once the inputs are received this information is sent to the procuring (Asset management team) to procure the laptops from the respective vendors.
• One month in advance the machines are received and images are deployed.
• One week before the laptop change another mail is sent to the user to submit the laptop on a particular date (xx/xx/xxxx) and to take the necessary backup in case needed and also mentions the good practices.
• On the date of submission, the user walks into the nearest available IT walk up and submits the laptop for change with the adapter.
• The technician then checks the configuration, runs various tools to copy data and install applications and ensures that the data is intact and informs the user to pick up the new laptop.
• Follow-ups are sent to those who have not submitted the laptop and check for alternatives.
• A survey is then sent to each user to check if they are happy with the laptop and also to see that everything is working fine as previous.
• The machines are then wiped after the retention period and then sent to Asset management team to return to the vendor.
Abhay V Kshirsagar says
Binu,
I was just wondering, was this laptop change a part of a control policy to make sure all the users always have updated hardware? Because a vendor lease can always be extended. So, I was just wondering the reason behind this process unless there are any hardware issues with the machine.
Said Ouedraogo says
Describe a business process you have experienced (either as an external or internal participant) and what your role was.
I was an inventory accounting assistant for Total, an oil and energy company. My job was to process gas transportation suppliers’ invoices and enter them in SAP for payment. Those suppliers transport gas from one warehouse to another or to a specific gas station. First, the supplier has to pass the bidding process, and then receive an instruction ticket with the location and quantity to transport. Upon arrival to the warehouse or the gas station, the supplier presents the ticket to the warehouse manager who will put the info in SAP. Then, the supplier sends us an invoice. I verify the invoice to see if it has the correct cost center, account number, PO number… and then give it to my supervisor for signature. Then, I enter the invoice in SAP for payment. Another department has already created the client account and PO number in SAP, so all I have to do is to put the quantity transported and the total amount of the invoice, the cost center in which the supplier is being paid from etc.… And finally, I write down the transaction number on the invoice and pass it to the accounting department who will make the payment and generate a receipt.
Edward N Beaver says
Said, your job was a step in the broader Procurement or Procure to Pay process we discussed in class. You handled tasks in what I described as the ‘Invoice Verification’ step. It’s interesting to see, in your description, how interconnected your task was with others in the process. We’ll learn more about this process and how interconnected the steps are over the next few weeks.
Sean Patrick Walsh says
Did you ever receive paperwork for an order not in the system? I imagine that data can get lost for a number of reasons. Was there a policy in place for you to follow to make corrections, or did you have to escalate to somebody with a higher level of authority?
Said Ouedraogo says
I did receive from time to time some orders that were not in the system. In that case I just have to call the warehouse or the gas station where the gas was delivered and ask them to verify the order number and the ticket. If they received the product and the ticket they will have to do an entry in the system, otherwise I pass the invoice to my supervisor who will call the department in charge with contracting suppliers to see if they ever issued that order.
Abhay V Kshirsagar says
Question: Describe a business process you have experienced (either as an external or internal participant) and what your role was.
Background: During my bachelor’s degree in MIS, I was working as a Technology Analyst intern at EMSI Inc., which is a leading manufacturer’s representative and it served the international market. Their product lines consisted of electrical raceways to customized instrumentation.
Business Process:
1) Customer sends a request to buy items to the sales team.
2) Sales Quotation is provided by the sales team to the customer.
3) A credit check request is generated for the Accounting department.
4) If the customer’s credit is satisfying then customer order is documented and sent to Supply Chain & logistics department or else the request is forwarded to the manager for authorization.
5) In the latter case, manager decides whether to approve, deny or propose different suitable conditions.
6) Order is scheduled for delivery.
7) Order is shipped to the customer and invoice is created and sent to the customer.
8) Customer sends the payment that is collected by and recorded by Accounting department in general ledger.
My Role:
One of my responsibilities was around data integrity. The customer information was usually input by either customer or a sales team and due to many customizations made to the NetSuite ERP, there was a specific way (rule) to input the information to ensure the data isn’t corrupted when it passes through different business functions.
Additionally, I was also involved with the IT team for the ERP & CRM customization to improve the experience of the different business functions for different business processes.
Wenlin Zhou says
Question: In your own words, how would you define a control environment?
The control environment is the internal control of the environment. It stands for the upper manager’s attitude and awareness in the organization in order to reduce the risk of the entity. This environment includes many aspects such as business structure, corporate culture, values, operating style, human resource policies and procedures.
The upper manager should take positive attitude to control environment. The control environment is that how a company is operated by its management, reflecting such matters as their philosophy and operating style.
Jaspreet K. Badesha says
I agree, a control environment is the tone of a company. This includes the firm’s attitude, susceptibility to change or problems, its leadership, etc.
Yu Ming Keung says
Great post Zhou, the attitude of the upper management is crucial to directly affect how a company is operated. And how to achieve a positive control environment is very important, I think that business governance has to be transparent and clear to follow for its lower-level. Employees should be provided with ongoing training, support and mentor programs from the senior management to gain more understanding of the business policies, culture, operating style within the organization so that lower level employees can carry out their proper responsibility effectively.
Binu Anna Eapen says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
Profitability controls can be achieved by meeting customer demand, achieving high sales, controlling costs by reducing or limiting excessive spending. So for example, if a project requires a certain software which is licensed like Adobe Acrobat used for editing documents and the license cost is too high and the similar features are available with Nitro Pro 9 which is slightly cheaper, then the project can get the cheaper software as it is not affecting the business objective.
Profitability driven controls are in the interest of the company’s profit based on the objectives of the firm where as compliance driven controls are bound by the legal policies or by the compliance standards set by the firm. A good firm should be able to achieve profitability and still remain compliant to the policies.
Deepali Kochhar says
I totally agree with your point Binu that compliance driven and Profitability driven should not be kept mutually exclusive.
Your example illustrates the same in a very good way. I would just like to add a little description to the same example to show how profitability and compliance driven can be kept mutually inclusive.
While selecting the cheaper version of the software it is also important to check if that software which is being selected is not leading to any kind of violation or non compliance and is not leading to any kind of vulnerabilities to the system.
Yu Ming Keung says
Binu,
Your Adobe Acrobat vs. Nitro Pro 9 example shows a company may want to achieve profit maximization by using cheaper software because these both software can achieve the same objective. However, if a company wants to continue in the long run, I think it better choose Adobe Acrobat because it can function better and it support most computer systems, even tablets and smartphones. It’s also in conformity with other business partners in terms of software consistency.
In one word, by using cheaper software, it can achieve profit maximization in the short run because it saves money. but in order to achieve profit maximization in the long run, it would have to choose the more expensive software such as Adobe Acrobat.
Binu Anna Eapen says
I agree with you Yu Ming that Adobe may be a better software in itself. But we need to consider what the objective of the business is. If it does not care about the additional functionalities and is not really concerned about the availability and only needs a few of the features which are also available in Nitro Pro 9 and if it is still compliant to the company’s policy, one can consider the latter.
Magaly Perez says
Yu Ming,
You make a strong case, the longevity of a company sometimes outweighs the profitability. For this specific example, the use of Nitro Pro 9 hinders the company’s ability to assimilate on all platforms. Subsequently, by saving some money in the beginning by purchasing the cheaper software to increase one’s profit, they take a larger hit in the long run, due to the software’s inability to be versatile.
Overall, most would think maximizing profitability and saving money would be the number one priority. However, one must take into account the loss of business that can occur due to their choice.
Yet, I completely understand what Binu means. Smaller businesses and companies may just want Nitro due to its affordability and its features for personal use, yet larger companies might need the insurance of functionality and stability of Acrobat. Overall, the objectives and size of a business must be taken into account, when considering compliance-driven vs. profitability driven controls.
Vu Do says
Agreed, for a profit-driven control the company would buy lower cost software which will maximize the profitability of the company. I like how you explained the example with the Adobe Acrobat and Nitro Pro 9. If both software function the same and both can be used on the project, why go with the higher cost. Each project has a limit for the amount of money that can go into it and having lower cost software will open up more money to go towards other resources for the project.
Said Ouedraogo says
Yes true, but sometimes buying the cheapest software is not strategically the right thing to do. Here, we are comparing Nitro Pro 9 and Adobe Acrobat. In the long run, it will be wise for a company to choose Adobe Acrobat even if the company is small and does not need Acrobat features for the moment. In fact, the company aims to grow in the future and will be needing those Acrobat features.
Joshua Tarlow says
I definitely agree that purchasing the cheapest software is not always the best decision. Price should always be considered when comparing competing products, but should not be the sole determining factor. I have only used Adobe Acrobat so I can’t comment on the difference between them other than price. But in my experience having the right software can be crucial and beneficial. Similar to many other strategic decisions, an appropriate balance needs to be achieved between price and functionality. There is always a point at which something becomes prohibitively expensive, and it is important to identify where that is. It is about determining the extra value that is gained from additional cost and if it is worth it.
Mansi Paun says
My response to Q1 (Describe a business process you have experienced (either as an external or internal participant) and what your role was.)
I was involved in Service Delivery Account Management as a Transition Project Manager and over saw the end-to-end Project Management process for the Transition. At a broad level, the process can be broken down into the below steps:
1. Initiation and Planning
a. Defining Project Team
b. Identifying and validating requirements
c. Identifying and Mitigating Risks (runs throughout the Project duration)
d. Dividing Project deliverables into smaller individually managed tasks
e. Estimation of Effort, Duration etc.
f. Creating Project Schedule based on effort, product, activities etc.
2. Executing and Controlling
a. Knowledge Transfer
b. Shadowing
c. Change Management
d. Financial Management
e. Project Control and Execution
f. Project Management Review
g. Go-Live
h. Documentation (Signing off of Compliance Task matrix, Statement of Work, Global Risk Review, Issues and Risks )
3. Project Closing
a. Documentation Acceptance Signing off between Client and Org.
b. Business Acceptance Gate approvals
My role as the Transition PM was to Transition technology operations for multiple service lines for a US based Client. I served as the single point of contact for the Cross-Geo and Client Executive Management and handled Escalation and Communication management facets of Project as well.
Yulun Song says
Good sharing! You were on the management side and your experience includes detailed planning, management controls and finalizing project! In the real world, I recognized that a detailed planning before doing the tasks is more important, and even the internal management control for all part of works is also important.
Thank you for sharing!
Haozhu Huang says
The environment control is achieved based on the organization’s policy, procedures and efficacy. The control environment is a way to achieve the internal control. It will directly impact the enterprise internal control implementation and enforcement of business objectives, which directly influences the whole strategic target. On the other hand, control environment will help to provide the basic rules and framework built, it will influence the employee awareness, including staff ethics, integrity, the management style and the mode of the development of organization.
Haozhu Huang says
this is question 4: In your own words, how would you define a control environment?
Deepali Kochhar says
Answer to Q2.
An example of profitability driven control is a bank tending to keep its interest rates low for the following reasons:
• When economic activities weaken, monetary policy makers can push the interest rate targets below the economy’s natural rate so as to lower the cost of borrowing. This helps spur business spending on goods. Example: home sales increase when mortgage rates are low than when they are high.
• Low interest rate will also help the banks in improving the balance sheets and bank’s capacity to lend.
• This helps raise the industry’s net interest margin(NIM) and boosts its earnings and capital.
However, it will have following disadvantages:
• Lower interest rates encourage borrowing and higher debt as it provides higher incentives to spend rather than save.
• If Short-term interest rates are low relative to long-term rates, banks and other financial institutions may over-invest in long-term assets and if the interest rates rise unexpectedly, the value of those assets will fall leading to losses for the bank.
Since there are no legal regulations that is being followed while lowering or increasing the interest rates and for this reason no standards and compliance is followed.
Compliance driven approach will focus on implementing particular standards and controls within an organization whereas profitability driven approach will focus on achieving good monetary profits. In the above example compliance driven approach will focus on defining standard interest rate risk policies and procedures. This will in some way safeguard the organization from losses which they might face by following just profitability driven approach. So both should follow each other and should not be exclusive of each other.
Deepali Kochhar says
This response is for Question 4. Apologies for the typo.
Haozhu Huang says
I agree with your thought, I believe that compliance means conforming to a rule and profitability means the company pays more attention to increasing the revenue and decreasing the cost. The interest rate example is a very good example to show that both profitability and compliance are not exclusive but support each other.
Brou Marie Joelle Alexandra Adje says
But compliance can lead to a lack of profitability as well. What if a company is required to have a certain amount of software and hardware but with their revenue this requirement ends up being very costly? This would obviously impact the overall profitability. We all know that information security is costly, SOX laws also are costly but mandatory. These can limit the revenue growth of an organization.
Ming Hu says
That’s where divisions exist. To a specific organization, in compliance with certain provisions or standards may be very costly just like you described above. But from an overall aspect, compliance focuses on ensuring that the whole industry is on right track which may lead to increasing profitability of industry as a whole rather than reduces one specific organization’s profitability, even it really did in real life. Just like the existence of traffic regulations may cost your extra time on your trip, but it maintains safety and orderliness of traffic conditions as a whole.
Brou Marie Joelle Alexandra Adje says
True. I was only focusing on an organization specifically not the industry as a whole. Thanks for your comment.
Yang Li Kang says
As Ming Hu commented, all companies within the industry will have to comply with the same laws. This places them on an even playing field. It is then up to the companies to reduce cost elsewhere in order to increase profitability. Companies who do this well will rise to the top in terms of profitability.
Fred Zajac says
Deepali,
Your example of compliance vs. profitability controls was a great way to sum up both controls in one industry. The banking industry must maintain compliance controls set by the Federal Reserve, this restricts the real profit of the bank but also protects the consumer from profitability controls prior to the compliance controls.
I believe compliancy controls will always follow profitability controls in a Market economy.
Fangzhou Hou says
Question: In your own words, how would you define a control environment?
The control environment includes the factors that have an important influence in establishing a policy or project to minimize the potential risks of an organization. It also stands for the understanding, attitude, and action of upper management regarding internal control. The control environment ensures the efficient implementation of internal control.
Upper management should take responsibility for preventing potential risks from damaging the benefit of the organization. For example, if the upper management of a company underestimates the significance of internal control, the organization may not have any implementation of data backup and disaster recovery, which is a huge risk for the company’s information assets. If the servers are damaged by a natural disaster or hacking, the company may lose all information on contracts, orders, and projects without backup servers.
Deepali Kochhar says
Good example to show how important it is to establish a control environment. Research shows that not implementing data backup and disaster recovery can lead to downtime in the data center and can cost an average of $505,500 per incident.
Brou Marie Joelle Alexandra Adje says
Question: In your own words, how would you define a control environment?
Control environment can refer to an organization culture in which there is an emphasis on internal control and compliance to rules and regulations. That is an organization in which management and employees have a preventive attitude toward risk, such as elaborated policies and/or risk management measures.
Brou Marie Joelle Alexandra Adje says
Describe a business process you have experienced (either as an external or internal participant) and what your role was.
While working in an Auto commercial insurance company the main business process I was part of was the auto policy renewal process. Below are the simple steps:
1. At renewal period, policy clerks gather the data (loss exposures) from customers through filled-out questionnaires.
2. Policy clerks submit data to the underwriting assistant, who compares the data from the previous policy period and checks for accuracy.
3. The underwriting assistant submits the data to the Underwriters, who verify the information again, evaluate the exposure and provide a quote based on the renewal rates.
4. The Underwriters share their proposal with the customer’s agent.
5. The agent proposes the new quote to the customers, who make a final decision.
6. If they renew, they send a check for their premium and a signed disclosure form to the policy clerks, who inform the underwriting assistant of renewal.
7. The underwriting assistants then send out ID cards and certificates as well as the new policy to the customer.
If they don’t renew the renewal process ends at step 6.
As an underwriting assistant my role was to check the accuracy of the data received by the policy clerk (step 2), issue and send out certificates and ID cards.
Yulun Song says
Based on your work experience, it looks like gathering data from customers is really important for renewing the auto insurance, cuz you have to compare the previous data and the data you gathered from the questionnaires that they filled out.
My concern is, what if there is a tiny possibility that the company loses any data? How do you check for the policy date and how do you renew?
Another concern based on my experience: my auto insurance policy costs differently every 6 months. What if the customers do not want to renew because of the increase of the renewal price?
Thank you again for sharing your experience!!:)
Brou Marie Joelle Alexandra Adje says
Yulun,
Indeed, gathering data is a crucial step because underwriters rely on this information to accurately price the account. I’m not sure I’m answering your question right but, should previous policy year data be lost, I believe, the insurance company would have to treat every business they had before as new business. However, I’d think that clients have also copies of their policies so it shouldn’t be a problem for them to share the information with their insurance company. Chances that an insurance company loses all their data are very minimal because given the nature of their business they have major risk control prevention in place and tons of data backup.
Also, customers are free to switch insurance companies if they are not satisfied with their rate. Renewal with a specific insurance company is not mandatory. However, if a customer wants to cancel coverage during the current policy period, they may be subject to a cancellation fee. I’d say talk to your insurance company first and evaluate your options. Hope that helps.
Yulun Song says
Thank you again for sharing! You answered all my questions! Based on your work experience, I recognized that data protection is so important for any business. Just like what we talked about with the insurance policy, if the company lost it, plus the client lost it, we have to treat them as new customers because of the data loss, which will make customers unhappy because they become new customers to the company again and possibly they may switch to another insurance company.
Seunghyun (Daniel) Min says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
Business process: IMPLEMENTATION OF IN-HOUSE DEVELOPED PROCUREMENT SYSTEM
In my past job at H MART, which is an American grocery store specializing in Asian products, I had a chance to experience implementing a new procurement system at branch stores. At that time, H MART’s stores were not systematized in their ordering and receiving sector. Everything was conducted on paper. As the company was growing, the CEO envisioned digitalizing their procurement system. The IT team developed their own program in-house. My role was UAT (User Acceptance Testing). The tests I conducted are as follows:
a. Compared the system’s ordering and receiving procedures with our old way to handle ordering and receiving.
b. Tested saving invoices and searching invoices.
c. Tested the system to find possible bugs or glitches
d. Tested the integrity of the system.
e. Tested authorization (gradual access) and authentication (who can access) of the system.
f. etc.
It took so many hours for me to exercise all the criteria of testing. But I admit it was one of my very first times testing an operational program, and it was interesting to see how technology could make the same job so much easier.
Yulun Song says
Thank you for sharing, Daniel! I have been there lots of times cuz I think it sells multiple diverse products and special snacks there. I think nowadays there are a lot of companies that are switching from a paper-work-station to a computer-work-station. And now that you have already had the chance to work in the old-system supermarket, it is a really good opportunity for you to have the imagination to change these kinds of companies.
Just like in another class (MIS 5202), we talked about the Stars Ambulance case, which says there are lots of problems and challenges in switching, changing, or adding value to a system which is already there. Management teams do not like changes. So, being majors in ITACS, I think we are in the role to make changes there in the future!
Cheers!
Deepali Kochhar says
Answer to Q 2.
Sarbanes-Oxley act was implemented in the year 2002 following the major corporate and accounting scandals including Enron and WorldCom. Since then, there have been many question marks on whether the law is a sufficient reaction to the failures or are they just an overreaction.
There have been cases in the past 14 years since this law was implemented which prove the inefficiency of SOX.
Some of the examples which I would like to highlight to prove my point are:
The SEC says it has brought civil false-certification charges against more than 200 parties, including executives at companies involved in the crisis like Fannie Mae, Freddie Mac and Countrywide. But the SEC hasn’t used false certification against executives from any of the major banks suspected of misleading the public about their finances during the crisis.
Richard Fuld, former CEO of Lehman Brothers Holdings Inc. A bankruptcy examiner’s report on Lehman’s 2008 collapse said there was enough evidence to support claims that Mr. Fuld failed to ensure the firm’s quarterly reports were accurate, because he knew or should have known Lehman had cut its balance sheet through questionable transactions. But the government hasn’t charged Mr. Fuld with false certification or other wrongdoing.
In one more such case, there haven’t been any charges against James Cayne, Bear Stearns Cos. ex-CEO, which spiraled into a liquidity crisis that led to a 2008 forced sale to J.P. Morgan Chase & Co. Mr. Cayne and other Bear executives recently agreed to a $275 million settlement of shareholder litigation accusing them of misleading investors about the firm’s finances—including allegations that Mr. Cayne falsely certified Bear’s financial reports. The executives denied wrongdoing, saying they settled to avoid further litigation.
Sean Patrick Walsh says
I am not sure I agree that your examples were failures of SOX. SOX instituted the requirement that CEOs personally certify their business’s financial reports. The bill also gave SOX “teeth” by making the CEO criminally liable for materially misleading financial statements. If the SEC and/or the DOJ declined to bring any charges against executives in publicly-traded corporations under the SOX clause, that isn’t a failure of SOX to prevent fraud so much as it’s a failure of regulatory bodies to enforce punishments and accountability when fraud is found.
Deepali Kochhar says
I agree with your thoughts but since SOX is governed and administered by SEC, ultimately it proves that there is a loophole in the system which needs to be managed.
Therefore I am not against the point that it has not beneficial but it is insufficient to manage the big scams and require to be followed in a strict way.
Mansi Paun says
Well put, Deepali – I agree with your point and second you. While SOX has been effective in limiting instances of fraud, it surely isn’t 100% effective. A good law firm would easily be able to find loopholes in SOX and keep its client safe from being charged with fraud. It is these loopholes and grey areas that need working on to make SOX more effective.
Wenlin Zhou says
Question: The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
SOX is the appropriate law, and it is a sufficient reaction to the failures. SOX is also called the Public Company Accounting Reform and Investor Protection Act. Section 302 directly requires an ICS that guarantees reliable financial reporting. And Section 404 requires that the management of an organization disclose the scope and effectiveness of the internal controls for financial reporting in an ICS report. An external auditor must also submit a confirmation (AGAS Chapter 1). For example, in the case of Enron, several major banks provided large loans to the company without understanding, or while ignoring, the risks of the company. Investors of these banks and their clients were hurt by such bad loans, resulting in large settlement payments by the banks. Therefore, the SOX law is necessary for protecting investors.
Haozhu Huang says
I agree with Zhou’s thought. SOX is not just a law; it protects those investors who are unfamiliar with the company in which they want to invest large loans. SOX is like a bridge connecting shareholders and investors.
Yu Ming Keung says
I agree with you. The SOX act is an enhancement of protection for those investors. Besides protection, I think the SOX act was established to regain the trust of investors, because the financial numbers are more reliable under the SOX act. Investors and shareholders won’t invest in a company that they don’t trust, so independent auditors are needed to review the financial disclosures of public-held companies and are responsible for issuing their opinions to inform investors about how the company is performing.
Yu Ming Keung says
Question: The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
The Sarbanes-Oxley Act was a response to accountants’ failure of Enron Corp, WorldCom and Arthur Andersen by providing a new regulatory framework against fraud for public-held companies and to strengthen the internal control and corporate governance within public companies.
Even though SOX has been challenged for its efficiency and effectiveness over the past years because financial failures still happened after SOX was enacted, I still believe it is a more appropriate law for both public-held firms and CPA firms to follow to provide the right financial information for investors.
Section 302 of SOX requires the CEO and CFO to take responsibility and accountability for all financial disclosures where CEO and CFO are required to sign the annual report and only the CFO is required to sign the quarterly reports.
Section 404 requires the upper management to maintain and reinforce adequate internal control over financial reporting because the effectiveness of the internal control also has to be disclosed in its reports.
This shows that financial data accuracy and internal controls are in place to safeguard financial data to be transparent for the public in order to protect investors.
One of the main purposes of SOX is to reform the independent relationship between public corporation and the audit firms.
Abhay V Kshirsagar says
Yu Ming,
Although SOX has been found to improve market liquidity, for smaller public entities there is a high cost of compliance associated that burdens them. It also demoralizes risk taking in the US’s public entities, which reduces the competitiveness in the market.
Binu Anna Eapen says
Yes, I believe SOX changed the way a public company worked. It made it more alert and cautious. SOX caused companies to have greater internal control of financial reporting, independence among a more-focused management team and increased expertise. SOX imposed new ethics requirements, disclosure requirements, and new reporting and audit practices, and created internal reporting and structures upon which the Dodd-Frank Wall Street Reform and Consumer Protection Act was built.
Sean Patrick Walsh says
In your own words, how would you define a control environment?
I would define a control environment by the corporate culture regarding ICS. When a business has an ICS in place and the management takes the ICS policy and procedures seriously, the attitude of the company toward control systems is reflected as such. The attitude and culture of control should be positively reinforced through continual training over time for employees.
Haozhu Huang says
I agree with you, Walsh. The definition of control environment is not hard to understand. For me, I would like to think of the control environment as setting the rules in an organization. And it connects to many aspects, like Wenlin Zhou and Annamarie Filippone mentioned before, including business structure, corporate culture, values, operating style, human resource policies and procedures.
Mansi Paun says
Great example, Sean. Further to the key difference that you mentioned, I’d like to add that the Compliance driven controls rarely change over short time spans whereas profitability driven controls often allow some flexibility based on various factors such as Client / Supplier relationship, long term gains, prospects of new Business as well as timely fulfillment of Contractual obligations. Compliance driven controls are non-negotiable.
For instance, an IT company might reduce its profit margins for delivering a Service if it expects possibility of getting more business from a high-value Client. Profitability controls in this case are flexible and dictated keeping in mind the bigger picture of forming a long term relationship which eventually would be profitable in the longer run.
Vu Do says
I like your definition Sean, control environment has to have the right policy and procedure in place for employees to understand. Everyone must follow it and if they all agreed upon it, then it will produce a positive outcome. It is like having rules in place and if no one likes the rules then it will have a negative impact on the results they produce but if they agreed upon it and understand why it’s necessary then they will produce a more positive result.
Yulun Song says
Q1: Describe a business process you have experienced (either as an external or internal participant) and what your role was.
I want to share some of my experience from my part-time job as a resident assistant and an accountant assistant in a real estate company since last September. Our business process is to rent a unit to a new customer, collect money from him and prepare everything for the new tenant.
Business process:
1. A new customer, such as a new Temple student, calls to request some information including price, sqft, lease length about different types of apartment we have.
2. I answer all questions and check availability of apartments by a tenant system and make an appointment if he is coming to have a tour about the apartment.
3. The new Temple student comes, and I will show to him the sample room of his desired type of apartment, let’s say, one-bedroom apartment.
4. After the tour, if he decides to live here for a one-year contract lease, he needs to fill out the application form and I will copy his at least two IDs.
5. After his application form is approved (mostly around one week), I will call him to come to the office to pay for all money for signing the lease.
6. Lease signed and money paid, I will set up a time for him to pick up his keys and move-in packages 2-3 days ahead his lease start date.
7. I deposit all payments from the customer by using a bank service application on PC, and I also put him into the tenant system and the system will show that the room is taken by him.
8. I check with maintenance department to make sure the room is available on time.
9. I prepare and activate all keys and the swipe card for him, and put him into different service systems, for example, callbox system, parking garage system, bike room system and general tenant system, etc.
10. Now, the tenant picks the keys and all move-in packages.
During this business process, I have several different roles. First, I am a customer representative who answers phone calls, gives information and makes appointments. Second, I create an account and a lease for the new customer and deposit all money into the account. And third, I activate all services and systems for the new customer.
Yulun Song says
Q3: In your own words, how would you define a control environment?
The control environment is the upper management’s attitudes and also refers to some other factors, including internal controls, integrity, the organization’s structure, etc. The upper management’s attitudes will influence the internal control of an organization, and it is important for upper management to understand and manage internal control well within an organization.
For example, within an organization, upper management will care about the attitudes and behaviors of all different employees, day-to-day responsibilities, and short-term and long-term goals of the organization.
Upper management also needs to know the importance of potential risks, building a secure organization. For example, the loss of key person’s flash drive and password. If management and employees within the organization do not care about the internal risks, the costs of the risks would be really high.
Vu Do says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
When I was working as an Associate Application Developer for Highmark BlueCross BlueShield, I was assigned the task of fixing the ID Card phone number on the back. The process for the ID Card was as follows:
1. The customer gets insurance
2. Receive ID Card
3. Visit Doctor
4. Doctor uses numbers on the back of the card to check their information
5. Information gets sent back from insurer verifying everything is correct
6. Doctor proceeds and customer pays deductible if any
My role was to correct the issue of having printed ID Cards with missing phone numbers on the back of the cards. I worked on this project for 6 months, looking through code and running tests with new code to fix the issue. I managed to add some code to the original program and all ID Cards were printing the correct numbers on the back, thus fixing the issue in the business process.
Ming Hu says
Q2: The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
We all know that the Sarbanes-Oxley Act resulted from a series of high profile financial scandals that occurred at Enron, WorldCom which seriously impaired investors’ enthusiasm and confidence. By defining responsibility of management and strengthening independence of CPA, the law aims to improve accuracy and reliability of organizations’ disclosures so as to achieve proper market supervision.
In my opinion, I don’t think these laws are an overreaction. We cannot be over-optimistic to market itself to prevent same situations’ re-occurring, based on the consideration that so huge losses were caused by top manager’s misuse which had not been detected in advance due to lack of external supervision, we may clearly see that external control is very necessary. Only by combining external control and internal control, enacting compulsory regulations to raise the cost of financial crimes so as to prohibit such fraudulence and misuse, we may rebuild a fair market environment.
Wenlin Zhou says
I agree with your opinion. The Sarbanes-Oxley Act in the US is not an overreaction. I thought the law is not enough to reduce business risk, as in the Lehman Brothers case. Even with the law implemented, the senior managers still did some wrong things leading to bankruptcy. So I thought the Sarbanes-Oxley Act should be improved and revised in order to prevent top managers’ wrong practices.
Yang Li Kang says
I agree with your opinion that the Sarbanes-Oxley Act is not an overreaction but may not be enough to reduce business risk. Huge companies are responsible for many of their stakeholders. The decision of a few senior managers in the company may place the entire stockholder at risk. I think that there should be internal independent bodies to audit decisions made by the company at the stakeholder’s interests.
Sean Patrick Walsh says
Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
A profitability-driven control is meeting a minimum gross sales margin. A gas station knows how much to charge for each gallon of gasoline sold each day based upon the market rate of gasoline per gallon plus the overhead and operating costs to run the business. As the price of gasoline changes each day, the gas station owner knows how much to adjust the price per gallon of gasoline to maintain the minimum gross sales margin to maintain profitability.
The key difference between a compliance-driven control and profitability-driven control is a compliance-driven control is mandated by a specific law or regulation. Profitability-driven controls are not mandated by law and are at the discretion of the business and its governorship. A compliance-driven control is also a minimum level of control that is required by law whereas a profitability-driven control has no minimum beyond that set by management or the board.
Paul Linkchorst says
Hi Sean,
I think the example you have given provides a clear example of what a profitability-driven control is. While it might not 100% relate to your example, I think a lot of times companies implement these profitability-driven controls within their information systems. While a gas station might have a control where the price of the gasoline is adjusted each day by the owner to ensure profits, a larger organization might have these controls in place that restrict an employee from buying or selling a product or service under/over a set limit. By doing so, they can reduce the risk element of an employee potentially losing money on a sale or purchase all while increasing their profits.
Wenlin Zhou says
Q1: Describe a business process you have experienced (either as an external or internal participant) and what your role was.
When I worked in a bank, my job was financial center client service.
My duties:
– help customers to open a checking account
– help customers to apply for a credit account
– identify customer financial needs, goals and objectives; comfortable asking customers about their personal finances
– respond to and assist customers with inquiries; sometimes, I needed to ask my manager for help and learn how to solve some problems
– meet or exceed sales goals by influencing customers to learn about products/services that will benefit them
– check the available bank application forms
I thought my job did both the internal control and external control.
Jaspreet K. Badesha says
1)
I am a part of the IT development process, an internal process, in which I help develop a set of requirements for new applications and other items and then carry it through the development process with other members such as a developer and QA. This process flows through many functions of the business.
2. The idea comes through sales or upper management
3. The idea passes through a team to see if it’s feasible
4. I take the idea and I write up requirements and detail them out
5. I then review them with appropriate teams
6. The development begins on the item (i.e. coding for an application)
7. Development completes, QA tests
8. Business owner’s tests
9. The item is released
10. The item is used internally or for external members
11. If the item is made for external users, then it goes to sales and then will get sold
Paul Linkchorst says
Question 2:
In your own words, how would you define a control environment?
Based on my internship experiences as both an Internal and IT Auditor, I would define a control environment as the attitude of those throughout an organization towards how its members “control” or gain confidence that business processes are working properly and reliably. Since controls are just policies and procedures that aim to increase the effectiveness, efficiency, and reliability of certain processes, it is up to those in management positions to develop these procedures and policies as well as enforce them.
In a positive control environment, those managers and executives set a “tone” which identifies that controls have a positive effect on processes and are beneficial in meeting that organization’s objectives. Due to this positive attitude toward internal controls, that tone is carried throughout an organization, which can result in a well-designed internal control system that is properly followed throughout the organization.
In contrast, in an organization that has a negative control environment, there is no tone at the top of the organization supporting a good control environment. An organization can have on paper a very robust and well-designed control environment but ultimately have a tone where the controls are not followed and become ineffective. Likewise, a company with a negative attitude might not even have internal controls designed into their business processes. Ultimately, a control environment is the attitudes which an organization’s members have toward an internal control system.
Abhay V Kshirsagar says
Paul,
You correctly said that executives need to set a “tone” in an organization. Since you have already got some internship experience as an IT Auditor, I was wondering if you ever experienced any resistance from any level management employee(s) for the newer control policies? If yes, how did you bring change in their attitudes?
Paul Linkchorst says
Hi Abhay,
I have a couple of experiences where management had shown resistance to either new controls or testing certain controls. Since auditors are not the control designers, they are not the ones implementing it or forcing employees to practice new controls. However, since auditors are the ones testing the controls, there could be resistance when an auditor tells them a certain control is not working effectively. The one experience that comes to mind is during my Internal Audit internship, when I was working on a fixed asset audit. As part of the audit, we had to test the process around disposals of assets, and the process of recording the disposal of assets was determined to be ineffective. We received a lot of pushback from management stating that the risk wasn’t big enough, the responsibility wasn’t theirs, and that overall it wasn’t worth the effort. As auditors, we couldn’t force them to make the changes that we suggested, but if they were to not change those procedures, each time that process is audited it would result in ineffective, and most managers do not want to see that on their “record”. Sometimes you can convince managers or employees to adopt a certain control, but other times you have to find different avenues to coerce change.
Seunghyun (Daniel) Min says
Hi Paul,
Thank you for sharing your experience! Several days ago, I had a chance to talk to an IT Audit manager from MetLife. And he described an internal auditor’s role as “The role of internal audit is to provide independent assurance that an organization’s risk management, governance and internal control processes are operating effectively.” He also mentioned that the main duties of the internal auditor include observing and documenting findings but not an execution of control changes. Control changes independently rely on management’s decision.
Fangzhou Hou says
Question: The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
The Sarbanes-Oxley Act in the US is a sufficient reaction to the high profile control failures. After a series of accounting scandals in public corporations like Enron and WorldCom, the Sarbanes-Oxley Act passed on July 30, 2002. Within these accounting scandals and financial frauds, the Internal Control System of public companies was lax and nonfictive. To prevent similar control failures from happening again, SOX enhances the weight of ICS through SOX 302 – ICS and SOX 404 – ICS.
According to section 302, the organization’s management are required to confirm their responsibility for “setting up and maintaining such an ICS” in writing. Moreover, the section also requires an effective internal control system to guarantee the financial reports are reliable. Because of section 302, upper management of major public corporations now needs to take responsibility for evaluating the effectiveness of ICS. Section 404 requires the organization’s upper management to disclose the effectiveness and weakness of the internal controls in an ICS report, which can help investors and shareholders better understand the real performance of the company, and prevent potential financial fraud. Both section 302 and section 404 enhance the importance of ICS in an organization, so these laws are a sufficient reaction to the high profile control failures.
Ming Hu says
Great explanation. The occurrence of such shocking financial scandals arose from serious control failure. By enacting a series of legal provisions with which organizations must be in compliance, to raise the importance of ICS within organizations as you said above so as to create a legal and effective control mechanism, not only for evaluation but very helpful for detecting potential risks in advance to ensure that investors’ and shareholders’ interests are under proper protection.
Yu Ming Keung says
In your own words, how would you define a control environment?
Control environment is a set of standards, processes, and structures achieved by the upper management to provide the basis for carrying out internal control to trickle down throughout the organization. A well-functioned internal control can define culture and behavior within an organization.
Conversely, if upper management fails to demonstrate and communicate throughout the organization, it will lead to a weak control environment within an organization, which means internal controls, risk management and business governance will not be valued throughout the organization. It will lead to inconsistency such as differences in value, business ethics and behavior between the lower level and the upper level.
Ming Hu says
I agree with you. Whether the control environment of an organization is weak or effective is, to a large extent, up to its upper management’s attitude and awareness toward the importance of the control environment. The establishment of an organization’s culture, ethics, standards and structures highly hinges on upper management’s attention and participation so that it can be followed uniformly by the lower and medium levels.
Yu Ming Keung says
Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
In my opinion, profitability-driven controls mean that a company will take the most risk and be active in the market to focus on increasing the annual revenue.
Ex: Apple – being active in innovating its products released each year with different functions, designs and better quality. Even though Apple follows the legal provisions in the U.S., it does not really care about the Foxconn labor commit-suicide rate in China.
Differences between a compliance-driven vs. a profitability driven control:
1. Short-term benefits vs. Long-term benefits
2. More risk taking vs. less risk taking
But generally, an organization can achieve both controls in parallel because they are not mutually exclusive.
Yang Li Kang says
I agree with your thought on compliance-driven vs profitability driven control.
A profitability-driven company can only go so far to lower their costs. At some point, they will hit a wall set by laws and regulations. A profitability-driven company may ignore this and try to work around it.
I think the Apple example you provided perfectly demonstrates this. Apple tried to maximize their profits; however, manufacturing their products in the US was probably too costly due to the relatively high minimum wage set by state laws. Apple hit this wall where they were unable to lower their cost anymore and they decided to outsource to China.
Binu Anna Eapen says
Regarding the differences, you mentioned that compliance-driven control has short-term benefits. I quite disagree with that. Compliance-driven control may have long-term benefits as well. As in, if the company is compliant with all its policies, then they might not have to waste money with lawyers or with government to get things right after a control failure. Do you have an example to explain?
Brou Marie Joelle Alexandra Adje says
Reading Yu Ming’s example of Apple being compliant in the USA but not caring about the Foxconn labor commit-suicide rate in China raised a good question: would you say that a profitability driven company can be unethical?
Yang Li Kang says
I very much believe so. Profit-driven companies tend to act unethically, though still within bounds of the law. Nike sweatshops are another example of a company moving out of the country in an attempt to reduce their costs.
Fangzhou Hou says
Question: Describe a business process you have experienced (either as an external or internal participant) and what your role was.
Experience: Customer Service Department in the China Construction Bank.
Background: The China Construction Bank (CCB) is the second largest bank in China. There are different teams in the customer service department; I was in the individual investment team.
My role: Because I had no experience in finance, my job was to collect basic information of potential clients and answer their questions online. More importantly, I needed to classify the clients and transfer them to different levels of investment advisors by using the Online Customer Service System.
Process:
1. Log in to the online customer service system by using an employee account.
2. Choose online service option individual investment service current date
3. The system will randomly choose customers who want to consult the invest plan and profitable funds in the CCB.
4. Follow the question list and ask several questions like “How much money do you want to invest?” or “Which kind of investment do you prefer? High-return but high-risk or low-return but safe?”
5. If the amount of investment $10,000 but $100,000, click “Transfer” option, and transfer this client to an available professional individual investment advisor.
8. If the customers have some other questions which are not related to investment or you have no answer, click “Transfer” option, and transfer this client to the manager.
9. At the end of a day, check and save data in current date, click “Finish Report” option.
10. Log out the system.
Yang Li Kang says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
I am currently working in Temple University’s International Admissions office. As all of us know, applying to a University involves many steps. Basic run down of the admissions process:
1. Potential applicants will need to submit their application materials
2. The application materials will have to be indexed into the student’s application
3. Once the application is complete, an admissions counselor will review the application
4. Counselor will make an admission decision
5. Once the decision is made, the student will be notified of their acceptance both electronically as well as physically through mail.
My role involves the safe transfer of documents students submit to our office into our system as well as notifying students of their acceptance both electronically and physically. An example of a typical work process:
1. Students submit documents to our office either electronically or by mail.
2. I will open the mail or download and print the documents and compile the documents.
3. The documents are then sent to be scanned and indexed to the applicant.
(A counselor will take over this step)
4. The application is reviewed and a decision is made
(Back to me)
5. A report is generated of all the students who were accepted and denied.
6. I will notify all the students of their admissions decision first by email.
7. Then, the physical acceptance packages will be prepared to mail to the respective students.
Yu Ming Keung says
1 Describe a business process you have experienced (either as an external or internal participant) and what your role was.
Over my summer, I interned in a real-estate company in California as a junior accountant. I was part of a team of professionals working to manage daily accounting tasks.
My responsibilities included:
1. Assigned to assist with reviewing expenses and payroll records.
2. Update accounts receivable and issue invoices
3. Update financial data in databases to ensure the information will be accurate and available to other professionals to review.
4. Assist in preparing monthly report.
5. Ensure all business transactions are recorded.
6. Ensure all business invoices are paid by the due time.
7. Verify financial data is accurate
8. Verify real-estate disclosures signed by using Docusign.
Magaly Perez says
1. In your own words, how would you define a control environment?
A control environment is an established setting in which regulations and procedures are used and enforced by governing bodies of an organization; their main purpose is to influence the control consciousness of their establishment such as providing discipline and structure.
A few examples of control environment influences can include but are not limited to:
– The organization’s skill set, integrity, and overall ethical values
– The philosophy and operating style of its management team
– The way management allocates power and responsibility amongst their employees
– The overall direction and attention of its organization
Overall, internal control can aid an organization’s success, by ensuring its attainment of basic business goals. However, internal control cannot change characteristically poor management. Also, shifts in policy and procedures, competitors’ engagements or economic conditions can undermine a control environment.
Paul Linkchorst says
Hi Laly,
I have never thought about the impact of competition or economics and its effects on an internal control environment. In the perfect world without competition or strict financial goals, I am sure most organizations will pay heavy attention to controls that particularly affect the reliability of the financial statements and protected information. However, in bad economic times when companies are trying to make their businesses more efficient, managers might spend less time on controlling the reliability of financial statements and compliance and more on making a bigger profit. Not only that, but stress on an organization can cause employees to try to circumvent those controls in place, ultimately making them less effective. That was a very interesting point that you brought up, which was something I have never thought of prior.
Wen Ting Lu says
Q: Describe a business process you have experienced (either as an external or internal participant) and what your role was.
A: One of my experiences that I want to share is working as a tax accountant in a small CPA accounting firm. My job was to prepare individual and business tax returns for clients.
In my company, we use a CRM called Insightly to track our work progress. I think this is a very useful tool for business owners. It makes sure that employees are on top of their project at every stage. For example, if I were absent and a client calls in for an immediate response, my co-workers will be able to search the name of the client and look at the history/comments that I left for that client’s project.
We have a pipeline for each project; the following is the pipeline for preparing a business tax return:
1. Interview: in this step, I will have three tasks, which are to calculate the depreciation, gather financial statements and complete the tax organizer. This step is where I contact the clients in person, by phone or by email to get the tax information I need to prepare the tax return.
2. ATX: In this step, I will have two tasks, which are to input data to ATX and review tax returns. I will compute all the information I gathered from clients into ATX. After I have a draft copy I will review the tax return to make sure the balance sheet balances and all the data is correctly inputted.
3. Signature: in this step, I will have two tasks, which are to obtain the efile signature and process payment. I will send the draft copy and efile form to get the approval from clients. Also, I will send the client our service invoice through QuickBooks.
4. Process tax return: in this step, my task is to print/email the tax return copy, payment coupon to clients if necessary.
5. Efile: in this last step, I will make sure all the tasks from stage 1-4 are completed, and then I will efile the tax return for clients.
Joshua Tarlow says
Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
A compliance driven control is focused on legal and regulatory requirements, while profitability driven controls are concerned with revenue and expenses, and not mandated. Companies use profitability driven controls to maximize revenue, while minimizing risk.
Google’s recent pause of its expansion of its fiber network is an example of profitability driven control. It is expensive to build infrastructure for a fiber broadband network for a city. Google reportedly spent $1 billion in Kansas City, which included digging up streets and yards to lay underground fiber cable citywide. The process is slow and expensive, which caused Google to delay planned expansion into two markets. It is now testing a wireless alternative to deliver gigabyte internet to customers, which could dramatically lower expansion costs. There is no legal requirement for Google to consider a wireless alternative to fiber cables; it is a profit driven decision. The company wants to reduce its financial investment with future expansions, which would increase profits while reducing its risk.
Wen Ting Lu says
Q: In your own words, how would you define a control environment?
A: A control environment is the cornerstone of the internal control system; it supports and decides other elements. In an organization, the control environment represents upper management’s attitudes, awareness and actions towards controls and the focus they have on IT controls. The “Top-Down” approach to control is most often used in organization environments; it means that management sets the tone for the focus of and adherence to controls.
A good control environment will include communicating ethics and employing good staff who have positive influence, participation and professionalism. Also, management’s philosophy and operating style is very important in a good control environment.
Jianhui Chen says
Q1: The experience I share is about my internship at a textile and laces manufacturer company in China this summer. The company’s business is to sell textile products such as laces and lace trims to lace product trading companies and finished clothes manufacturers.
Business Process:
1. The existing or potential customers will request information on the price, the availability and samples of the lace products they need.
2. After checking the price and availability of the products, we will offer the price, shipping method and payment method (T/T etc.) as well as send the samples of the laces the manufacturer requests as soon as possible.
3. The customers will close the deal if the price, delivery date and quality of the sample meet their satisfaction, and they will pay a 30% deposit before production starts.
4. After the product the customers request is ready, we will contact a logistics company for shipping. And the customer will pay the remaining 70% before shipment.
My role is sales representative, with the responsibility to maintain good relationships with the existing and prospective customers, to develop plans and strategies to achieve sales targets, and to ensure that availability of products suits the needs of the customers.
Jianhui Chen says
Q3
The top management of the company establishes the kind of policies and rules that affect the way to solve problems, respond to crises, etc. A good internal control environment and system can enhance the development of the company. But in some state-owned companies in China, they didn’t have a good control environment; bureaucratism plays an important role in the companies’ management, so they have low effectiveness in decision-making and production. For example, Xinhua is a state-owned book store, dominating the market before 2010. The state-owned company, filled with corruption and bureaucratism, has low effectiveness in responding to the market. In 2010, Dangdang.com, an online bookstore, came out and soon dominated the market, and Xinhua bookstore’s domination ended.
Fred Zajac says
Jianhui,
You make an interesting reference with Xinhua and Dangdang.com. I am not familiar with the reference.
When you say, “Low effectiveness to response to the market” because of “corruption and bureaucratese”, do you mean management’s hands are tied when making business decisions because of the threats or bribes from outside parties? I agree this puts a blanket over internal controls, but do you think the failure was internal controls or the death of brick & mortar bookstores, similar to music / record stores?
Wen Ting Lu says
Q: The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
A: The Sarbanes-Oxley Act (SOX) served as a sufficient reaction to protect corporations from accounting errors and fraudulence. The primary purposes are to improve accountabilities of corporations by introducing mandatory storage of several specific types of records from a business, as well as keeping all records for an extended period of time. In other words, corporations are mandated to store all business and financial records by following the exact measurements and guidelines set by SOX. In this case, SOX determines exactly how and what types of records should be kept, hence leading to an absolutely clear and fair ground to help extinguish accounting errors and fraudulence.
Jianhui Chen says
Q4:
Example of profitability-driven: the textile manufacturers, they would try to increase the profit margin by keeping the revenue and reducing the cost, and they still follow the regulations.
The difference is that compliance-driven control has a set of standards and policies that need to be considered.
but
Jianhui Chen says
Q 2:
Sox act is in sufficient action. To prevent events like the Enron bankruptcy and regain investors’ confidence in the information the public companies provided, the US Congress passed the Act. It protects investors from a high possibility of fraud risks, because the act requires public companies’ financial disclosures and keeps them from accounting fraud.
Wen Ting Lu says
Q: Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
A: Profit driven marketing is to optimize revenue growth by leveraging economies of scale. Profit driven controls usually focus on “profits” rather than “efficiency” by analyzing all key components of a strategy and recognizing the limit of optimum profitability.
A real life example of profitability-driven controls is Beats Electronics. In order to maximize profitability, the company would optimize the advertisement spending, allowing a better awareness, recognition and reputation of their brand. However, the analysts would identify the optimum spending on advertisement and adjust the price of products accordingly so that the profits are not only retailed at a reasonable price, but also look classy for a company with such a reputation.
Profitability-driven controls focus on maintaining profit from business activities, while compliance-driven controls focus on correctness and are based on legal provisions. However, these two types of controls are not mutually exclusive, so an organization can achieve both controls in parallel.
Edward N Beaver says
In your answer you said ‘Profit driven controls usually focus on “profits” rather than “efficiency”’. My experience is that profit improvements can come from both revenue (top line) growth / improvements as well as bottom line cost improvements. Efficiency is a common (but not only) driver for cost reductions and hence profit growth.
Paul M. Dooley says
My apologies, while I was preparing for class and going back to review my comment I could not find it, so I will respond again.
I was a business to business sales representative for Verizon, which specialized in infrastructure and IT Solutions sales. I was a part of the Automotive and Manufacturing vertical team and dealing with 6 high profile accounts. When we were working on designing a complex solution and working to generate a quote, we had to go through what was referred to as the PCM process (internal control) in order for us to be able to present an aggressively priced solution while also maintaining the margin for it to be a profitable solution for Verizon. My role included getting initial baseline pricing and completing a complex spreadsheet with the list prices of the various components of the solution and also the requested discounts in order to meet the required price point. Once this was completed, we would meet with a dedicated PCM analyst who would review the pricing models and assist the sales group to help get to the requested price point by adjusting the discounts on components to meet margin requirements that the sales team was not privy to. Once the pricing model had been completed, we would take this in front of the CFO, VP of International Sales, and various other parties to present the business case, where they would make a collective decision whether to approve or deny the associated requests. This process was a control to maintain profitability in the company and to ensure that shareholder value was never endangered.
While the PCM business process was definitely a needed process for business operations, the efficiency of the process and the amount of parties involved would usually hurt, if not kill, the deal before we had a chance to win the business. I can see this as a constant struggle within corporations from a governance perspective: implementing controls but doing so in a way to not hurt the natural flow of business or meet the customer’s required deadlines in their own decision-making processes. If they were to make some of the required info available to the front-line sales people, i.e. the margins available on different products, it would allow us to make the second layer of approval needed (PCM) much more efficient and allow us to turn around deals in a much quicker fashion, which in the end would please the client.