- Describe a business process you have experienced (either as an external or internal participant) and what your role was.
- The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
- In your own words, how would you define a control environment?
- Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
Nathan A. Van Cleave says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
I think the easiest example of a business process I was involved with was the HR hiring/onboarding process when I joined my current company. I guess my role would be “new hire” or “new employee” and it involved a wide array of activities that supported the process.
This included completing tax and employee documents; reading and understanding several policies, standards and procedures related to my specific IT role; and even providing banking information for direct deposit. Behind the scenes, I am sure there were several triggers that my inputs fed into additional activities by a host of other groups or individuals both in HR, IT and other departments.
Heiang Cheung says
This was a really good example because I wouldn’t even have thought of this as a business process, but it is. Going through this process multiple times, it starts to seem normal after a while. Thinking through this, there are actually controls put in place, like having you sign papers that you agree to the company policies.
Mengqiao Liu says
Hi Nathan,
I have worked as an HR intern in a head-hunting company; my job was to assist my supervisor in communicating with the candidates. There were two other HRs who were doing jobs just like you. I had no connection with those two HRs; thank you for explaining the business process of it.
Folake Stella Alabede says
Yes Nathan, it’s a really good and easy-to-understand and relate example. The main theme of business process is being able to ‘repeat’ a process over and over. As with HR and new hires, the steps are repeatable and are the same for all the new employees of that particular company.
Akiyah Baugh says
Hi Nathan, the HR onboarding process is a very good example of a business process. It is something that the majority of people have experienced but would never have thought to mention, including myself. My former place of employment is looking to improve upon their current onboarding process. They would like to adopt an onboarding process that can be implemented across all departments, as many of the departments follow their own practices and new employees to the company do not receive the same information when hired.
Mahugnon B. Sohou says
Great example. I gave a similar example. At first I did not think of it as being a business process, but after reading your comment I realized I had something similar, and that it is indeed a business process. Many people go through this process as well without realizing that it is a business process in itself, the hiring process.
Nathan A. Van Cleave says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
I believe appropriate oversight and governance is absolutely critical in providing assurance that the actions of corporations. The individuals and groups of individuals operating companies should be held accountable for their actions and decisions. SOX regulations were a proportional response to the Enron and WorldCom financial debacles. It provided a baseline for companies to abide by and presents entities opportunities to either fail, meet the standard, or enact more stringent controls.
Though not completely related, I believe there is an effort being pushed by the current US Federal administration to undo/rollback additional consumer protections as some believe the regulations stifle competition. I agree that over regulation or the application of too many controls can stifle not just competition, but can simply the ability for efficient work to be completed. However, as mentioned, accountability can only be met through appropriate transparency and consequences for unscrupulous or unfair activities.
Nathan A. Van Cleave says
3. In your own words, how would you define a control environment?
As I have come to understand it, a control environment provides a standardized framework of controls that can/should be utilized by an organization to employ a uniform and consistent compliance structure. For instance, in my current organization, there is a standard framework of policies and processes that span across areas like written standards, enterprise oversight, training, risk management, and others. Additionally, the framework presents the levels of assurance:
– Level 1 -> Management Monitoring
– Level 2 -> Independent Business Monitoring
– Level 3 -> Independent Assurance (Internal/External Audit)
Through a framework like this, an organization can better and more consistently align values, principles, standards and controls across varying business units.
Rouying Tang says
Hello Cleave,
Thank you for sharing. You provide a good definition regarding the control environment and hit the points of the targets and the procedures of the control environment.
Nathan A. Van Cleave says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
Hopefully I am reading this question correctly. An example of a company’s profitability-driven control centers on the recent Wells Fargo woes. Management had set unreasonably high quotas for its branches to meet; quotas requiring branches to hit new product “sales” targets (opening new accounts as an example). Under pressure to meet these quotas, employees were compelled to open false accounts with individuals’ information and without those individuals’ consent.
I’m thinking that a compliance-driven control would be the specific banking and common sense controls and regulations in place to prevent this very thing from happening. Controls like an actual individual needs to acknowledge and consent to opening a new checking or saving account.
The compliance-driven controls are meant to prevent unethical behavior or actions or to protect individuals or companies from a wide array of things. Profitability-driven controls are necessary to spur financial or economic growth. I imagine compliance-driven and profitability-driven controls are likely not designed to be at odds with each other, but in this example, one type of control drove wrong behaviors in direct conflict with the other type’s intended function. Or maybe it’s the other way around??
Nauman Shah says
Nathan, that’s a good example of a profitability driven culture. The same analogy can be applied to other industries as well. For instance, in the pharmaceutical industry, clinical trials present serious compliance challenges. The compliance challenges, however, often become secondary because of the lack of project milestones to measure compliance and inspection readiness. These compliance issues can have serious impact on the efficacy of a clinical trial, if the investigator sites do not adhere to the study protocol.
Nathan A. Van Cleave says
Nauman, as I too work for a global pharma company, this is a great example and something not obvious. You hit it on the nail, there is somewhat of a double edged sword for pharma, they are driven to find that next blockbuster, but must do it in a highly controlled, highly regulated environment as drug efficacy as well as patient safety are competing goals.
Xiaozhou Yu says
I agree that compliance-driven controls help with unethical behavior; this is the regulation for the company and employees within. I would add government regulations as well; this is part of business ethics. And I like your example of the bank account, it hit right on the point of compliance. I also believe these two controls should be cooperated.
Mahugnon B. Sohou says
That’s a great example of a profitability driven culture. Pharma companies have to make profit by finding the next big product that will drive profitability. However, they are also constrained because of all the regulations surrounding the industry. And these two don’t go so well together all the time. Compliance driven controls are there more to take care of ethical issues, while profitability driven controls assure financial growth.
Folake Stella Alabede says
3. In your own words, how would you define a control environment?
A control environment in my own words is an environment which starts with defining the groundwork in an organization for various types of applicable internal controls to be put in place, which could be done through procedures, guidelines, rules, processes etc. to give reasonable assurance that the organization would achieve its desired objective.
Folake Stella Alabede says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
On the one hand, these laws could be a sufficient reaction to the failures, because the Sarbanes-Oxley Act puts pressure on Organizations to do the right thing which is to provide assurance about the accuracy and completeness of financial statements.
The Sarbanes-Oxley Act was passed in response to a number of corporate accounting scandals that occurred between the years 2000 and 2002, which resulted in billions of dollars in corporate and investor losses. This act, put into place in response to widespread fraud at Enron and other companies, set new standards for public accounting firms, corporate management, and corporate boards of directors.
SOX forced companies to be disciplined and helped businesses reduce the number of mistakes they would otherwise make. As a result, according to an annual report done by Audit Analytics, the number of restatements noted in 2016, at 671, was the lowest in a decade. In 2015, 765 companies told investors a restatement was needed.
On the other hand, the laws could be considered an overreaction, because while it is agreed that there could be great loss that affects the economy as seen in the case of Enron and co, these can be classified as isolated incidents because statistically, the number of companies reported to have been in violation does not match the greater number of companies that exist in the same capacity and are in compliance.
Based on the SOX requirements, and the cost of SOX compliance, a lot of startup companies/certain companies choose to remain private rather than go public, thereby preventing the general public from investing in some potential viable businesses. Implementing SOX also increased audit costs, which is a greater burden especially for small companies; this may have convinced some businesses to use private equity funding instead of using the stock market.
Also, too much regulatory compliance puts the burden of meeting these requirements on the board and top management rather than focusing on the primary business objective of the company. The penalty placed on the CFO and CEO serves as a deterrent to ‘risk and advisor qualified personnel’ as they might not feel encouraged to step into these positions. (The criminal statute calls for maximum penalties of $1 million and 10 years imprisonment for a false certification and $5 million and 20 years for a willfully false filing.)
The question remains: is there a slight, tiny, minuscule chance that the CEO and/or the CFO might not know that the organization is in violation of some aspects of the Internal Controls over Financial Reporting and still attest to the accuracy of the financial reports?
Also, technically, the laid down SOX requirement in terms of reporting and how applications are supposed to run has prevented some level of change in technology evolution as it may prevent companies from meeting SOX requirements, even though these changes might be more viable options than the requirements being specified by SOX.
And like everything invented, there has to be an upgrade/improvement, but what improvement has been done to the SOX laws since 2002?
Some recent concerns have been Cybersecurity. Cybersecurity is something that historically was not part of the standards of what to look at when SOX was first enacted, but with the widely increased adoption of cloud computing, cyber security has become one of the major concerns among companies.
Even though SOX brings new challenges and then some to companies, it has contributed far more to corporate excellence through more robust internal controls for financial reporting, increased investor confidence and a greater appreciation for discipline, transparency and management responsibility.
https://www.accountingtoday.com/opinion/sarbanes-oxley-marks-15-years-of-successes-and-challenges
https://www.thebalancesmb.com/sarbanes-oxley-act-and-the-enron-scandal-393497
http://www.sarbanes-oxley-101.com/sarbanes-oxley-faq.htm
James T. Foggie says
Stella,
In my experience, the C-suite executives in my company are invested in the SOX controls and audit procedures. Because of the deterrent measures set forth by SOX requirements, adherence to controls is cascaded from the top-down; and front-line managers understand that SOX audit findings must be addressed and closed out in a reasonable time period. Before the enactment of this legislation, there was no true all-encompassing compliance regulation that motivated corporations to deter fraud and risk. Although inevitably SOX has its price, in the form of program expense and man-hours, deterring vulnerability to fraud may ultimately help the attainment of corporate business objectives.
Mahugnon B. Sohou says
You are absolutely correct. These laws are a sufficient reaction, but when we look at it from a bigger picture perspective you realize that it might be doing more harm than good, because of all the ways it affects other businesses, especially small businesses who now have to go private because of all the regulations, and because of how costly it would be to comply with them if they were to ever go public.
Heiang Cheung says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
I used to work in accounts payable, paying invoices to our vendors. I worked with multiple people, from the warehouse to buyers. Sometimes to get something paid I would need to ask the requester to receive the item in, and if they didn’t remember I would have to go back and ask the vendor for proof of delivery. Also, with the buyers I would sometimes have to ask if a certain purchase order was correct and, if not, tell them to correct it.
James T. Foggie says
Heiang,
Seems like the business process you describe in this post was in desperate need of an automated system that provides a closed-loop process for billing and accounts receivable. Although I am not entirely sure yet, it seems like an ERP system could provide that automation. At the very least, invoice tracking via an online portal would eliminate the need for employees to talk to other humans (other internal departments, or vendor contacts). Through processes of an ERP system, invoice status updates could be automated throughout the lifecycle of an invoice. I would guess your former employer has probably implemented some form of automation into the process by now. Then again, there are still people who resist change and automation… 🙂
Heiang Cheung says
Yeah, we had invoice tracking and an online view of all the invoices and stuff; it was just making people do their job effectively. We also had EDI, which is supposed to be automated, but there are still some issues that have to be worked out.
Heiang Cheung says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
I believe SOX was a sufficient reaction to the failures of ENRON. It’s definitely not an overreaction because we could see what happened in 2007 and all the financial companies going under because they were over leveraged. I believe that companies need regulation to keep things under control. This is why I think the rollback of some of the Dodd-Frank regulations is a bad idea, because companies will go back to doing the same things as before. Most financial companies are profit driven and as long as they’re pushing profit it’s good for the company.
Heiang Cheung says
3. In your own words, how would you define a control environment?
I would define a control environment as a company culture from the top down that has a set of standards, processes and structure that emphasize the importance of internal control.
Tamekia P. says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
Accounting and Financial Reporting: I have participated in the Financial Controls audit of the Accounting and Financial Reporting process. This process relies extensively on the completeness and accuracy of the data flowing into the general ledger and management’s review of the output. Responsible for assessing the design and operating effectiveness of the internal controls.
Nathan A. Van Cleave says
Tamekia,
I think you hit on a critical point around Integrity (completeness and accuracy of data) and quality checks (management’s review of outputs). In assessing the design and operating effectiveness, did you find common areas of concerns or issues?
Tamekia P. says
Typical areas of concern: Who is responsible for reviewing this data? Are they qualified to make this assessment? What compensating controls exist to alert user to an anomaly in the data? Does the control operate at a precise enough threshold to identify errors?
Tamekia P. says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
These laws are a sufficient reaction to the failures as they provide a framework for management to follow. The laws help mitigate the risks that were presented in the previous failures. In addition, these laws help bolster public/investor confidence regarding the ‘correctness’ of the financial information presented.
Pascal Allison says
Tamekia, like the clarity – simple and straight. There was a failure, and this is how we control the occurrence or re-occurrence – SOX. This is good for the companies, investors, and it helps regulatory body all the hassle with recovery of flaw.
Tamekia P. says
3. In your own words, how would you define a control environment?
A control environment is defined as the processes/procedures that have been put in place to mitigate identified risks. This environment is based on the inherent risk presented in the respective processes and the procedures necessary to mitigate these risks to an acceptable level.
James T. Foggie says
Tamekia,
Very good all-encompassing statement describing a control environment. Your post makes me reflect on my company’s Change Control process. The ultimate goal of our IT change control process is to ensure:
1. System availability for all mission & business critical applications
2. Data integrity
3. Confidentiality of all sensitive data
Through our very rigid change process, change requests are scrutinized daily via standard process that requires record reviews at the various management levels (from 1st line management up through sr vice presidents of business units). This review process ultimately mitigates risks, or obtains sr. VP signoff on any risk acceptance associated with any given change request.
Tamekia P. says
James, does this process take into consideration whether or not the person has enough knowledge of downstream impacts to approve the change?
Tamekia P. says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
A profitability control would be to create an analytic that ensures that products are priced at a combination of the maximum price the consumer is willing to pay and creates no drop in consumers. A compliance-driven control would be an analytic to review that all product sales have been appropriately recorded in the general ledger regardless of appropriate pricing.
Heiang Cheung says
This is actually a really good example because this made me think of airlines or hotels where they raise prices when times are the busiest and lower it when it is slow.
Tamekia P. says
Heiang,
Yes, good point. I wonder now if the airline has an analytic that would identify how many seats went unfilled and if they should have lowered them, and if the flight was oversold then the prices should have been increased further.
Xiaozhou Yu says
Answering question 1
I have worked at an energy company as a summer intern. I was involved in a marketing campaign for north-east existing and potential new customers. This is a key marketing expansion process that is operated by the marketing department and data analysts. I was responsible for collecting and managing existing customer and potential customer information including name and title, email, tel and address, and verifying if this information is still valid and correct and updating it if not. For existing customers, I also verified previous order history to analyze whether they are likely to keep the business with us.
James T. Foggie says
Xiaozhou,
Seems like a very interesting task for an intern. Were there any checks-and-balances (controls) in place to eliminate human error when handling customer (and potential customer) data? Also, were there any controls in place that you can remember that were implemented to protect customer data? Just curious.
Xiaozhou Yu says
Definitely, there was another team of people working specifically on the data security side, as much of the customers’ information is not exposed over the whole network and should remain confidential. We should get permission from them first to collect their information and have a contract of confidentiality, and the data security team helps store the data in a secure method. Thanks for pointing that out, great perspective!
Xiaozhou Yu says
Answering question 2
The application of the Sarbanes-Oxley Act reflects both success and weakness.
It helps with accounting scandals, which cost billions of dollars to recover from, and provides assurance for the financial statements. Furthermore, with years of application, SOX forces companies to be disciplined and reduces the mistakes higher level management would make, so that investors’ confidence is maintained and the business is able to keep growing. It also faces challenges when technology is involved. Cyber security was not a part of SOX standards when it was first enacted but has become a major concern.
There are also criticisms of SOX in terms of overreacting. It is true that SOX set tough corporate governance legislation, hard for large companies to follow perfectly and manage efficiently. And it costs a lot for requirements and implementation. This becomes a concern for smaller companies.
Source:
Voices Sarbanes-Oxley: 15 years of successes and challenges
https://www.accountingtoday.com/opinion/sarbanes-oxley-marks-15-years-of-successes-and-challenges
Is the Sarbanes-Oxley Act Working?
https://insurancenewsnet.com/oarticle/Is-the-Sarbanes-Oxley-Act-Working-a-516096
The Costs And Benefits Of Sarbanes-Oxley
https://www.forbes.com/sites/hbsworkingknowledge/2014/03/10/the-costs-and-benefits-of-sarbanes-oxley/#74ad83b6478c
Scott Radaszkiewicz says
Xiaozhou,
Great links to articles. I like the 15 years of successes and challenges, where they talk about the impact Sarbanes-Oxley has had on investor confidence. When you look at regulations, I think that is one of the biggest indicators, especially on this one. Does the law have a big enough impact to help with the confidence of the people? I think Sarbanes-Oxley has accomplished that.
Xiaozhou Yu says
Answering question 3
A control environment is the standards and processes that help with the business operation. It includes regulations for conduct and also comprises ethics. It keeps the proper operation and protects the business from potential risks.
Control of the business applies both internally and externally, all the data collected from employees and outside business cooperation can help maintain and develop the control environment.
Xiaozhou Yu says
Answering question 4
Profitability-driven controls focus on cost-saving and profit-increasing. They collect data related to sales and pricing as well as management costs.
For example, a supermarket wants to figure out bestselling products as well as worst selling products. They collect order information and define the cost for inventory management. Such controls help with reasonable pricing, profit and cost management.
Compliance-driven controls focus more on business process as well as business ethics: whether the business operates obeying the laws and regulations, and whether employees work following proper business ethics. They also ensure business process efficiency.
Go back to the supermarket example, if employees work properly with assigned hours, if business process such as order info collection, inventory maintenance are operated efficiently for regular working cycle.
Rouying Tang says
Hello Yu,
Nice example, thank you for sharing. The supermarket example is pretty vivid and practicable. I agree with the parts about the function of compliance-driven controls also focusing on business process as well.
Mengqiao Liu says
Hi Xiaozhou,
As you mentioned inventory management, there are several advantages but also some disadvantages when using ERP inventory management software in a business, which I found on the Internet.
Advantages:
-Cost savings
-Increased efficiency
-Updated real-time data
-Data security
-Insight into trends (as well as you mentioned in your post)
Disadvantages:
-Expense
-Complexity
James T. Foggie says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
Answer:
During my years of employment in data center operations, one of the key business processes I have experience in is Service Delivery. IT service delivery is the manner in which a corporation provides users access to IT services. IT service delivery covers design, development, deployment, operation and retirement. Quality of IT service delivery is gauged by metrics included in a service level agreement (SLA). [1]
A few of my role(s) in the service delivery business process have been:
– Data center command center mainframe operator
– Database Online Support (DB2 and IMS)
– Disaster Recovery & Business Resiliency Support
– Application Scheduling Support
In essence, many of the jobs I have performed in the data centers within my company have been centered within the IT Service Management (ITSM) life cycle. My role within the various teams has always been to ensure system availability and eliminate outages and missed SLAs.
[1]
TechTarget ITOperations website (https://searchitoperations.techtarget.com/definition/IT-service-delivery-information-technology-service-delivery) – August 2018
James T. Foggie says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
Answer:
So, I can speak to the effectiveness of SOX control procedures because these are the regulations I have experience with. The Sarbanes-Oxley Act of 2002 is a US federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. [1]
One of the reasons I believe SOX audits and controls are effective is because these regulations mandate participation from all departments, direct FTEs, managers and executive staff members. One of the key requirements of the SOX process is attestation from the executives of departments being audited. The requirement of attestation ensures there are several members of the management team who have a vested interest in the accuracy of audit reporting and evidence. This controlled environment promotes active participation in all phases of the audit process (internally & externally); which in turn helps lead to the ultimate goal of eliminating financial fraud within companies.
[1]
Wikipedia website (https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act)
Xiaozhou Yu says
I agree that SOX offers effective regulations to all business departments, and the requirements for audits ensure the well-control of the business environment. I actually point out some problems I’m curious about in my answer. Since SOX offers all kinds of regulations for business control, will some of those be too tough to follow? Or maybe some of those might not be that necessary, as it was enacted first in 2002. What if the cost of application and maintenance becomes too high for small business, or too complicated for large business when there are too many employees and departments involved?
Scott Radaszkiewicz says
James, I think you’re right. The effectiveness of Sarbanes-Oxley really does come from the fact that all levels are held accountable, and the attestation from executives and managers is crucial. No longer can anyone claim they were unaware of what was going on, and the secrets are no longer secret. People at all levels know what is happening, and hiding information is nearly impossible.
James T. Foggie says
3. In your own words, how would you define a control environment?
Answer:
My explanation of a control environment is one in which procedures are in place to (1) provide standard steps for tasks and processes; (2) reduce the possibilities of vulnerabilities and risks; (3) ensure information availability, confidentiality and integrity.
As previously mentioned in my response to question 1, my career in IT afforded me opportunities to work on teams whose primary role was to ensure service delivery. Often, each of the aforementioned teams relied upon control environments. Application release management; Disaster Recovery & Business Resiliency support; and Command Center Operations all rely upon control procedures to ensure availability, confidentiality and integrity of information assets.
Robert Conard says
Hi James,
Great answer, I think you cover the bases of having controls in a business. I think first and foremost, controls are in place to reduce risk which you mention in your second point. Your first point ensures this with an inception of a process by which a department or individual should conduct their work. And your third point brings it home by pointing out that these controls shouldn’t limit the efficiency of the company. It is possible to have too many controls where, for example, employees needing the information are unable to get it because they are lacking in authorization. A perfectly controlled company gives 100% correct allowances to its employees who use them appropriately.
James T. Foggie says
4. Describe a real life example of a company’s profitability-driven controls.
Answer:
Key Performance Indicators (KPIs) are measurable values that demonstrate how effectively a company is achieving key business objectives. A few examples of KPIs used by executives to analyze the performance/profitability of their respective companies are:
– Return On Investment (ROI)
– Quarterly Metrics – to be compared within current fiscal year; and compared to historical metrics
– Lead to Win Conversion by Month – tracks performance relating to leads
What are the differences between a compliance-driven vs. a profitability driven control?
Answer:
While compliance-driven controls are typically mandated by a regulation or some governing body within an industry, profitability-driven controls are implemented due to motivation relating to business objectives and strategic goals. Executive performance agreements are often tied to metrics spawned from profitability-driven controls.
Rouying Tang says
Hello Foggie,
Thank you for sharing. KPI and ROI are indeed great controls for measuring the profitability of companies. I really agree with your statements explaining the targets of profitability-driven controls as an assurance of executive performance.
Nauman Shah says
Describe a business process you have experienced (either as an external or internal participant) and what your role was.
The business process I got to experience lately as an external participant was the Network on-boarding and off-boarding process. I worked on Identity and Access Management audit, which encompassed the HR onboarding process for both internal resources and contractors. My job as an auditor was to evaluate the HR paperwork required to onboard a resource in the HR system, the identity creation process in the Identity access management system and the subsequent Network ID creation. Basically, when a resource is on-boarded, a record for them is created in the HR system, that information flows to the IMS system via an automated batch job. To get access to the Network and the downstream applications via Active Directory, appropriate approvals have to be provided before an ID can be created for that resource.
Nauman Shah says
Response to Question 2:
The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
SOX was a reaction to the fraudulent activity that happened at Enron and other companies. The purpose of the Sarbanes-Oxley regulation is to provide assurance that the company’s financial statements are complete and accurate. Credit providers and stockholders are not in a position to independently evaluate the validity of a company’s financial statements, therefore SOX audits are necessary to evaluate the internal controls over financial reporting. SOX laws and the resulting audits are necessary to ensure that a company is operating in a controlled environment, so I believe that these laws are an appropriate response to some of the control failures that occurred in the past. Too many audits and a poorly planned SOX audit can definitely be an impediment to the business, but if planned well, it ultimately helps the business by creating value in the sense that investors would be more confident to invest in that company.
Pascal Allison says
I like this line Nauman, “Too many audits and a poorly planned SOX audit can definitely be an impediment to the business, but if planned well, it ultimately helps the business by creating value in the sense that investors would be more confident to invest in that company.”
The laws or rules are there, create a vibrant control environment and increase the company value to retain and attract investors. If I understand your position correctly, SOX is sufficient.
Heiang Cheung says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
A real life example of a company’s profitability-driven control would be a gas station raising the price of gas according to the cost of a barrel of oil, and a compliance-driven control would be that they could only change their gas prices once a day because there’s a law saying they can’t raise prices more than once a day.
Nauman Shah says
Control environment is one of the 5 components of the COSO internal control framework. Control environment provides the basis for the performance of internal controls in an organization, because control environment represents the tone at the top of an organization.
Pascal Allison says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
I served as a relationship manager for more than five (5) years with a commercial bank and was involved with an important business process – the onboarding process of customers. The goal of the team was to have the customers sign up for new product(s) and to ensure the customer’s first success with the product.
We were expected to provide excellent customer service during the onboarding process, which ranged from setting expectations, explaining things to the customers, gathering information as required, understanding customer needs and providing necessary information, etc.
The process flow was:
• Initiate communication – contacted customers (written or oral);
• Set up – processed customer information (in person or via phone);
• Follow up – gathered feedback and made changes based on feedback;
• Retention – presented other products/services, measured success, and made appropriate changes.
I was involved more with the retention side of the process, where we ensured all of the promises were kept and additional products/services were acquired by customers.
Pascal Allison says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
The Sarbanes-Oxley Act in the US was enacted to protect shareholders and potential shareholders from fraudulent representation of financial statements.
In my opinion, the Act is sufficient, but there is a spot that needs some consideration. The periodic reporting or disclosure requirement is too serious, especially for small companies. Ensuring that internal control procedures are sufficient and efficient comes with a cost and requires resources. I think the requirement for internal/external auditing, reporting, and presentation should be as per the size or the financials of the corporation.
Xiaozhou Yu says
I agree that procedures are sufficient, but the cost and requirements may be a burden. I like the idea of applying the regulation per different business size; it definitely saves on time and cost and is easy to implement and maintain. Not only small businesses; large businesses may also have difficulty, since a huge number of processes and employees are involved in the auditing process.
Pascal Allison says
I totally agree that the leverage should be across the board for big and small companies, taking into account the costs and resources involved in the process. As a matter of fact, it takes a lot more for bigger companies to satisfy these requirements than smaller companies. Yet, I think because of the risk with bigger companies and their financials compared to smaller companies, small companies should have some leverage.
The companies will look at things from the profitability-driven control stand point while regulatory agencies see things from the compliance stand point.
I think the risk pushes the regulation.
Pascal Allison says
3. In your own words, how would you define a control environment?
Organizations have aims and goals, financial reporting must be dependable and true, business processes need to be well-organized and current, and assets always need to be guided. This is achieved through a vibrant internal control system.
The internal control system that makes all the above a success must be developed and implemented on some definite strategies, procedures, tactics, structure, etc. These strategies, procedures, tactics, structure, etc. make up the control environment, which makes internal control achievable.
Mengqiao Liu says
Hi Allison,
You have a good explanation of control environment. Yes, a control environment is the standards, the processes, and the structures which afford a basis for the internal control of the organization. The board of directors and senior management are fundamental to internal control. Management strengthens the expectation of each department in the organization.
Pascal Allison says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
One real example of a company’s profitability-driven control is the payment of sales tax in the state of Ohio. When the sales tax is reported on time, taxpayers (organizations) get a 0.75% discount on the amount due; if not, the full amount must be paid. Some taxpayers willfully file incorrectly to take advantage of the discount (when all the figures are not available), then file an amended return to correct the incorrect return. Willfully filing incorrect tax to take advantage of the discount is a noncompliance issue. This potentially increases profitability but exposes the organization to fines and penalties.
The difference between compliance-driven and profitability-driven control is that compliance focuses on law and regulation while profitability-driven control looks more at decreasing expenses or increasing profit. For example, profitability-driven controls do not consider losses from noncompliance issues. As long as the balance sheet is in high positive, that control is realized, while compliance-driven control wants law and regulation to be followed as required at all times.
Robert Conard says
Hi Pascal,
Great example. As a person working in tax for awhile, I am aware of a few of the many things tax professionals have at their disposal to take advantage of when fulfilling the tax return. I’m still not quite sure where the advantage is, unless they are able to add in sales happening after the end of the taxation period, and they are able to include them for the amended return. Regardless I see the manipulation of business processes to maximize profitability.
In estate planning, there are many tax loopholes an individual can take. For persons needing Medicaid from the State of New York, an individual may put their assets into a trust controlled by their spouse. This takes the money out of the debilitated person’s name and makes them eligible for subsidized care. Companies may do the same with trusts to avoid reporting certain sums of money on their taxable assets.
Pascal Allison says
For example, if the sale is 1 million, the discount for filing the return on time is $7500.
Taxpayers will make up figures when they do not have the actual amount and file the return to claim the discount. Later they file an amended return to report the actual sales amount. When the amended return is done, if the sale increases, the discount increases; if the sale decreases, the discount decreases. Either way, they claim the discount because the return is considered on time.
They just miss out on the discount for not filing on time.
Because it is intentional, that is noncompliance, but it saves money for the taxpayer.
Folake Stella Alabede says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
An example that comes to mind is one I came across while doing some study on the Sarbanes Oxley Act.
In April 2017, a Los Angeles County jury awarded $22.4 million in punitive damages (that was later reduced to $2.27 million) along with $2.7 million in lost past and future wages to Steven Babyak in a whistleblower retaliation and wrongful termination case against Cardiovascular Systems, Inc (CSI).
Babyak, a former sales manager for Cardiovascular Systems, Inc. (CSI), argued that he was retaliated against, culminating in termination, after making complaints about a hostile work environment and violations of the Anti-Kickback Act and securities laws under the Sarbanes-Oxley Act.
Babyak, the whistleblower, brought his concerns to his supervisors after the company implemented an illegal kick-back policy of referring patients to doctors only if the doctors purchased Cardiovascular Systems’ products (profitability-driven control). CSI performed an internal investigation but dismissed the case despite other employees’ corroboration of Babyak’s claims. In retaliation, Babyak’s supervisor transferred the whistleblower to a less desirable region and unfairly raised his sales quota.
During Babyak’s time as manager of the new region, he witnessed a “sale” of a large number of products on the last day of the quarter in order to meet their sales quota. However, the sale was made under a prearranged agreement that the purchaser would return all of the products the next day (another profitability-driven control). CSI is a publicly traded company that must report to their shareholders, so this false sales information was correctly identified by the whistleblower as a violation of the statutes and laws enumerated under the Sarbanes-Oxley Act’s anti-retaliation provision.
The Anti-Kickback Act prohibits the exchange of anything of value in an effort to reward referrals of business (compliance-driven control). This criminal violation is punishable on the first offense by a $25,000 fine or up to 5 years in prison.
The Sarbanes-Oxley Act prohibits a publicly traded company, or any contractor or agent of such company, from retaliation against an employee who blows the whistle on what she reasonably believes to be a violation of statutes prohibiting mail fraud, wire fraud, bank fraud, securities fraud, any rule or regulation of the Securities and Exchange Commission (SEC), or any provision of Federal law relating to fraud against shareholders. Successful whistleblowers are entitled to recover their attorneys’ fees and costs under SOX (another compliance-driven control).
https://www.omtrial.com/blog/jury-awards-whistleblower-over-25-million-in-sarbanes-oxley-retaliation-case
Akiyah Baugh says
This was a great example of a company’s profitability controls. Your post was very informative and provided great detail as to why laws like the Sarbanes-Oxley Act should be signed into law and enforced. The companies/people responsible for these offenses should be fined and receive jail time as a result of their actions. Whistleblowers should be protected from retaliation at all costs.
Rouying Tang says
1. I have a cousin working in Japan as warehouse manager of a small business focusing on international trading. They still used the paper booking, so she asked me to help her do something electronically for tracking the goods and products. So, I created a database via access for her. That was not something fascinating or complicated, but I think it does fit this question. Through that experience I knew something about warehouse management.
First, we need to define each storage location, name and number them. Check the goods name, number and other attributes like the shape, quantity and operator name, etc. in all locations.
Second, I settled transactions for filling in the data for goods coming in or out of the storage locations; the attribute inputs like operator name, time, quantity, price etc. are available.
Third, I settled inquiries for searching the current goods in each location, goods counts, and operators, and created an automatically updating monthly report counting the goods and the balances for the changes in each location.
The business process of warehouse management is basically about tracking the counts and changes of goods in different storage locations and who makes those changes and when, then reporting the summaries on a regular basis.
Rouying Tang says
2. I think those laws are neither sufficient nor overreacting. I think updating laws and regulations is always necessary to react to the rapid changes of new environments and new vulnerabilities.
Rouying Tang says
3. Control environment refers to all business standards, processes, framework, values and culture for creating an environment that meets the internal controls. It targets maximizing the profits of stakeholders under the minimum risks and regulatory requirements.
Rouying Tang says
4. An example of compliance-driven controls is like the applications of DLP tools for meeting the requirement of EDPR. The company may increase costs, but they need the related investment to maintain the business toward European consumers and their market shares in Europe. Those controls are designed for fulfilling the regulatory or ethnic requirements.
Mengqiao Liu says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
The business process I have experienced was the summer internship I worked in a head-hunting company. I was the human resources intern who assisted the full-time employees in posting jobs. After receiving resumes through the website, I screened and evaluated the resumes, and passed the valuable resumes to my supervisor. I called the candidates to set up a phone interview with my supervisor. If the candidates passed the phone interview, I would schedule a face-to-face interview for the candidates. When a candidate came into the office, I arranged for the candidate to fill in an information form and told him/her to wait for the interviewer. I also collected the forms of the candidates for further movement.
Mengqiao Liu says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
I believe the SOX was a sufficient reaction to the failures. The incident happened in Enron because there was no sufficient and compliance law or policy to limit the financial crime. Meanwhile, there was no policy for management to provide the effectiveness and efficiency of operations.
Mengqiao Liu says
3. In your own words, how would you define a control environment?
Control environment is the system for the corporation to ensure all the processes in the organization are smooth and free from error. There would be various control environments in the organization to oversee the different operation. For example, account receivable, account payable, and cash receipt.
Mengqiao Liu says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
My friend went to Sephora and asked for a product for anti-acne treatment, but the staff recommended a pricey serum which was launched by a recently established brand. I don’t know how the commission is calculated by Sephora employment policy, but the staff is used to introducing the new products to customers. I think this brand needs to achieve a target sale, so that requires the staff to introduce the product to customers continuously. A profitability-driven control puts profit as the first demand; on the other hand, a compliance-driven control focuses more on ethics and the regulations.
Derrick A. Gyamfi says
Mengqiao,
Thanks for sharing! I think this was a prime example of how an organization’s culture and control environment impacts the everyday actions of its employees and translates to their interactions with customers. Similar to the fictitious accounts scandal regarding Wells Fargo a while ago, despite the strategic objectives, mission, and vision of a company, policies that enact a profitability-driven culture in some ways are toxic to organizations.
Akiyah Baugh says
Business Process Example:
An example of a business process in which I am an external participant is a billing process. Billing processes across different companies vary but also are similar. There are billing cycles that vary in length, multiple forms of bill deliveries (paper or electronic), etc. One type of billing process is to request payment to satisfy a debt such as a bank loan or a credit card bill. The billing process is repeated on a schedule where invoices are generated and sent to the customer, the customer receives the invoice and remits payment according to the due date (in most cases), and these steps are repeated. My role in the billing business process is as the customer satisfying a debt.
Rouying Tang says
Hello Baugh,
Thank you for sharing regarding the billing process, which is indeed a common process among a variety of industries, sharing similar procedures.
Scott Radaszkiewicz says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
One business process I was recently involved in was setting up an onboarding process for payroll. At our organization, when a person started their employment, an email was sent to various departments: IT for email creation, Operations for ID badge creation, etc. This process was not efficient, as there were gaps in needed items for an employee to start their job. We created a process that helped to streamline the onboarding of a new employee. An electronic form was created, and this was completed by HR once the employee was officially onboard. This form was routed to all necessary departments and logins were created, badges produced, names added to phone directories, etc. Once it was all complete, the form routed back to HR and HR informed the new employee of all necessary information, gave ID badges out, parking passes, etc. Now an employee has one point of contact for all needed items, where in the past they had to work with a few different departments to get things. This is also a great auditing system to help ensure everything is done accordingly.
Robert Conard says
1. An example of my participation as an internal piece of a business process was during case fulfillment at an estate planning firm. While preparing the documents that our clients were essentially purchasing, we needed information about the assets we would be transferring into the name of their trust. To gather that information we had meetings where we could receive copies of deeds, IRAs, and bank info. Thereafter having the client sign the document, my additional duty was to fulfill the transfer of assets from one name to another.
Scott Radaszkiewicz says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
Enron, possibly one of the largest and most widely known scandals. This scandal, and many others, have led to regulations to help ensure that organizations can’t easily misconduct business. The keyword in the last sentence is help. While many lessons were learned from scandals like Enron, Sarbanes-Oxley was written to help avoid such scandals in the future. On the whole, they are helping. Sarbanes-Oxley has helped to ensure that auditing techniques have been strengthened. It has also helped to ensure that accounting firms are doing a better job of keeping to financial standards, and avoid large scale misconduct by organizations to hide information.
Scott Radaszkiewicz says
3. In your own words, how would you define a control environment?
A control environment is the culture set within a business on how that organization operates. This culture, or tone, is set by management. In essence, it is how they act and react to issues. It is the policies and procedures that are put into place to ensure smooth and consistent operation of the business.
Scott Radaszkiewicz says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
I recently had a very long conversation with a good friend. He manages an auto repair shop and was recently brought in to manage the shop. The shop was in need of some controls, because jobs were taking too long to complete, and time was being wasted. One of the first controls he put into place was putting a time limit on a job. For instance, a brake change would be listed as 1 hour of work. If any technician went over 1 hour to repair/replace a set of brakes, they had to explain to management the reason for the increased time. This created accountability for each technician on jobs, and allowed management to schedule technicians more efficiently.
The difference between a compliance-driven control and a profitability-driven control is that compliance-driven controls are put in place for regulatory reasons. They are controls that ensure the organization is running things according to all local and federal laws to ensure they are not penalized. A profitability-driven control is not regulatory, but a control set by the business to ensure they are maximizing profits. In a way, regulatory controls help with profits. If you don’t comply with regulations, and have to pay fines, then that negatively impacts profits.
Robert Conard says
2. These laws are a reasonable, substantive action to curb the financial misconduct committed by companies like Enron, who were the cause that led to the inception of Sarbanes-Oxley (SOX). The new law sought to protect the shareholders of companies from fraudulent reporting tactics. In collaboration with the Securities Exchange commission (SEC), the law puts forward guidelines that the SEC enforces companies to abide by, improving the transparency of the company so that shareholders are given an accurate depiction of the business’ stature. For perspective, Enron misreported earnings leading shareholders to misunderstand the company’s strength. The company auditing Enron also failed to disclose said fraud. SOX created more stringent guidelines, enforced by the SEC, which also constituted new punishments for people committing the same crime described.
Robert Conard says
3. A control environment is an environment in which functions behave as they are supposed to, uninhibited. Controls are used to lower risk of things like: individual fraud cases, theft, and inconsistencies from internal and external parties. Controls keep the business operations working how they are supposed to, by the appropriate people performing them.
Robert Conard says
4. Profitability driven controls are guidelines and culture set out by a company to ensure quotas are met. Compliance controls are policies in place to ensure legal obligations are met. Companies struggle to find the common ground between the two where profitability driven controls can be maximized after having satisfied compliance controls.
In cases like Wells Fargo, compliance controls were abandoned to further the financial “integrity” of the company. Employees, directed by executives, were so focused on reaching profitability goals, they used current clients to create additional fake accounts. This is a clear departure from compliance regarding the safeguard of client accounts and is the reason for Wells Fargo’s massive reinvention.
Companies failing to meet compliance controls before focusing on profitability controls are risking punishment by the laws they are violating.
Tamekia P. says
Thanks Conard. This is a good example. Could Wells Fargo have implemented a control that covers both Compliance / Profitability?
Derrick A. Gyamfi says
With my experience in the public accounting industry as an information technology auditor in process assurance, I have had the opportunity to review business processes in different capacities. This includes processes related to accounting & finance, product development & technology, HR & management, as well as service delivery.
In relation to these processes, a few roles I have played include:
– Getting an understanding of the business process from the client through walkthrough meetings
– Gathering evidence from the client through inquiry, observation, inspection, and re-performance to support the business process as described by the client
– Assessing the operating effectiveness of the business process
Derrick A. Gyamfi says
I do not think the Sarbanes-Oxley Act in the US and many similar laws in other countries that were enacted as a result of high profile control failures were an overreaction. In many ways, I think these laws (SOX specifically) provided more benefits to organizations. Some of these benefits include:
– Risk Triage: Not all risks are created equal. SOX compliance benefits companies by giving them a starting point for asset analysis. Bringing in the risk means being able to more effectively manage your controls.
– Control Structure Strengthening: SOX compliance benefits around controls include better Control Awareness by Control owners. This means that how and why these controls are important and where they fit into the big picture is more transparent.
– Efficient Financial Reporting: The main goal of SOX was to provide transparency in financial reporting. In doing this, the regulation defined the process for determining reliable information.
Hence, aside from the high profile control failures of these laws, from an organizational standpoint, the benefits far outweigh the cost. Moreover, I will argue that the reaction to some of these laws was not “sufficient” enough.
Xiaozhou Yu says
I do agree that compared with profile control failures, the benefits of enacting SOX are overwhelming. No policy can be perfect, and the three aspects you mentioned in terms of distinct advantages gave me a clear view of SOX’s main benefits for business organizations. Especially the financial reporting: I was thinking the regulations might be too hard to follow so that there were failures over profile control, and you mentioned it might be because of the weakness of the laws; that’s an interesting point of view and is reasonable. It may not cover everything in the financial reporting process, so that human errors occur in certain areas.
Derrick A. Gyamfi says
I think a control environment is the overall baseline, tone, foundation, principles, culture, and system within that is built or established in an organization as it strives to
– achieve its strategic objectives and vision
– provide reliable financial reporting to internal and external stakeholders
– operate its business efficiently and effectively
– comply with all applicable laws and regulations
– safeguard its assets
Akiyah Baugh says
In your own words, how would you define a control environment?
I believe a control environment is safeguards that are put in place to protect a business legally and its profits. These safeguards consist of standards and policies that a company needs to follow across the organization. Failing to have a controlled environment can leave a company open to a loss of profit and regulatory complications.
Akiyah Baugh says
Describe a real-life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
An example of a company that has profitability controls in place could be a customer service department. A company wants to control the number of calls and the amount of time spent on each call by their representatives. The longer a representative is on the phone with a client, the more it costs the company, which in turn means the company is losing profit. Through data research, the company has targeted the length of time and number of calls that a representative should spend on calls daily if the company wants to remain profitable.
The difference between compliance and profitability driven controls is:
– Profitability controls are in place to increase revenue; compliance controls are in place to follow a set of laws/rules
Akiyah Baugh says
The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
The Sarbanes-Oxley Act of 2002 is a federal law that was established in order to enforce auditing and financial regulations for public companies after the Enron disaster. I think it was a sufficient reaction due to the mass failures to protect the public from the fraudulent and criminal activity of companies that recklessly handled their money and caused the public to suffer huge monetary losses.
Mahugnon B. Sohou says
Describe a business process you have experienced (either as an external or internal participant) and what your role was.
I used to intern as an IT auditor for a firm. I remember going through the hiring/onboarding process, being surprised that there were so many requirements, because it was my first time being in the workforce. My role in this process was of course new hire.
Most of the requirements were things that I needed to do or information I needed to provide: completing tax documents for tax purposes, signing that I read, understood and agreed to follow the firm’s policy on private or client information disclosure, as well as procedures to get me into their system and give me my own access to their system. I also provided my social security number as well as banking information for payment purposes. I also needed to provide proof of address so they know where to send all the tax return related documents.
Mahugnon B. Sohou says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
I think these laws are a sufficient reaction to the failures because this forces organizations to accurately provide assurance. The law was a result of a scandal around the 2000s involving multiple corporations, among which Enron was the biggest one. This law has strengthened assurance for businesses.
However, this law that governs all corporations now could also be seen as an overreaction because the Enron case was an isolated incident, as well as the other companies. There were only a few of them compared to the bigger picture, and that alone affected all other corporations’ way of doing business now. This has caused smaller companies from going public and missing out on some potentially good. SOX is also costly for those firms. With all the regulations to comply with, certain industries now, besides profit, also have to worry about compliance, and those two can be hard to do at the same time, therefore creating an additional burden for certain companies. The pharmaceutical industry is a good example of that.
Mahugnon B. Sohou says
3. In your own words, how would you define a control environment?
To me, a control environment, or “internal control environment,” is a set of standards, actions and awareness of management taken to secure their systems because it is important to the organization. They have different ways of ensuring and implementing those controls, through corporate culture, values, philosophy and their style of operation, the policies and procedures.
Mahugnon B. Sohou says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
An example of a company’s profitability-driven control would be, for example, management setting quotas or profitability goals to meet, requiring some branches to reach a certain target and having controls in place around it. A good example of that would be what happened at Wells Fargo, where employees were creating false accounts with people’s information without their consent, due to the pressure to meet those quotas.
A compliance driven control would be a bank, for example, where someone might need to give his consent before certain banking operations are performed, or certain authorizations have to be granted before certain transactions can go through.
Compliance driven controls are there more to take care of ethical issues, while profitability driven controls assure financial growth.