- Describe a business process you have experienced (either as an external or internal participant) and what your role was.
- The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
- In your own words, how would you define a control environment?
- Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability-driven control?
Andres Galarza says
I worked as a barista at Starbucks when I was younger. I’ll approach buying a cup of coffee as an “Order to Cash” business process.
A guest would place an order with the barista at the service terminal. That barista would input the order information into the cash register/terminal, which would generate a ticket and a price. The guest would pay either in cash or by card which also involved the terminal (process credit card information, open the cash drawer/till). A different barista would use the ticket generated by the terminal to make the drink and hand it off to the guest.
There are a few different business functions happening, if I’m identifying them correctly.
– Price quote and order
– Accounting
– Coffee “manufacturing”
If I think about it a little more deeply, I’m sure the terminal and each individual transaction was harnessed and tied into business processes like supply chain planning (order more bags of coffee, etc.) and financial reporting processes.
Andres Galarza says
In case it’s not clear, this is an answer to the first question, “Describe a business process you have experienced (either as an external or internal participant) and what your role was.”
Jing Jiang says
All the providing quote, ordering, accounting, and making coffee are the business process that you have experienced. All the activities are to produce profits for Starbucks, which may be one of the objectives of it.
Parneet Toor says
Andres,
Completely agree that there is a series of business functions involved to fulfill one business process. You have explained very nicely about ‘Order to Cash’, which is a good example of an Enterprise Resource Planning system. Adding my thought: many large enterprises like Walmart, Target, etc. have dozens of independent computer systems. Integrating those systems creates efficiency that can shorten the order to cash cycle by automatically sending data into the next level. Fully integrating order, fulfillment, billing, and payment processing systems eliminates the possibility of human error and, depending on the industry and the company, can cut days or weeks off of the order to cash process. Finance and accounting professionals may need to push IT departments on this, but doing so can considerably improve processing times and cut costs.
https://www.avidxchange.com/order-to-cash-process-flow/
Andres Galarza says
Parneet,
Thank you for your reply. I’m sure the terminals we used to place orders and manage payments were tied into an ERP system like those that you described.
Jing Jiang says
Good further examples provided. With IT department’s support, accounting and financial works can become more efficient and accurate.
Andres Galarza says
2. The Sarbanes-Oxley (SOX) Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
I don’t believe they are an overreaction at all. In fact, I don’t think they went far enough. Look at the role of financial institutions during the financial crisis in the late 2000s.
– Subprime and predatory lending
– Fraudulent underwriting
– Weakening existing regulations and laws
The following section particularly supports my argument.
“Regulators and accounting standard-setters allowed depository banks such as Citigroup to move significant amounts of assets and liabilities off-balance sheet into complex legal entities called structured investment vehicles, masking the weakness of the capital base of the firm or degree of leverage or risk taken. One news agency estimated that the top four US banks will have to return between $500 billion and $1 trillion to their balance sheets during 2009. This increased uncertainty during the crisis regarding the financial position of the major banks. Off-balance sheet entities were also used by Enron as part of the scandal that brought down that company in 2001.”
Sources for above:
https://en.wikipedia.org/wiki/Financial_crisis_of_2007–2008#Causes
https://en.wikipedia.org/wiki/Financial_crisis_of_2007–2008#Deregulation
Khawlah Abdulaziz Alswailem says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
The Sarbanes-Oxley Act (SOX) was initiated for the purpose of restoring public confidence in corporate financial statements. Specifically, it was intended to address issues of accounting fraud by attempting to improve both the accuracy and the reliability of corporate disclosures.
SOX required a segregation of duties and responsibilities for corporate personnel to spread decision-making ability to prevent the ease of collusion. In addition, to avoid a conflict of interest for outside auditing companies, SOX set limits and restrictions on the types of services and products an auditing business could offer to the company they are auditing.
In my opinion, the changes established by SOX were greatly needed and not an overreaction, but at the same time, I think it’s not a sufficient solution since corporate fraud still exists.
https://www.accountingweb.com/practice/practice-excellence/has-sox-been-successful
M. Sarush Faruqi says
Hi Khawlah,
Great explanation and points on Sarbanes Oxley. I’ll add that the act in general is sufficient when combined with other standards. Corporate fraud certainly still exists but it is a lot harder to “get away” with it for small or larger companies. External auditors are responsible for performing an independent assessment of the controls during audits so it puts public accounting firms on the hot seat as well when it comes to making sure companies are not committing any type of fraud and following standards. I do agree that SOX was necessary to enact or else scandals such as Enron and WorldCom would continue happening, affecting shareholders and industries in general.
Andres Galarza says
The most recent breach scandal involving Equifax is a chance to see if and how a large corporation will be held to account. It’s not so much the breach, but the fact that executives sold their stock holdings prior to notifying the public.
Andres Galarza says
Citation for above:
https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
Candace Nelson says
Hi Andres,
It is interesting to see that you noted that “minor” detail as well. It is appalling to learn that Equifax company executives “cashed in” before the public even knew that they had potentially become victims.
As an internal auditor and a certified fraud examiner – as well as a potential victim – I did some research into protecting myself from this breach. I will share what I learned in the hopes you may benefit from it:
– The Federal Trade Commission reported that – if you have a credit report – there’s a good chance you are one of 143 million American consumers whose sensitive personal information was exposed.
– Visit this site to determine if you are a potential victim: https://www.equifaxsecurity2017.com/potential-impact/
– CNET recommended calling Equifax (800-349-9960), Experian (888‑397‑3742) and TransUnion (888-909-8872) to freeze your credit, which makes it harder for criminals to open credit cards in your name.
– NJ does not charge a fee for placing a credit freeze and the cost for temporarily or permanently removing credit freezes is nominal (as much as $5, depending on the circumstances). If you live outside NJ you can call the numbers above to obtain information re: fees.
I called all three credit agencies and here is what happened:
Equifax – I was able to freeze my credit via phone by providing my SS# and the numeric portion of my home address. A PIN ** and a confirmation # were provided and I will receive written confirmation via mail.
Experian – I was able to freeze my credit via phone by providing my SS#, birth date and the numeric portion of my home address. They will send my PIN** and confirmation via mail.
TransUnion – I need to send a letter requesting a credit freeze to PO Box 2000 Chester, PA 19016. The letter must include my name, address, SS# and a CC# that they will keep on file, to be utilized when a temporary or permanent removal is requested. The freeze will be placed within 5 business days and a PIN** will be provided (I believe via mail).
** PIN numbers will be required by each agency to modify these requests, so they must be maintained securely.
Other recourse you may want to consider includes:
– Place a fraud alert on your credit files to warn creditors that you may be an identity theft victim.
– Closely monitor existing credit card and bank accounts for unfamiliar charges.
– File your income taxes early to avoid tax identity theft and respond to letters from the IRS immediately.
Sources:
https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
https://www.cnet.com/how-to/equifax-data-breach-find-out-if-you-were-one-of-143-million-hacked/
Edward Gudusky says
Andres, I’m happy you brought up Equifax! I was going to mention this if someone else hadn’t. I too am anxious to find out what kind of accountability will be given. If there was a solid control environment (which I would hope so with this business!) and the company followed the SOX Act (and others), then the exact point of failure should be identified.
Candace, that is some excellent information! Thanks. I also find it hard to believe that TransUnion does not have an instant type of locking procedure in place as the other two credit bureaus do. Sending a letter for something like this in the year 2017 seems ridiculous to me.
Candace Nelson says
Thank you Edward,
In a September 8th Forbes article titled “A Brief History of Equifax Security Fails” the author suggests a congressional inquiry may be forthcoming and quoted one congresswoman, as follows: “Given the important role credit scores play in the lives and financial futures of hardworking Americans, Congress must diligently examine the way our credit reporting agencies are operating and impose additional statutory and regulatory reforms to protect the integrity of the country’s credit reporting system.”
The article also reports that Equifax is utilizing old technologies (including out-of-date Java software and a Netscape web browser that was discontinued in 2008) that could be old and unpatched, and therefore more vulnerable to cyber attacks.
I have a feeling Equifax will become a case study down the road for students like us who are trying to defend our employers, clients and selves against cyber-crime!
https://www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history/#6e2ee276677c
Khawlah Abdulaziz Alswailem says
3. In your own words, how would you define a control environment?
From my understanding, control environment can refer to an overall attitude, awareness, and actions of directors and management. It includes the factors that have an influence in establishing a policy to minimize the potential risks of an organization. It also ensures the efficiency of implementing the internal control.
Parneet Toor says
My understanding is that a control environment is the set of activities, policies, processes, values, and management style that influence an organization’s culture and set the tone of a firm for employees to perform day to day activities. Once a control environment is set it provides the basis for carrying out internal control across the organization. It provides the mechanism of oversight by senior management and auditors. An effective control environment minimizes potential risks to the organization by taking timely actions to avoid risks.
Khawlah Abdulaziz Alswailem says
I agree, Parneet. An effective control environment is an environment where competent people understand their responsibilities, the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way.
Jing Jiang says
I agree, an effective control environment will be important for an organization to develop well and work toward its objectives more effectively.
M. Sarush Faruqi says
Khawlah and Parneet,
I agree with both of your definitions. In addition, I want to add that a control environment is the foundation of building an effective system of internal controls. If the tone from the top is not favorable to making sure the controls established are working, the staff will not care either. It is also important to establish a favorable control environment to promote accurate financial reporting and so the business can operate at an optimal level. Although internal controls may be costly to implement and maintain, companies must have them in place to follow regulations in their respective industries as well as safeguard their assets.
Khawlah Abdulaziz Alswailem says
4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability driven control?
A compliance-driven control is focused on legal and regulatory requirements, while profitability-driven controls are concerned with revenue and expenses, and are not mandated. Companies use profitability-driven controls to maximize revenue while minimizing risk.
An example of a profitability-driven control within an organization is price comparison prior to vendor selection. Many cost-conscious organizations, such as Walmart, will complete a thorough comparison of potential vendors before selecting one. There are no legal regulations that require an organization to choose the lowest-priced vendor for goods or services ordered, therefore this is not compliance-driven. However, selecting a lower-priced vendor will reduce costs and increase profitability, thus making it profitability-driven. On the other hand, if, for example, you use a control to address the risk of incorrect valuation or incorrect display of a specific financial statement item, then you are addressing the ICS objective of correctness.
To summarize: even if we can differentiate between the objectives of compliance and profitability controls, they are not mutually exclusive. Generally, organizations follow both objectives in parallel.
Reference
Auditing and GRC Automation in SAP (AGAS) by Chuprunov, Maxim
Kevin Berg says
I used to be a purchaser so I did vendor comparison quite frequently. Any time you can reduce the cost of a component or a box to package an item in, it results in 100% of the reduced cost into profit. For instance, I would submit three quotes to three different corrugated companies for a specific box. On top of that, I looked at usage then requested volume price breaks as well. So as long as I could house them without too much warehouse space, I would sometimes save the company thousands of dollars that all went to the bottom line.
Another one I did was usually paying the invoices for certain terms like N/10 2%. You could save money instantly if you paid the bill quickly as long as cash flow was adequate which it usually was.
Khawlah Abdulaziz Alswailem says
Appreciate your great examples Kevin. I totally agree with you about the quick payment point. In fact, organizations need to shorten their payment term since giving customers too much time to make payments causes a slow cash flow. For example, let’s say you give a customer 45 days to pay an invoice. The customer pays two weeks late. That means you waited two whole months after you completed work to get paid.
Andres Galarza says
Kevin,
I don’t have much experience with purchasing and vendor management.
I always wonder how companies take into consideration that the lowest bidder may have significant issues (quality, timeliness of delivery, poor customer service, etc.) Are there controls in place to guard against these concerns? How does one weigh lowest cost versus the headaches or snowballing costs that are associated with terrible vendors?
Thanks!
Jing Jiang says
Good example provided, Khawlah. I agree with you that choosing lowest-priced voucher is a profitable-driven but not a compliance-driven control. And I also agree that most organizations follow both objectives in parallel. I did not have much real life experience of a company’s profitability-driven controls, but I have read many related news. For example, some companies increase their profit by evading tax. The behavior is illegal. It is certainly not a compliance-driven control, but a profitable-driven.
Kevin Berg says
As an accounting clerk for a small company, we all wore many hats. One of the main control events that I had to work with was the cash control. It was my job to process check payments from our customers. There were 3 people in my department: me, the accountant and the controller. Being so small, it was an intimate department that the president recognized as a possible collusion risk with the cash. To minimize risk amongst us, the following checks were put in place.
I handled all of the processing of the checks and did the deposit slip for the day. I gave the checks and the slip to the controller and a copy of the deposit slip to the accountant. Once a month, an independent consultant comes in and goes over the financial transactions and signs off to our president to be sure everything is in order.
This one was put in after I took another position but is relevant and involves petty cash. The accountant controls the in and out of cash via receipts. At the end of the month the accounting clerk would take the money box so they could expense the receipts, count the money and request a check be cut and cashed to replenish what was spent.
-Kevin
Parneet Toor says
Kevin,
You have explained very well the system of checks and balances or segregation of duties. If you don’t give receipts to the controller/accountant, how would they reconcile their accounts to verify that you made the deposits in the company’s account? Is this concept known as accounts receivable?
Parneet Toor says
Adding one sentence… I believe this is a good example of a good control environment as well.
Lezlie Jiles says
Hi Parneet,
My organization’s process is a little different than Kevin’s. Our petty cash accounts are held by a custodian who reports/is attended over by a supervisor. The cash remains in the custodian’s possession at all times. During the replenishment process, the receipts are reviewed by an authorized signer who is someone other than the supervisor. Also, the authorized signer cannot also be the person picking up/replenishing the account. The funds are then replenished and returned to the cash box for further usage and reconciliation.
If at any time it is identified that the money was misused or the custodian/supervisor does not adhere to the usage policy, the account is closed immediately and reported to internal audit for review.
Lezlie Jiles says
I too have a great deal of experience dealing with petty cash and this is one of those business processes that could be exploited if not reconciled in a timely manner, and policies such as separation of duties have not been adhered to. We have many employees who oversee petty cash who are not accountants, nor do they have an interest in balancing a petty cash account. However, implementing processes such as quarterly audits, as well as separation of duties and surprise audits, allows this business function to stay in line with the organization’s control of cash policies.
“This one was put in after I took another position but is relevant and involves petty cash. The accountant controls the in and out of cash via receipts. At the end of the month, the accounting clerk would take the money box so they could expense the receipts, count the money and request a check be cut and cashed to replenish what was spent”
Parneet Toor says
The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
I agree that in response to numerous corporate failures arising from corporate mismanagement and fraud, Congress passed the Sarbanes-Oxley Act of 2002. Generally recognized as one of the most significant market reforms since the passage of the securities legislation of the 1930s, the act is intended to help protect investors and restore investor confidence by improving the accuracy, reliability, and transparency of corporate financial reporting and disclosures, and reinforce the importance of corporate ethical standards. Public and investor confidence in the fairness of financial reporting and corporate ethics is critical to the effective functioning of our capital markets.
In my opinion, the Sarbanes-Oxley Act (SOX) was a sufficient reaction to the failures to correct the financial reporting disclosures and make people accountable & responsible for releasing financial information which directly affects investors. Although SOX has been successful in increasing corporate focus on a strong ethical culture in publicly owned companies.
http://www.sarbanes-oxley-act.biz/
M. Sarush Faruqi says
Hi Parneet,
Great post. I agree with you on the notion that the ethical culture of a company as a whole will definitely change as a result of SOX. Although corporate fraud still occurs, companies are realizing that they have to instill ethics in their employees in order to avoid or reduce the risk of unethical activities. The tone must be set from the top. SOX requires CEOs to attest to the accuracy of the reported financial statements so they will want to make sure nothing illegal is being done by staff under them.
M. Sarush Faruqi says
The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
The Sarbanes Oxley Act was enacted in an effort to establish better corporate governance and accountability among publicly traded companies. The act acts as a standard of governance for the financial side of a business as well as the IT side, especially when it comes to storing records. The act requires publicly traded companies to establish internal controls that protect the accuracy of reporting of financial statements.
In my eyes, I don’t think this is an overreaction at all. It’s a sufficient way to protect investors from being deceived as to the overall financial health of the company. Accountability is very important when it comes to reporting and this act requires chief executive officers to attest to the accuracy of the financial reporting statements. In order to be in compliance with other regulatory standards, the establishment of internal controls is very important. The Sarbanes Oxley Act forces companies to establish such controls, especially when it comes to reporting and fraudulent activities. The act also increases the overall ethical standards of companies and sets the tone within the organization.
http://searchcio.techtarget.com/definition/Sarbanes-Oxley-Act
Matthew J. Dampf says
I definitely agree that Sarbanes-Oxley is appropriate and is not regulatory overreach. The market had proven in the time leading up to the passage of Sarbanes-Oxley that transparency and ethics could not be guaranteed by public companies and that this needed to be legislated. In addition, SOX provides an avenue for punishment where appropriate. The sections of SOX that force the organization to publish their internal control systems provide the transparency needed of public organizations.
Candace Nelson says
It is also my belief that the Sarbanes-Oxley regulation has successfully restored public confidence in financial reporting of publicly traded companies. In fact, a report published by E&Y titled “The Sarbanes-Oxley Act at 15” revealed that enhanced focus on financial reporting controls pursuant to the Act has likely resulted in a decrease in the number and severity of financial statement restatements, as follows:
– From 2005 through 2016, the number of restatements from accelerated filers decreased from a high of 459 to a low of 51; and
– In the same time frame, the largest negative restatements (US$ in millions) decreased from $5,193 to $1,085.
These facts speak for themselves, and they serve to support the opinion of myself and others.
http://www.ey.com/Publication/vwLUAssets/ey-the-sarbanes-oxley-act-at-15/$File/ey-the-sarbanes-oxley-act-at-15.pdf
M. Sarush Faruqi says
Describe a business process you have experienced (either as an external or internal participant) and what your role was.
The one business process I have been involved in was the hiring process at my company. HR representatives reached out to me after I applied for an open position on the company website. I had about 1/2 interview with them about my experience and interest in the job. My information was passed to the hiring manager who then decided if it was worth calling me based on my experience. I was lucky enough to receive a call from him and had a phone interview with him about specifications on what I will be doing and other relevant areas of experience. He then took the results from the interview to the team who decided if I should be called in for a face to face interview. I received a call a week later and had a 3 round interview with a peer, a lead, and the manager himself. A couple of days later, I received a call from the HR representative about an offer which I verbally accepted. As a part of the process, I had to sign my offer letter and do a background check which went to my company’s HR department. After I was cleared, they gave me a start date. When I came in on the start date, I had my laptop and work station configured so I could begin training immediately.
Andres Galarza says
Your last sentence raises another important issue, I think: employee on-boarding!
I recently started at a new organization and was encouraged by the intensive employee development they ran me through during the first few weeks. I participated in workshops meant to introduce new hires to the culture of the organization, I was assigned a mentor, etc.
I find it discouraging that some organizations make a significant investment when they hire employees, but then fail to really do anything to make the new hire transition a valuable experience.
Matthew J. Dampf says
Andres, it’s great to see that people value this, as it is something that I am involved in at my job. As part of the IT team, I’m involved in ordering and setting up equipment, creating accounts, and assigning those accounts to specific roles. Ideally, the less we’re seen the better we’re doing.
Edward Gudusky says
Andres, good eye. On-boarding is important for organizations. Not only does an efficient on-boarding process make the new employee feel important, but it makes the company seem more competent (at least I think this to be the case). Like Matt, I play a large role in on-boarding new employees in my College. I work here at Temple as an IT Assistant Director for one of the colleges. Prior to my arrival in my position, there was really no on-boarding standard for my college. Yes, there is a standard Temple process where new employees are assigned a general ID, HR/benefits are set up, etc. But each college or department has their own systems and processes. Because of this, there was a negative connotation towards IT and the college as a whole. My college is largely involved with Research, so some processes are unique. My role comes into play before the employee begins. It normally involves a conference call or webex meeting with a potential research candidate where we discuss their research and what IT resources they will require (equipment, type of storage, security measures, etc.). Once the decision is made to hire a candidate, we then put the process into motion to satisfy those IT needs discussed so that they are up and running on day one.
Candace Nelson says
Question #4: A profitability driven control is one that is focused on increased sales and profits and decreased expenditures. A compliance driven control is one that is designed to ensure adherence to laws, regulations, company policies, etc.
An example of a profitability-driven control that I have witnessed is a capital expenditure (Cap-Ex) policy that was adopted by a former employer. The Cap-Ex policy governed the acquisition or upgrade of physical assets, including buildings, computer equipment, etc., and required the requester to calculate a return on investment (ROI) % to assist management with deciding which projects to invest in. A committee – comprised of Executives from the Finance, Accounting, Legal, Real Estate and IT business functions – was responsible for reviewing all Cap-Ex requests, and they were authorized to approve requests up to a specified $ threshold and ROI %. CEO and CFO approvals were also required for Cap-Ex requests that exceeded these limits. Evidence that this control functioned effectively was when requests were denied if management determined the potential risks exceeded the anticipated benefits.
Matthew J. Dampf says
“Evidence that this control functioned effectively was when requests were denied if management determined the potential risks exceeded the anticipated benefits.”
Candace, the way I read your comment made it sound like you were there both before the policy was enacted and after – forgive me if I’m wrong with the assumption. Do you have any idea which percentage of requests were denied in the time shortly after this policy was enacted vs. a time further in the future? I’m curious if the mere existence of this new policy changed the quality of the requests as the policy became entrenched over time.
Candace Nelson says
That is a really good question Matt. I am no longer at that Company because they were a retailer, they were delisted by the SEC when their stock consistently traded below $1, the internal audit function was eliminated (it was no longer required once the company was delisted), and they eventually filed Chapter 11 Bankruptcy. However, I did test this control for a few, successive years.
In the midst of financial decline, spending was scrutinized very closely. One of the projects the Company was piloting in a small group of stores was omni-channel selling. Although the results were positive, and many believed the Company’s future depended on chain-wide implementation of this strategy, the Expenditures Committee did not approve the capital outlay required to expand the program due to the Company’s financial condition.
I did notice that – as money became tighter – the Committee would require additional information and support from those who were requesting capital funds, and that very few projects were approved. Note that these requests were in addition to an annual spending plan for mandatory capital expenditures that were required to keep the business afloat. So, I don’t think I can answer your question entirely, but from an audit perspective it was certainly easier to evaluate compliance by having a standard to measure actual performance against!
Matthew J. Dampf says
#3 – In your own words, how would you define a control environment?
A control environment is the atmosphere around a business in which leadership emphasizes a culture of appropriate controls surrounding all business processes. A control environment comes from the top and trickles down to managers and employees – stressing the importance of these control activities in everything from staffing to daily activities. A good control environment is ingrained into the employees, who act ethically with the best interests of the business in mind.
Edward Gudusky says
3. In your own words, how would you define a control environment?
I think of control environment as a set of rules and procedures that ensure control over the organization. It can sound simple but is very comprehensive. The rules and procedures involved in a control environment would normally begin with the highest division in the organization and would be carried out through the management line. Management must be committed to this control environment, and one way to ensure commitment is to hold all employees accountable.
Lezlie Jiles says
Hi Ed,
I absolutely agree with your comment about holding employees accountable. I believe this was not the case with Wells Fargo and the fake account opening and account stacking. I think this process was encouraged by C-level management. The reason I say that is because they didn’t discourage it either. This issue was created and cultivated by their quota policy. Nevertheless, this type of (un)controlled environment will prove to be very costly for Wells Fargo.
Binju Gaire says
Thank you for your input, Edward. I completely agree with you. Control environment is all about rules, setting procedures and following them. Management from all levels should be compliant with the rules/policies. Failure to do so can maximize the risk in an organization.
Lezlie Jiles says
1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
As an advocate external participant (customer) of Amazon, I will attempt to explain their order to cash business process.
Once I have selected my item and surrendered payment during the checkout process, my order is then forwarded to their cash receivable process, which then triggers the warehouse to review and prepare my order for shipping. Once complete, the order is then moved into the logistics systems and sent out for delivery. The products ordered are then delivered and my order is then recorded back to Amazon’s systems, turning their once liability (owned by the vendor) into an asset.
Edward Gudusky says
2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
I think these laws were very much needed and are not an overreaction. Enron, Tyco, and WorldCom were not the first businesses to commit fraud/malpractice, but were at a scale where many people were impacted by their scandals. I’m sure there have been many other scandals which occurred prior to these larger organizations, but they never reached the public at the magnitude of an Enron. Because of these larger scale scandals, the SOX Act was enacted. I personally have heard individuals that need to deal with the SOX Act daily refer to many of the sections as “busy work”. Mandating senior management to certify the accuracy of financial statements or defining which documents a company needs to retain and for how long seems to me like common sense types of things. I would much rather have a company pay someone to do “busy work” and ensure that my investment is secure than run the risk of losing everything, so I do not think the SOX Act is an overreaction.
Lezlie Jiles says
In your own words, how would you define a controlled environment?
A controlled environment is the organization’s management style, policies, standards, and engagement which drives the organization’s daily events. An example of this was identified in something I read last week about the CEO’s arrival to the organization every day.
Today, most organizations have some type of security mechanism to identify everyone that enters the building. Many employees believe that they enter and see the same guard every day, so why should they provide their ID each time? However, this particular CEO set a standard by showing their ID every time they entered the building. This type of adherence to the policies and organizational standards set the foundation for all other employees that everyone, no matter who you are, MUST adhere to the policy of identifying yourself to gain entrance to the building.
Binju Gaire says
1) Describe a business process you have experienced (either as an external or internal participant) and what your role was.
I have had the opportunity to work as a bookkeeper at a local State Farm Insurance company. Primarily, I tracked and updated cash flows for more than 10 business accounts. I used to record expenses and revenues and process bi-weekly payroll. The office employees and my supervisor used to report all the office-related expenses to me. I then recorded those expenses in the system (QuickBooks).
Binju Gaire says
2) The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
The Sarbanes-Oxley Act (SOX) was enacted as a result of high profile control failures. This and other similar laws are not an overreaction. They are much needed to protect any companies from committing any fraudulent activity. Without these laws, unethical practices will rule the market leading to control failures. Companies need these laws as a guideline to practice clean business and obtain adequate controls.
Binju Gaire says
3) In your own words, how would you define a control environment?
I would define a control environment as a scenario where all the employees involved in an organization are aware of the policies and are fully compliant with those policies. Further, duties should be adequately segregated in a control environment. However, if the duties cannot be segregated given the size of the organization, there should be an independent supervisory review of the work performed by the employees.
Candace Nelson says
In response to Question #4, when I think of the term control environment it brings to mind the “tone at the top” that is established by executive management in an organization. Company culture plays a big part in the control environment, e.g. whether the executives “walk the talk.” As an example, if a Company names safety as a strategic objective, but they don’t invest in safety training, they don’t measure safety incidents, and they encourage employees not to report workplace incidents, they are not practicing what they preach. In my experience, organizations with this type of culture – do as I say, not as I do – are more prone to improprieties.
Yijiang Li says
Question: In your own words, how would you define a control environment?
Within an organization, some specific factors can have a significant impact on a company’s business environment; therefore, the process by which a company deals with these factors is called the control environment. Policies and procedures related to a company’s daily operation and production can possibly affect an organization’s efficiency. Everything which a company carries out to strengthen or weaken relevant factors is involved in the control environment.
Jing Jiang says
3) In your own words, how would you define a control environment?
The control environment is a series of policies being set to assist internal controls, which includes reliable data being provided, human resources being properly allocated, standard work procedures, etc. So a good control environment will help the organization to achieve its objective more effectively.
Mengting Li says
I agree with you. The company’s control environment consists of seven elements. The first is the integrity and moral values of communication and execution, the second is the commitment capacity, the third is participation by those charged with governance, the fourth is the management philosophy and mode of operation, the fifth is the organizational structure, the sixth is the allocation of power and responsibility, and the seventh is the human resources policies and practices. Each element requires careful consideration by the company’s auditors, recognizing that certain elements may be more relevant than others – depending on the subject company.
Mengting Li says
The control environment is a set of standards, processes, and structures that provide a basis for the organization’s internal control. The importance of the board of directors and senior management to the importance of internal control, including the expected code of conduct which can provide a framework to manage the organization.