When management accountants think of internal control and governance frameworks, the first ones that probably come to mind are the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control—Integrated Framework (IC-IF) and Enterprise Risk Management—Integrated Framework (ERM) that emphasize the financial reporting side of a business. But the accounting profession is undergoing a major transformation as the presence and complexity of automated computer and enterprise resource planning (ERP) systems hardware and software to support accounting systems increase. With this trend comes increased risk that should raise the question of whether or not these business-focused frameworks are adequate to safeguard a company’s assets and business activities.
Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), Management Assessment of Internal Controls, requires all publicly traded companies on U.S. stock exchanges to certify in their Securities & Exchange Commission (SEC) annual reports (Form 10-K) that a company’s management has developed and implemented an effective system of internal control. The SEC’s final SOX rules identified COSO’s IC-IF as an internal control framework that meets this requirement. The focus of this framework addresses financial reporting, is a requirement of an integrated audit, and is designed to satisfy the objectives of providing reliable financial reports, promoting operational efficiency and effectiveness, and complying with laws and regulations.
COSO recognized the role of risk in organizations and developed the ERM framework by expanding the IC-IF to focus on the importance of controlling risk in value creation in an organization. In addition to the IC-IF objectives of operations, reporting, and compliance, a strategic objective was added to ensure that high-level organizational goals are aligned with and support an organization’s mission and vision. The risk assessment component present in the original IC-IF was enhanced by adding three more risk components—objective setting, event identification, and risk response—because inadequate risk assessment can jeopardize an organization’s ability to achieve its strategic objectives. Objective setting represents risk selection in the context of its strategic direction, event identification evaluates risks and opportunities, and risk response represents an organization’s selection or rejection of risks that conform with its risk appetite.
COBIT (Control Objectives for Information and Related Technology) is a framework developed by ISACA recognizing that information is a resource for organizations and is necessary for them to attain IT governance and management objectives. COBIT provides a toolset and methodology to link an organization’s control requirements, technical issues, and business objectives by focusing on IT governance, a subset of corporate governance. IT governance represents setting a direction for decision making by setting objectives, monitoring performance, and measuring compliance and progress against objectives. IT management focuses on operational functions including planning (Align, Plan, and Organize (APO)), building systems (Deliver, Service, and Support (DSS)), and running and monitoring (Monitor, Evaluate, and Assess (MEA)) an organization’s IT activities. The elements of COBIT center on an organization’s role processing and managing information, including its effectiveness, efficiency, confidentiality, integrity, availability, and information regulatory compliance.
Quality IT service delivery and reliability directly affect the success of accounting and finance functions. Poor IT service adversely affects organizational effectiveness and efficiency and can disrupt business processing productivity.
The Information Technology Infrastructure Library (ITIL) Guide is a framework for best practices for the IT service management life cycle. It addresses effective IT service management developed by the U.K. government and widely followed as a standard in Europe. ITIL 2011 is managed by Axelos, a joint venture between the U.K. government and the professional services firm Capita. Like COSO’s frameworks, ITIL’s intent is to provide guidance to organizations to adapt its components to their needs. The focus is on business stressing the integration of IT service components into business units. The framework’s components are service strategy, service design, service transition, service operation, and continual service improvement. Service strategy represents developing and improving IT services over the long term through value creation, demand management, strategy generation, service portfolio management, and IT financial management. Service design examines how to design service management processes to achieve service levels, service continuity, security, and vendor management and relations.
Service transition provides guidance for operationalizing the first two components: service strategy and design. Service operation addresses effective delivery of services and events and incident practices and management. Finally, continual service improvement represents three processes to support measurement, reporting, and continuous improvement in IT services: metrics to measure results, reporting, and improvement. According to Axelos, benefits of ITIL include “helping businesses manage risk, disruption and failure, delivering efficient services that meet their needs, establishing cost-effective practices, critical elements for running an efficient business.”
Both COBIT 5 and ITIL are aligned with achieving and supporting business objectives through IT frameworks. With the increasing reliance on IT systems to process financial information, organizations should consider supplementing financial control frameworks with IT frameworks such as these.
IT CONTROL AND GOVERNANCE
The transformation of the accounting profession, the increasing complexity of transactions, and the growth of technology-enabled processes and transaction automation heighten the role of management accountants in ensuring that their organizations’ internal control and governance systems are adequate. Think about Amazon’s transaction environment. Its business processing architecture is built in a cloud-based ecosystem that processes transactions where the “store,” billing systems, and wireless delivery are all done in the cloud in real-time transactions. This transaction environment is extremely complex and can’t fail. The success of this digital ecosystem relies on IT controls to achieve Amazon’s business objectives. The COSO frameworks alone probably aren’t adequate.
Management accountants need to adopt an integrated internal control and governance approach to ensure that their organizations’ business functions are aligned with technology frameworks, leverage the strengths of business control frameworks like COSO’s and IT control frameworks, and coordinate them with their business objectives. Ask the question: Are COSO’s control frameworks enough for your organization?