Corporate governance refers to the system of rules, practices, and processes by which a company is directed and controlled. It involves relationships among a company's management, board of directors, shareholders, and other stakeholders, and provides a framework for making decisions and setting strategic directions. There are several elements of corporate governance, upon which we have Risk management and Controls.
1. Establishing a Risk Management Framework:
The board ensures that the company has a robust risk management framework in place, which aligns with the organization's strategic objectives. This framework allows for the identification, assessment, and management of risks that could impact on the company's goals and decision-making processes.
Example: At a global manufacturing company, the board might oversee the implementation of a formal risk management framework, such as the Enterprise Risk Management (ERM) model. This framework identifies both operational and strategic risks, like supply chain disruptions, regulatory changes, and geopolitical risks. The board receives quarterly reports on these risks and how they might impact the company’s strategic goals, like expanding into new international markets.
2. Risk Identification and Assessment:
Before making strategic decisions, the board ensures that potential risks are thoroughly identified and assessed. This helps the company anticipate possible disruptions and develop strategies to mitigate them, integrating risk management into the planning process.
Example: Before launching a new product line, the board of a tech company might review a risk assessment report that identifies potential risks such as technology obsolescence, market competition, or production delays. The board may also consider financial risks, such as the potential for not meeting projected revenue targets. This risk assessment informs them of their decision to go ahead with the product launch or delay it until certain risks can be mitigated.
3. Integration of Risk in Strategic Discussions:
The board ensures that risk management is a consistent part of strategic discussions. This involves actively considering how different strategic initiatives could expose the company to risks and how to balance those risks with potential rewards.
4. Establishing Risk Appetite and Tolerance:
The board sets the company’s risk appetite and tolerance, providing clear boundaries within which management can make decisions. The risk appetite defines the level of risk the organization is willing to accept in pursuit of its objectives.
5. Regular Monitoring and Reporting of Risks
The board requires regular risk reports and updates from the risk management committee or senior executives. These reports track the status of key risks and their potential impact on the strategic plan, allowing the board to adapt and adjust strategies accordingly.
Companies monitor and evaluate the effectiveness of ICFR, including testing and remediation of control deficiencies through the following:
1. Establishing a Framework for ICFR:
A company first establishes an internal control framework, such as the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework, which outlines the key components of effective controls. The board and management then define the scope and objectives of these controls, ensuring they are designed to prevent or detect material misstatements in financial reporting.
Example: A global tech company may align its internal control processes with the COSO framework, including setting up control activities like approval workflows for financial transactions, segregation of duties, and independent reviews of financial statements.
2. Ongoing Monitoring and Testing of ICFR:
The company regularly monitors its ICFR through both continuous and periodic testing of controls. This involves:
· Ongoing monitoring of day-to-day activities by management.
· Periodic testing of controls, typically on an annual basis, to ensure they are functioning as intended.
Testing can be performed by internal auditors or external auditors, or even a combination of both, depending on the company’s size and complexity. These tests are designed to identify whether controls are operating effectively and if they can prevent or detect material misstatements.
3. Internal Audit Function:
An internal audit function is often responsible for assessing the effectiveness of ICFR. Internal auditors conduct regular reviews and audits of financial processes, systems, and controls. They test key controls, identify weaknesses or gaps in the controls, and report findings to senior management and the audit committee.
4. Role of External Auditors:
External auditors also play a significant role in evaluating ICFR effectiveness. They typically conduct an annual audit of the financial statements, including testing the design and operational effectiveness of ICFR. Their audit includes assessing whether the company's internal controls provide reasonable assurance that the financial statements are free from material misstatements.
5. Assessing Control Deficiencies:
When deficiencies are identified through monitoring and testing, the company evaluates the severity and impact of each deficiency. The deficiencies are typically classified into:
Material weaknesses: Deficiencies that result in a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. Significant deficiencies: Deficiencies that are less severe than material weaknesses but still merit attention and could lead to potential issues if not corrected. The company must evaluate whether these deficiencies could potentially result in a material misstatement or compromise the integrity of financial reporting.
Example: In an oil and gas company, a significant deficiency could be identified if the controls over the capitalization of exploration costs are weak, leading to the potential for improper financial reporting. If this control failure is identified, it would be categorized as a significant deficiency and would be remediated promptly.
6. Remediation of Control Deficiencies:
Once deficiencies are identified, companies develop and implement remediation plans to address these issues. The steps to remediation include: Root cause analysis: Understanding why the deficiency occurred, whether it’s due to human error, system issues, or insufficient controls.
Corrective actions: Taking steps to correct or enhance the control environment. This could involve adding new controls, improving existing processes, providing additional training to employees, or upgrading systems to automate certain tasks.
Monitoring progress: Ensuring that remediation efforts are implemented effectively and monitoring the impact of those changes over time. Management often works closely with the internal audit and control teams to ensure timely and appropriate remediation of deficiencies.
Example: A financial services company identifies a material weakness in its controls around reconciliations of certain general ledger accounts. The company addresses this deficiency by introducing automated reconciliation software and providing additional training for accounting staff. After implementing these corrective actions, the company monitors the effectiveness of the new system through follow-up testing.
7. Reporting and Communication of Deficiencies:
Companies are required to report significant deficiencies or material weaknesses to stakeholders. If deficiencies are identified that could impact the financial reporting, these are disclosed in the company’s annual report on Form 10-K and management is responsible for describing the remediation steps being taken.
8. Continuous Improvement and Feedback Loops:
Finally, the company ensures continuous monitoring of its ICFR, making it an ongoing process rather than a one-time event. Feedback from testing, audits, and remediation efforts is used to improve the control environment, making sure the controls evolve in response to emerging risks or changes in the business environment. Example: An e-commerce company continually evaluates its fraud detection controls, especially after each holiday season when transaction volumes peak. They collect feedback on the performance of these controls and adjust based on new fraud patterns or weaknesses that emerge.
Conclusion:
Monitoring and evaluating the effectiveness of ICFR involves a comprehensive and structured approach. The process includes ongoing testing, regular audits, identifying control deficiencies, implementing remediation plans, and continuous evaluation. By maintaining robust internal controls and ensuring deficiencies are promptly addressed, companies ensure that they can effectively prevent material misstatements in their financial reporting and maintain stakeholder confidence.