Management’s Responsibility for Internal Controls: Risk Management Approach

Benjamin Fung
Caritas Institute of Higher Education
Tel: 3653 6662

ABSTRACT

Management is responsible for establishing and maintaining a system of internal controls within an organization. Internal controls are those structures, activities, processes, and systems which help management effectively mitigate the risks to an organization's achievement of objectives. Management is charged with this responsibility on behalf of the organization’s stakeholders and is held accountable for it by an oversight body (e.g. board of directors, audit committee, and elected representatives). Effective internal controls are weakened by time and resource constraints, cost and benefit relationships, human errors, collusion by employees for personal gain, and management override of controls. The board plays an important role in providing active oversight of risk management, while management can provide a key focal point in managing risk aligned with the organization’s core competencies and risk appetite. A primary lesson from the financial failure and collapse of numerous organizations is that good governance, risk management, and internal controls are essential to corporate success and longevity. This paper examines management’s responsibility for ongoing monitoring of the risks to which a company is exposed and for ensuring that the internal control system is effective in reducing those risks to an acceptable level. Our discussion suggests that an understanding of enterprise risk management and internal controls may aid management seeking to increase performance and decrease risk.

Keywords: Internal control over financial reporting; COSO Internal Control Framework; COSO Enterprise Risk Management Framework; SOX 404 compliance; risk profile; and risk assessment

1. INTRODUCTION

A corporation needs internal controls to provide greater assurance that management will achieve its operating, financial reporting and compliance objectives, in order to help the corporation succeed in its mission. Financial reporting is a critical information component for investors in their decision making. The major risks in corporate financial reporting are that the financial statements do not fairly present the company’s financial position, owing to inadvertent errors or intentional ones (fraud), or that the publication of the financial statements is delayed. Management may mislead the many diverse users of financial statements about the company’s operations or financial performance. Without the necessary information, it is impossible for investors to fully understand a company’s financial position. This may reduce investor confidence, affect share price performance or cause reputational damage to the corporation.

Effective financial controls, including the maintenance of proper accounting records, are an important element of internal controls against fraud and malfeasance. Management is responsible for the integrity of the corporation’s financial reporting system. It is management’s responsibility to put in place and supervise a financial reporting system that allows the corporation to produce timely and accurate financial statements and also allows investors to understand the business and financial risk of the corporation. Moreover, a corporation should have an effective internal control system ensuring that its books and records are accurate and reliable, that its assets are safeguarded and that it complies with applicable laws.

2. INTERNAL CONTROLS

Internal controls are one of the essential elements of all successful organizations. Internal controls build up a system of policies and procedures designed to provide reasonable assurance that a company's objectives will be met. It is a system of checks and balances that can help assure consistent, accurate financial reporting and the avoidance of fraud.

Internal control over financial reporting has been recognized for some time as an important role of a company (Kinney et al., 1990; Kinney, 2000, 2001). The focus on having good internal controls has been a major issue for many corporations because it is considered an important factor in achieving good quality financial reporting (Krishnan, 2005). One of the major criticisms levied against Enron regarding its inadequate financial reporting was the charge that there had been a major failure in their system of internal controls to identify all the illicit activities taking place, especially those that had been off the balance sheet (Verschoor, 2002).

Controls are fundamental to all organizations and are effected by people at every level of the organization. Internal control provides a mechanism to align organizational goals and aspirations with employees’ capabilities, activities and performance. Internal control starts with the design of policies and procedures that facilitate the effectiveness and efficiency of the company’s operations. Internal control covers the policies, processes, tasks and behaviors that, when implemented effectively and efficiently, help minimize or reduce the impact of risk on a company or business process to an acceptable level. If internal control were strong enough, there would be no financial statement fraud to deceive the statement users. In essence, internal control helps ensure the reliability of internal and external reporting and assists compliance with laws and regulations. Effective internal control facilitates accountability and is necessary for effective enterprise risk management (ERM).

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control - Integrated Framework (the COSO framework), which proposed a common framework for the definition of internal control, as well as procedures to evaluate those controls. The COSO framework defined internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.” The Turnbull Report (1999) provided guidance for creating a strong internal control system for UK listed companies to ensure the quality of financial reporting; it was later incorporated into the Combined Code by the Financial Reporting Council in 2005 and is still presented as a standalone document. The Sarbanes-Oxley Act of 2002 has also set out detailed internal control requirements.

The COSO framework recognizes five essential components of any effective internal control system, as shown in Figure 1:

FIGURE 1: Control Components of the COSO Internal Control Framework

- Control Environment: pervasive influence on all the decisions and activities of the organization; integrity, ethics and competence of employees; right tone at the top; and policies and organizational structure established for maintaining controls
- Risk Assessment: identification, measurement, and responses to threats
- Control Activities: occur throughout the organization, at all levels and in all functions; proper procedures followed for preventive and detective control purposes
- Information and Communication: provide for communication between levels and activities within the organization; reliability, timeliness, clarity, and usefulness of information
- Monitoring: review of internal control arrangements to assess their effectiveness

Pursuant to the COSO framework, an internal control system can be viewed in two layers: the control environment and the control procedures. The former refers to the “tone at the top”, showing the overall attitude, awareness and actions of management regarding the internal control system and its importance in the organization, and the latter refers to those policies and procedures established to achieve the organization’s specific objectives. While there may always be “bad apples” in any organization, creating the proper control environment is what ensures the effective implementation of all the other elements of the integrated control framework. As the old proverb says, “actions speak louder than words”: management must communicate its support for internal controls to all levels of the organization. The control environment primarily includes budgetary controls and the internal audit function as a means of strengthening the effectiveness of specific control procedures.

According to COSO, control is the responsibility of the board of directors, management and other personnel within the organization. Control activities are the policies and procedures designed by management to help ensure that suitable risk responses are carried out to eliminate the risk. Some common and important control procedures are the reporting, reviewing and approving of bank reconciliations by the accounting manager, and the application of segregation of duties so that no one staff member can control all phases of a transaction cycle. If the same person handles all duties, he may be able to manipulate documentation to commit fraud. The COSO framework identified a broad range of control activities, including approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. These control activities can be categorized as preventive, corrective, directive, detective, and performance controls. In general, preventive controls are better than detective controls in managing risk because they stop errors and fraud from occurring and so reduce the resultant losses. Detective controls are also important, since they detect errors or other events after they have occurred, although by then it is more difficult to correct the error or recover from the fraud.
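The segregation-of-duties control and the preventive/detective distinction described above can be made concrete in code. The following is an added example, not code from the paper or from COSO: it assumes a hypothetical transaction record with initiated_by, approved_by and recorded_by fields plus an override_by field, and the sample ledger is constructed for the demonstration. approve() and record() act as preventive controls (they refuse to let one person hold two phases of the cycle), while sod_conflicts() is the detective control that scans completed records after the fact, including for management override.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Phases of the transaction cycle that must not all be controlled by one person.
PHASES = ("initiated_by", "approved_by", "recorded_by")


@dataclass
class Transaction:
    """Hypothetical transaction record (assumed fields, not a COSO artifact)."""
    txn_id: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None
    recorded_by: Optional[str] = None
    override_by: Optional[str] = None  # set when a manager forces the item through


class SoDViolation(Exception):
    """Raised by the preventive controls when one actor would hold two phases."""


def approve(txn: Transaction, approver: str) -> Transaction:
    """Preventive control: the initiator may not approve their own transaction."""
    if approver == txn.initiated_by:
        raise SoDViolation(f"{txn.txn_id}: {approver} initiated this item and cannot approve it")
    txn.approved_by = approver
    return txn


def record(txn: Transaction, clerk: str) -> Transaction:
    """Preventive control: the person posting to the ledger must be a third party."""
    if clerk in (txn.initiated_by, txn.approved_by):
        raise SoDViolation(f"{txn.txn_id}: {clerk} already handled another phase")
    txn.recorded_by = clerk
    return txn


def sod_conflicts(ledger: list[Transaction]) -> list[tuple[str, str]]:
    """Detective control: scan completed records and return (txn_id, reason) findings.

    Flags any actor who performed more than one phase, and any management
    override, which the paper lists among the ways controls are weakened.
    """
    findings: list[tuple[str, str]] = []
    for t in ledger:
        actors = [getattr(t, phase) for phase in PHASES if getattr(t, phase)]
        if len(actors) != len(set(actors)):
            findings.append((t.txn_id, "same person in more than one phase"))
        if t.override_by:
            findings.append((t.txn_id, f"management override by {t.override_by}"))
    return findings


def preventive_control_blocks_self_approval() -> bool:
    """Return True if approve() rejects an approval by the initiator."""
    txn = Transaction("X1", 500.0, initiated_by="alice")
    try:
        approve(txn, "alice")
    except SoDViolation:
        return txn.approved_by is None
    return False


def constructed_ledger() -> list[Transaction]:
    """Sample records, constructed for this example, as if imported from a
    legacy system that never enforced the preventive checks."""
    return [
        Transaction("T1", 1200.0, "alice", approved_by="bob", recorded_by="carol"),
        Transaction("T2", 8900.0, "dave", approved_by="dave", recorded_by="erin"),
        Transaction("T3", 45000.0, "frank", approved_by="grace", recorded_by="heidi",
                    override_by="cfo"),
        Transaction("T4", 310.0, "ivan", approved_by="judy", recorded_by="ivan"),
    ]


def run_demo() -> list[tuple[str, str]]:
    """Run the detective scan over the constructed ledger."""
    return sod_conflicts(constructed_ledger())


if __name__ == "__main__":
    for txn_id, reason in run_demo():
        print(f"{txn_id}: {reason}")
```

Running the block reports T2 and T4 (one person in two phases) and T3 (management override); T1 is clean. The preventive functions stop the conflict at the moment it would arise, which is why the paper prefers them, while the detective scan is what catches records that bypassed those functions, such as legacy entries or overrides.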

Internal control is an integral part of ERM. Once established, control activities must be monitored to maintain their operating effectiveness and efficiency. Monitoring activities might include periodic assessment of current internal controls by line managers, risk owners, and internal and external auditors, and communication between those parties and management. A significant deficiency in one or more of the internal control components may hide the fact that controls are still working. Moreover, ERM is broader than internal control: it expands and elaborates on internal control, focusing more fully on risk and serving as a tool for management to manage its risk exposure.

Every company can have its own internal control system; without one, the company cannot operate normally.

A sound internal control system contributes to safeguarding the shareholders’ investment and the company’s assets. The board is responsible for formulating the company’s internal control system and also for setting appropriate policies on internal control to ensure that the system is functioning effectively to manage the risks. Management is the owner of internal control and is ultimately responsible to the board for the company’s internal control system and risk management. Moreover, management and staff are responsible for promoting a high level of integrity and professional standards; implementing an internal control culture throughout the organization; and assigning authority and responsibility so as to ensure the highest possible levels of accountability.

Management is responsible for the control design and assessment of internal control within their areas of responsibility. This responsibility cannot be delegated or outsourced. Most often, the chief risk officer (CRO) or the chief financial officer (CFO) is responsible for risk oversight and typically reports directly to the chief executive officer (CEO) of the company. From their vantage point, the CRO or CFO is able to look across the businesses and functions within a company to develop and manage the portfolio of risks. Accordingly, all employees should understand their role in the internal control process and have some responsibility for internal control as part of their accountability for achieving the entity’s objectives. As a result, all employees should have the necessary knowledge, skills, information, and authority to establish, operate and monitor the system of internal control.

An internal control system requires the implementation of effective and efficient control activities at all levels of the company. Each business unit is responsible and accountable for implementing the established procedures and controls to manage risks within its business. Effectiveness of internal control is the degree to which risk will either be eliminated or mitigated by the established control measures. Management has established within its management and reporting systems a number of risk management controls which should be reassessed on an ongoing basis. These controls include:

- the system should clearly indicate who is responsible for evaluating information and the extent to which it is their responsibility to address an identified control issue or unidentified risk;
- identify uncontrolled risk exposures and bring them to management’s attention;
- closely link risk management to key strategic objectives and the business planning process;
- monitoring of annual budgeting and periodic reporting systems for all businesses;
- embedding and sustaining ongoing risk assessment and monitoring in existing risk management processes; and
- establishing guidelines and limits for approval of capital expenditures and investments.

In order to achieve the entity’s goals and objectives, management needs to effectively balance risks and controls. Control procedures need to be developed and monitored so that risk may be reduced to a level where management can accept the exposure to that risk. In order to achieve an optimal balance, internal controls should be proactive, value-added, cost effective, and address exposure to risk. Being out of balance in either direction leads to the following scenarios:

Excessive Risks Leading To                   | Excessive Controls Leading To
---------------------------------------------|----------------------------------------------
Loss of assets or resources                  | Increased bureaucracy and supervision
Poor business decisions                      | Reduced productivity and impacted performance
Non-compliance                               | Increased complexity and monitoring
Increased regulations and control procedures | Increased approvals and review cycle times
Increased scandals                           | Increased non-value added activities

Internal controls are important for an organization in the fulfillment of its business objectives, since a weakness in internal control systems might result in:

1. ineffective safeguards that protect business and financial information; and low financial reporting quality and integrity, which increase the company’s cost of capital;
2. higher exposure to financial statement fraud and misstatement which will not be prevented or detected;
3. erroneous management decisions based on inadequate or misleading information;
4. inefficient business operations and practices harming the company’s ability to earn profits; and
5. flourishing opportunities for employees to commit fraud; and employee frustration or apathy.

Thus, weak internal controls are more likely to expose the company to avoidable financial risks and to impair its profitability and shareholder value.

3. ENTERPRISE RISK MANAGEMENT

ERM is the leading risk-based approach to managing and optimizing risks, integrating concepts of strategic planning, operations management, and internal control. ERM is concerned with the identification and assessment of the critical risks the organization faces and the formulation and implementation of a companywide strategy to manage or mitigate them in a way that maximizes shareholder value. A companywide view of risk management can greatly improve operational efficiencies, generate synergies and ensure that the company takes the optimal amount of risk.

ERM is evolving to address the various needs of shareholders and stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately and effectively managed. Since risks are inherent in all business transactions, management must have a clear understanding of risks so that it can address the risk issues before they occur. The risk issues need to be attended to and answered within the context of a comprehensive and coherent risk management framework.

In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management, COSO issued Enterprise Risk Management – Integrated Framework (the ERM framework) in 2004, which redefined the concept of risk. The ERM framework expands on internal control, providing a more robust and extensive focus on the broader subject of ERM, and can help establish a new and more comprehensive risk management discipline within the corporation. While it is not intended to and does not replace the COSO framework, but rather incorporates the framework within it, companies may decide to look to this ERM framework both to satisfy their internal control needs and to move toward a fuller risk management process (Source: the Executive Summary of COSO Enterprise Risk Management – Integrated Framework, September 2004). Moreover, this ERM approach to risk is to develop and operate internal controls that mitigate, avoid or transfer the risks and to assist organizations in structuring their entities to best manage exposure to risk.

FIGURE 2: COSO Enterprise Risk Management – Integrated Framework 2004

In the aftermath of the financial crises, ERM has been gaining momentum with the ongoing development of the COSO ERM framework. The core of ERM is to call for a change in the way risk is perceived and managed. It poses challenges to corporations in their inherent risk management and underscores the importance of analyzing and managing risks across the corporation integrally instead of separately. A robust and effective ERM program can exploit the opportunities and minimize the threats inherent in risk. ERM is a core component of internal control and thus fundamental to good corporate governance. ERM supports and builds on Sarbanes-Oxley Act of 2002 (SOX) compliance efforts. Section 404 of SOX compliance requires the implementation of an ongoing control process to address financial reporting risk. Section 404 requires a separate report on the adequacy of the internal control assessment by management and the independent auditor. Auditors are then required to attest to and report on management’s assessment. As most companies are using the COSO framework as the criteria for complying with Section 404, many elements of the compliance process also apply to the implementation of ERM. Therefore, Section 404 provides a foundation for implementing ERM.

The current literature has paid increasing attention to ERM (Liebenberg and Hoyt, 2003). Furthermore, Pagach and Warr (2008) postulated that ERM is a holistic method of managing both operational and strategic risks across an organization. In addition, ERM provides a process by which a company integrates all of its risk management functions (Pagach and Warr, 2007). As a result, those companies which adopted ERM experience a reduction in stock price volatility, increased asset opacity, a decreased market-to-book ratio and decreased earnings volatility, as well as an increase in the board’s and senior management’s ability to oversee the portfolio of risks facing an organization (Beasley et al., 2006; Pagach and Warr, 2008).

A company’s risk management and internal control system have key roles in the management of risks that are significant to the fulfillment of its business objectives. There are various ERM frameworks that contribute to understanding the basic approach for identifying, analyzing, responding to, and monitoring risks and opportunities within the internal and external environment facing the organization. The core challenge of ERM is to enable management to identify the risks that have the greatest impact on the company’s continued growth and survival, quantify the size of those risks, and take steps to effectively manage or mitigate them. Once a company has identified its major risks, it must quantify the magnitude of those risks to align with its risk appetite. Quantification helps an organization decide whether to control, prevent, finance or avoid risk. Management selects a risk response strategy for identified risks in accordance with the company’s risk appetite, which may include the following five possible risk responses:

1. Avoidance: exiting or eliminating the activities giving rise to the risk
2. Reduction: taking action to reduce the likelihood or impact related to the risk via everyday business decisions and processes
3. Sharing or insuring: transferring/sharing or financing a portion of the risk through purchasing insurance and hedging the risk activities
4. Acceptance: doing nothing to alter either the likelihood or impact of the risk, due to a cost/benefit decision

Risk responses need to be supported by internal control; as stated in the COSO ERM framework, “having selected risk responses, management identifies control activities needed to help ensure that risk responses are carried out properly and in a timely manner”. Risk management as a process, in order to be effective and efficient, must also have internal control in place. Internal control of risk management encompasses, among other things, adopting an attitude that risk management must be taken seriously; ensuring that risk data are current and available to authorized personnel and only to them; controls to ensure that risk responses take place as planned; and the identification of neglect and shortcomings in risk management.

Whether a company can operate in an orderly and effective manner depends largely on the effectiveness of its ERM. In essence, ERM enables management to identify, assess, and manage risks in the face of uncertainty. The emerging trend of evaluating and monitoring risk management activities may help companies simultaneously meet strategic goals, boost shareholder and stakeholder value, and focus on good governance processes. Risk management assessment helps management achieve the entity’s goals and objectives and prevent loss of resources.

The support of the board and management is crucial to the success of ERM. ERM works best when an organization develops an integrated process to manage those risks and opportunities within its risk appetite throughout the organization, and the risk policy is communicated to all levels by management. Effective ERM should comprise control activities at all levels of the entity, and each employee has some responsibility for ERM and understands how his or her individual activities relate to the work of others. Employees also need to know about their responsibility to report problems they notice in the performance of their duties and risk events that have not been addressed. While each employee plays some role in effecting the ERM process, such as being responsible for communicating problems in operations and deviations from established standards, management bears the responsibility for identifying, monitoring and controlling risk and for putting ERM into practice. The board has overall responsibility for building an ERM framework and also for maintaining a manageable risk profile. Internal auditors, in both their assurance and consulting roles, contribute to the management of risk by evaluating the effectiveness of the ERM process in helping ensure that key business risks are managed properly on a companywide basis and that the system of internal control is operating effectively.

3.1 Responsibilities of the Directors and Management

Corporate scandals involving investment frauds and diminished confidence in reliable financial reporting among investors and creditors have made internal control and ERM programs a high priority for boards, management, auditors, and stakeholders. The board, which has ultimate responsibility for the ERM program and the total risk management process, reviews and approves the risk management strategy and policies that are formulated by management. Management is accountable to the board on risk management issues and has established a companywide system of internal control and risk response strategy to manage or mitigate significant company risks. This system assists the board in discharging its risk management responsibility for ensuring that the wide range of risks associated with the company’s operations are effectively managed in support of the creation and preservation of shareholder wealth.

As the board is the governance body of a corporation, the caliber and commitment of each director have a direct impact on the corporation’s performance. The board is responsible for the corporation’s compliance with laws and regulations, evaluation of the strategic direction and ERM program, and the effectiveness with which management implements its risk policies and programs. The board’s responsibilities also include overseeing the structure and composition of the company’s top management and monitoring the management of risks related to the company’s operations and business functions.

The board has overall responsibility for evaluating the design and consistency in application of the ERM and internal control framework of a corporation. The board is committed to implementing an effective and sound internal control system to safeguard the interests of shareholders and the company’s assets against loss, fraud, misuse and damage. The board has delegated to management the implementation of the internal control system and the review of all relevant financial, operational and compliance controls and the risk management function within an established framework to achieve the organization’s objectives.

The essence of ERM is putting in place a clear and systematic process to identify, improve and monitor significant risks and controls. Management recognizes the importance of the quality and timeliness of information and communications in ensuring that all significant risks have been identified and addressed, that the proper controls have been established and that the risk owners assigned to monitoring can take immediate steps to execute their responsibilities effectively. The board and the senior management team should have responsibilities for:

a) Understanding the Risk Profile: The board members should clearly understand the risks to which the company is exposed and also decide which risks are acceptable and which must be eliminated.
b) Setting Policy: The board should set policy guidelines and procedures, including the corrective action to be taken when things go wrong.
c) Objective Setting: Management considers risk strategy in the setting of operations, reporting and compliance objectives; formulates the risk appetite and risk tolerance; and accepts variations around objectives which are aligned with the risk appetite.
d) Event Identification: Management identifies the potential internal and external events affecting achievement of the organization’s objectives, distinguishing between risks and opportunities. Events may be negative (risks), positive (opportunities) or both. Management needs to address how potential events and risks influence the risk profile, while opportunities should be channeled back to management’s risk strategy setting processes.
e) Risk Assessment: Management understands the extent to which potential risk events might impact objectives; assesses relevant risks based on likelihood and impact; employs both qualitative and quantitative risk assessment techniques, which need to be understood and accepted by the respective risk owners and management; and assesses risk on both an inherent and a residual basis (the risk remaining after management’s action to alter the risk’s likelihood or impact).
f) Risk Response: Management evaluates the risk responses of mitigation, avoidance and undertaking; evaluates the risk tolerances; assesses the cost and benefit of potential risk responses and the degree to which a response will reduce impact and/or likelihood; and selects and executes risk responses based on evaluation of the portfolio of risks.
g) Establishing Controls: Management takes action steps to ensure policies and procedures and risk responses are carried out; controls occur throughout the organization, at all levels and in all functions.
h) Information and Communication: Management identifies, captures, and communicates pertinent information that enables employees to carry out their risk management responsibilities; communication flows up, down and across the organization.
i) Checking Compliance: The CRO or CFO should send reports regularly to the CEO and the board. These reports should check compliance with the established policies and procedures.
j) Periodic Review: The board must clearly indicate to the risk owners and managers that the entire ERM process should be periodically reviewed to make needed modifications and that any violation of policies, guidelines or controls will be punished.

Although the board should not assume direct responsibility for risk management, its governance structures and activities have contributed significantly to the effective development and implementation of ERM. The board should define and communicate risk tolerance thresholds to senior management to guide their risk decisions, and assign authority to them to manage risks within the specified tolerance levels. The board should hold senior management accountable for assessing the effectiveness of the related internal control system in managing the significant risks and for reporting risk management performance results.

In contrast to the board, management is responsible for designing and implementing a structured and disciplined approach to managing risks and monitoring the entity’s evolving risk profile. Under senior management’s supervision, risk owners develop, implement, perform, and monitor risk management capabilities and activities to enhance overall organizational performance. Overall, monitoring of risk management is most effective when (1) the CEO is wholly committed to the risk management process, (2) the CFO and other officers manage the risks under their jurisdiction, and (3) business unit managers assume everyday responsibility for managing the key risks under their control.

3.2 Integration of Risk Management and Internal Control

Risk management and internal control are basically two sides of the same coin, in that risk management concerns the identification of threats while internal controls are the risk controls designed to manage those threats. COSO states that ERM is effected by the board of directors, management and other personnel, such as internal and external auditors. It is integral to how they manage risk to achieve the entity’s objectives. Managing an organization and managing risk should be inextricably linked. From an organizational perspective, an organization is required to have a formal risk management system, an internal control system, or both. Empirical research indicates that risk management and internal control systems in some organizations are more separate, owing to different systems, processes and/or owners. Others reported that some organizations’ risk management and internal controls are more integrated, owing to one system, combined processes and the same owners. Since risk management is embedded in all the processes of the organization, it should be integrated with internal control systems to become an integral part of a wider corporate governance system. Successful integration of risk management and internal control into the management oversight structure, governance, strategy and operations of the organization will make the system more effective, efficient and manageable, thus leading to better organizational performance.

4. LIMITATIONS OF INTERNAL CONTROL SYSTEMS

There is no such thing as a perfect internal control system. No matter how well designed and operated, internal controls provide reasonable but not absolute assurance regarding the achievement of the entity’s goals and objectives. Management needs to recognize the inherent limitations in the design and application of the internal control systems.

Some of the most common limitations to the effectiveness of internal controls are time and resource constraints, cost and benefit relationships, human errors, faulty judgment, misinterpretation of instructions or lack of knowledge in decision making, collusion by employees for personal gain, and management override of controls. When designing the internal control system and specific control procedures, it is management’s usual requirement that the cost of an internal control does not exceed the expected benefits to be derived (in terms of lowering risk and achieving objectives). The relevant costs to consider include the direct costs of implementing and operating that control as well as the indirect costs of having that control in place. Some control procedures that provide the most assurance may be too costly to implement, and other, less costly, compensating controls may have to be substituted. For example, a poor internal control system would exist if there is no proper segregation of duties; however, in a small company where the controller is solely responsible for all financial matters, it may not be cost effective to hire another staff member for the sole purpose of segregating the controller’s duties. Instead, a more cost-effective control is to have a board member periodically review and monitor the work of the controller, especially monthly bank reconciliations, to substitute for the lack of segregation of duties. Small and medium-sized corporations may need to adopt this approach to ensure proper internal controls are in place and to avoid incurring additional costs. Having the appropriate internal controls in place is a procedure-based type of deterrent.

Since all procedures are implemented by personnel, the proper functioning of any internal control system depends on the competence and integrity of those operating the control process and the risks they face. The qualifications, selection and training as well as the requisite attributes of the personnel involved are important factors to be considered in setting up any control system. Moreover, the board and management should also be aware that possible collusion between two or more staff can defeat the original purpose of a system of controls. Often, effective internal controls are designed so that one staff member functions as a check on another staff member’s work. In this respect, there is always the risk that staff who are supposed to perform independent control procedures may instead choose to cooperate to circumvent management’s controls. Management needs to be alert to close personal and family relationships between staff that might present opportunities to circumvent in-place controls. This is especially true when a line manager is responsible for monitoring control procedures performed by his or her family member or close personal friend. Alternatively, staff are free to report suspected collusion to their line manager (or to bypass their immediate line manager if they suspect that the line manager is involved in the collusion).

Finally, even though internal controls are well designed and effective in preventing and monitoring significant risks, the same controls can be overridden by management itself in every entity. As management is primarily responsible for the design, implementation and maintenance of the internal control system, the entity is always exposed to the danger of management override of internal controls. Further, management’s high level of authority in the entity creates a good opportunity to intentionally manipulate or override otherwise effective and properly designed controls. Management can direct that controls be bypassed or ignored when there is a powerful incentive to engage in fraudulent operations. Internal auditors or whistleblowing mechanisms can help mitigate the possibility of management override of internal controls for personal gain or other fraudulent purposes. Ultimately, however, hiring and promoting managers with good integrity and ethical values can go a long way in building a positive control environment and diminishing the risk of management override of controls.

5. CONCLUSION

In short, management should have a good understanding of their responsibilities relating to internal controls and the need for annual assessment of their effectiveness. All in all, no corporation should be exempted from ongoing monitoring for strong risk assessment and good internal control. Risk assessment is a key determinant of the control requirements. Internal controls are put in place based on the impact of a relevant risk on the organization and the perceived likelihood that the risk would materialize if nothing were done by management. Moreover, every corporation has an obligation to its stakeholders to ensure that the internal control system is functioning effectively to provide insight into significant risks and to link them to the organization’s objectives and business processes, that financial reporting and disclosure are accurate and transparent, and that the integrity of management is beyond doubt.

It is important for company management to become more transparent by showing the results of the efforts they have made to strengthen their internal control mechanisms to achieve good corporate governance and ERM for the benefit of the company and ultimately the shareholders. With the establishment and adoption of an internal control framework, companies that implement ERM effectively will be able to generate a sustainable competitive advantage and create value for shareholders.


REFERENCES

AICPA (2005) Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention, the Audit Committee and Oversight of Financial Reporting.
Beasley, M., Clune, R. and Hermanson, D. (2006) The Impact of Enterprise Risk Management on the Internal Audit Function, Strategic Finance, pp. 1-26.
Daud, W. and Yazid (2009) A Conceptual Framework for the Adoption of Enterprise Risk Management in Government-Linked Companies, International Review of Business Research Papers, Vol. 5/5, pp. 229-238.
DeLoach, J. (2005) Enterprise Risk Management: Practical Implementation Ideas, a summary of a presentation at the MIS SuperStrategies Conference, Las Vegas.
Deloitte Consulting LLP (2010) Reducing Financial Reporting Risk.
Doyle, J., Ge, W. and McVay, S. (2006) Determinants of Weaknesses in Internal Control over Financial Reporting.
Fung, B. (2010) Enterprise Risk Management Successes and Challenge, The Hong Kong Manager, 3rd Quarter.
Fung, B. (2011) Corporate Governance and Internal Controls, The Hong Kong Manager, 2nd Quarter.
ICAEW (2013) Internal Control: Guidance for Directors on the Combined Code.
Irwin, D. (2007) Why Do We Need Enterprise Risk Management? Insight Article, WIPFLi, CPAs and Consultants.
Kinney, W. (2000) Research Opportunities in Internal Control Quality and Quality Assurance, Auditing, Vol. 19, pp. 83-90.
Kinney, W. (2001) Accounting Scholarship: What Is Uniquely Ours? The Accounting Review, Vol. 76, pp. 275-284.
Kinney, W., Maher, M. and Wright, D. (1990) Assertions-Based Standards for Integrated Internal Control, Accounting Horizons, Vol. 4, pp. 1-8.
KPMG (2001) Enterprise Risk Management: An Emerging Model for Building Shareholder Value.
KPMG (2011) Implementation Guidelines for Enterprise Internal Control, Risk & Compliance.
Krishnan, G. (2005) Did Earnings Conservatism Increase for Former Andersen Clients? Journal of Accounting, Auditing and Finance, Vol. 22, pp. 141-163.
Liebenberg, A. and Hoyt, R. (2003) The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers, Risk Management and Insurance Review, 6(1), pp. 37-52.
Moeller, R. (2007) Understanding the New Integrated ERM Framework, John Wiley & Sons.
Nocco, B. and Stulz, R. (2006) Enterprise Risk Management: Theory and Practice, Journal of Applied Corporate Finance, Vol. 18/4.
Pagach, D. and Warr, R. (2007) An Empirical Investigation of the Characteristics of Firms Adopting Enterprise Risk Management, North Carolina State University Working Paper.
Pagach, D. and Warr, R. (2008) The Effects of Enterprise Risk Management on Firm Performance.
Pfister, J. (2009) Managing Organizational Culture for Effective Internal Control, 1st edition, Springer.
Pickett, K.H. (2006) Enterprise Risk Management, John Wiley & Sons.
PWC (2011) Is Management Out of Control?
Protiviti (2006) Guide to Enterprise Risk Management: Frequently Asked Questions.
Razali, A. and Tahir, I. (2011) Review of the Literature on Enterprise Risk Management, Business Management Dynamics, Vol. 1/5, pp. 8-16.
NIVRA Taskforce on Internal Control, Risk Management and Internal Control Systems, Discussion Paper.
Rittenburg, L. and Martens, F. (2012) Enterprise Risk Management: Understanding and Communicating Risk Appetite, The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Securities Adviser (2009) Enterprise Risk Management: A Financial Services Survival Kit, Grant Thornton.
Shil, N.C. (2008) Accounting for Good Corporate Governance, Journal of Administration and Governance, Vol. 3/1, pp. 22-31.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004) Enterprise Risk Management: Integrated Framework, Executive Summary, September.
The KPMG Review (1999) Internal Control: A Practical Guide.
UNISYS (2007) A CEO’s Guide: 10 Steps for Managing Enterprise Risk.
Verschoor, C. (2002) Reflections on the Audit Committee’s Role, Internal Auditor, 59, pp. 26-35.
