Internal control systems within the framework of the 8th EU directive

Table of Contents

Acknowledgement

List of Figures

Abstract

1. Introduction
1.1. Background
1.2. Analytical Procedure

2. Literature Review
2.1. Regulatory Environment
2.2. Fundamental Elements of the ICS
2.2.1. Basic Idea and Definition of an ICS
2.2.2. Principles of the ICS
2.2.3. Objectives of the ICS
2.2.4. Critical Assessment
2.3. Control Models of the ICS
2.3.1. COSO
2.3.1.1. Background
2.3.1.2. Internal Control - Integrated Framework
2.3.2. COBIT
2.3.2.1. Background
2.3.2.2. Framework
2.3.3. Critical Appreciation and Interaction of the Models

3. Research Design and Methodology
3.1. Research Philosophy
3.2. Research Approach and Method
3.3. Research Strategy
3.4. Research Time Horizon and Data Collection
3.5. Access to Data and Resources
3.6. Ethical Issues

4. Analysis, Discussion and Interpretation
4.1. Presenting the Data: Relevance of the ICS for a Company ..
4.1.1. Benefits of the ICS
4.1.2. Drawbacks of the ICS
4.1.3. Restriction of the ICS
4.1.4. Implementation Problems of the ICS
4.1.5. Areas for the ICS
4.1.6. Drivers and Prospective Usage of the ICS
4.2. Interpretation: Design in Companies
4.2.1. Determination of the Actual State of an ICS
4.2.1.1. Self-Assessment
4.2.1.2. Identifying Risk Areas and Processes
4.2.1.3. Roles and Responsibilities
4.2.2. Determination of the Target State of an ICS
4.2.2.1. Roles, Responsibilities and the Analysis Process
4.2.2.2. Control Activities
4.2.2.3. Realisation, Monitoring and Documentation
4.2.2.4. Challenges in IT
4.2.2.5. Design of Processes

5. Conclusions

6. Recommendations

List of Appendices

References

Acknowledgement

I am heartily thankful to my supervisor, whose encour- agement, guidance and support from the initial to the final level enabled me to develop an understanding of the subject.

Lastly, I offer my regards and blessings to all of those who supported me in any respect during the completion of the project.

Björn Möller

List of Figures

Figure 1: Exemplary ICS Lobbies

Figure 2: Targets of the ICS by COSO

Figure 3: Internal Control Components by COSO

Figure 4: COSO CUBE

Figure 5: Layers of the Research Onion

Figure 6: Evaluation of the Benefits of an ICS

Figure 7: Evaluation of the Drawbacks of an ICS

Figure 8: Evaluation of the Limits of an ICS

Figure 9: Evaluation of the Reasons for Failures of an ICS

Figure 10: Evaluation of the Implementation Problems of an ICS in general.

Figure 11: Evaluation of the Areas for an ICS

Figure 12: Evaluation of Drivers of an ICS

Figure 13: Evaluation of the Prospective Usage of an ICS

Figure 14: Example of a Derived Profile of a Self-Assessment

Figure 15: Porter’s Value Chain

Figure 16: Proposal for the Identification of Risk Areas and Processes

Figure 17: Risk Matrix I (Example)

Figure 18: Risk Matrix II (Example)

Figure 19: Roles and Responsibilities I (Example)

Figure 20: Roles and Responsibilities II (Example)

Figure 21: Determination of the Roles and Responsibilities (Example)

Figure 22: Control Activity Description (Example)

Figure 23: Evaluation of the Implementation Problems of an ICS in IT

Figure 24: Combination of IT BSC and Business BSC

Figure 25: Process Map

Abstract

ANGLIA RUSKIN UNIVERSITY ABSTRACT

ASHCROFT INTERNATIONAL BUSINESS SCHOOL MASTER OF BUSINESS ADMINISTRATION

INTERNAL CONTROL SYSTEMS WITHIN THE

FRAMEWORK OF THE 8th EU DIRECTIVE -

SIGNIFICANCE AND IMPLEMENTATION IN COMPANIES By BJÖRN MÖLLER

JULY 2010

This dissertation evaluates the significance of Internal Control Systems (ICS) within the framework of the 8th EU Directive. The author analyses the advan- tages, disadvantages, as well as impending conflicts and limits regarding the implementation process of an ICS in the regulatory environment of the EU. Possible theoretical implementation guidelines are elaborated on the basis of two commonly known frameworks for internal control, namely 1) the COSO Framework, which considers the general design of an ICS, except for detailed results of IT-based internal controls, and 2) the COBIT Framework, which pro- vides details for the IT processes and their proposed controls.

In addition, the author analyses the findings of a survey in which 27 internal control specialists, auditors, and internal control consultants participated.

The results of the survey reveal that companies face a number of problems and challenges when aiming to implement and maintain an effective ICS. Similar to the findings in literature, the survey sample name the effort, re- sources, costs, and maintenance, as well as the acceptance, awareness, com- munication, design and complexity as the main challenges and problems an Internal Control System is confronted with. On the basis of the survey results, the author provides insights into determining an ICS’ actual state, as well as its target state.

Finally, the author of this dissertation proposes establishing an ICS project in order to create awareness for ICS, to structure the ICS process transparently and within an appropriate time frame. Furthermore, the usage of checklists and frameworks facilitates the implementation process of an ICS. It is recommended to use the COSO and COBIT Framework.

1. Introduction

1.1. Background

Liberalisation and globalisation of the markets, as well as international com- petitiveness are the main catchwords executives have to coordinate. The chal- lenges of a global cross-linked world market require suitable corporate gov- ernance processes and structures in order to ensure the competitiveness. Many existing structures have failed in the past which translated into decep- tive practices. In order to prevent criminal activities and to promote a profes- sional and ethically appropriate culture in the company, a wide range of ideas and principles for corporate governance and Internal Control System (ICS) structures have been introduced. The far-reaching financial scandals in the United States of America in the last years involving companies such as Enron and WorldCom, which engaged in fraudulent financial accounting reporting practices and a multitude of other forms of fraud, has resulted in corporate governance becoming a key issue in corporate management. The confidence in capital markets has been fundamentally shattered. In response, the Congress of the United States adopted the Sarbanes-Oxley Act (SOA) in June 2002. Be- cause of these past incidents and developments, legislators in the EU were also forced to respond with a similarly stringent legislation as the SOA. One major issue in this debate is the demand for transparency of internal proc- esses in companies. Consequently, the 8th EU Directive was issued specifying an Internal Control System for companies of public interest.

Furthermore, successful companies have acknowledged the significance of the strategic approach and relevance of governance, risk management and com- pliance. Hence, the pervasiveness of Internal Control Systems for individual departments has become increasingly more common and companies are plac- ing greater pressure on monitoring the effectiveness of internal control. The challenge that might arise is problems with regard to the design of an effective Internal Control System, as well as its implementation. Consequently, a lot of questions have to be addressed, including: Which parts of the company have to be taken into consideration in terms of the planning and implementation of an ICS? Which processes are relevant for ICS implementation? Which rules have to be complied? What problems and challenges might arise? How can an Internal Control System be successfully implemented within the scope of the available IT infrastructure?

Moreover, the current IT environment is entrenched in the business environ- ment and rests on regulatory compliance, cost control, availability, and risk management within the regulatory environment. As only few companies have established a comprehensive ICS, the need for general solution for European companies has increased. Companies which have already successfully intro- duced an ICS will benefit considerably in the areas of compliance, governance, and strategic issues.

1.2. Analytical Procedure

This thesis investigates Internal Control Systems and their implementation in companies within the framework of the 8th EU Directive, focussing on the IT- based implementation. Accordingly, this applies to all companies that own stocks in the EU on the regulated market, as well as credit institutions and in- surance companies. The objective of this dissertation is to identify the prob- lems, challenges, and relevance of an effective ICS for those companies af- fected by the 8th EU Directive. The purpose of this analysis is to provide check- lists and recommendations in order to prevent problems or to effectively tackle them to establish an efficient ICS.

To achieve the defined goal, a comprehensive literature review on Internal Control Systems and their application in practice is necessary. Therefore, the first part focuses on the regulatory environment, in particular on the 8th EU Di- rective and the underlying effects for companies. The second section focuses on the fundamental components of an ICS, including the basic concept and definition, the principles and structure, as well as the objectives of an ICS. The need for a distinct control model has increased due to the different approaches worldwide to implement Internal Control Systems. Therefore, two ICS control models are introduced in the third section of the dissertation. Based on the in- sights from the previous sections, it is possible to derive an “implementation strategy” for companies. This is done in the practical part of the thesis (fourth part). First, the relevance of an ICS for a company must be determined. This includes an assessment of the advantages and drawbacks, as well as the limits and acceptability of an ICS. This is done in two different ways. First, a survey is carried out to ascertain how companies from different sectors perceive the main purpose, advantage, and disadvantage of ICSs. Second, the answers from the companies are put into the context of the literature. The fifth section of the dissertation combines the findings of the data analysis with the author’s own suggestions for establishing an ICS. Subsequently, it is possible to iden- tify problems that might occur during the implementation of an ICS and to provide checklists to prevent such problems. Ultimately, the key objective of this thesis is to explore:

- Which control models of the ICS are suitable for successful implemen- tation within the framework of the 8th EU Directive?
- How is an ICS in companies composed?
- How can an ICS be implemented successfully?
- What problems and challenges do companies face and how can they be solved?

2. Literature Review

2.1. Regulatory Environment

The amendments of the 8th EU Directive were concluded on 17 May 2006 and came into effect on 29 June 2006 (European Union, 2006, p. 1). Since then, the Directive has been compulsory for all EU member states and had to be transferred into national law by 29 July 2008. The legal changes have had several impacts and effects on companies located in the EU. In fact, all com- panies of public interest have to meet the requirements of the national prac- tice of the 8th EU Directive. Accordingly, the regulations apply to all companies that own stocks in the EU on the regulated market, as well as credit institu- tions and insurance companies (European Union, 2006, p. 2.). Furthermore, other companies may be affected by the Directive by reason of their activities, size or number of employees (European Union, 2006, p. 2f.).

The amendments of the 8th EU Directive include an increase in audits, as well as initiatives for the improvement of corporate governance (Berwanger & Kullmann, 2008, p. 124). Thus, the audience addressed by the Directive only involves capital market-oriented companies and companies of public interest (European Union, 2006, pp. 4, 13). The Directive was mainly influenced by the Sarbanes-Oxley Act (SOX), which was introduced in 2002. One key issue of SOX is the establishment of an audit committee (Moritz & Gesse, 2005, p. 8f.).

This is also explicitly stipulated by the European Union (2006, Article 41, §1, p. 17):

“Each company of the public interest has an audit committee”.

That is, the amendment of the 8th EU Directive can be summarized as followed (European Union, 2006):

- compulsory application of international auditing principles,
- determination of criteria for the public supervision of auditors,
- foundation for the cooperation between government authorities in the EU and third countries,
- establishment of an audit committee for public interest companies,
- guarantee of neutrality and independence of the auditors, and
- European coordination of the supervision.

The aim of the 8th EU Directive is to enhance the synchronization and to improve the quality of information and transparency in European capital markets. Therefore, the 8th EU Directive transfers the responsibility for control over financial reporting, the Internal Control System, the administrative audit, and risk management to the audit committee. This is enforced by Article 41 of the 8th EU Directive which specifically refers to the Internal Control System and lists the following tasks for the audit committee:

“The audit committee has to supervise the accounting processes, the ef- fectiveness of the Internal Control System; if necessary the internal au- dit system and the risk management system” (European Union, 2006, Article 41, p. 17).

One key area which could be affected by the 8th EU Directive is the organiza- tional area. In order to meet the given requirements and to avoid sanctions, organizational groups (e.g., audit committee) have to be established. The supervisory functions described in the 8th EU Directive seem to be similar to the regulations introduced by SOX. Yet there is one major difference. The 8th EU Directive does not limit the supervision of the effectiveness of an Inter- nal Control System to one specific area as is the case in SOX. SOX focuses on the control environment around financial reporting (Congress of the USA, 2002, Section 404).

The supervision of the effectiveness of the Internal Control System according to the 8th Directive of the EU, however, is directed at all corporate divisions. This includes accounting and financial reporting, essential operative processes, as well as procedures in the area of compliance management. But there is no commitment to disclose the assessment results of the Internal Control System and the consequential failure these may entail. Article 41 of the 8th EU Direc- tive also does not require additional verification of the effectiveness of the ICS to be submitted by an auditor (European Union, 2006, Article 41, p. 17).

Beyond that, the 8th EU Directive does not explicitly define a framework for usage within a company, although there have been some proposals to use COBIT for the IT audits. As COBIT and COSO are the standard framework tools used for internal control within SOX, this thesis focuses on these models to assess their usage within the 8th EU Directive.

2.2. Fundamental Elements of the ICS

2.2.1. Basic Idea and Definition of an ICS

Internal control is not new; in the past, internal control was mostly associated with “bookkeeping where checks were done to detect errors and fraud” (Leitch, 2008, p. 13).¹ However, this approach first transformed in the 1950s. In 1949, the American Institute of Accountants (AIA, today American Institute of Certified Public Accountants, AICPA) released a study which focused on the issue of internal control and provided the following definition cited by Root (1998, p. 68):

“Internal Control comprises the plan of organization and all of the coor- dinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies”.

Leitch (2008, p. 13f.) and Trenerry (1999, p. 4f.) assert that internal control was a process designed to provide “reasonable assurance as to achievement of controls” in the following three areas:

- effectiveness and efficiency of operations;
- reliability of financial reporting; and
- compliance with applicable laws and regulations.

Although the 8th EU Directive was mainly driven by SOX, Internal Control Systems already existed prior to the release of the 8th EU Directive. Yet the 8th EU Directive changed the focus of the ICS. Now, not only is the effectiveness of internal processes supervised but the requirements for the annual audits in terms of compliance and governance issues as well. Menzies (2004, p. 74) provides a comprehensive definition of the ICS:

“The Internal Control System consists of regulations for the guidance of company activities (internal guidance system) and regulations for the supervision of these regulations (internal supervision system). The internal supervision system consists of process-integrated and not process-oriented supervision activities”.

Taking this into account, the basic idea behind an Internal Control System is the reduction of potential disruptions in all business-related matters, as well as the underlying negative effects they have on companies (Helbeck, 2008, p. 6 and Trenerry, 1999, p. 6). Furthermore, an ICS is not only a toolkit for regula- tions, but also a “risk-oriented instrument of guidance” (Helbeck, 2008, p. 8 and Patel, Prasad & Prasad, 2010, p. 18.). Thus, the principles, procedures, and structures introduced do not only have to meet the regulatory require- ments, but also the organisational practicability within a company.

Finally, the definition of an Internal Control System reflects the development of the concept of internal control and the influence of different lobbies on it². This idea is supported by Leitch (2008, p. 13f.):

“Each time there was or is a major scandal involving a large company that had falsified its accounts people are thinking of internal controls”.

Figure 1: Exemplary ICS Lobbies

illustration not visible in this excerpt

Source: Own figure.

2.2.2. Principles of the ICS

An Internal Control System is based on different principles upon which the ICS builds a framework or foundation. As an Internal Control System involves dif- ferent processes within an organisation, it has to be transparent. Helbeck (2008, p. 8f.) considers transparency to be a general measure through which externals are able to assess the processes and the supervision of these proc- esses within a given company. On the other hand, the Institute for Administra- tive Audit Austria (2004, p. 35) and Trenerry (1999, p. 8ff.) consider trans- parency in more detail. In their view, the transparency principle has to be supported by some organisational structure, like a four-eye-principle, which implies that no essential process is carried out without a counter-check, e.g., some signature regulations, access controls, destruction regulations, and stor- age regulations. Furthermore, the principle of functional separation is one of the key principles of an Internal Control System. Klinger & Klinger (1998, p. 16f.) state that “no business process should lie in the hand of just one per- son”. The following functions should be separated from each other: Commis- sion, permission, accomplishment, booking, payment, and control (Klinger & Klinger, 1998, p. 16f.).

Another principle that must be mentioned is the principle of information or the principle of minimum information. This means that the availability of informa- tion has to meet the requirements of the daily tasks, no more, no less (Klinger & Klinger, 1998, p. 16f.). This principle can be realised with the support of the four-eye-principle and the principle of functional separation (Institute for Ad- ministrative Audit Austria, 2004, p. 34f.). Unfortunately, the implementation of these principles often ends with the organizational implementation in the literature. But it is essential for all these principles to be supported by IT. This, for example, includes controls within computerised processes such as:

- completeness controls,
- sum control,
- automatically generated document number or
- job logs (Institute for Administrative Audit Austria, 2004, p. 34f.).

2.2.3. Objectives of the ICS

The objectives of an Internal Control System vary from company to company. Due to the fact that organisations use different frameworks for Internal Con- trol Systems, the processes and objectives linked to them differ as well. The Institute for Administrative Audit Austria (2004, p. 18) and Jones & Pendle- bury (2000, p. 232) assert that the objectives of an ICS are to support and secure:

- the orderly process of business,
- the observance of business decisions and compliance,
- the observance of defined goals,
- the assets of an organisation,
- the completeness and reliability of information, documentation, and processes,
- the profitability and effectiveness of processes,
- the prevention and disclosure of failures and irregularities,
- the transparency and auditability of procedures, and
- the protection of life and limb within an organisation.

In contrast, COSO (1994, p. 16ff.) separates the objectives of an ICS into 3 categories: Financial reporting, operations, and compliance.³

illustration not visible in this excerpt

Figure 2: Targets of the ICS by COSO

Source: Helbeck, 2008, p. 10.

Within the scope of financial reporting, criteria like accuracy, completeness, cut-off, existence, occurrence, valuation, rights and obligations, and presentation and disclosure are monitored (COSO, 1994, p. 16ff.). The area of operations focuses on ensuring the processes’ effectiveness. The following goals are included in the area of operations:

- cost control,
- optimisation of cash management,
- quick response time to customers,
- higher productivity,
- higher quality, and
- observance of delivery times (COSO, 1994, p. 16ff.).

The last category, compliance, comprises the observance of laws and regulations. As different regulations apply to different sectors, compliance requirements also differ from company to company (Menzies, 2004, p. 92ff). Therefore, internal control has different meanings to different parties (Palfi, & BotaAvram, 2009, p. 1092).

The two approaches agree that an Internal Control System is to affirm the safety, accuracy, and profitability of all processes. Safety is ensured when all economically feasible measures have been implemented to minimise the likelihood of damages to assets (Klinger & Klinger, 1998, p. 12). Accuracy is achieved when objective and formal accuracy, completeness, implementation in due time, documentation, auditability, and the observance of legal regulations is guaranteed. Finally, the profitability of all business processes must be monitored regularly. The costs of these controls should not exceed the possible damage (Klinger & Klinger, 2000, p. 8).

2.2.4. Critical Assessment

The literature review of the fundamental elements of the ICS has revealed that companies face a number of difficulties and challenges, and that different un- derstandings of an ICS exist. One major disadvantage with regard to the cur- rent literature is that an ICS means different things to different people in terms of understanding and interpretation. On the one hand, the focus is on financial reporting only; on the other hand, the focus lies on the entire enter- prise including all processes. Likewise, one enterprise may focus exclusively on the security approach of an ICS, while another enterprise applies the ICS as an overall concept to include security, process alignment, as well as an early warning system and use the ICS as a strategic tool to generate a competitive advantage. These different understandings may be attributable to the influ- ences various lobbies have on the management board and the ICS.

Furthermore, the literature addresses the complexity and differing ICS imple- mentation approaches. No standardisation exists as of yet. This results in dif- ferent implementation strategies, which can be quite costly and may not suc- ceed due to organisational failures or due to an ICS that is not aligned to the business processes.

On the other hand, as mentioned in the literature, an ICS offers the possibility to integrate all processes into a single system; it may reduce potential disrup- tions and provides transparency. This transparency allows companies to trans- pose future legal regulations quickly. Cost efficiency and quality can be en- hanced, if companies recognise changes in the processes and risks at an early stage.

One key issue that was debated in the literature was the need for an ICS on account of legal requirements. Many companies have no choice but to imple- ment an ICS. The following chapters examine which opportunities exist in practice to implement an effective but quite standardised ICS and what has to be taken into consideration when adopting and implementing an ICS.

2.3. Control Models of the ICS

2.3.1. COSO

2.3.1.1. Background

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) introduced the framework “Internal Control - Integrated Framework” in 1992 to support companies and other organisations to assess and improve their Internal Control Systems (German Institute for Administrative Audit, 2006, p. 1 and Gallegos, F. et al., 2004, p. 370).

The primary function of this control model involves the documentation, analy- sis, and design of Internal Control Systems, albeit focussing primarily on fi- nancial reporting (COSO, 1994, p.3f). Through the usage of the COSO frame- work “the transparency, fairness and honesty shall become key words for cor- porate governance, government oversight and investor protection” (Biegelman & Bartow, 2006, p. 42). In general, COSO can be considered the “Master Framework” of Internal Control Systems. This view is also shared by the Public Company Accounting Oversight Board (PCAOB) (2004, number 14), a private- sector, non-profit corporation:

“Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass, in general, all the themes in COSO”.

2.3.1.2. Internal Control - Integrated Framework

The COSO Internal Control - Integrated Framework defines internal control as a process that is affected by people in order to “provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations” (COSO, 1994, p. 3 and 13 and Palfi, & Bota-Avram, 2009, p. 1092). Furthermore, COSO describes internal control as a model consisting of five interrelated components:

- Control environment,
- Risk assessments,
- Control activities,
- Information and communication, and
- Monitoring (Schaefer & Peluchette, 2010, p. 47).

These five components provide for a synergy which ensures that an Internal Control System can react dynamically to changing conditions (COSO, 1994, p. 5). These objectives apply to all entities and processes of a company (Menzies, 2004, p. 78). Figure 3 illustrates the five components of COSO’s Internal Control System.

illustration not visible in this excerpt

Figure 3: Internal Control Components by COSO

Source: COSO, 1994, p. 17.

Based on these objectives, a relationship between the objectives and compo- nents of an ICS can be developed. The relationship can be depicted by a three-dimensional matrix (COSO, 1994, p. 18). Accordingly, the matrix con- sists of the three objectives (operations, financial reporting, and compliance), the five interrelated components mentioned above, as well as the units or ac- tivities of an entity (COSO, 1994, p. 18). Figure 4 illustrates the relationship between the objectives and components of an Internal Control System.

illustration not visible in this excerpt

Figure 4: COSO CUBE

Source: COSO, 1994, p. 19.

In order to gain a comprehensive understanding of the individual components of an Internal Control System, they will be explained in more detail. The control environment represents the foundation of an effective Internal Control System and for the other components of internal control (COSO, 1994, p. 23 and Patel, Prasad & Prasad, 2010, p. 18.). COSO (1994, p. 31f.) identi- fies the following seven principles which the control environment has to achieve:

- integrity and ethical values,
- commitment to competence,
- board of directors or audit committee,
- management’s philosophy and operating style,
- organizational structure,
- assignment of authority and responsibility, and
- human resource policies and practices.

Risk assessment comprises the systematic identification and assessment of events and incidents within the operating process, which could jeopardise the company’s goals (Helbeck, 2008, p. 31). In order to determine the risks and critical success factors, management has to first set the objectives (opera- tions, financial reporting, and compliance) at the entity and activity level (COSO, 1994, p. 33). The objectives provide the “measurable targets toward which the entity moves in conducting its activities” (COSO, 1994, p. 39). Prin- cipally, two factors are important for risk identification: Internal and external factors (Menzies, 2004, p. 79). Internal factors which represent a potential threat to an enterprise include, e.g., a disruption of information systems, the quality of personnel hired, etc. (COSO, 1994, p. 40f.) External factors may, e.g., be the level of technology, changing customer needs, etc. (COSO, 1994, p. 40). Menzies (2004, p. 79) further deepens the risk assessment process through the assessment of risks by which management has to identify the ap- plicable factors for the enterprise. Hence, the identified risks have to be weighted with the probability of occurrence and the effects assessed. This idea is continued by COSO, which maintains that risk analysis involves considera- tions of how the risk should be managed - “what actions need to be taken” (COSO, 1994, p. 42). The ICS’ task is to ensure that the objectives which have been set and the risks involved will be identified (Menzies, 2004, p. 79).

The purpose of control activities is to reduce the risks associated with the company’s objectives (Harrer, 2008, p. 85). Helbeck (2008, p. 35) broadens this notion by determining that the control activities should cover the risks re- vealed in the risk assessment. The control activities consist of policies and procedures for the observance of management decisions (Menzies, 2004, p. 79). COSO (1994, p. 49) defines three control activity categories: “Operations, financial reporting and compliance”. Furthermore, COSO separates the control activities into different types. COSO (1994, p. 49) refers, e.g. to “preventive controls, detective controls, manual controls, computer controls and manage- ment controls”.

Information and communication are crucial for management’s decision-making procedure (Menzies, 2004, p. 79). Relevant information must be communi- cated in a “timely manner in order to carry out the responsibilities” (Harrer, 2008, p. 85). Within the scope of an ICS, indispensable information is gener- ated which influences the decision-making procedure and allows for the as- sessment of business activities. This is supported by Helbeck (2008, p. 31), who claims that the establishment of appropriate communication lines and strategies to ensure effective information flows are crucial for attaining a func- tional ICS.

The fifth and last component of an ICS according to COSO is monitoring. Due to changing or irrelevant processes within an ICS, internal controls may be- come ineffective (Harrer, 2008, p. 90). Therefore, Internal Control Systems need to be monitored in order to “assess the quality of the system’s perform- ance over time” (COSO, 1994, p. 69). COSO (1994, p. 69ff.) identifies three different approaches to the monitoring of the ICS: First, ongoing monitoring activities can be used, secondly, individual evaluations can be carried out, or thirdly, a combination of the two can be implemented. Ongoing activities in- clude regular management and supervisory activities, comparisons, reconcilia- tions, and other routine actions that provide continual feedback on the effec- tiveness of controls (COSO, 1994, p. 70 and Harrer, 2008, p. 91). Separate evaluations provide a fresh perspective and more in-depth analysis on the ef- fectiveness of the ICS (COSO, 1994, p.71f. and Harrer, 2008, p. 91).

2.3.2. COBIT

2.3.2.1. Background

IT and information are catchwords that play an important role in companies. IT has to be used if accurate and complete information is to be provided within the time stated. Thus, information and technology may exemplify the most valuable, but least understood asset of an enterprise (ITGI, 2005, p. 6). In or- der to secure IT’s value added and to conduct IT risk management, an IT framework has to be applied. One option is the COSO Framework which pro- vides a comprehensive model to evaluate and develop an ICS in general. Yet COSO does not explicitly mention the critical IT processes or the objectives re- lated to IT. Accordingly, another framework is required: A framework which contributes to the structure and processes of COSO, but also includes the IT processes (ITGI, 2005, p. 6). The COBIT Framework developed by the IT Gov- ernance Institute (ITGI) represents just such a framework.

The COBIT Framework (Control Objectives for Information and related Technology) was first introduced in 1996 and focuses on the significance and impact IT has on business processes (ISACA Switzerland Chapter, 2001, p. B2). COBIT provides a model of internationally accepted and approved control objectives that ought to be implemented in a company to ensure an appropriate application of IT (ISACA Switzerland Chapter, 2001, p. B2).

2.3.2.2. Framework

The COBIT Framework is based on the principle of IT resources and IT proc- esses⁴. This implies that the enterprise has to manage the IT resources through the application of structured IT processes in order to achieve the company’s predetermined aims (Tipton & Krause, 2007, p. 1417). This ap- proach is further deepened by the ITGI (2000), which defines the mission of COBIT:

“To research, develop, publicise and promote an authoritative, up-to- date, international set of generally accepted information technology control objectives for day-to-day use by business managers and audi- tors”.

To achieve the company’s aims and to develop an ICS, information has to match specific criteria like effectiveness, efficiency, confidentiality, integrity, availability, reliability, and compliance (ITGI, 2005, p. 14).

Furthermore, business processes are related to IT resources. This implies that the enterprise has to invest appropriate resources for the deployment of tech- nical possibilities (e.g., software) in order to support the business activities (Tipton & Krause, 2007, p. 1418f.). This may indicate that the quality of busi- ness processes depends on the quality of IT resources. The ITGI (2005, p. 15) refers to the following IT resources: Applications, information, infrastructure, and people. IT processes are required to control, plan, develop, implement, and monitor these different IT resources. ITGI (2005, p. 15) clusters these ac- tivities into four different domains:

- plan and organise,
- acquire and implement,
- deliver and support, and
- monitor and evaluate.

COBIT identified 34 critical IT processes within its Framework which are as- signed to the four domains and have to pass through the COBIT circle⁵. All of these IT processes are characterised by High Level Control Objectives, De- tailed Control Objectives, Management Guidelines, as well as a Maturity Model (ITGI, 2005).

The COBIT Framework is one of the most detailed IT frameworks in the world. This is supported by Hochstein & Hunziker (2003, p. 50), who assert that CO- BIT IT processes comprise between 3 and 30 detailed control objectives per process; in total, the framework consists of 318 detailed control objectives. These are based on the desired aims the implementation of the COBIT Frame- work is to achieve. COBIT provides different tools to support the assessment of objectives, as well as of responsibilities. First, COBIT’s Management Guide- lines mention the interdependencies of the inputs and outputs (ITGI, 2005). These interdependencies demonstrate which process might be the predecessor of another and which impact a process might have on its successors. Further- more, the Management Guidelines offer a RACI chart which shows in detail who is responsible, accountable, consultable, and who has to be informed⁶ for each IT process (ITGI, 2005). The Management Guidelines’ third tool includes Key Goal Indicators and Key Performance Indicators for each IT process (IS- ACA Switzerland Chapter, 2001). The key goal indicators reveal whether an IT process has achieved the business requirements, whereas the key perform- ance indicators are measurement parameters for the performance of an IT process with regard to support in goal attainment (ITGI, 2005).

Finally, the Maturity Model of COBIT provides the possibility to assess the company’s own state. This is done using a six step model ranging from “nonexistent” to “optimised”. Within this range, the enterprise has to assess where it stands (performance), where the competitors stand (benchmark), and which path ought to be followed or is desired (strategy) (ITGI, 2005, p. 21f.). Each of the 34 IT processes has such a Maturity Model in order to identify problem areas and support the prioritisation of activities⁷.

2.3.3. Critical Appreciation and Interaction of the Models

The review of the COSO and COBIT Frameworks has shown that they are both valuable for assessing risks and establishing structured processes and guide- lines to manage these risks. The COSO Framework is one of the most interna- tionally renowned and accepted frameworks, especially for financial audits. However, this might be one of the disadvantages of COSO. It is too general, focuses too much on financial reporting, as already mentioned in Chapter 2.3.1, and too little on IT issues. Nevertheless, COSO provides a wellstructured foundation for the implementation of an ICS. COSO’s approach does not only focus on reducing risks, but on actually managing them. This is supported by the ongoing adaptation of the framework to current issues. However, COSO should not be perceived as a framework that ensures success, reliability of financial reporting or compliance, but it can help to further develop these areas, manage risks, and prevent loss of resources.

Similar to the COSO Framework, the COBIT Framework has to be perceived as a guideline for the implementation of IT-based objectives. Owing to COBIT’s detailed and general structure, as described in Chapter 2.2.3, it might be diffi- cult to assemble the framework completely. Due to the complexity of the framework, the enterprise has to tailor the framework to its own specific inter- ests (Hochstein & Hunziker, 2003, p. 50f.). Although the COBIT Framework is more of a guideline than a tool for specific control information or for support- ing process flows, it is aligned to the given business and creates interdepend- encies with the IT processes. This is supported by the ongoing adaptation of the framework to current issues. Furthermore, COBIT provides applicable tools for management (input/outputs, RACI chart, KPI, KGI) to assess the impacts IT processes have on the enterprise. Similar to the COSO Framework, the CO- BIT Framework can be perceived as a tool which ensures the ICS’ success, but it also helps recognise best practices for IT management, and to understand the relationship between internal control and IT-related control objectives.

The literature review has shown that the two frameworks focus on different areas of an enterprise and do not exclude each other. On the contrary, due to the strong general but financial-oriented approach of COSO and the IT- oriented approach of COBIT, it might be helpful to use both frameworks in a company. As the COSO Framework is more comprehensive than the COBIT Framework, the author recommends using it as the primary framework. The COBIT Framework could support the primary framework by focussing on the IT issues. This view is supported by the ITGI (2006, p. 54), which attempts to integrate the COBIT IT processes into the COSO environment⁸.

The 8th EU Directive does not stipulate special control models for internal con- trol, as mentioned in Chapter 2.1; enterprises are free to choose. As COSO and COBIT are the best known frameworks for Internal Control Systems, the author proposes using both frameworks. In the course of this study, the fac- tors that need to be taken into consideration to implement these frameworks within the 8th EU Directive.

3. Research Design and Methodology

Research can assume many characteristics and classifications. In their ‘research onion’, Saunders, Lewis & Thornhill (2009) identified the “issues underlying the choice of data collection techniques and analysis procedures”⁹. Accordingly, the following issues will be addressed here (Saunders, Lewis & Thornhill, 2009 and Bryman & Bell, 2007):

illustration not visible in this excerpt

Figure 5: Layers of the Research Onion

Source: Saunders, Lewis & Thornhill, 2009 and Bryman & Bell, 2007.

3.1. Research Philosophy

Saunders, Lewis & Thornhill (2009, p. 109ff.) divide research philosophy into different clusters:

- positivism
- interpretivism,
- pragmatism, and
- realism.

[...]

---

¹ “The first signs of internal control and in particular, internal auditing, can be found in the records of the early Mesopotamian civilisation- the Sumerian around 3600 to 3200 BC” (Patel, Prasad, & Prasad, 2010, p. 18.).

² Figure 1 provides an overview of potential lobbies of an ICS.

³ See Figure 2.

⁴ Appendix i provides an overview of the COBIT Framework.

⁵ See Appendix i and ii.

⁶ Appendix iii presents the tools that are exemplary of one IT process.

⁷ Appendix iv provides an overview of the Maturity Model.

⁸ Appendix v provides an overview of the integration.

⁹ See Appendix vi.