
Assessing the effectiveness of ‘In Control’


Academic year: 2021


Assessing the effectiveness of ‘In Control’

A case study at Rabobank Nederland Trade Services

University of Groningen

Faculty of Economics and Business

Master of Science in Business Administration

Specialization: Organizational & Management Control


Preface

I have written this thesis during and after an internship at Rabobank Nederland, to complete the master Business Administration with the specialization: Organizational & Management Control at the University of Groningen. This thesis is a case study on internal control which was exercised at the department of Trade Services. I have completed this internship with great satisfaction.

I would like to thank my former colleagues at Rabobank and my supervisor Bo Qin of the University of Groningen, for their knowledge and feedback. Furthermore I would like to thank my roommates, family, friends and neighbour for inspiring and supporting me in completing my thesis. I hope you enjoy reading my thesis as much as I have enjoyed writing it.


Executive summary

This thesis is a case study that investigates how an internal control system is implemented in an entity. The study first explicates a widely used internal control framework, developed by COSO. In addition, various theories regarding these COSO components are discussed. A significant amount of research has been done on the implementation of internal control frameworks at the organization level. Less research is available on the interpretation an entity gives to its implementation of internal control. This thesis contributes to the understanding of the implementation of an internal control system at entity level.

The case study is done at the department Trade Services within Rabobank Nederland. The most important findings are that the internal control components found in the literature are applied at Trade Services. In addition, internal control practices are mainly implemented to provide reasonable assurance of the achievement of effective and efficient operations.


Table of Contents

1. Introduction
1.1. Background
1.2. Research objective
1.3. Research question
1.4. Relevance of the thesis
1.5. Methodology
1.6. Conceptual model
1.7. Structure of the thesis
2. Internal Control Frameworks
2.1. COSO Model
2.1.1. Control environment
2.1.2. Risk assessment
2.1.3. Control activities
2.1.4. Information & Communication
2.1.5. Monitoring
2.1.6. Summary of the COSO framework
2.2. Discussion of the COSO model
2.2.1. Implementation benefits
2.2.2. Limitations of the COSO framework
3. Organization profile
3.1. Rabobank Group
3.1.1. Organization structure
3.1.2. Mission and ambition
3.2. Trade Services
4. Research design
4.1. Introduction
4.2. Data collection
4.3. Case selection
5. Findings (ERM design)
5.1. Introduction
5.2. COSO observations
5.2.1. Control environment
5.2.2. Risk assessment
5.2.3. Control activities
5.2.4. Information and communication
5.2.5. Monitoring
5.3. COSO analysis
5.3.1. Control environment
5.3.2. Risk assessment
5.3.3. Control activities
5.3.4. Information and communication
5.3.5. Monitoring
6. Conclusion and recommendations
6.1. Conclusion
6.2. Limitations and recommendations

1. Introduction

1.1. Background

In daily life, everyone has to deal with risks and everyone assesses risks in a different way. In 2010, a Dutch man answering to the name “The Iceman” climbed Mount Everest wearing nothing but shorts. In contrast, a pianist would go to an insurance company to insure his hands. Some people tend to take considerable risks, whereas others are more risk averse. People differ in their risk aversion, and companies also differ from each other in their view of risks. The balance between risks and control differs from company to company. The assessment of risks can also differ per company depending on the situation (Raape, 2008). It can be said that the banking industry differs from other sectors in that respect.

It is often mentioned that banks have a duty to society, and that the industry therefore differs from other industries. Especially after the recent financial crisis, being ‘in control’ is a topical issue in the banking industry. Banks are expected to be in control to prevent a new financial crisis. National as well as international supervisors demand a certain level of ‘in control’ from financial institutions. Several (new) codes, laws and regulations have been drafted in recent decades to prevent banks from being ‘out of control’. Still, banks have to choose their own balance between risks and control, within the boundaries of laws and regulations.

In the beginning of the 1990s, there was still a distinction between financial controls and operating controls (CPA, 1996). After years of struggling, companies believed that it was wrong to make that distinction and believed that they should report on their entire system of internal control as a whole.


financial controls, but also had sections on integrity, arrangement of management boards and minimization of risks and fraud (Cadbury, 1992). After the UK, many other countries followed by drawing up their own corporate governance codes. During the last two decades, each year has seen the introduction, or revision, of a corporate governance code in a number of countries (Mallin, 2010).

Partly to comply with the codes and regulations and to create certainty of being in control, companies tried to arrange internal control mechanisms. The question arises: what exactly is internal control? The definition of internal control has evolved over recent years as a result of different models used by organizations. Colbert et al (1996) distinguished different models, which date from the 1990s and are a result of continuing efforts to define, assess, improve and report on internal control.

The various control definitions are in line with each other, but have different emphases. The internal control framework of the Committee of Sponsoring Organizations (COSO) is the most widely used tool for testing the adequacy of an organization’s internal control structure (Savage et al, 2008). COSO (1992) defines internal control “as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

(1) Effectiveness and efficiency of operations;
(2) Reliability of financial reporting
(3) Compliance with applicable laws and regulation”

COBIT (Control Objectives for Information and related Technology) defines a framework for providing good practices for the management of IT processes in a manageable and logical structure. Because COBIT focuses only on efficiency and effectiveness, it views internal control as a process which includes policies, procedures, practices and organizational structures that support business processes and objectives.

SAC (1994) offers assistance to internal auditors on the control and audit of information systems and technology and emphasizes that internal control is a set of functions, subsystems, and people and their interrelationships to ensure the effective achievement of objectives and goals (Colbert et al, 1996).

1.2. Research objective

This study aims to give an assessment of the internal control system used at Trade Services. Therefore, this study gives an overview of the different internal control mechanisms and will link the theories of internal control with the department Trade Services to show how the internal control theories are applied on the entity level of a company. When this analysis and the judgment of the effectiveness of the internal control framework are made, this study can give recommendations to (re-)design the set of control measures.

1.3. Research question

The central question of this case study is the following:

To what extent does Rabobank Trade Services arrange an internal control system and to what extent is the internal control system effective?

Subquestions

• Which internal control components can be distinguished, and how can it be applied to an organization?
• Which internal control components can be observed at Trade Services?
• What are the improvements to the internal control system at Trade Services?

1.4. Relevance of the thesis

This study will be a case study and contributes to the stream of research on implementation of an internal control framework. Holmström et al (2009) make the distinction between theoretical relevance and practical relevance. The theoretical relevance of this study will be small. This study is of practical relevance because it aims to bridge the gap between theory and practice to solve problems especially in a company’s entity.


There is also little research on the effectiveness of internal control systems. This study intends to link internal control from a theoretical perspective with the internal control system of a company’s entity, to ultimately assess the internal control system in practice.

1.5. Methodology

To answer the sub-questions and finally the research question, both field and literature research are conducted. The theoretical framework provides a number of variables that will be explored in the field. The five risk management components described in chapter two are plotted in a three-dimensional matrix. These components relate to three entity performance objectives, across four potential organizational levels. This study focuses on the entity-level. To provide a complete view, the four objectives as well as the eight components will be taken into account. Also the external influences regarding laws and corporate governance codes will be connected to the internal control system of the department Trade Services.

This research will be conducted by collecting information from document reviews and from in-depth and semi-structured interviews. Semi-structured interviews can give a better understanding of the various internal control mechanisms used in an organization.

1.6. Conceptual model

Figure 1.1. Conceptual Model

[Figure: diagram relating the COSO – ERM components (control environment, risk assessment, control activities, information and communication, monitoring) to the effectiveness of internal control (effectiveness and efficiency of operations; reliability of financial reporting; compliance with applicable laws and regulation).]

The relationship between the major components and the effectiveness of internal control will be investigated. The five different stages in the COSO model are the major components that will be explored to give an assessment of effectiveness of the internal control system and therefore meet the three objectives; (1) effectiveness and efficiency of operations, (2) reliability of financial reporting and (3) compliance with applicable laws and regulation.

1.7. Structure of the thesis

2. Internal Control Frameworks

2.1. COSO Model

The Committee of Sponsoring Organizations was formed in 1985 by five major professional associations from the United States. The organization has developed an integrated framework for internal control (COSO, 1992). According to COSO, management must pay more attention to the internal control issues on operating effectiveness and efficiency, rather than to those solely for SOx compliance (Tsay, 2010). The Internal Control-Integrated Framework is perhaps the most widely used tool for providing a suitable and available framework for management’s assessment for internal control (Savage et al, 2008).

The key objective of this framework is to help management better control their organization’s activities. It is designed to provide reasonable assurance of achievement of three categories of objectives: (1) the reliability of financial reporting, (2) the efficiency and effectiveness of operations and (3) compliance with laws and regulations (Henry et al, 2010).

As mentioned in the introduction, COSO defines internal control as a process, and not as a single event or circumstance. It is important that the stages in the framework are built into the entity’s infrastructure and that observers do not see the control activities as a necessary burden imposed by regulators.


As shown in Figure 2.1, the Internal Control-Integrated Framework outlines five interrelated components of any internal control system. The five components are (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication and (5) monitoring.

In 2004, COSO provided a second document in which it examines the concept of Enterprise Risk Management. This document is called the ERM – Integrated Framework (also known as COSO II) for practical illustrations of techniques in applying enterprise risk management principles. Where the focus of the framework of 1992 was mostly on the internal control, this new framework focuses on the entire system of internal control and added three extra components to the original framework. These components are objective setting, event identification and risk response, and can be seen as a part of the risk assessment process. The changes in the two different models are shown in Figure 2.2.

Figure 2.2 COSO Framework (COSO, 2006)

The components of the original COSO framework are explained below one by one. Within these components, the following sections also discuss other relevant theories to supplement the COSO model. The COSO I model was chosen because it is widely used in practice. The risk assessment phase gives extra attention to the three extra components mentioned in the COSO II model.

2.1.1. Control environment


other components not only in their arrangements, but also in their effectiveness. There are several factors distinguished within the control environment.

One factor is the philosophy of risk management. This philosophy consists of a set of beliefs and attitudes towards the consideration of risks. Managers, as well as other employees may have different perceptions of risks. Risk-management philosophy carries a culture which sets a tone for consideration of risks. Outcomes of the philosophy are documented in policy statements, oral and written communications and decision making.

Senior management has an important influence on the integrity and ethical values of the entity’s personnel. The “tone at the top” is very important for ensuring that the organization’s people will do the right thing, both legally and morally. Top management can also create or influence a culture in which integrity and ethical values are important (COSO, 2004). To communicate the ethical values, companies often draft codes of conduct, which state the organization’s policies.

The translation of the ethical values and integrity of senior management, combined with the culture and history of the organization, will influence the control consciousness of organization’s people. Employees should be committed to the internal control system for them not to abuse it (COSO, 2004).

Management has to decide on the extent of tightness of their control activities. A tighter control system should provide a higher degree of certainty that employees will act as the organization wishes. A condition for using tight controls is that there has to be good knowledge about how one or more objects of control relate to the organization’s goals. Managers often choose loose controls when they do not have this knowledge. The philosophy of risk management can also influence the tightness of control in a way that consideration of risks determines whether the control system is tight or loose (Merchant and van der Stede, 2007).

2.1.2. Risk assessment

1. Objective setting


objectives have to be set when their direct impact on the entity is reasonably likely (Ballou et al, 2005).

Part of objective setting is for management to determine which risks are to be accepted and which are not. Therefore, the risk appetite has to be determined. Risk appetite can be expressed in a quantitative way, illustrated in a risk map as shown in Figure 2.2. This map shows the boundaries of accepting risks, depending on an estimation of the likelihood and the impact of the risks. When identified risks exceed the company’s risk appetite, management should take actions to reduce the likelihood and/or impact.

Figure 2.2: Forming Risk Appetite (COSO, 2004)

Another element of objective setting is the determination of the risk tolerance. “Risk tolerance is the acceptable levels of variation relative to the achievement of objectives”. It is a quantitative way to set a range around the strategic and related objectives. Organizations have to link their objectives with their mission and determine the risk appetite and tolerance (COSO, 1994).

2. Event identification


anticipate on time. Events can be divided into events with positive impacts and events with negative impacts. Events with negative impacts represent the risks and need to be assessed by management. Events with positive impacts can be seen as opportunities, which can be adopted in the strategy and objective-setting process. These events have to be linked with the organization’s objectives (COSO, 2004).

O’Donnell (2005) describes a systems-thinking framework for identifying events that could hinder the achievement of the organization’s objectives. He states that two requirements are important for the effectiveness of an organization’s business processes: procedures and agents. Procedures must be capable of producing the desired results and agents must execute these procedures correctly. The two requirements are influenced by three factors each. Procedures (1) have to be designed properly, (2) have to embed adequate infrastructure support and (3) must not be constrained by factors outside the organization. To execute these procedures correctly, agents must have (1) the appropriate skills, (2) the motivation and (3) the information needed to perform their task. The different factors are shown in Figure 2.3.

Figure 2.3 Factors that influence business process performance (O’Donnell, 2005)


infrastructure- and technology related events would be included under support. Finally, personnel-related events would be included under the three agents’ categories.

3. Risk assessment

Risk assessment is the phase where the potential events will be assessed to the extent to which these events have an impact on the achievement of the objectives of an organization. It is a logical step after the identification of the events. COSO (2004) distinguishes inherent risks and residual risks. Inherent risks are the risks in absence of management’s actions. Residual risks are those risks which (partly) remain when management responds to these risks, i.e. by taking actions to reduce these risks.

The risks can be assessed by measuring the likelihood and the impact of the identified events. This can be measured by quantitative and qualitative techniques. When there is enough information to estimate the risks, quantitative techniques can be used. The distinction can be made between probabilistic, non-probabilistic and benchmarking techniques. These techniques use interval or ratio measures.

Probability-based techniques provide exact information of the likelihood and impact of a range of outputs based on the distributional assumptions about changes of value, cash-flows, earnings or losses. Non-probability techniques are used to assess only the impact of the identified events, determining likelihood separately. Some techniques used are sensitivity analyses, scenario analyses and stress testing. Also benchmarking can be useful to get insight of the likelihood and impact of the events.

When there is not enough reliable information to estimate risks confidently, making it difficult to use quantitative techniques, qualitative techniques might be more appropriate. The quality of these assessments depends on the knowledge and judgments of the individuals who are involved in the risk assessment process. These qualitative techniques consist of the use of ordinal and/or nominal measurement scales.

4. Risk response


The risk avoidance strategy seeks to eliminate uncertainty (Hillson, 1999). When risks arise from lack of knowledge, these risks can be avoided directly by e.g. clarifying requirements or acquiring expertise or eliminating the uncertainty by removing the source of risk. Risks can also be avoided indirectly by choosing a different way of working.

Risk sharing can be realized by contractual agreements with customers, vendors and other business partners. Insuring or hedging the risks is also a strategy to share the risks. Another strategy is to transfer the risks to a third party. In the case of outsourcing, the ownership and liability of risks will be passed to a third party. Often a risk premium is paid for outsourcing activities. In contrast to risk avoidance, risk sharing does not remove risks, but only transfers or shares the responsibilities (Hillson, 1999).

The purpose of risk reduction (or risk mitigation) is to reduce the size of the risk exposure, until the risk falls within the risk tolerance. The size can be diminished by reducing the likelihood or the impact. Hillson (1999) distinguishes preventative responses and mitigation responses. Preventative responses reduce the likelihood of risks, tackle the cause of risks, and ensure that the chance of risks will be reduced through preventative measures. Mitigation responses tend to reduce the impact of the risks by targeting the impact drivers which determine the extent of the impact.

Risk acceptance is often used when the previous response strategies are unlikely to be cost-effective. The initial costs to design and implement a response have to be considered as well as the potential benefits coming from this response. The result of this ‘calculation’ can be that management is forced to accept the risks, and therefore the potential costs. To measure the cost-effectiveness, Boehm (1989) defines the Risk Reduction Leverage factor (RRL) as $RRL = (RE_{before} - RE_{after}) / \text{risk reduction costs}$, where $RE_{before}$ is the risk exposure, measured as likelihood × impact, before the response, $RE_{after}$ is the risk exposure after the response, and the risk reduction costs are the costs of the response. The response strategy is effective when the outcome of the RRL is larger than one. The choice of strategy can be made by comparing the RRL outcomes of the different strategies.

2.1.3. Control activities


of an organization, controls would not be needed. This is not the reality and so controls are needed to control the actions of employees.

Merchant (1982) developed a Control Tool Classification Framework that distinguishes three types of controls. These classifications will be applied specifically to risk mitigation, instead of to control employees to achieve the organizations’ objectives in the broad sense. The types of control are (1) action controls, (2) results controls and (3) personnel controls. Action controls are controls to ensure that employees perform certain actions, or prevent that employees perform undesirable actions. Results controls are controls that hold the employee responsible for certain results. They attempt to motivate employees in the sense that their efforts will be rewarded in a significant way. Personnel controls are controls to make it more likely that employees will perform their tasks satisfactorily. Merchant added in 2003 a fourth control; cultural controls, which can be listed under the control environment of the organization. Table 2.1 shows the elements of the three types of control. These elements will be discussed shortly.

Table 2.1. A Control Classification Framework (Merchant, 1982)

Action controls

Behavioural Constraint:
• Physical (e.g. locks, security guards)
• Administrative (e.g. separation of duties)

Action Accountability:
• Work rules
• Policies and procedures
• Codes of conduct

Pre-action Reviews:
• Direct supervision
• Approval limits
• Budget review

Results controls

Results Accountability:
• Standards
• Budgets
• Management by Objectives (MBO)

Personnel controls

Upgrade Capabilities:
• Selection
• Training
• Assignment

Improve Communications:
• Clarify expectations
• Provide information for coordination

Encourage Peer Control:
• Work group
• Shared goals


which can result in different levels in which employees are allowed to approve expenditures (Merchant and Van der Stede, 2003).

Action accountability means that employees are responsible for their actions. A requirement of the implementation of action accountability is that acceptable actions are defined and communicated to employees. Work rules, policies and procedures can make these acceptable actions visible and is a way to influence employees’ actions (Merchant and Van der Stede, 2003).

A third element of action controls is pre-action reviews. In this case, the actions of employees are controlled by a reviewer, who can approve or disapprove the proposed actions. One form of pre-action review is a document that has to be signed by two employees (Merchant and Van der Stede, 2003).

Merchant (1998) distinguishes between action controls whose purpose is to prevent and action controls whose purpose is to detect. Most of the action controls used in organizations aim to prevent undesirable actions; however, sometimes it is difficult to measure the desirable actions of employees coming from the preventative action controls. Therefore detection controls can be useful to gather information on which the appropriate actions are taken. Such detection action controls are internal audits or peer reviews (Merchant and Van der Stede, 2003).

The use of results controls is a way to make employees only accountable for the output. Their rewards are based on the output. Results control can motivate employees to behave appropriately. A requirement of results control is that the dimension on which performance is measured is defined clearly. This output-oriented measurement can influence the behaviour of employees and can be seen as a control activity to mitigate risks (Merchant and Van der Stede, 2003).

The third type of control is personnel control. Personnel controls are designed to ensure that employees will perform the desired tasks satisfactorily on their own. Personnel controls provide assistance for employees as necessary. Identified risks can be reduced by upgrading the capabilities of personnel by training them or tightening hiring policies. Another personnel control is the improvement of communication to clarify the expectations of the organization and to ensure that employees know their role better (Merchant and Van der Stede, 2003).


controls can be used in every situation (Merchant, 1982). If an organization wants to be in control, and therefore wants to arrange a set of control activities to mitigate risks, it is important to understand the aspects of an organization’s processes. Ouchi (1979) measures these processes, using two dimensions; (1) knowledge of the transformation process and (2) ability to measure outputs. Merchant (1982) combines this model with the three types of control, shown in figure 2.4.

Figure 2.4. Key Control Object Feasibility Determinants (Merchant, 1982)

Ability to Measure Outputs | Knowledge of the Transformation Process: Perfect | Knowledge of the Transformation Process: Imperfect
High | Actions control or Results control | Results control
Low | Actions control | Personnel control

When there is imperfect knowledge of the transformation process, but the ability to measure outputs is high, results control is the most suitable control type. Vice versa, when the knowledge of the transformation process is perfect, but the ability to measure outputs is low, action control is more suitable. Personnel control is the most suitable when both knowledge of the transformation process and the ability to measure outputs are low. In other words, to apply this model on the mitigation of risks, using these types of control, actions controls are most suitable in situations where it is easy to define precisely the required behaviour on a production line, but it is difficult to measure the outcome of the production line.

2.1.4. Information & Communication


First of all, information has to facilitate proper control and can be subdivided into financial information and non-financial (often operational) information. Both information categories, developed from internal and external sources, are relevant to the three objectives COSO mentions. Information is captured in information systems and has to cover external events, activities and conditions as well as internal operating activities. Information is also needed to provide a reliable risk reduction leverage factor for identifying the balance of effectiveness and costs. In this case, information is a means to control. Information should meet certain quality criteria to facilitate proper control. Chaffey and Wood (2005) distinguished four attributes that make information of value to those who use it and to the organization as a whole. In other words, these attributes influence the information quality. The attributes are:

• Relevance: The information must directly support the decisions that need to be made.
• Presentation: The information must be presented in an understandable form.
• Timeliness: The information needs to be up-to-date. The timeline can differ per situation.
• Availability: The information has to be accessible for those who need it.

The second objective is the use of information as a subject of control. An example is an information system that initiates, authorizes, records, processes and reports transactions relevant to the financial reporting (Eilifsen et al, 2010).

The third objective is to communicate the information, in line with ERM, in a timely manner to all levels of the organization that are involved in managing the internal control activities (Ballou & Heitger, 2005). But communication must take place in a broader sense. COSO (1992) distinguishes internal communication and external communication. Internal communication is needed to let individuals understand their roles and responsibilities in the internal control system. Therefore people need to know what behaviour is acceptable and what is not. Personnel also need to communicate information upstream in an organization. Appropriate communication is needed not only within the entity, but also outside the entity. Communication channels with suppliers and customers can provide information on the functioning of the internal control system, such as the audits from external auditors.

2.1.5. Monitoring


over time and (2) to identify deficiencies and communicate them to the responsible parties for taking corrective actions.

In the COSO report (2004) the distinction is made between on-going monitoring activities and separate evaluations. On-going monitoring activities are the activities an organization performs to monitor the effectiveness of the different components on a continuous basis. Sometimes it is useful to evaluate the enterprise risk management periodically. These are separate evaluations and are often broad-based, with a scope covering the whole entity and all components. Internal audit reviews are often used as separate evaluations, in which the risks and control activities of an entity are assessed.

COSO (2008) developed a model for monitoring. This model, shown in Figure 2.5, consists of three components; (1) establishing a foundation for monitoring, (2) the design and implementation of the monitoring procedures and (3) the assessment and reporting of the results.

Figure 2.5. Model for Monitoring (COSO, 2008)


The design and implementation of monitoring procedures consists of a process of four phases. First, risks have to be prioritized to identify which risks are meaningful enough to be a subject of the control monitoring. Second, the most important controls (key controls) must be identified to support a conclusion about the internal control system’s effectiveness. Third, when key controls are noted, information has to be collected to determine whether the control system is working properly. As mentioned in the section on information and communication, this information has to fulfil some requirements. Finally, when the information is collected, the decision can be made which monitoring procedures must be employed, i.e. the implementation of the monitoring procedures that evaluate the effectiveness of the internal control system.

The last component is assessing and reporting the results. First, control deficiencies have to be prioritized and it has to be determined to which level the deficiencies should be reported. Then the results have to be reported and communicated internally as well as externally. Finally, corrective actions have to be drawn up to make improvements to the internal control elements. These improvements also have to be evaluated the next time, when the earlier mentioned baseline has shifted.

2.1.6. Summary of the COSO framework

COSO developed an internal control framework to help management better control their organization’s activities. The framework is designed to provide reasonable assurance of the achievement of three categories of objectives: (1) the reliability of financial reporting, (2) the efficiency and effectiveness of operations and (3) compliance with laws and regulations.

The framework from 1992 consists of five interrelated components; (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication and (5) monitoring.

The control environment can be seen as the core of the business and the foundation for the other components and consists of the philosophy of management, the ‘tone at the top’ and the tightness of control systems.


impact. Finally, management has to decide how to respond to the potential risks by choosing from four response strategies.

The third component, control activities, consists of the outcome of the risk responses and are policies and procedures to take necessary actions to cope with risks. Some control activities are behavioural constraints, action accountability, pre-action reviews, detection controls, results controls and personnel controls.

Information and communication is the component of the COSO framework to facilitate proper control, to use information as a subject of control and to communicate the information of internal control timely to other levels in the organization.

The last component, monitoring, consists of on-going monitoring activities to monitor the effectiveness of the different components on a continuous basis and separate evaluations to monitor the effectiveness periodically.

2.2. Discussion of the COSO model

This section describes implementation benefits and limitations of the implementation of the COSO model.

2.2.1. Implementation benefits

As mentioned above, the COSO model is the most widely used tool for internal control. The question arises whether the application of the COSO framework adds value to an organization and whether the extent of the implementation of the framework contributes to the effectiveness of the internal control.

The COSO framework responds to the growing focus on corporate governance. According to Williamson (2007) the framework serves as a statement of what ERM is and gives a clear direction and guidance for the ERM implementation. It may come to be accepted as a standard for how ERM should be implemented. COSO sets out a framework for all entities, in non-financial as well as in the financial industry.


framework (Pitinanondha, 2008). McPhee (2003) explains that the common problems in implementing the ERM framework are a lack of expertise and an unsupportive organizational culture. Research from Pagach and Warr (2010) emphasizes that there is also little evidence of a link between the adoption of an ERM framework and better financial performance. Also, limited evidence is found of overall risk reduction after implementation of an ERM framework.

The above studies indicate that there is little or no evidence that the adoption of an ERM framework will result in benefits for the organization. Research by Hoyt and Liebenberg (2011) found a positive relation between firm value and the use of ERM. This research measured the extent to which specific firms have implemented ERM frameworks, after which the authors assessed the value of those firms. U.S. insurers were chosen as the sample for this research.

McShane et al (2011) have a different point of view. They acknowledge the positive relationship between the implementation of (traditional) risk management frameworks and firm value, but found that firm value does not increase further when firms implement ERM frameworks. According to this research, a strong ERM culture constrains firm growth.

It is worth pointing out that the studies described above emphasize that little research has been done in the field of risk management and, in particular, on the adoption of the ERM framework of COSO.

2.2.2. Limitations of the COSO framework

Several studies have been critical of the use of the COSO framework. This section explicates some limitations of the COSO framework.

First of all, Shaw (2006) recognized the problem of gaming. Managers attempt to anticipate what their auditors will look for. Sometimes there is more focus on pleasing the external auditors than on providing an effective internal control system to reduce risks.


Also, there is no clear measurement of the effectiveness of the ERM process. COSO does not give an adequate criterion of effectiveness. COSO assumes that the effectiveness of an internal control system depends on whether all the components are present and working effectively. There is no clear definition given of the effective working of the components (Williamson, 2007).

3. Organization profile

In this section, the organizational profile of the organization where the research is conducted will be described. The first section will give an overview of the organization’s structure and the mission and ambitions of the Rabobank Group. The second section will describe the department Trade Services. On this entity level, the research is conducted. The third section describes the products and services Trade Services delivers.

3.1. Rabobank Group

According to its website, the Rabobank Group is an international financial services provider operating on the basis of cooperative principles. The financial institution offers a large range of financial products and services, such as banking, asset management, leasing, insurance and real estate services. The focus is on broad financial services provision in The Netherlands and primarily on food and agribusiness internationally.

3.1.1. Organization structure

The Rabobank Group has a cooperative structure and is comprised of 141 independent local Rabobanks, supplemented by their umbrella organization Rabobank Nederland. Overall, the local Rabobanks and Rabobank Nederland have an employee base of about 33.600 FTE’s and serve about 6,8 million retail clients and 800.000 corporate clients in the Netherlands, making it the densest banking network in the Netherlands. Because of the cooperative structure, clients can become members of the local Rabobanks. The local Rabobanks, for their part, are members and shareholders of Rabobank Nederland.

Rabobank Nederland is a supportive organization and monitors, on behalf of the Dutch Central Bank, the business practices, outsourcing, solvency and liquidity of the local Rabobanks. In addition, Rabobank Nederland exercises a number of central staff functions for the local banks and the entire Rabobank Group.


a banking infrastructure in six developing countries by taking non-controlling interests in rural banks and offering them expertise and human capital.

3.1.2. Mission and ambition

The Rabobank Group puts the common interests of people and communities first. From commitment to those interests, the Rabobank wants to be a driving and innovative force that contributes to the sustainable development of wealth and prosperity. The goal is the achievement of current and future aspirations of people and communities. To achieve this goal, strengthening the cooperation and offering the best possible financial solutions are the means. The ambition is to be the biggest, best and most customer-driven innovative financial institution in the Netherlands.

3.2. Trade Services

Trade Services (TS) is a department within Rabobank Nederland that provides international trade solutions with regard to import and export. These solutions can help clients to reduce risks in their supply chain. Trade Services has an employee base of 90 FTE’s. The client base of Trade Services consists only of business clients of local Rabobanks or corporate clients of Rabobank Nederland. Trade Services consists of seven teams. Three of these are processing teams, broken down by product: Documentary Collections, Letters of Credit and Bank guarantees. Trade Services will be referred to as TS.

Besides these processing teams, TS has four supportive teams: Administration and Systems, Trade Service Desk, Trade Support and Process Management. Administration and Systems supports TS in the field of systems and is responsible for the first stage of the processing of the various products: the registration of these products. The Trade Service Desk is a helpdesk for customers with questions and complaints about TS. Trade Support is an overall supportive team, which gives support in extraordinary cases. Process Management is responsible for the facilitation and control of the processes used to process the trade products.

3.2.1. Products and services

4. Research design

4.1. Introduction

This section gives a description of the research design which is needed to answer the following research question:

“To what extent does Rabobank Trade Services arrange an internal control system and to what extent is the internal control system effective?”

In this study, the case study method is used and attempts to explore multiple sources of evidence of the effectiveness of internal control mechanisms on entity level. A case study is characterized by giving a comprehensive understanding of a single case and it tries to consider a sufficient number of variables to give insights into this single case. The case study method also enables in-depth documentary analysis, extraction of data and specific (confidential) information from a single organization. The sources used in this study are: data collected through semi-structured interviews, observations and documentary analysis. The downside of a case study is the lack of generalizability. Because this study is based on one entity, the outcomes of this study cannot be applied automatically to other entities (Saunders et al, 2003).

4.2. Data collection

As described in Section 2, the model of COSO is an integrated model of internal control where the different control components cannot be seen as single events. However, in this study the five components will be explored independently. The presence and proper functioning of the independent variables at TS can provide reasonable assurance of proper functioning of the internal control system of TS and therefore finally meet the three organizational objectives described in Section 2.

From the theoretical framework of internal control, explicated in Section 2, a list of major and break-down components can be made. The five components of the COSO model are the major components. The individual break-down components will feed into and form the specific major component. The break-down components also arise from the literature review, explicated in Section 2. In this study the break-down components will be explored independently to ultimately explore the functioning of the major components. Table 4.1 gives an overview of the major and break-down components.


Table 4.1. Internal control components

| Major components | Break-down components |
|---|---|
| 1) Control environment | 1.1) Philosophy of risk management |
| | 1.2) Tone at the top |
| | 1.3) Control system tightness |
| 2) Risk assessment | 2.1) Appropriate objectives |
| | 2.2) Risk appetite |
| | 2.3) Risk tolerance |
| | 2.4) Tools to identify events |
| | 2.5) Criteria to assess risks |
| | 2.6) Inherent and residual risks |
| | 2.7) Use of responses |
| 3) Control activities | 3.1) Outcome of risk response |
| | 3.2) Behavioural Constraints |
| | 3.3) Action Accountability |
| | 3.4) Pre-action Reviews |
| | 3.5) Detection controls |
| | 3.6) Results Accountability |
| | 3.7) Personnel controls |
| 4) Information and communication | 4.1) Facilitation of control |
| | 4.2) Subject of control |
| | 4.3) Communication |
| 5) Monitoring | 5.1) On-going monitoring activities |
| | 5.2) Separate evaluations |

4.3. Case selection

5. Findings (ERM design)

5.1. Introduction

The Rabobank Group claims that they have implemented a comprehensive system of internal controls to ensure that transactions are executed as authorized, to ensure that the financial reporting is accurate and reliable and to ensure that their assets are safeguarded. The internal control framework of the Rabobank Group is based on the ERM framework of COSO (Rabobank.com). In this section the translation of the ERM framework into a lower organization, in this case Trade Services, will be explored. Using the internal control elements described in Section 2, the observations of the internal control framework of Trade Services will be described in Section 5.2. Section 5.3. gives an analysis of the observed COSO elements.

5.2. COSO observations

5.2.1. Control environment

The central question to determine the control environment of Trade Services is to determine whether management created a culture in which ethical behaviour is encouraged (Lightle et al, 2007). This research attempts to focus on the employee perceptions rather than the management intentions.

In summary, three parts are important for the determination of the control environment; (1) philosophy of risk management, (2) the ‘tone at the top’ and (3) control system tightness. Through observations and semi-structured interviews these three elements will be discussed and evaluated.


A strong control consciousness is observed at the management of TS. This is characterized in weekly meetings, a special portfolio of the internal control tasks within TS, and the variety of procedures. The control consciousness is seen as important, because of the manual work that has to be performed by employees. The Trade business and the processing of the products are characterized by accurateness and cannot be seen as standard work. To reduce the risks involved with the Trade business, internal control mechanisms are seen as important.

The control system tightness can also be seen as strong. Following from the strong control culture, which originates in the variety of manual tasks, control practices are arranged to ensure the tightness of the control system. Examples are process controls, the use of the four-eye principle, schedules and procedures to involve more employees in decision making. This will be discussed in more detail in the COSO analysis (Section 5.3.1.).

5.2.2. Risk assessment

This sub-section describes the actions with regard to the risk assessment. The implementation of elements regarding (1) appropriate objectives, (2) risk appetite, (3) risk tolerance, (4) event identification, (5) assessment of risks, (6) inherent and residual risks, and (7) risk response will be discussed.

Objective setting

Trade Services translated the top-down objectives into an annual plan. This plan consists of specific objectives regarding efficiency, quality, compliance, cost reduction and monitoring of risks. This plan includes all the top-down control objectives and a schedule for carrying out the risk assessment processes and initiating the control activities. Also, a daily schedule is used in the processing teams to set objectives in terms of productivity. There is a strong focus on managing productivity and turnaround time.

COSO (2004) states that a part of the objective setting is to determine the risk tolerance and the risk appetite. Operating within the risk tolerance can provide management greater assurance that the entity remains in the risk appetite. An example of risk tolerance at TS is the guarantee of processing products within the next day. TS set the target that 95% of the products have to be processed within 24 hours.


way. The overarching department has used monetary terms to set the risk appetite. The sum of the potential risks, based on risk analysis and in monetary terms, has to be lower than the predetermined level, otherwise management has to take actions.

The second element of the risk appetite is the determination of a limit for individual risks. When the identified risks exceed a certain level of exposure, management has to take measures. This form of risk appetite will be discussed further in the Risk Analysis Process.

Risk Analysis Process

To identify the risks associated with the various products, two different formal event identification and risk assessment processes are observed. The first process focuses on the product content risks and is called the Product Risk Analysis. The second process focuses on the process related risks and is called the Risk Analysis Process. The Risk Analysis Process is exercised by Trade Services, whereas the Product Risk Analysis is exercised by a product management department. This research is only focused on the internal control mechanisms of TS and therefore it will focus only on the Risk Analysis Process.

The Risk Analysis Process is a formal way for TS to identify and assess risks. The process is divided between the different teams and is exercised on a yearly basis. As mentioned in chapter 3, TS consists of seven teams. Except for Process Management, each team sets up a Risk Analysis Process in planned sessions, facilitated by a process manager and a risk manager.

The formation of the Risk Analysis Process begins with brainstorming to identify potential events. The potential events will be identified using process flows. For each stage of the process, events will be identified and the risks will be recognized.


Table 5.1. Likelihood scale

| Likelihood | Scale |
|---|---|
| 1 (low) | Likelihood that the risk occurs less than once a year |
| 2 | Likelihood that the risk occurs once a year |
| 3 | Likelihood that the risk occurs once a month |
| 4 | Likelihood that the risk occurs one or more times a month |
| 5 (high) | Likelihood that the risk occurs one or more times a day |

Employees estimate the impact in a quantitative way, to determine the financial loss, or in a more subjective manner, to measure the effect on customers. Table 5.2. gives an overview of the scale used at TS to determine the impact.

Table 5.2. Impact scale

| Impact | Quantitative scale | Qualitative scale |
|---|---|---|
| 1 (low) | Impact < EUR 500 | Explainable |
| 2 | EUR 500 < impact < EUR 10.000 | Damaging trust of internal customer |
| 3 | EUR 10.000 < impact < EUR 25.000 | Damaging trust of customer |
| 4 | EUR 25.000 < impact < EUR 500.000 | Leaving of customer |
| 5 (high) | Impact > EUR 500.000 | Serious reputation damage |

To determine the exposure, the likelihood is multiplied by the impact. For each risk, a certain number will be calculated. This number is important to determine whether control activities are needed. This will be explained in Section 5.2.3.

First, the exposure of inherent risks will be determined. The inherent risks are the risks in the absence of management’s actions. For each inherent risk, the controls in place will be identified. The controls are often a risk response strategy and will be discussed below. When the controls are identified, the exposure of the residual risk can be determined. The exposure of the risks can be lowered due to the controls.


the likelihood multiplied by the numbers given by the estimation of the impact. A risk exposure of ‘1’ means that the likelihood as well as the impact is low. The maximum risk exposure is ‘25’, which means that the likelihood and impact are both estimated as ‘5’. The risk appetite set at TS is ‘8’. This means it is not necessary to take action when the outcome of the risk exposure is less than ‘8’. Rabobank decided that these risks fall within the risk appetite; however, when the outcome of the exposure of risks is ‘8’ or higher, management has to take action. These actions are risk response strategies, and will be discussed below.
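The scoring described above can be written out as a small risk register; this is an added illustration, not code or data from Rabobank or the thesis. The risk names, scores and the tie-breaking at band boundaries are assumptions, since Table 5.2 does not say which score a loss of exactly EUR 500, 10.000, 25.000 or 500.000 receives.

```python
from dataclasses import dataclass

RISK_APPETITE = 8  # from the text: an exposure of 8 or higher requires action

# Upper bounds (EUR) of quantitative impact scores 1-4 from Table 5.2.
# Assumption: a loss exactly on a boundary gets the higher score.
IMPACT_UPPER_BOUNDS_EUR = ((500, 1), (10_000, 2), (25_000, 3), (500_000, 4))


def impact_score(loss_eur: float) -> int:
    """Map an estimated financial loss to the 1-5 quantitative impact score."""
    if loss_eur < 0:
        raise ValueError("loss must be non-negative")
    for upper_bound, score in IMPACT_UPPER_BOUNDS_EUR:
        if loss_eur < upper_bound:
            return score
    return 5


@dataclass(frozen=True)
class Rating:
    likelihood: int  # 1-5, Table 5.1
    impact: int      # 1-5, Table 5.2 (quantitative or qualitative scale)

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if value not in range(1, 6):
                raise ValueError(f"{name} must be 1..5, got {value!r}")

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact  # ranges from 1 to 25


@dataclass(frozen=True)
class Risk:
    name: str
    inherent: Rating   # exposure in the absence of management's actions
    residual: Rating   # exposure once the controls in place are considered
    acceptance_form_signed: bool = False  # formal residual risk form

    def __post_init__(self):
        # Assumption: controls never raise exposure, so this is an entry error.
        if self.residual.exposure > self.inherent.exposure:
            raise ValueError(f"{self.name}: residual exceeds inherent exposure")


def decide(risk: Risk) -> str:
    """Compare the residual exposure with the risk appetite."""
    if risk.residual.exposure < RISK_APPETITE:
        return "within appetite"
    if risk.acceptance_form_signed:
        return "accepted via residual risk form"
    return "response required"


def review(register):
    """Return (name, inherent, residual, decision), highest residual first."""
    rows = [(r.name, r.inherent.exposure, r.residual.exposure, decide(r))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; names and scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("Manual input error at registration",
         inherent=Rating(4, impact_score(12_000)),
         residual=Rating(2, impact_score(12_000))),
    Risk("Processing system outage without server fallback",
         inherent=Rating(2, 5), residual=Rating(2, 5),
         acceptance_form_signed=True),
    Risk("Non-matching liability balance left unexplained",
         inherent=Rating(3, 4), residual=Rating(2, 4)),
]

if __name__ == "__main__":
    for row in review(SAMPLE_REGISTER):
        print(row)
```

The third constructed risk lands exactly on the appetite value, which the text treats as requiring action.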

Risk responses

As mentioned in Section 2, COSO (2004) distinguished four risk responses; (1) risk avoidance, (2) risk sharing, (3) risk reduction and (4) risk acceptance.

Observations of risk avoidance strategies are the procedures regarding the countries on the ‘black list’ TS uses. Imposed by overarching departments, TS can decide not to undertake transactions with these countries. This can be seen as a risk avoidance strategy.

TS also uses several Service Level Agreements to share risks. These so-called SLA’s are agreements made with customers, vendors and other (internal) business partners, to share risks. There are agreements on the use of processes of other parties by TS and agreements where other parties make use of processes exercised at TS. When use is made of processes exercised by other parties, the ownership and liability of the risks will be passed to a third party. Therefore, these agreements have to prevent uncertainties by making explicit contracts on paper and can be seen as risk sharing strategies.

The observed risk reduction strategies consist of a set of implemented controls, distinguished in three types of reduction controls. First, preventative responses are controls to reduce the likelihood of the risks. Second, detective responses are responses to detect the risks and therefore to reduce the impact of risks. Finally, corrective responses are controls to recover from the risks or the damage that the risk entails. TS uses many risk reduction responses. Examples of risk reduction controls are the use of the four-eye principle, the use of several lists to detect errors and reconciliation practices. These risk reduction controls will be discussed in detail in Section 5.2.3.


benefits. In other words, risks will be accepted when the outcome of the Risk Reduction Leverage, mentioned in Section 2, is below 1. TS arranged specific residual risk forms for formally accepting residual risks. Depending on the exposure of the residual risks, higher management has to approve the residual risk form, to recognize the residual risk and to acknowledge that the decision is made not to take measures. An example of the acceptance of a risk is the decision not to arrange a server fallback of the processing system, because of the cost-effectiveness consideration.

5.2.3. Control activities

This section describes the control activities set up by management. The observations regarding (1) outcome of risk response, (2) behavioural constraints, (3) action accountability, (4) pre-action reviews, (5) detection controls, (6) results accountability and (7) personnel controls will be discussed.

Action controls

As described in the previous chapter, TS uses controls to reduce risks. The outcome of the risk assessment is important for the decision whether a risk has to be reduced or accepted. Formally, TS has to make this choice when the risk exceeds the risk appetite, that is, when the exposure is classified as ‘8’ or higher. Besides the use of the residual risk form, the risk acceptance strategy, TS can choose process controls. These process controls are ex post samples to test whether the measures for reducing risk have been performed correctly.

In the course of every year, and preferably after the Risk Analysis Process, process controls are implemented. At the beginning of 2012 TS used twenty process controls, across several processes within TS. These process controls provide insight into compliance with the measures to reduce risks and can provide a basis for drawing up improvement actions.


systems. This can be seen as a preventative measure to avoid actions by employees to which they are not entitled.

Due to the separation of duties, an employee is not allowed to fulfil the whole route of processing a product. Besides the fact that knowledge and skills are important to fulfil some tasks, TS uses a separation of duties to prevent fraudulent activities. The so called four-eye principle is widely used at TS. This principle ensures that actions taken by one employee are always checked and approved by another employee. This approval is, in addition to the fact that it is documented in procedures, forced by the system and the roles arising from the role-based access control. In the processing of the products, a distinction is made between the register tasks and release tasks, which complete the processing of the products.
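The separation between register and release tasks described above can be enforced in code along the following lines. This is an added sketch, not the processing system used at TS; the class names, user names and the reference `LC-001` are constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    REGISTER = "register"  # first stage: registration of the product
    RELEASE = "release"    # final stage: completes the processing


class FourEyeViolation(PermissionError):
    """The same employee tried to both register and release a product."""


@dataclass
class Product:
    reference: str
    registered_by: Optional[str] = None
    released_by: Optional[str] = None


class ProcessingSystem:
    def __init__(self, role_assignments):
        # Role-based access control: user -> set of roles.
        self.roles = {u: frozenset(r) for u, r in role_assignments.items()}
        self.products = {}
        self.audit_log = []  # denied attempts, usable as a detection control

    def deny(self, user, role, reference, reason):
        self.audit_log.append((user, role.value, reference, reason))

    def require_role(self, user, role, reference):
        if role not in self.roles.get(user, frozenset()):
            self.deny(user, role, reference, "role not assigned")
            raise PermissionError(f"{user} lacks role {role.value}")

    def register(self, user, reference):
        self.require_role(user, Role.REGISTER, reference)
        if reference in self.products:
            raise ValueError(f"{reference} is already registered")
        self.products[reference] = Product(reference, registered_by=user)
        return self.products[reference]

    def release(self, user, reference):
        self.require_role(user, Role.RELEASE, reference)
        product = self.products.get(reference)
        if product is None:
            raise KeyError(f"{reference} has not been registered")
        if product.released_by is not None:
            raise ValueError(f"{reference} is already released")
        # Four-eye check: holding both roles is not enough, the second
        # pair of eyes must belong to a different employee.
        if product.registered_by == user:
            self.deny(user, Role.RELEASE, reference, "same user registered")
            raise FourEyeViolation(f"{user} registered {reference}")
        product.released_by = user
        return product


def attempt(action, user, reference):
    """Run one step and report 'ok' or the name of the exception raised."""
    try:
        action(user, reference)
        return "ok"
    except (PermissionError, ValueError, KeyError) as exc:
        return type(exc).__name__


def run_scenario():
    """Constructed scenario: carol holds both roles, alice and bob one each."""
    system = ProcessingSystem({
        "alice": {Role.REGISTER},
        "bob": {Role.RELEASE},
        "carol": {Role.REGISTER, Role.RELEASE},
    })
    results = [
        attempt(system.register, "carol", "LC-001"),  # allowed
        attempt(system.release, "carol", "LC-001"),   # blocked: same person
        attempt(system.release, "alice", "LC-001"),   # blocked: no role
        attempt(system.release, "bob", "LC-001"),     # allowed: second person
    ]
    return results, system


if __name__ == "__main__":
    outcome, system = run_scenario()
    print(outcome)
    print(system.audit_log)
```

The role check alone would let an employee holding both roles complete a product unaided, which is why the identity comparison is a separate step.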

Other preventative measures to control employees’ actions include the documentation of (working) procedures. TS uses a broad set of working procedures to help employees and to ensure that employees perform their job in a desired way. Each team uses working procedures and these procedures are updated once a year. The use of procedures can influence the actions of employees. An important procedure which cannot be neglected is the so-called ‘sanction tool’. To prevent business being done with undesirable parties, TS developed a tool which checks whether manually entered names appear on a specially prepared black list of undesirable transaction partners. Due to the cost-effectiveness of this preventative measure, TS chose to mark several countries and to use this sanction tool only in the case of these countries.

Besides the separation of duties, there are also pre-action reviews implemented at TS. Two different signature procedures are observed. An internal signature procedure is arranged for making corrections in, for example, ledgers; only some managers are authorized to give this signature. The second procedure is the external procuration. Depending on the amount of money involved in the product, documents have to be signed with one or sometimes more signatures. There are several employees authorized to sign these documents. Due to the additional signatures, TS reduces the risk of fraudulent activities.


Customers can also choose to use key arrangements, in which a key code ensures the authenticity of the customer.

Detection controls

It is not realistic or effective to prevent undesirable actions completely. TS has implemented several detection controls to gather information on the extent to which appropriate actions are taken.

The first detection control used at TS is a tool where complaints and errors are registered. Team Trade Service Desk receives complaints from customers that can be used to detect mistakes and to take corrective actions. The collected list of errors consists of errors found after the products were released. These lists of errors and complaints give an input for feedback to employees. There are structured sessions to give feedback regarding these errors. This detection control works as a preventative measure to train employees and eventually as a corrective measure to correct the error.

TS performs actions of reconciliation. The objectives of these actions are twofold. First, reconciliation actions enable management to correct past mistakes; second, reconciliation actions are needed to achieve reliability of financial data. Three types of reconciliation can be distinguished. (1) Reconciliation on product liability to align the amount of outstanding liability regarding the products, between the booking system and the processing system; (2) reconciliation on customer liability to align the balances of the customer between the processing system and the booking system and (3) the reconciliation on bank and country risks, where an alignment has to be made between a bank and country system and the processing system. As a control activity, TS has to explain and solve non-matching balances. As a result of detection lists of these non-matching balances, TS manages a list of potential losses.

Results controls

Personnel controls

TS makes use of personnel controls. The use of personnel controls can result in a higher chance that employees perform the desired tasks satisfactorily. A distinction is made in the education level required for different jobs within Trade Services. Also, employees often follow a usual route within TS, usually starting at Team Administrative and Systems and subsequently moving on to processing teams.

Another personnel control is the on-the-job training for new employees. These employees receive on-the-job training in order to learn about the products. Training regarding laws and regulations is also given, as well as specific Trade regulation training. Besides the training focused on improving the skills of employees, there are also special computer exams which employees have to take. These computer exams are related to control and include exams about Security Awareness and knowledge of compliance subjects.

To improve the flexibility of employees, the so-called Taskforce has been created. This involves an exchange of employees between different teams, which improves the versatility of the employees.

To improve communication and feedback, the teams within TS organize several meetings. These meetings are meant to improve the capabilities of employees and can be seen as preventative measures to reduce the risk of making mistakes. The stimulation of communication often leads to improvement plans.

5.2.4. Information and communication

As described in Section 2, the objectives of information and communication are threefold. Information has to facilitate proper control; information can be used as a subject of control; and there has to be decent communication of the information. This sub-section describes the observations of information and communication at TS.

Information
