Academic year: 2021

Monitoring internal control

A research of the monitoring of internal controls and the possible consequences of less AFM supervision.

“We cannot direct the wind, but we can adjust the sails.” Bertha Calloway

University of Groningen

Faculty Economics and Business

Master of Science Business Administration

Specialization Organizational & Management Control

Author: Merijn Tillema Student number: 1401033

Date: 15-07-08

Supervisor KPMG: Maaike Ligthart


Preface

This thesis is the result of an internship of five months with KPMG and is meant to complete the master Organizational & Management Control. In early 2008 I started looking for an internship with the objective of completing my thesis, conducting the empirical research within a large organization and gaining an inside view of corporate life. I applied for an internship in February 2008 at the Governance & Compliance division of KPMG Advisory and started one month later. This division bundles specialist knowledge in the area of financial legislation and internal control. While the change from being a student to ‘working life’ proved exhausting, I experienced my internship as interesting, exciting and highly informative.

I would like to thank KPMG for providing me with this opportunity and the necessary facilities. During my internship at KPMG my ‘colleagues’ not only helped me with ideas and information for my thesis but also provided the supervision and connections necessary to complete it. I would especially like to thank Maaike Ligthart, my supervisor at KPMG, for dedicating time to reviewing my thesis and supporting me with advice. Furthermore I would like to thank my thesis supervisor, Reggy Hooghiemstra, for his constructive feedback and useful tips. Finally, I would like to thank my parents and girlfriend for their continuous support.


Executive summary

Due to lack of capacity and the fact that supervision could be more effective, the AFM wants to decrease its extensive supervision. In the beginning of 2008 the AFM started a pilot called “tailored supervision”. Supervision by the AFM will be adjusted to the organization. The emphasis lies on the own responsibility of the organization while the AFM only performs the necessary supervision. Organizations that are ‘in control’ will receive less supervision and are given more space to handle issues and incidents themselves. This pilot could have various consequences for the internal control of organizations. Because internal control is such a large concept, this thesis focuses on the monitoring of internal controls. This thesis explores the effects of less external supervision using the following research question:

‘If an organization is given more responsibility for handling internal control, how can they arrange the monitoring of internal controls?’

To answer this question this thesis combines a theoretical research with empirical research. In the first part, literature is used to explain the development of internal control and the main control systems used. The empirical research explores the effects of less AFM supervision.

Two major internal control systems are the internal control framework and the enterprise risk management framework, both designed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Organizations can use this framework (and the elements within) as a background for designing their own frameworks. For instance, risk assessment and monitoring are recurring elements within every large organization. Monitoring is a process that assesses the functioning and performance of the internal control system. Monitoring control activities vary enormously between organizations but organizations can use the process designed by COSO to implement monitoring activities.


Table of contents

1. INTRODUCTION
1.1 BACKGROUND
1.2 CONTEXT
1.2.1 AFM
1.2.2 Pilot “Tailored supervision”
1.3 RESEARCH FRAMEWORK
1.3.1 Research objective
1.3.2 Problem definition
1.3.3 Definitions
1.3.4 Relevance of thesis
1.3.5 Conceptual model
1.3.6 Outline
2. CORPORATE GOVERNANCE
2.1 MAIN THEORIES OF CORPORATE GOVERNANCE
2.1.1 Agency theory
2.1.2 Stakeholder theory
2.1.3 Transaction cost economics (TCE)
2.2 LINKING CORPORATE GOVERNANCE TO INTERNAL CONTROL
2.3 CHAPTER SUMMARY
3. CONTROL SYSTEMS
3.1 WHY ORGANIZATIONS USE CONTROL SYSTEMS
3.2 LINKING MANAGEMENT CONTROL TO INTERNAL CONTROL
3.3 INTERNAL CONTROL SYSTEMS
3.3.1 Internal Control – Integrated Framework
3.3.2 ERM
3.4 CHAPTER SUMMARY
4. MONITORING
4.1 THE IMPORTANCE OF MONITORING
4.2 HOW CAN MONITORING BE ARRANGED?
4.3 THE MONITORING PROCESS
4.4 CHAPTER SUMMARY
5. METHODOLOGY
6. FINDINGS
6.1 THE THREE LINES OF DEFENSE
6.2 MONITORING
6.2.1 Monitoring & agency issues
6.2.2 Monitoring within the three lines of defense
6.3 SUPERVISION BY THE AFM
6.3.1 Advantages and disadvantages of AFM supervision
6.3.2 The consequences of external supervision
6.3.3 Room for improvement
6.4 DISCUSSION OF THE CONSEQUENCES OF THE PILOT
7. CONCLUSIONS
7.1 INTERNAL CONTROL SYSTEMS AND MONITORING
7.2 THE CONSEQUENCES OF LESS EXTERNAL SUPERVISION
7.3 LIMITATIONS AND FURTHER RESEARCH POSSIBILITIES
8. LIST OF REFERENCES
9. APPENDICES


1. Introduction

1.1 Background

In the past decades a number of high-profile corporate collapses have occurred despite the fact that the annual report and accounts seemed fine. The massive bankruptcies (and sometimes criminal behavior of company executives) of Enron, WorldCom and Barings as well as the corporate debacle at Ahold have had adverse effects on many people: shareholders who have seen their financial investment reduced to nothing, employees who lost their jobs and pension, suppliers of goods or services to the failed companies and the economic impact on the local and international communities in which the failed companies operated (Mallin, 2004). It led to increased shareholder and governmental interest in corporate governance. Corporate governance contributes to managing an organization efficiently, sufficiently and responsibly and can help to prevent corporate collapses and restore investor confidence.

A part of corporate governance concerns dealing with agency issues. For example, an agency problem exists when management and shareholders do not agree on how the company should be run. Further, conflicting interests may lead to managers not always acting in the best interest of shareholders. Managers want generous compensation schemes, large offices and expensive lease cars. Shareholders want the opposite because it will decrease profits and therefore their earnings. If all personnel always did what was best for the organization, control -and even management- would not be needed. Even if employees are properly equipped to perform a job well, some choose not to do so, because individual goals and organizational goals may not coincide perfectly (Merchant, 1982).


day-to-day oversight by managers, periodic reviews by auditors and other groups, and the processes management uses to address and correct known deficiencies (Hubbard, 2003). Monitoring should provide managers with information about the effectiveness of the control system for which they are responsible.

The AFM (Autoriteit Financiële Markten) is responsible for regulating behavior on the financial markets in the Netherlands. It supervises financial accounting and monitors whether market participants are behaving appropriately. Due to lack of capacity and the fact that supervision could be more effective, the AFM wants to decrease its extensive monitoring activities. Organizations will receive less external control and are given more responsibility for handling internal control themselves. Does less external control and more responsibility for the organization increase the possibility of agency problems? Will there be enough pressure to perform sufficiently if companies have to take their own initiatives to improve internal control? This thesis will explore the effects of more corporate responsibility for internal control. It focuses on the influence of more company responsibility on the monitoring of the internal control framework.

1.2 Context

The AFM created the context for this thesis as it initiated a pilot called ‘Tailored supervision’. This section provides the general background for this thesis containing information about the AFM and the pilot.

1.2.1 AFM

As stated before, the AFM [1] is the body responsible for regulating behavior on the financial markets in the Netherlands [2]. This means that the AFM regulates the behavior of all parties involved with the savings, loans, investment and insurance markets. The AFM further monitors compliance of all market participants with the relevant legislation and develops and enforces regulations and policies in the area of the financial markets. It also advises the Ministry of Finance on matters concerning the development of new laws and regulations. Consultation with market players is an important instrument in this regard.

Objectives

The objectives of the AFM are to promote access to the financial markets, promote the efficient, fair and orderly operation of the financial markets and to ensure confidence in the financial markets. These objectives are not only in the interests of customers of financial services and products, but are also in the interests of the economy as a whole. Inefficiently operating markets and high discrepancies of information could lead to mistrust by investors, who would then invest less. Mistrust by investors would have large adverse effects on the Dutch economy. The interest of the government to control the financial markets can thus be explained by the will to ensure investor confidence in the financial markets. By supervising the conduct of the financial markets, AFM aims to make a contribution to the efficient operation of these markets. Examples of AFM responsibilities are enforcing the Act on Financial Supervision (Wet financieel toezicht), maintaining the prohibition on insider trading, enforcing the Act on the supervision of audit firms (Wet toezicht accountantsorganisaties) and granting licences for statutory audit.

[1] The Authority for the Financial Markets (see appendix 1) is the successor of the Securities Board in the Netherlands (STE, Stichting Toezicht Effectenverkeer) and was set up in 2002. The AFM falls under the political responsibility of the minister of Finance but is an autonomous administrative authority. This means that the AFM operates autonomously but its powers are set by the minister of Finance.

[2] http://www.afm.nl/publicdatabase/default.ashx?folderid=1635 consulted on 03-04-2008

Instruments available

The AFM conducts its supervision by means of inspections, enforcement and transfer of standards, and in so doing expressly monitors signals originating from the market and findings from its own control organization. To reach its objectives the AFM uses the following instruments:

Transfer of standards

All parties that are active in the financial market sector must comply with the applicable rules and legislation. One of the most important activities in this regard is that of passing on standards. In other words, all parties must be made aware of the 'standards and values' that apply on the financial markets and know which rules and laws apply. This passing on of standards is achieved by providing information to financial companies and consumers.

Controls

The AFM performs its role as regulator by means of controls. For example, AFM employees visit financial institutions to see whether they are working in accordance with the applicable laws and regulations. The AFM also asks these companies to evaluate whether they are doing enough to comply with the rules. If financial institutions can regulate themselves to some extent, then they should do so. This is called self-regulation. Reports from the market, the media or consumers can also trigger an extra control or even an investigation.

Permits

Financial institutions need a permit from the AFM before they are allowed to offer certain services and products, e.g. securities services, investment services or consumer loans. Permits are not issued to just anyone - there are certain conditions that must be met. For example, an institution must be financially healthy, and the directors must have the required expertise and be trustworthy according to AFM standards.

Sanctions

The AFM can impose sanctions if it finds that companies or consumers are not following the rules. Whenever the law or rules are broken the AFM considers which of the various possible sanctions to apply.

The AFM can:

• issue an instruction or a public warning;

• impose undisclosed custody;

• withdraw a permit;

• cancel or refuse registration;

• report the case to the Public Prosecutor;

• impose fines and periodic penalty payments.

Other regulators

The AFM is not the only institution guarding the financial markets. There are several other regulators, each with their own tasks, including the Dutch Central Bank (DNB) and the Netherlands Competition Authority (which contributes to effective competition and the proper functioning of markets).

Where the AFM is responsible for regulating behavior, the Dutch Central Bank is the body responsible for prudential supervision. This concerns ensuring the financial soundness of financial undertakings and safeguarding financial stability. It contributes to defining and implementing monetary policy, the main objective of which is price stability. DNB supervises financial institutions and the financial sector and exercises control over securities and collective investment schemes. DNB further regulates Dutch banks and advises the Dutch government by offering independent economic advice. During my research the influence of DNB on control activities of organizations became evident (e.g. the FIRM manual which provides a detailed description for risk analysis). Nevertheless, these regulators all have the same objective: to guarantee properly functioning markets that are accessible to all participants and ensure the confidence of those participants. Each institution focuses on different issues and uses different methods to achieve this objective.

1.2.2 Pilot “Tailored supervision”

Sufficient supervision by the AFM reduces market imperfections but at the same time introduces new inefficiencies. The AFM is trying constantly to strike the right balance between controlling compliance of standards and providing space to organizations to take their own responsibility.

Because of the aspiration for more effective monitoring and lack of capacity the AFM started a pilot called “tailored supervision” (toezicht op maat, further ToM). Efficient and effective supervision needs a supervisor who keeps the unique characteristics of the organization in mind. This means a more contingency-based approach to supervision by the AFM. The form of supervision will be adjusted to the organization and the context in which it operates (Chenhall, 2003). In this case it involves the transition from ready-made supervision to supervision tailored to the organization. This supervision is part of the control instrument of the AFM.

The emphasis lies on the own responsibility of the organization while the AFM only performs the necessary supervision. If organizations want to and can contribute to the monitoring process themselves this is preferred to monitoring by the AFM. Organizations that are ‘in control’ will receive less supervision and are given more space to handle issues and incidents themselves. As stated before self-reliance is preferred above the AFM performing control. Organizations whose performance is insufficient are stimulated to improve the internal control.

The AFM needs to be sure that the organization behaves correctly and wants to build a relationship with the organization based on faith. To accomplish good and effective supervision it needs information about the organization. The organization itself knows more about its actions and operations than the AFM does, which means information asymmetry is an issue here. To solve this problem the AFM can gather information itself through inspections or acquire the information from the organization. This resembles a principal-agent relationship in which the AFM is the principal and the organization the agent. The concept of the principal-agent relationship will be reviewed later. What is important is whether the performance of the organization changes if it receives less external control. Without the pressure of supervision by the AFM organizations may pursue their own agenda.

To define how much responsibility can be handled by the organization, the organization will be scored using various indicators.

ToM (AFM, 2007) distinguishes two aspects:

1. Openness: how positively, openly and inventively does the organization communicate with the AFM about strategy, operating procedures, issues and the handling of these issues?

2. Control: is the organization ‘in control’? This depends on:

- Risks: How aggressive and innovative is an organization? Does it operate on the edge of what is legal?

- Lines of defense: Given the ambitions and external aspects, how effective are the safety measures within the organization? Indicators will be used to look at the structure of the organization, the employees, vision, strategy on internal control and the position of compliance and internal audit departments.

Based on openness and control of an organization the intensity of external control by the AFM can be tailored to the organization.

ToM in practice

In general, ToM works as follows:

a. Analysis: The AFM analyses organizations on openness and control. The organization could give input or provide their own analysis which then could be compared.

b. Customizing: The intensity of control by the AFM is tailored to the organization based on openness and control.

c. Improving openness.

d. Improving control.

Strive for improvement of control

The AFM aims at a certain minimum amount of control. If the risk of an organization can be defined as 10, the amount of control must also add up to 10. If the internal control of an organization is 6, an efficient AFM should provide a further 4 of control. Supervision by the AFM is more expensive than internal monitoring by the organization. If an organization is better ‘in control’ it should be able to contribute more to the control aspect, and AFM supervision becomes less necessary.

How can improvement of internal control be encouraged?

- The AFM can stimulate organizations to improve their control by making the effects of different intensity levels of supervision visible.


1.3 Research framework

In the previous section the general setting of this thesis has been explained. The research objective, problem definition and sub questions are derived from this introduction and presented in this section. This section will further discuss the relevance of this research and present a conceptual model that will further clarify the intentions with this thesis.

1.3.1 Research objective

This research is conducted to explore the effects of more corporate responsibility for internal control and handling issues. It focuses on the influence of more corporate responsibility for the monitoring of the internal control framework. The objective is to give a better understanding of what monitoring is and how it needs to be conducted given the fact of less external control.

1.3.2 Problem definition

In this paragraph the research objective will be translated into a problem definition. The problem definition or problem statement is a clear, precise and succinct statement of the question or issue that is to be investigated with the goal of finding an answer or solution (Sekaran, 2003). It is important for the formulation of sub questions.

Central question:

If an organization is given more responsibility for handling internal control, how can they arrange the monitoring of internal controls?

Sub questions

To be able to answer the central question in my thesis four sub questions have been formulated:

Why are control systems used in an organization and what are the main internal control systems being used?

How is monitoring arranged within the internal control framework of an organization and which instruments are available?

To which extent will the increase in responsibility for internal control result in more agency problems and risks for the organization and which role does monitoring have in this issue?

Will the pressure to perform sufficiently change if organizations have more responsibility of their own for their internal control and receive less external control?

1.3.3 Definitions

To clarify the research objective and the problem definition it is necessary to define and clarify some of the used terms.

Internal control


‘Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• effectiveness and efficiency of operations;

• reliability of financial reporting;

• compliance with applicable laws and regulations.’

Internal control framework

Internal control frameworks help organizations implementing internal controls and complying with corporate governance codes, laws and regulations. Examples of such frameworks include COSO’s framework for internal control and the integrated framework for ERM (Enterprise Risk Management).

Monitoring

The whole process of internal control and internal control systems must be monitored. Monitoring is a process that assesses the functioning and performance of the control system and its components over time. By monitoring the organization ensures that the activities of internal control lead to the desired outcomes in an effective and efficient manner. It is necessary to assess the quality of the internal control system on a regular basis and perform modifications if needed to react dynamically to changes.

1.3.4 Relevance of thesis

In this section I will discuss the relevance of my thesis. We can make a distinction between theoretical (scientific) relevance and practical (social) relevance (Baarda, 2003). If research has theoretical relevance it aims more at developing theory, enlarging theory or correcting existing theories. With theoretical relevance the goal is to increase scientific knowledge and it is not necessary that the research has any practical relevance. If research has practical relevance, information is collected that can be used to solve a problem. It concerns changing a problematic situation into a more desired situation.

My thesis consists of a combination of theoretical and empirical research and has both theoretical and practical relevance. The literature used in this thesis concerns corporate governance, management control and internal control. A lot of books, articles and other publications exist about both corporate governance and internal control, but very few of these publications explore the relationship between these two concepts. Wallage (1995) acknowledges that internal control is a part of corporate governance. Organizations are exposed to risks, and to achieve organizational objectives in an effective and efficient way adequate internal control is needed. The people involved with corporate governance have a direct interest in the proper functioning of the internal control. Mouthaan (2000) mentioned the relation between corporate governance and internal control but does not explain it.

In my thesis I will try to explain the link between corporate governance and internal control and use the theories of corporate governance to explain the existence of internal control frameworks. Information about “the three lines of defense” will be presented. The three lines of defense are used for risk management and control and are not yet documented in literature. Internal control frameworks are well documented but there is ample information about its use in practice. In my thesis I will explore one aspect of most internal control frameworks, namely monitoring, more thoroughly. Furthermore the link between the agency theory and monitoring will be explored. The literature is used as a background for the research. As stated in the research objective the goal of this research is to give a better understanding of what monitoring is and how it can be conducted given the fact of less external control. For KPMG this is relevant because they want to support these financial corporations in this process. For the financial corporations this is relevant because capacity problems of the AFM will result in more responsibilities and maybe more risks for their organization. My thesis will contain knowledge about the use of internal control frameworks and focuses on the monitoring aspect within the context of less internal control.

For the community at large the functioning of internal control frameworks is important. It should result in efficient markets, consumer protection and investor confidence. The role of the AFM, which is funded by community money, is also important. The community at large has interest in an efficient and effective AFM that still assures efficient, fair and orderly operation of the financial markets and contributes to confidence in the financial markets.

1.3.5 Conceptual model

In research there are interrelationships between various concepts. A conceptual model is developed to show the theoretical concepts and their connections. It must result in a better understanding of the problem statement. I will review the connection between corporate governance and control. The theory is used to explain the existence of internal control systems and show what has influenced their development.

Figure 1.1 Conceptual model (figure not reproduced; elements shown: Corporate governance; Agency theory; Codes and best practices; Control; AFM; Pilot: “Tailored supervision”; Management Control; Internal Control Systems; COSO; ERM; Monitoring)

1.3.6 Outline

2. Corporate governance

Because of the significant influence it had on internal control and the development of internal control frameworks this chapter will discuss corporate governance. Some of the theories behind corporate governance can be used to explain the need for internal control frameworks.

Corporate governance concerns a combination of processes, policies, laws and institutions that affects the way corporations are managed and controlled. It contributes to managing an organization efficiently, sufficiently and responsibly. Shleifer and Vishny (1997) stated that corporate governance deals with the ways in which suppliers of finance to corporations assure themselves of getting a return on their investment. The Cadbury (1992) committee defines corporate governance as ‘the system by which companies are directed and controlled’.

The Organisation for Economic Co-operation and Development (OECD, 2004) uses a broader definition:

‘Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring.’

Looking at these and other definitions of corporate governance, it seems that some aspects are emphasized. Corporate governance concerns, amongst other things, maximization of shareholder value and the relationship with stakeholders, and it helps the company to achieve its goals. Monitoring performance is also a key aspect in attaining objectives. An important part of corporate governance is to ensure the accountability of employees and the organization and to make sure various individuals all behave in the best interests of the shareholders. After numerous debacles corporate governance became more interesting for shareholders and stakeholders because good corporate governance can help prevent corporate collapses.

2.1 Main theories of corporate governance

Many theories have affected the development of corporate governance, but the main theories (Mallin, 2004) are agency theory, stakeholder theory and transaction cost economics, which are discussed below. Within my thesis the focus lies on agency theory, which will be discussed first. The other two theories will be discussed briefly.

Figure 2.1 Main theories influencing the development of corporate governance (figure not reproduced; elements shown: Corporate Governance; Agency theory; Stakeholder theory; Transaction cost economics)

2.1.1 Agency theory

According to Hart (1995) corporate governance issues arise in an organization whenever two conditions are present:

• First, there is an agency problem or conflict of interest involving members of the organization.

• Second, transaction costs are such that this agency problem cannot be dealt with through a contract.

In the same article he takes it one step further by claiming that corporate governance does not matter in the absence of agency problems. In the absence of agency problems all employees carry out their instructions because they have no interest in the outcome of the organization’s activities. Incentives are not required and no governance structure is required to resolve disagreements because there are none. This is a firm statement but the fact is that the agency theory has been very important in the development of corporate governance. The main function of corporate governance structures and codes is to mitigate or resolve agency issues. In this section the agency theory will be reviewed.

The agency theory concerns the relationship in which one person, the principal, delegates work to another person, the agent. The principal wants to induce the agent to perform some task that is in the principal’s interest but not necessarily the agent’s (Heath, 2004). In the context of an organization, the shareholders (financiers) are the principal and management and directors are the agents. The agency relationship can have a number of disadvantages relating to the opportunism or self-interest of the agent; for example, the agent may not act in the best interests of the principal, or the agent may act only partially in the best interests of the principal (Mallin, 2004). The essence of the agency problem is the separation of ownership and control. An entrepreneur, or a manager, raises funds from investors to put to productive use within the organization. The financiers need the manager’s specialized human capital to generate returns on their funds (Shleifer & Vishny, 1997). The ownership of shareholders is thus separated from the control of the organization that lies with management. Smith (1937) initially identified the problem as he noted that the directors in a joint-stock company could not be expected to be as vigilant and careful with other people’s money as they are with their own. In general, the employees, managers and shareholders (investors) of a firm all have a common interest in the success and continued existence of the organization. Still, individual interests may deviate.

According to Eisenhardt (1989), agency theory is concerned with resolving two problems that can occur in agency relationships.

• The first is the agency problem that arises when (a) the desires or goals of the principal and agent conflict and (b) it is difficult or expensive for the principal to verify what the agent is actually doing. The problem here is that the principal cannot verify that the agent has behaved appropriately. Examples of this agency problem are shirking (investing less effort in a task than possible) and abusing power for monetary or other advantages.

• The second is the problem of risk sharing that arises when the principal and agent may prefer different actions because of the different risk preferences. Principals are considered risk neutral because they can diversify their investments across multiple firms. In contrast, agents are likely to be more risk averse because their employment security and income are dependent on a single firm.

To solve the problem of goal conflicts and different attitudes towards risk, the agent’s intentions towards performance must be aligned with those of the principal. This can be achieved by moral suasion, but an incentive scheme is likely to be more effective. Information asymmetry is an important aspect of the agency theory. The principal and the agent have access to different levels of information. The principal is normally at a disadvantage because the agent knows more about the firm and its operations than the principal does. Such asymmetry gives management the opportunity for opportunistic behavior. They can use their intimate knowledge of the firm to enrich themselves at the expense of the shareholders. In the formal literature two aspects of the agency problem are defined (Heath, 2004):

• Moral hazard arises when the agent’s actions, or the outcomes of those actions, are only imperfectly observable to the principal. A manager, for example, may exercise a low level of effort, waste corporate resources or take inappropriate risks.

• Adverse selection refers to the misinterpretation of the skills and ability of the agent by the principal before the agent is hired. The principal cannot verify whether the agent has the actual ability that the agent claims to have.

Moral hazard problems can be extremely severe. The Barings bank collapse of 1995, in which Nick Leeson lost $1,4 billion through speculating without being stopped, is but one example that shows that managers can destroy millions of corporate assets when they are given the opportunity.

The principal has two options in the case of unobservable behavior. One is to discover the agent’s behavior by investing in information systems such as budgeting systems, reporting procedures, boards of directors and additional layers of management. Such investments reveal the agent’s behavior to the principal (Eisenhardt, 1989). The idea behind this solution is that if the principal has more information about the behavior of the agent, it is more likely that the agent will act in the best interest of the principal. Investments in information systems can thus control agent opportunism. The other option is to contract on the outcomes of the agent’s behavior.

Besides aligning the interests of principals and agents, monitoring is also an important aspect of dealing with agency issues. Monitoring does not only provide information to principals about the actions of managers but also sends a signal to managers. If managers know that they are being monitored, they are less likely to engage in unwanted behavior. Monitoring management is the primary task of the board of directors; it is the most explicit form of corporate governance. Several publications support the importance of monitoring to reduce agency issues. Blair (1996) states that managers


corporate control, agency theory views corporate governance mechanisms, especially the board of directors, as being an essential monitoring device to try to ensure that any problems that may be brought about by the principal-agent relationship are minimized (Mallin, 2004). The costs of monitoring management, implementing control systems and disciplining managers to try to prevent abuse have been called monitoring costs. Together with the costs resulting from managers misusing their position, these are ‘agency costs’.

2.1.2 Stakeholder theory

Stakeholder theory takes account of a wider group of constituents rather than focusing on shareholders (Mallin, 2004). Shareholders are but one of the important stakeholder groups. Like shareholders, stakeholder groups such as customers, suppliers, employees, government and the community at large have a stake in the company’s success or failure. Companies may strive to maximize shareholder value whilst at the same time trying to take the interests of the stakeholders into account. Obligations towards stakeholders often go beyond those required by law. Shareholders and stakeholders may favor different corporate governance structures. Shareholders will favor a structure in which their value is maximized whilst stakeholders have interests in continuity, representation and ethics. Where there is an emphasis on stakeholders then the governance structure of the company may provide for some direct representation of the stakeholders groups.

The current debate and theorizing on corporate governance has been divided into a shareholder perspective and a stakeholder perspective. Letza (2004) researched the link between the shareholder and stakeholder perspectives. Although the perspectives are different, common to both models are the notions of profit maximization, an increasing market value, and economic rationality and efficiency. Both shareholder and stakeholder perspectives claim superiority of their models respectively; however, in reality there has been a dynamic shift with both models becoming increasingly mutually attractive all over the world in the last two decades. Letza criticizes the fact that the current analysis focuses on evaluating and judging the superiority of either model. While the two main perspectives are deliberately duplicated in many studies, the theorems, origins, assumptions and theoretical contexts embedded in or behind the perspectives are less well examined and articulated in the literature. “Rational” arguments and “ideal” models are built on traditional assumptions and theories that were generated and/or constructed in centuries-old societal contexts, far removed from the current modern business environment. He claims that the split between shareholding and stakeholding in current theorizing of corporate governance is less valuable, since both material conditions and ideological perceptions have changed significantly in recent times.

2.1.3 Transaction cost economics (TCE)


TCE can be related to the agency theory. Where TCE views the firm as a governance structure, the agency theory views the firm as a nexus of contracts. This means that there are multiple contracts between the various parties because it is impossible to have one contract which perfectly aligns the interests of principal and agent in a corporate control situation. Contracts are thus typically incomplete. Because of this incompleteness parties who invest in relationship-specific assets expose themselves to a hazard (Shelanski, 1995). One way to safeguard these risks is through integration. This means that a firm will be less dependent on others. Both theories assume opportunism (self-interest seeking) and bounded rationality (satisfice rather than maximize profit) of managers. With TCE the choice of an appropriate governance structure can help align the interests of directors and shareholders (Mallin, 2004).

2.2 Linking corporate governance to internal control

Despite the existence of the agency problems mentioned above, diffused share ownership, which leads to these conflicts, only increased in popularity amongst managers and outside investors. Internal monitoring devices, which are aimed at controlling such problems, contributed to this development. Besides giving recommendations about the composition and role of the board of directors, financial disclosure and the rights of shareholders, most corporate governance literature acknowledges the importance of internal control. Major financial laws and best practices of corporate governance refer to the importance of internal control and internal control systems. Some examples:

Sarbanes-Oxley act of 2002 (SOX)

The Sarbanes-Oxley act is a United States federal law, applied to companies that are listed on the US stock exchange, in response to a number of corporate collapses and financial scandals. SOX must guarantee sound company management and restore investors’ confidence.

SOX section 302: Corporate Responsibility for Financial Reports

This section mandates a set of internal procedures designed to ensure accurate financial disclosure. It states that the signing officers are responsible for establishing and maintaining internal controls. Furthermore, they must evaluate the effectiveness of internal controls.

SOX section 404: Management Assessment of Internal Controls

This section requires management to report about their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. This report should contain an assessment of the effectiveness of the internal control structure and procedures for financial reporting.

The Dutch corporate governance code (Code Tabaksblat)

Best practice provision II.1.3:


and the procedures to be followed in drawing up the reports; and (d) a system of monitoring and reporting.”

Best practice provision II.1.4

“The management board shall declare in the annual report that the internal risk management and control systems are adequate and effective and shall provide clear substantiation of this. In the annual report, the management board shall report on the operation of the internal risk management and control system during the year under review.”

The combined code on corporate governance (2003) states that “The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets.”

If we review the link between corporate governance and internal control it becomes clear why corporate governance codes highlight the importance of internal control and see an internal control system as a requirement for an organization. Some important features of corporate governance are: maximization of shareholder value, stakeholder relationships, monitoring performance and improving transparency and accountability. Looking at the definition of internal control it becomes evident that internal control is an instrument of corporate governance.

COSO (1992):

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• effectiveness and efficiency of operations;

• reliability of financial reporting;

• compliance with applicable laws and regulations.

The important features of corporate governance and the definition of internal control are intertwined. For example shareholder value can be maximized by improving effectiveness and efficiency of operations. In the same way transparency and accountability can be achieved through compliance with laws and regulations and the reliability of financial reporting.


Effectiveness and efficiency of operations: Agency issues logically reduce the effectiveness and efficiency of operations. An agent that is shirking or is not acting in the best interest of the principal will reduce the effectiveness and efficiency within the organization. Achieving objectives in this category means few agency problems.

Reliability of financial reporting: It is not always in the best interest of the agent to produce reliable reports. In the case of bad performance or if bonuses and salary depend on it, managers may present information to reflect their best interest. Within the agency theory this stems from the problem of information asymmetry. Improving the reliability of financial reporting results in more transparency and accountability and thus in diminishing information asymmetry and fewer possibilities for agents to commit fraud.

Compliance with applicable laws and regulations: Organizations have to comply with financial law and regulations. These laws are developed to ensure effective and fair trading and can reduce possible agency problems. This will reduce information asymmetry and leave less room for fraud. Principals are given more rights and have more options to intervene themselves.

Internal control is thus an important instrument for corporate governance. It is a part of corporate governance by helping organizations to reduce agency problems and comply with financial law and rulings. After all, it contributes to the organization achieving its objectives. Internal control frameworks help organizations implement internal controls and comply with corporate governance codes, laws and regulations. It can be concluded that corporate governance codes, internal control and internal control frameworks are intertwined concepts.

2.3 Chapter summary

This chapter reviewed corporate governance and its underlying theories. Corporate governance concerns a combination of processes, policies, laws and institutions and contributes to managing an organization efficiently, sufficiently and responsibly. Good corporate governance can help prevent corporate collapses and ensure investor confidence. Important aspects of corporate governance are the maximization of shareholder value, the relationship with stakeholders, achieving company objectives and monitoring performance.

Three main theories that affected the development of corporate governance are the agency theory, stakeholder theory and transaction cost economics. The agency theory is the most influential and involves managers pursuing their own agenda instead of acting in the best interests of shareholders. Monitoring managers is a possible solution because it identifies managers’ actions, and managers who know that they are being monitored are less likely to engage in unwanted behavior.


3. Control systems

An organization must be controlled; that is, devices must be in place to ensure that its strategic intentions are achieved (Anthony, 2001). After setting strategies and making plans, the most important task of managers is to ensure that the plans are carried out or adjusted if needed. This is the control function of management. It consists for a large part of making sure that other people behave as they should (Merchant, 1982). Control is not a goal in itself, but it should contribute to the organization achieving its objectives. In this chapter I will explain why organizations use control systems. After this I will assess the link between management and internal control. Finally the main internal control systems will be presented.

3.1 Why organizations use control systems

An organization is susceptible to various risks. These risks can be dealt with through a control system. A control system is used to maintain actual performance close to desired performance. For example, an organization has to deal with agency costs. Merchant (1982) stated that control, and even management, would not be needed if personnel always did what was best for the organization. But personnel will not always behave in the best interest of the organization. In this case a control system can be used to make sure that employees behave as they should.

The causes of the needs for control can be classified into three main categories (Merchant & Van der Steede, 2003): personal limitations, lack of direction and motivational problems. Personal limitations exist if employees cannot perform a task because of person-specific shortcomings, for example a lack of knowledge, information, skills, experience or training. Lack of direction means that employees simply do not know well enough what is expected of them. But even if the employees have the right skills and know what is expected from them, they will sometimes opt not to act in the best interest of the organization. Goal conflicts, which are evident within the agency theory, can lead to motivational problems. A set of controls is needed to protect the organization from undesirable behavior and give the right incentives to personnel. Inadequate control can lead to higher risks and poor performance.


Ouchi (1979) describes three control mechanisms. The market mechanism assumes perfect markets and no information asymmetry. If the market fails as the mechanism for control, it is most often replaced by a bureaucratic form. A bureaucratic mechanism is carried out through rules. Managers must monitor the performance of employees and compare it with the rules stated. Control systems, which are bureaucratic mechanisms, can be used if the market does not provide enough control. The clan mechanism relies upon a socialization process which effectively eliminates goal conflicts between individuals.

It can be concluded that control systems are used in the case of information asymmetry, involve dealing with risks and have the main purpose of making sure employees do what should be done. It is obvious that the agency theory has had its influence on control systems. Almost every piece of literature about control systems mentions the problem that employees act in their own interest. Control systems are used to secure the continued existence of the organization. But control systems come at a cost and perfect control is not always economically desirable. Organizations should implement control systems only if this is cost efficient. This depends on the trade-off between profit and control. Managers should opt for that level of control where the benefits of implementing controls exceed their cost.

3.2 Linking management control to internal control

This paragraph will review the link between internal control and management control. In modern literature this link is not often explained. Management control concerns strategy and incentives for employees where internal control focuses more on accurate information and detailed processes. Still there are several similarities between the two concepts. The most used definition of management control is given by Anthony (2001):

‘Management control is the process by which managers influence other members of the organization to implement the organization’s strategies.’

If we look at this definition the resemblance with the definition of internal control becomes clear. Both definitions involve a process in which management tries to achieve organizational goals. Mouthaan (2000) explains this:

‘The definition of internal control is a combination of the vision on internal control from the accountancy viewpoint and the vision on management control from management theory. The vision of management theory becomes evident in the COSO-definition through describing internal control as a process that is effected by the board of directors, management and other personnel.’

Management is thus responsible for internal control. This is because management has the most influence on the aspects of internal control. If managers want to use internal control frameworks they should accept that controlling is their responsibility.

Management control involves a variety of activities including (Anthony, 2001):

• Planning what the organization should do;

• Coordinating the activities of several parts of the organization;

• Communicating information;

• Evaluating information;

• Deciding what, if any, action should be taken;


Management control functions only if the reported data is accurate and complete (Simons, 1995). Internal control has the function to assure the reliability of data. Internal control is thus an important part of the effective functioning of management control. Management control and internal control are processes, or intertwined activities, that have to ensure that an organization becomes or stays ‘in control’ (Vaassen, 2003).

In the last decades there has been a development from internal control that focuses on the reliability of information towards internal control that focuses on effective processes within the organization. Management control as well as internal control focuses on the detection and prevention of deviations from organizational objectives. Internal control and management control are thus starting to look alike. From the above we can conclude that internal control is a part of management control. Effective management control calls for effective internal control. Where internal control used to focus on reliable and accurate information, it has become a broader concept. The following sections will discuss two main frameworks used for implementing internal controls and complying with corporate governance codes, laws and regulations.

3.3 Internal control systems

3.3.1 Internal Control – Integrated Framework

In 1992, COSO published the report “Internal Control-Integrated Framework”, which is widely known as the COSO framework. The objective of this report was to create a common understanding of internal control and to provide a practical way for companies to assess and improve their control systems. This report includes the most broadly accepted internal control framework which organizations can use to assess or design their internal control systems (e.g. Marinos, 2004, Putrus, 2005, Mouthaan, 2000, p. 26).

The COSO definition of internal control reflects certain fundamental concepts (Intosai, 2001):

• Internal control is a process. It is a means to an end not an end itself. Internal control is not a single event or circumstance, but a series of actions that flow throughout an entity's activities. The internal control system is intertwined with an entity's activities and is most effective when it is built into the entity's infrastructure and is an integral part of the essence of the organization.

• Internal control is effected by people. An organization’s people include management and other personnel. The implementation of internal control requires significant management initiative and intensive communication by management with other personnel. Management has the overall responsibility for the internal control system but it concerns people at every level of the organization.

• Internal control can be expected to provide only reasonable assurance to the management and board of an organization regarding the achievement of operational, financial reporting and compliance objectives. No matter how well designed and operated, internal control cannot provide management absolute assurance regarding the achievement of objectives.

• Internal control is geared to the achievement of objectives in several overlapping categories. This may concern objectives specific to the organization but also objectives shared over different organizations. Complying with law or achieving a positive relation are objectives applicable to all organizations.

The COSO framework has three categories of objectives which are incorporated in the definition of internal control:

• Operations objectives are related to effective and efficient use of resources;

• Financial reporting objectives concern the reliability of financial reporting and financial statements;

• Compliance objectives: requirements from laws and regulations have to be incorporated.

The COSO framework consists of five interrelated components which are (COSO, 1992):

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Elements of the control environment are:

• the integrity, ethical values and competence of management and staff;

• tone at the top (management's philosophy and operating style);

• organizational structure;

• human resource policies and practices.

Risk Assessment

Every organization faces a variety of risks which can be a threat to attaining objectives. Risk assessment is the process of analyzing and identifying these relevant risks and determining how risks should be managed. Elements of risk assessment are:

• risk identification;

• risk analysis (estimating the significance and assessing probability of occurrence);

• assessment of the amount of risk acceptable to the organization;

• development of appropriate responses.

Because the economy, financial laws and operating conditions will continuously change, mechanisms are needed to identify and deal with the special risks associated with change.

Control Activities

Control activities are the policies and procedures established and executed to address risks and to achieve the entity’s objectives. They help to ensure that management directives are carried out. Control activities occur throughout the organization, at all levels and in all functions. To be effective, control activities must be appropriate, function consistently according to plan, be cost effective, understandable and reasonable, and relate directly to the control objectives. Examples are:

• authorization and approval procedures;

• controls over access to resources and records;


• reviews of operating performance.

Information and Communication

Information and communication are essential for realizing all internal control objectives. Relevant information must be collected and communicated to support managers and employees completing their tasks. Information systems can be used to produce reports that contain operational, financial and compliance-related information. Information systems should also include externally generated data (e.g. market conditions) needed for decision-making and reporting. Quality information should be (O’Reilly, 1982):

• timely

• accurate

• reliable

• relevant

Information is needed within all levels of the organization to achieve organizational goals and have effective internal control. Communication is also important for internal control. All personnel should understand their role in the internal control system. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring

The whole process of internal control and internal control systems must be monitored. Monitoring is a process that assesses the functioning and performance of the control system and its components over time. By monitoring, the organization ensures that the activities of internal control lead to the desired outcomes in an effective and efficient manner. This can be done through ongoing monitoring activities, separate evaluations or a combination of these two. It is necessary to assess the quality of the internal control system on a regular basis and perform modifications if needed to react dynamically to changes. Monitoring concerns all personnel of the organization. Deficiencies of internal control should be reported upstream. Monitoring will be more thoroughly reviewed in chapter four.

Relationship between components and objectives

The COSO-framework could be graphically reflected by the following figure:


The five components which are defined above are shown at the front of the cube. These components clarify what is needed for achieving operational, financial reporting and compliance objectives. It is essential that internal control is incorporated throughout the entire organization. Therefore the right side of the cube consists of several activities and business units.

Some comments on the framework

As stated before COSO’s Internal Control-Integrated Framework is an important and the most commonly used framework for evaluating internal control. Its objectives were to create a common understanding of internal control and provide a standard against which organizations can assess their control systems and determine how to improve them. The COSO definition on internal control is now widely accepted and being the most used internal control framework you could say that COSO has achieved its goals. But the COSO-framework also has its shortcomings. The COSO framework is too broad and overly complicated. The framework has three key objectives mapped across five components in a manual that runs 353 pages. Some claim that COSO is too complicated for middle managers (Shaw, 2006).

The COSO report is divided into five components that explore points of interest for evaluating internal control. Nevertheless, the COSO report does not contain hard criteria to evaluate internal control (Renes, 2003). Neither does the COSO report give recommendations or guidance about implementation of this framework (Visser, 2006). Another limitation is that the COSO-model is a closed system. It does not take into account the external conditions that apply to an organization or a changing environment. In the article of Kelley (1993) it is advocated that for the first time, there exists an established, accepted standard, which helps management identify basic weaknesses in operating, financial reporting and compliance controls and take actions to strengthen them. In the same article critics state that the report does not recognize the important role of the external auditor in evaluating internal controls and encourages limited reporting of internal control deficiencies.

Others state that COSO does not leave room for entrepreneurship and does not pay attention to risk management. Finally, Internal Control-Integrated Framework is an outdated concept (Shaw, 2006). Therefore COSO expanded this framework introducing the ERM framework in 2004.

3.3.2 ERM


Enterprise risk management is defined as follows (COSO, 2004):

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

This definition reflects certain fundamental concepts. Some of these concepts are the same as in the COSO definition of internal control. Enterprise risk management, as well as internal control, is a process effected by people that provides reasonable assurance regarding the achievement of objectives. The definition of ERM differs in the following concepts. Enterprise risk management:

• Is applied in strategy setting. This entails an overview of the organization; the big picture must be taken into account. In setting strategy, managers consider risks relative to alternative strategies.

• Is applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk. To apply ERM successfully, activities at every level of the organization must be considered and it requires a portfolio view of risk.

• Is designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite. Risk appetite is the amount of risk an organization is willing to accept. ERM helps management to select a strategy that is consistent with the risk appetite of the organization.

The ERM framework is geared to achieve an entity’s objectives, set forth in four categories:

• Strategic objectives are related to high level goals, supporting the realization of the entity’s mission.

• Operations objectives are related to effective and efficient use of resources.

• Reporting objectives are related to the effectiveness of the reporting of the organization. It includes internal and external reporting which consist of financial and non-financial information.

• Compliance objectives are related to the requirements from laws and regulations that have to be incorporated.

Enterprise risk management consists of eight interrelated components which are (COSO, 2004):

Internal Environment

Objective Setting

Within the context of the mission and vision, management establishes objectives and selects strategy. Enterprise risk management ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity’s mission/vision and are consistent with the entity’s risk appetite. Objectives must exist before events can be identified that are possible threats to achieving objectives.

Event Identification

Management recognizes that uncertainties exist: it cannot know with certainty whether and when an event will occur. Internal and external events that could possibly affect the organization achieving its objectives must be identified. Events can be identified distinguishing between risks and opportunities.

Risk Assessment

Risk assessment provides the organization with information about the effect that events might have on achieving organizational objectives. Risks are analyzed to provide a basis to determine how they should be managed. Risk should be assessed on both likelihood and impact. Likelihood concerns the possibility that an event will occur and the impact concerns its effect.

Risk Response

The risk responses are the actions management develops. Management should select a response that brings risk and impact within the organization’s risk tolerance. This response also depends on costs and benefits. The consideration of risk responses and selecting and implementing a risk response are integral to enterprise risk management. Possible responses are avoiding, reducing, accepting and sharing risk.

The remaining components are identical to the last three components of the COSO-framework: control activities, information & communication and monitoring.

Relationship between components and objectives

The eight components on the horizontal row represent what is needed for achieving strategic, operational, reporting and compliance objectives. There is a clear sequence of activities. This means that the process starts with assessing the internal environment and concludes with monitoring on an ongoing basis. The right side of the cube outlines the different levels of the organization. As stated before, ERM is applied across the enterprise. It starts with the broadest level (the entire entity) and ends with the subsidiary level.

3.4 Chapter summary

Control is important for the continued existence of the organization. It should contribute to the organization achieving its objectives. The control function of management entails that management is responsible for carrying out and adjusting plans to ensure the achievement of organizational goals. It consists for a large part of making sure employees behave as they should behave. A control system is used to arrange control within the organization and has the purpose to maintain actual performance close to desired performance.
