Times of Rapid Growth: Crucial Factors in the Design of an Internal Control System to Change the Organizational Culture and Work Towards the Organizational Mission

Times of Rapid Growth: Crucial Factors in the Design of an

Internal Control System to Change the Organizational

Culture and Work Towards the Organizational Mission

Master Thesis

Business Administration

Organizational and Management Control

University of Groningen

January 2014

Name: H.J. de Jong Student number: s1770403

Study: Organizational & Management Control Supervisor: drs. M.M. Bergervoet

2 ABSTRACT

3

Management Summary

The organization faces a rapid growth due to a win of two major concessions. This has implications for the organization. With rapid growth, there is an increased need to minimize risks, minimize control weaknesses and increase the segregation of duties. An example is the prevention of fraud.

In this summary a redesign of the Internal Control System will be focused on three main pillars: Growth, culture and mission. The research question in this study is: What are the

crucial factors in the design of a new Internal Control System to help a growing organization create a change in organizational culture and succeeding to achieve its organizational mission?

After analyzing the data from interviews with the responsible managers of all departments in the organizations some conclusions can be drawn up that the ICS has to be designed in a certain way. The recommendations following from this conclusion are that the ICS should: - Cover all departments. Every department is aware of the growth and the mission of the

company. Therefore all departments should be involved in the design of the ICS and every department has its share in making audits on the ICS to a success.

- Have proper process descriptions and procedures. The organizational has the ultimate

goal of becoming the largest player in the market. The ICS can help to achieve this. It starts with having proper procedures for the different departments and its processes. When new employees arrive at the company they are able to work quickly on their job. Not all departments have proper process descriptions and procedures yet, so this should be covered.

- Be ready for change in duties, guarantee limited authorization and the four-eye principle (growth purposes). In case of winning new major concessions in the future the

ICS will be exposed to potential weaknesses. Change in duties and authorization responsibilities should be clearly written down in not only the already mentioned processes and procedures, but also in job descriptions. Limited authorization to sensitive data should be ensured. The four-eye principle should also be ensured. The management may expect positive feedback on implementing this in the design of the ICS since the managers are positively towards a shift in the culture of the company.

- Culture change, clear reporting but no exaggeration. The company relied a long time

4

Table of contents

1. Introduction 5

1.1 Problem statement & Purpose of the study 6

1.2 Significance of the study 7

1.3 Research questions 8

1.4 Questions to the literature 8

2. Theoretical Framework 8

2.1 Internal Control Systems 8

2.2 Link between management and internal control 9 2.3 (Rapid) Organizational growth and the role of Internal Control 10

2.4 Organizational Culture 13 2.5 Organizational Mission 13 2.6 Conceptual model 14 3. Research Method 15 3.1 Research Design 15 3.2 Data collection 16 3.3 Research population 16 3.4 Data analysis 17 3.5 Reliability 18 3.6 Validity 18 4. Results 19

4.1 General analysis of the interviews 19 4.2 Analysis: Rapid Organizational Growth 24 4.3 Analysis: Organizational Culture 25 4.4 Analysis: Organizational Mission 26 4.5 Coherence between growth, culture and mission 26

4.6. Discussion 26

4.6.1 Rapid Organizational Growth 26

4.6.2 Organizational Culture 28

4.6.3 Achieve Organizational Mission 28

4.7 Redesign 29

5. Conclusion 30

5.1. Theoretical implications and Research limitations 31 5.2. Practical implications for Arriva 32 5.3. Suggestions for further research 32

6. References 33

5

1. Introduction

The public transport sector in the Netherlands has changed with the ‘Wet Personenvervoer 2000’. Since the year of 2000, this law has created more liberalization on the market. The regional public transport is subject to a competitive market with around 18 competitors. When a particular region of public transport is available for ‘bidding’, all competitors may submit their bid to the province of that region. The province decides which bid of which company is the best with respect to price and quality and may offer that company the concession: the right to offer its service of public transport in that particular region for a fixed amount of years, sometimes with an option for some extra years (regularly 8 and 2, respectively). This may create a fluctuation in organizational size: you are able to win major concession and grow, or probably lose one when the province does not grant your company another contract. Lately, in December 2012, Arriva has won two major concessions which made them around twice as big as they were with respect to revenue. This organizational change has its influence on the internal control of a company. In this study, this organizational phenomena of rapid growth, which is inherent to this industry, and its influence on the internal control system is the main issue why this research has been conducted.

The company where the research has been conducted is Arriva. Arriva has a mission. This ultimate organizational goal is to become the largest player on the market. The reason when the mission will be reached should be simple: because they are the best. This has its implications for the strategy of Arriva, which focuses on two main pillars. First, Arriva wants to take advantages of the liberalization of the public transport market. To make this more specific: Arriva wants to win and keep the available concessions on the market. This growth strategy must contribute to a company objective set by the mother company of Arriva, Deutsche Bahn. This points out that the financial turnover in 2017 must be twice as high as it is today. Second, because this strategic objective would be worthless in case that along with the turnover doubling, the overhead costs also double, there is a strong focus on conducting effective and efficient business activities. Standard methods or best practice for internal processes are more and more about to be implemented by Deutsche Bahn in order increase efficiency among all their companies, including Arriva.

6 the company with regard to internal control and an internal control system. Examples from other companies where for example fraud occurred in times of growth, should absolutely be prevented in the eyes of the management.

First, the management meetings were more focused towards questions which seem to embrace the design of a new ICS. The management were looking for ways in which this could be beneficial for Arriva itself instead of just ‘’being loyal’’ towards Deutsche Bahn. Questions that came up during these meetings were like the following:

‘’Can an ICS help us to minimize risks in our organization? Is a culture shift needed?’’;

‘’Can an ICS help us in these times of organizational growth with regard to procedures and processes and new employees?’’;

‘’Can an ICS help us to reach organizational goals, and ultimately our mission?’’;

‘’Can an ICS keep our organization a trustful company, now we will have a higher impact on the society?’’.

Arriva made a first start to define what their ICS should cover. Their definition is the following: An ICS is defined, according to Arriva, as all by management established principles, procedures and measures, designed to provide reasonable assurance regarding the achievement of organizational objectives with respect to:

 The effectiveness and efficiency of business activities  Compliance with applicable laws and regulations;

 Correctness and reliability of the internal and external accounting.

This study during the design period of an ICS of slightly more than half a year, and will focus on how the ICS will be designed in times of rapid growth, if a culture change is needed and how the organizational mission can be achieved using the ICS. The ICS should be a business-oriented tool, which is in line with the view of the management, especially after winning the major concessions. What are the crucial factors in the design of an ICS?

1.1 Problem statement & purpose of the study

7

1.2 Significance of the study

This study is unique in the sense that up until this time no research has been done to the design of an ICS in a company which operates in the public transport sector. More specific: Most studies so far have researched the internal control of companies in a more static manner. These studies focused on how an internal control system do operate in an organization. This study will focus especially on the growth perspective. The company wants to grow further, succeeding in its mission, minimize risks and make a shift in the organizational culture. The influence of these factors on the design of an ICS will be investigated. Doyle & Mcvay (2006) already concluded that weaknesses in an ICS occur more in organizations that are rapidly growing, but does not link it to the design of an ICS. In this study, it will be investigated if rapid growth can play a vital role in the design of the ICS.

Previous studies have investigated the implementation of COSO already (Beasley et al., 2010; Vandervelde et al., 2012 and Kleffner et al., 2003). This study will not just investigate the implementation of COSO, but will take a look at the design of a whole new ICS with the help of the COSO-model with a strong focus on the achievement of organizational objectives and minimizing risks due to rapid growth.

In a paper written by Hermanson et al (2012), the writers suggest further research in the factors that decide the strength of internal control based on other research methods then they did, for example qualitative research (the writers used quantitative research). This study will use qualitative research.

With regard to the mission of the company, previous research (Bart (1998); Kirk & Beth (2010)) focused especially on an organizational mission with regard to have a framework for decision making and increase firm performance but a link of a mission to an ICS could not be found. This study will try to research whether the organizational mission can be taken into consideration in the design phase of an ICS.

The organizational culture with regard to risk has in previous papers often been studies as creating a positive risk culture (i.e. Atkinson, 2013 & Krivkovich, 2013). In this case study the current organizational culture will be discussed. The question is whether this culture is sufficient enough, and whether or not it is too risky.

8 discussion the results will be presented in a detailed redesign for the company. This paper will then have a conclusion. At the end, a list of references and the appendices can be found.

1.3 Research Question

The following research question will be addressed in this study:

What are the crucial factors in the design of a new Internal Control System to help a growing organization creating a change in organizational culture and succeeding to achieve its organizational mission?

1.4 Questions to the literature

In order to answer the research question, addressed in 1.3., the main concepts of this study should be explored by investigating the literature. The main subjects that will be examined in are internal control system, the link of internal control within the field of management control, the influence of (rapid) growth on internal control (system), risks minimization & goal/mission achievement through internal control and organizational culture.

1. What is an internal control system?

2. What is the link of internal control within the field of management control?

3. What is the influence of (rapid) growth on an organization’s Internal Control (system)?

4. How can organizational risks be minimized with an Internal Control System?

5. What is the influence of an organizational culture on a company?

6. Which factors are important to succeed in organizational goals / mission?

2. Theoretical Framework

2.1. Internal Control Systems

To start off with a very general question but of influence on how we perceive an ICS: What is the goal of an ICS according to literature? The important reasons are: Effective enterprise governance, the fulfillment of management objectives, and minimizing the opportunity for fraudulent activity. These factors are positively associated with the strength of the internal control system of a company (Peterson and Zikmund, 2004).

9 control represents an organization’s plans, methods, and procedures used to meet its missions, goals, and objectives and serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, waste, abuse and mismanagement. Internal control provides reasonable assurance that an organizations’ objectives are achieved through (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with laws and regulations.

An Internal Control System is an important component in an organization structure used to monitor activities of the entity by the management to ensure good governance. (Vijayakumar & Nagaraja, 2012). Thus, the board of directors are responsible for providing good governance, guidance and oversight for senior management and ensuring that an appropriate internal control system is in place to achieve organizational objectives.

Figure 1: Internal control framework (From: Vijayakumar & Nagaraja, 2012)

Thus, internal control is one of the several factors influencing the performance of an organization. It plays a vital role in achieving enterprises intended objectives. Internal control is pre-requisite andfundamental to the successful operations. It is a broader concept, which includes all controls relating to strategic governance and management process, business activities and operations extending to the overall performances of business organization. Here we see common ground between internal control on the one hand and management control on the other hand. This brings us to the field of management control and management control systems.

2.2 The link between management control and internal control

In this study in the field of organizational & management control it is interesting and useful to see the link between management control and internal control. According to Mouthaan (2000) is internal control a combination of the vision on internal control from the accountancy viewpoint and the vision on management control from management theory. The vision of management theory becomes evident in the COSO-definition through describing internal controls.

10 function of the internal control: to assure the completeness and reliability of the data. Internal control as well as management control are processes that ensures organizations to stay in control (Vaassen, 2003).

Besides the function of reliable and complete information, nowadays the function moves more towards the achieving of organizationat objectives. And therefore, detect and prevent on the deviations that prevent organizations from reaching their objectives. Since management control also focuses on this aspect the link between management control and internal control becomes thinner.

2.3. (Rapid) organizational growth and the role of Internal Control

In this section we want to elaborate on how organizational growth influences the internal control of an organization. In more detail the link between rapid growth and internal control will be discussed.

Pressure on existing controls

According to Colbert (2008), internal controls are critical for an organization to function effectively. And if an organization has these an effective system, it can minimize the risks. Fraud should be minimized as much as possible which is up to auditors to control that the internal control works well and an organization will not be startled by fraud or financial scandals.

Financial scandals played a quite large role in the history of some companies. Very common examples are Enron, WorldCom and more recent Bernie Madoff ‘Ponzi’ scheme. It is very arguable that these scandals were because a fail of their internal control in times of organizational growth. The ICS they had, did not work well in practice (Schneider & Becker, 2011).

Risk management forms an integral part of internal control (Vijayakumar & Nagaraja, 2012). Thus, risk assessment forms a central part in judging an ICS and prevent an organization from any scandals. On a less extreme level, risk can lead to not achieving the goals of the strategy that a company has implemented, because the control on these goals is weaker. Increased control can increase this.

Internal control according to Atwood et al. (2012) is designed to enhance the following factors:

- Financial reporting reliability

11 If factors like organizational size change occur and monitoring shows that the internal control system is no longer appropriate it is necessary to adjust the controls. If not, the system is exposed to risk or even further to fraud, waste and abuse.

After making this more general point about growth, it will be interesting to see if especially rapid growth has a particular influence on Internal Control. A research conducted by Doyle & McVay (2006) about determinants of weaknesses in internal control, conclude that weaknesses in internal control is more likely for firms that are, along with other factors, rapidly growing. Here we see that not just growth as a single factor, but rapid growth of a business is a determinant of weaknesses in Internal Control.

Managing (new) risks: The COSO-model

While building a theoretical framework about the subject, the COSO was a model that has been mentioned often. The COSO-model has been developed by the American The Committee of Sponsoring Organizations of the Treadway Commission, first in 2002 and with an extended version in 2004 (Coso.org, 2013). This was done after some large accounting scandals and fraud. It consists of a group of five private sector organizations. Their model gives organizations the opportunity to become critical towards their governance, internal control, risk management, business ethics, fraud and financial reporting.

COSO defines the role of internal control monitoring as ensuring that internal control continues to operate effectively by promoting good control operations and enhancing the process of assessing the design and operation of controls (Masli et al., 2010).

The COSO-model is a common model used for better internal control and management, which is the main issue in this study. It has to contribute to strategic objectives set by the organization.

12 The COSO-model includes the following factors (The COSO-model, 2005):

 Monitoring: ICSs need to be monitored on the quality of the system and its performance over time. This can be done through evaluations and/or monitoring activities. Serious matters should be reported to top management and the board  Information & Communication: Pertinent information must be identified, captured,

and communicated in a form and time frame that enables people to carry out their responsibilities. Information with regard to operational, financial and compliance-related information that make it possible to run and control the business. The role of every member must be clear and communicated by top management.

 Control activities: The procedures and policies that helps to ensure management directives are carried out. Risks should be addressed to the achievement of a particular entity’s objective. Control activities examples are approvals, authorization, segregation of duties, etc.

 Risk assessment: Every organization faces internal and external risk. These risks must be assessed. It is important to set objectives in order to determine the risk associated with those objectives, also in times of change.

 Control environment: This sets the tone of an organization. It influences the consciousness that organizational members have of control. It is the foundation of the other component of the model and provides structure and discipline. Examples are integrity, ethical values, management philosophy etc.

As soon as an organization has designed and implemented an ICS, management must continue to monitor effectiveness of the system, lest it become outdated due to changing business environments and operations (Tsay, 2010). This reflects the monitoring part of the COSO-model. The five aspects mentioned in the COSO-model (see figure 2), can be monitored by auditors and by management as self-reflection.

With respect to the COSO-process, the first step is to start with financial statements of a company which leads to certain assertions (step 2) . Along with assertions there arise risks (step 3). Step 4 is to define control objectives in order to mitigate the risk and finally, step 5, the necessary controls to meet the control objectives are determined (Ramos, 2009).

Change in segregation of duties

13 implement previously unnecessary internal controls. For example, as an organization grows, duties formerly handled by an owner/manager will need to be assigned to other people. The new distribution of duties demands internal control adjustments, such as a need for authorization controls, surety bonds, and proper documentation of essential policies and processes. Additionally, restrictions will likely need to be placed on employee access to information. Responsibility for internal control compliance may begin to span multiple departments, frequently creating organizational silos and limiting communication. Some internal controls may become illusionary solely based on an “it’s the other guy’s responsibility” attitude.

A study conducted by Gramling et al. (2010) revealed that a clear segregation of duties is a fundamental element in effective internal control. This means that a process is divided among several people. In that case, no single person can take advantage for personal gain or other impropriety.

2.4. Organizational culture

Risk may probably arise from an organizational culture (Shahzad et al., 2013). The culture in how people behave to each other and how they process information to each other. Choo (2013) proposes four types of information cultures. A result-oriented, where the goal for the company is to succeed in a market/sector. Second, a rule-following culture. In such a culture the information to manage internal control is important. Third is a relationship-based culture. Here the information is managed to encourage communication, participation and a sense of identity. Last, a risk-taking culture is a culture where information is used to encourage innovation, creativity and exploring new ideas. Other studies (Atkinson, 2013 & Krivkovich, 2013) emphasize how an organizational culture can create a positive risk management and culture.

2.5 Organizational goal/mission

14 industry, showed that internal control knowledge integration, regulation compliance awareness and risk control effectiveness has a positive effect on the value of a firm. Besides, they conclude that an increase a firms’ value has a positive effect on goal achievement. Bart (1998) found a positive significant relationship between the performance of a firm and mission statements with which managers were satisfied with. Kirk and Beth (2010) explained furthermore that a mission statement is a framework for i.e. decision making and influence over staff..

2.6 Conceptual Model

The conceptual model gives a schematic overview of the main crucial factors influencing the design of the ICS. From the problem analysis of the company and the literature elaborating on the subjects arising from the problem analysis, there are three main factors which will be investigated in this study. These three are rapid growth, with the characteristics increased control pressure, increased new risks and increased differences in duties. What is the influence of these three factors on the design of a new ICS? Second, the organizational mission and its influence on the design of a new ICS. Third, the organizational (information) culture. The information culture shows characteristics on the way how information is processed towards each other. How does a particular information culture influences the design of a new ICS? This will be investigated as part of the overall culture of the organization.

Figure 3: Conceptual Model

The sub-questions are:

1) Rapid organizational growth:

15 1b. What is the effect of the amount of new risks on the design of an internal control system?

1c. What is the influence of the increased change in segregation of duties on the design of an internal control system?

2) Organizational culture

2a. What is the influence of the organization (information) culture on the design of an internal control system?

2b. What is the influence of a new ICS on the organizational (information) culture?

3) Achieve organizational mission

3a. What is the influence of the organizational mission on the design of an internal control system?

3. Research Method

3.1 Research design

This research adopts a business problem solving approach. This is due to the fact that the organization of interest is experiencing a business problem. For this approach, the regulative cycle of Van Strien (1997) is used as described by Van Aken, Berends, and Van der Bij (2007). This cycle has five basic process steps (Appendix 1). The business solving project has 3 parts which covers the five steps of the regulative cycle. The first part, the design part, provides a redesign of the business problem and covers the first three steps of the cycle: problem definition, analysis and diagnosis, and a plan of action. This phase is addressed in this study. The next two parts include the change part and the learning part. In the change

part, the redesign is realized though changes in the organization and also covers the fourth

step of the cycle, intervention. The learning part, in which the organization learns to deal with the change, covers the fifth step of the cycle, evaluation. Unfortunately these very important phases are beyond the scope of this research .

16

3.2 Data collection

For the theoretical framework, the online databases of Business Source Premier, Elsevier and ScienceDirect were used. High quality literature can be found in these databases. The search terms were: Internal Control, Internal Control Systems, Internal Control AND (rapid) growth, Internal Control AND organizational culture, Organizational culture AND risk, Internal Control Systems AND (crucial/important) factors, Internal Control AND (minimize) risk, Internal Control and Organizational goal(s).

Beyond this theoretical part, the data itself has been collected at the company. It includes information from their website, meeting minutes, procedure descriptions and interviews. In order to conduct a study on the business problem, preliminary interviews were held. These were conducted with the Financial Director, the Concern Controller, the Controller (unit Bus), the project manager assigned to fulfill the ICS-task and a financial manager who worked already for a very long time at Arriva and knew a lot about the organizational and its culture. For the in-depth case study, besides these interviewees, other interviews were held with head of all departments. See 3.3 Research Population for a detailed overview.

During the phase of the design of a new ICS, semi-structured interviews (using a form with questions. Nevertheless there was enough opportunities to ask more about a particular subject and the feeling of the manager), were held with these (see 3.3) responsible managers. The reason for conducting semi-structured interviews was to gain more knowledge. With completely structured interviews there was a risk that the interviewees would not tell more than just answer on the question. Conducting semi-structured interviews there was a chance to gain more and broader understanding of what the crucial factors of an ICS within Arriva are. The interviews were held in a certain order. First, there were interviews held which focused on general questions about the company and an ICS, and the growth of the company and its influence on the internal control. Second, the subject of risk minimization was the main topic of the interviews. Third, the design of an ICS was discussed in a detailed manner with the responsible managers which includes the previous aspect as well. Besides, the achievement the organizational mission was discussed.

All interviews were conducted at the office of Arriva in Heerenveen, mostly at the office of the responsible manager. The interviews had a wide variety in means of time. On average they were around one hour, but some lasted longer (sometimes two hours) or shorter (30 minutes).

3.3 Research population

17 - 1 Business Administration (Concern Controller / (PA of) CEO)

- 2 Board communication ((PA of) CEO) - 3 Compliance (Compliance officer)

- 4 Accounting (Controllers / Concern Controller / CFO) - 5 Planning, Reporting & Controlling (Concern Controller)

- 6 Investment and Project Controlling (Project Controller)

- 7 Risk Management (Concern Controller / Project Manager) - 8 Finance / Financing (Concern Controller / CFO)

- 9 Procurement (Head of Procurement)

- 10 HR (HR Director)

Overall responsibility for the ICS is the Project Manager. The research population gives a great opportunity to investigate the ICS throughout the whole organization. Every department with its responsible manager which is of importance will be interviewed according to the data collection mentioned in 3.2. The research population has been studied and interviewed throughout the whole period of end of 2012 until July 2013. In total there were eight people interviewed. The CEO could not be interviewed, however his Personal Assistant (PA) did this several times in name of the CEO.

3.4 Data analysis

Interviews were held using a questionnaire. First some general questions about the ICS itself were asked with regard to their department, and what the view of the responsible manager is. These questions were for all different parts (see 3.3) the same in order to get a clear view on the ICS. To get a deeper understanding of each own practices, there were more questions asked for each responsible manager in his or her own field of work.

18 achieve organizational objectives. The aim was to get a view on the relationships between the main topics and labels.

After these three steps, the validity has been investigated. It is important that the labeling has been conducted in a way that all relevant information has a label. In this study, new labels were created when new, relevant, information was derived in order to increase the validity.

3.5 Reliability

In order to get a well structured study, there were general questions for all responsible managers. Questions were used using the factors from the COSO-model. This is due to the fact that it is a relatively new model which can help the organization to obtain better internal control and management. In the beginning of the study around five interviews were conducted in each week. In the end this was more, around eight. All interviews were conducted at the office of the responsible managers or another room, in case the responsible manager had to share his or her office with someone else, in order to guarantee privacy. Answers were written down and after summarizing these answers they were always send back to the responsible manager in order to increase the punctuality of the answers.

Some of these questions are with regard to the specific ‘department’, and some are related to an ICS as a whole.

3.6 Validity

As I was not involved in this company and had not worked with ICS in organizations before, I had the idea that the interviewees were completely free is their answers. In my opinion, they were not forced into certain ideas or a certain kind of answers. Besides, since the interviews were semi-structured there was allowance for the interviewee to go beyond the question itself and express all their feelings, ideas and know-how about a subject.

19

4. Results

In the first paragraph of this section the answers and outcomes derived from the interviews will be discussed in general using quotes and general findings. Each subject of the conceptual model (rapid growth, culture and mission) will be discussed. Then, the answers will be related to the assumed relationships, shown in the conceptual model and the sub questions, in an analysis (from 4.2. and onwards).

4.1. General analysis of the interviews

The main topics rely on three main pillars. The rapid growth, the organizational culture and the organizational mission in relationship to the design of an ICS. Besides, some general question about an ICS were asked. A general question asked was about the need for a new ICS. Seven out of ten managers found that there was a need for a new ICS. The departments of Investment & Project controlling, Procurement and H.R. did not find it necessary. These three departments do have more often different opinions in contrast to the other departments. They already find their existing process and procedures sufficient enough to secure the internal control. Five departments think that the content of the ICS should be (very) strict. Eight out of ten departments believed the new ICS should not be too exaggerated. The main opinion was pretty much the same. The manager of the planning, reporting and controlling summarized this very clear as follows:’’ There should be some

freedom in the ICS it and I am afraid I should assure every little piece of action in my department, which will cost me or someone else a lot of time and money, without having a satisfied result. You can sign off every piece of action which is successfully conducted, but I would rather stay focused on the important procedures in my department.’’ Only two

departments did not agree on this question about exaggeration. The responsible manager of these departments is the CEO. The answers on the question if more should be signed off was, apart from the Investment & Project Controlling, Procurement and H.R., positively answered by all other departments. The three departments who disagreed had the same reasons as on the questions of there is a need for a new ICS. Every department believed a clear segregation of duties should be taken into consideration in the design of a new ICS.

Increased control pressure

Detailed questions about the main subjects of this study were asked in order to get a view on how the different departments think about the subjects of interest and how they behave.

Every department felt the growth on their department and said that the growth should play a role in the design of an ICS. The concern controller explained further: ’’The design

20

We have to realize ourselves that with our goal to grow and grow more, our internal control system should help to realize the objectives. That we are able to minimize risks coming along with growth and that we therefore can maximize our profit and minimize deviations from reaching objectives through a good ICS which can handle the current rapid growth and further growth.’’

More detailed questions were asked to get a better view what the influence of the rapid growth is. All managers said that the rapid growth leads to more workload. The manager of the investment and project is one of the people who is most engaged in the winning of tenders. He is the one is responsible for planning, preparing and monitoring the investments. About the rapid growth on his department he says inter alia:’’ We won more

concessions so there is more to be controlled by us every period. We make comparison between budget / forecast and the actual numbers. If we would not have won the concessions there was no need to control the tenders anymore.’’ A second question if

more external pressure could be felt by the managers, only two departments answered yes. These were the departments owned by the CEO. The management of Arriva has to

report to the supervisory board in periodically meetings. The supervisory board wants to be informed about the ongoing issues of the company. The rapid growth is something which should be managed narrowly. The PA of the CEO explained:’’ As Arriva is one of the largest

companies in Northern Netherlands with 4000 employees we have to be a trustful partner. With our rapid growth we have to be accountable towards our supervisory board. They must see that we have an organization which is capable of dealing with rapid growth.’’. On the

other hand, the other departments were less involved by external pressures.

The rapid growth has also big influence on the amount of employees at the company. Eight

out of ten departments believed they need more employees in the times of growth.

New employees should be trustful and loyal towards the company. The compliance officer is responsible for this subject and she explained: ‘’Growth means more people, more

information, more process streams which means also a higher risk that people do not comply with the rules and regulations. It is therefore important that the ICS guarantees that the new employees are reliable towards our company, for example with the competition compliance forms which most managers must fill in. It is my job to ensure that. Having an ICS obligation to actually to do so, gives me even more motivation and gives in my opinion the right sense of urgency that more employees should fill in the competition compliance forms.’’ Only board

21

New Risks

According to literature, new risks may harm the internal control of a company due to growth. Different questions about this subject were asked. First, the responsible managers were asked if the processes of their departments have formally written down process descriptions.

The half of them had so, the other half did not have real process descriptions. With

regard to standard procedures, so if processes are done in a standardized way, seven

out of ten did so. The manager of the accounting department told: ‘’all the work which has

to be done is conducted in a standardized manner, however, no process descriptions were formally written down.’’ This was a typical answer for the departments with no process

descriptions. Other departments do have more standardized way of working and were able to show clear process descriptions are procedures they followed. Board communication, investment & project controlling, procurement and H.R., did have both clear process descriptions and procedures formally written down. The other departments lacked either process descriptions or standard procedures, or both like compliance and risk management. Three questions with regard to financial, reputational and fraud risks were asked. These questions are related to the concept of COSO. Avoiding financial risks was a theme that

was a lot mentioned (eight out of ten departments). The compliance officer declared for

example:’’ We want that relevant staff gets compliance training. However, we are waiting for

Arriva plc. (England) to receive the training in the Dutch language, since not all employees may be sufficient familiar with the English language. A compliance training in the Dutch language should be part of the ICS upon which we must agree, and therefore minimize the risks with potential financial losses and reputation damage.’’ Also the head of procurement

saw the advantages of a new ICS in combination with purchasing benefits, he stated: ’’With

our growing organization, and our more international based procurement procedures, it can be very efficient to create an ICS which helps to generate purchase benefits with other companies of Deutsche Bahn. However, without proper internal control and procedures, we cannot be easily able to work together with these other companies.’’. Again, only the

procurement and H.R. department thought that the current control system on their departments worked well enough to avoid financial risks. On the question if the new ICS

should be able to minimize reputational damage for the company, every single department found that is should do so. Especially from the management perspective this

was also an important thing to mention, because they were also looking towards the general view of the company by the outside world. The PA of the CEO stated: ’’The management

22

shareholders, the government and your mother company for instance’’. On the question of

a new ICS should be able to minimize the fraudulent activity eight out of ten believed this should be. Nowadays some habits of the way people work is not ensuring that fraud

can be prevented to its maximum. The head of procurement had an example: ‘’Below a

certain amount of money, the requisitioner of a good may also give the approval of that particular order.’’ The H.R. and Procurement department were the two departments who

already found that their procedures and processes already prevent fraudulent activity. The head of FA / Salary Administration (H.R. department) explained furthermore: ’’It is difficult to

minimize every risk. For example, we have a lot of personnel files here. The boards are locked, but the key to open them is hidden on a place which is not locked. It is hard to cover every potential risk. It may cost a lot of money too.’’ A question about the relationship

between risks in the public transport sector itself (operational level; busses/trains/ferry) and a new ICS was not positively related to each other.

Increased change in duties

Segregation of duties were clearly written down in five out of ten departments. The

managers with no clear segregation of duties on their department saw that this could increase risk in times of growth. A controller (accounting department) stated: ‘’We miss the

segregation of duties in our stock procedures. We can make a wrong declaration of stocks.’’

Some managers (accounting, planning, reporting & controlling) also told that some tasks were transferred to other employees when the responsible person did not have enough time.

Organizational culture

On the question if the culture can be described as loose and if the ICS should lead to a change in organizational culture, seven (same seven on both questions) out of ten departments answered yes. The risk manager had the most clear explanation which

represents the common idea among the seven departments: ’’In our company we relied for a

long time on a taken-for-granted culture. A lot of things were not formally written down and everyone believed each other because the departments were uncluttered. This becomes now more and more cluttered so we should work in a more secure manner.’’. Investment &

Project Controlling, Procurement and H.R. did not see a need to change their culture and way of working. They already find their culture strict, rather than loose. The see a change in culture going from a strict culture to an even more strict culture, which is not necessary in their opinion.

All departments found the information culture result-oriented. The organization is a

23 organization must be profitable. All departments found the information culture relationship-based. The concern controller explained:’’ We have a communication style which is

experienced as pleasantly by most employees. In my opinion, this makes them feel like being of real importance for the company. For relatively smaller companies as we were this worked, but with our organization size change this is dangerous. ’’. Four departments found

the information culture rule-following. These four departments have already strict processes and procedures which obligates them to act in a certain way. Three departments found the information culture risk-taking. These are especially the departments who have a lot to do with tenders (concessions), on which they can make a bid.

Organizational mission

’’With our present, rapid, growth, we see a positive aspects of a new ICS. It can give us opportunities to structure our organization in a way which is suitable for growth purposes. This is in line with our mission, to become the biggest player in the market.’’, as stated by the

Concern Controller. On the question if the interviewee is familiar with the mission of the

company all departments answered positively. ‘’Becoming the largest player on the

market’’.

On the question if a manager felt that his or her department is financially or strategically contributing to the mission of the company, the half answered that they were more strategically involved and the other half financially. The head of procurement

explained why he thinks he has a more financially contribution: ’’Our company grows, the

companies of Deutsche Bahn (DB) also grow. We need to focus to reduce the costs on the products we buy. We should make more use of procurement advantages with other DB companies. We need more products. For example, busses. We should get purchase advantages which are at the end more profitable. We make use of master agreements, however they are not formally written down, but we stick to them anyway.’’ Also a controller

of the accounting department has a financial contribution. He does not only look at the revenues, but also at the costs in his reasoning: ’’Along with the financial turnover going up,

we also make more costs. It would be useless if the overhead costs will rise in the same speed as we grow in terms of turnover. Since this is also a part of our objectives, we have to make sure that we keep doing our work more effective and efficient. The ICS can help to achieve that by giving signals to our organizations where there are problems which may lead to more costs. In that manner we should be able to keep our costs low and become more profitable in order to reach our mission.’’

The Concern Controller is closer related to the management and has a more strategic view:

24

They are related. Our mission is to become the biggest player on the market. There is already the role of growth described. It is very important to us. Now we have to realize ourselves that we cannot come away with a too much informal culture. The ICS is very important to give that realization to everybody in the company that we should formalize procedures and report on our activities very detailed.’’

On the question if an ICS will help to motivate to keep giving that particular contribution to the mission of the company, seven out of ten said it would do so. From

the departments who answered more or less no on this answer they explained that the current control processes are already giving the right contribution to the mission. Other departments felt they could use more control to be more motivated to do their work in a way which is working towards a real organizational mission. They feel more important. Four managers made an additional note on this question which had the content of the following quote of the Manager Planning, Reporting and Controlling: ‘’I am familiar with the mission. It

is a healthy mission for a competitive company as we are. However, certain parts of an ICS as it may become could be too detailed in my opinion.

4.2. Analysis: Rapid Organizational Growth

In the conceptual model, three statements were made with regard to the rapid organizational growth and its influence on the design of an ICS.

First, increased control weaknesses due to growth was an assumption which was made. From the interviews most departments had a need for more employees. New employees should have a proper job description to work as quickly and efficient as possible on their job. A company does not exactly now what kind of person the new employee will be. There is a potential weakness. The compliance officer has the job to ensure that all employees are trustful and loyal towards to company, for example by filling in the competition compliance forms. Assuring this should in a new ICS lower the control weaknesses on new employees. Besides, from the interviews appeared that process descriptions and standard procedures were not there on every department. The company realized that this is not wishful in times of rapid growth and could increase control weaknesses. Therefore, they already started to minimize these risks. The head of accounting said: ‘’With our growth we have an consultancy

25 accounting process, and not yet in all departments where there were no process descriptions and/or standard procedures yet. The need to give growth a vital role in the design of an ICS was positively answered by all departments, therefore there is a willingness to decrease control weaknesses.

The second assumption in the conceptual model was about new risks emerging from the rapid growth. The main risks were financial, reputational and fraudulent activity. These characteristics derived from the COSO-model is supported by most departments. Decreasing the reputational risks was even supported by all managers. Every department found that the reputation of the company should be high in order to prevent the company from reputational damage by the outside world. Preventing financial risks and fraudulent activity was supported by eight departments. Only the procurement and H.R. did not. Committing to the COSO-model therefore, can rely on support throughout almost the whole company. According to the managers, these risks can be prevented to use the COSO-model in the design of an ICS.

The third assumption was the influence of a change in duties on the design of an ICS. The results from the interview showed a variety of segregation of duties in the departments nowadays. Managers realized that rapid growth will lead to a higher pressure on certain duties and therefore a clear segregation should be part of the design of a new ICS. Ensuring that all processes are conducted in times of growth by a responsible person is important according to the managers.

4.3 Analysis: Organizational culture

26

4.4 Analysis: Organizational Mission

Every department is familiar with the mission of the company. This shows the involvement of the managers and their departments to the company. Half of the departments see their contribution more as strategically, the other half as financially. Giving the organizational mission, becoming the biggest player on the market, a central role in the design of an ICS, is supported by seven out of ten managers. All managers want the mission to succeed and find it important that the company strives for this ultimate goal. The departments of investment & project controlling, procurement and H.R. do not think that a new ICS will give them a different attitude toward the mission. This is in line with other outcomes based on the interviews. These departments have already strict processes and procedures and do not have the feeling a new ICS will change a lot for their particular department. The ICS therefore should not have huge changes for their departments.

4.5 Coherence between growth, culture and mission

In this study it appeared that the management and responsible managers found that the rapid growth was the absolute basis of a new era of internal control in the company. The management found it important that a new ICS was not only functional for audits, but also to prevent new potential risks and be more profitable and thus be functional for the overall mission of the organization. From preliminary interviews, the organizational culture was the biggest issue on the current internal control. Because these three factors correlate in this study, these were the main issues of investigation.

4.6 Discussion

In this section the questions that followed the conceptual model will be shortly answered using the results from the case study and discussed in the context of the theoretical framework.

4.6.1 Rapid organizational growth

- Questions: 1a. What is the influence of increased pressure on internal controls on the design of an internal control system?

1b. What is the effect of new risks on the design of an internal control system?

27 From this case study emerged that the rapid growth could be felt throughout every department of the organization. Every department felt more work pressure and most of the departments had the need for new employees. Every department believed that the rapid growth and further growth must be taking into consideration in the design of a new ICS. Other departments wanted to be ready for growth because their work pressure became higher. If the ICS guarantees that some processes should be conducted in standardized ways, for example ensure the four-eye principle in order to prevent making mistakes by one person, the managers had some kind of certainty that the management will take care of new employees or new ways of working in times of rapid growth. These outcomes are in line with the findings by Doyle & McVay (2006) who stated that weaknesses in internal control is more likely for firms that are, along with other factors, rapidly growing. The company feels that the organizational size change and the current internal control is no longer appropriate. This is consistent with findings by Atwood et al. (2012), who stated if factors like organizational size change occur and monitoring shows that the internal control system is no longer appropriate it is necessary to adjust the controls. If not, the system is exposed to risk or even further to fraud, waste and abuse. This results of this study, however, makes a link between rapid growth and the design of a whole new ICS.

It appeared that on the departments a very variable percentage of the existence of clear process descriptions (50%), standard procedures (70%) and segregation of duties (50%) was present. According to the literature found (Gramling et al., 2010), the segregation of duties may be a problem since this is a fundamental element of effective internal control. The results in this study showed a commitment of the management and managers to have clear process descriptions, procedures and segregation of duties.

The financial risks should be minimized according to most managers (80%), reputational risks (100%) and minimize fraud (80%). The COSO-model (coso.org, 2013) gives an opportunity to become critical towards their governance, internal control, risk management, business ethics, fraud and financial reporting. Thus, committing (in a certain extent) to COSO is something which is according to literature to prevent these risks, and according to this case study important in the design of an ICS. An important note is that most managers (80%) do not want an ICS which is too detailed, too exaggerated. Management should be aware that some risks are not seen as real risk, because of organizational culture.

28

4.6.2. Organizational culture

- Question: a. What is the influence of the organization (information) culture on the design of an internal control system?

b. What is the influence of a new ICS on the organizational culture?

Most managers admit that the current culture in the organization is not giving the right security in times of growth. The company relies on a taken-for-granted culture. They believe each other in the work they do, the processes that are conducted. Not much is officially signed off or documented. The risks of these particular characteristics are not found as risks or as crucial factors on the design of an ICS. However, it is in line with the statement from Shahzad et al. (2013) that risks probably may arise from an organizational culture. The information culture is seen by all managers as result-oriented, which is beneficial for achieving the organizational mission (see 5.3). The positive factors from the relationship-based, i.e. creating sense of identity, can be used to keep employees loyal and committed to the organization and agrees with Choo (2013) who proposes in total four kind of information cultures. This study proposes the influence between culture and the ICS.

4.6.3. Achieve organizational mission

- Question: How can a design of a new ICS help to achieve the organizational mission?

29 transparency have a positive influence on the audit quality, which, in turn, has a positive correlation with goal achievement. In case of changes in the ICS, the participation of the managers should be high, in order to keep an ICS which is supported by the managers who have to deal with it.

4.7 Redesign

The organization faces a rapid growth due to a win of two major concessions. This has implications for the organization. With rapid growth, there is an increased need to minimize risks, minimize control weaknesses and increase the segregation of duties. An example is the prevention of fraud.

In this summary a redesign of the Internal Control System will be focused on three main pillars: Growth, culture and mission. The research question in this study is: What are the

crucial factors in the design of a new Internal Control System to help a growing organization create a change in organizational culture and succeeding to achieve its organizational mission?

After analyzing the data from interviews with the responsible managers of all departments in the organizations some conclusions can be drawn up that the ICS has to be designed in a certain way. The recommendations following from this conclusion are that the ICS should:

- Cover all departments. Every department is aware of the growth and the mission of the

company. Therefore all departments should be involved in the design of the ICS and every department has its share in making audits on the ICS to a success.

- Have proper process descriptions and procedures. The organizational has the ultimate

goal of becoming the largest player in the market. The ICS can help to achieve this. It starts with having proper procedures for the different departments and its processes. When new employees arrive at the company they are able to work quickly on their job. Not all departments have proper process descriptions and procedures yet, so this should be covered.

- Be ready for change in duties, guarantee limited authorization and the four-eye principle (growth purposes). In case of winning new major concessions in the future the

30 - Culture change, clear reporting but no exaggeration. The company relied a long time

upon a culture that was described by most managers as taken-for-granted, an informal culture. A lot of actions were not formally written down. For example, minutes of meetings. This makes decision making more difficult. To achieve the ultimate organizational objective of being the biggest player on the market, the ICS should be designed in a way that fraud will be prevented and otherwise, can be more easily detected. A result-oriented culture is preferable above the more relationship-based, although a sense of identity is important to keep employees loyal. However, from the data obtained from the managers, the amount of reporting should not be exaggerated too much. To sign off every little piece of work can lead to less motivation and laxity. The recommendation therefore is that more should be reported and signed off, but critical choices on each department should be made whether something should or should not be signed off.

5. Conclusion

In this section of the paper the conclusion will be given along with the academic contribution. According to de Leeuw (2001) a contribution can be: adding something new; improvement of an existing phenomena or finding relationships in certain phenomena (i.e. two theories).

In this study the following research question was addressed: What are the crucial factors in

the design of a new Internal Control System to help a growing organization creating a change in organizational culture and succeeding to achieve its organizational mission?

This study has tried to answer this research question by giving meaning to the design of the purpose, goal and the crucial factors of an ICS.

The research so far did not have any information about this specific topic. There was literature about internal control, internal control systems, but the link with a railroad company was not there yet. Also, the literature showed that growth had its influence on the internal control of a company. However, literature did not show how the design of an ICS could be in order to be ready for growth.

31 Interviews were held with the responsible managers about four main topics: ICS in general, the influence of growth in the ICS, including control weaknesses, new risks and segregation of duties, the influence of organizational culture on the design of an ICS, and the influence of the organizational mission on the design of an ICS. The organization 1) wants to grow further, 2) should create a change in organizational culture and 3) wants to succeed in its organizational mission.

Purpose. The ultimate purpose for the organization is to have an ICS which provides a certain contribution in achieving the organizational mission: to become the biggest player on the market.

Goals. The ICS should carry some main goals to support the ultimate purpose. It should be ready for growth. If the organizational and its internal control is not ready for growth, serious risks may emerge when the organization grows more and more. This study showed examples as financial risks, reputational risks and fraudulent activity. Second, the culture should be ready for change and risks as fraudulent activity should be minimized. Third, the ICS should give the opportunity to become efficient and effective in its processes in order to be more profitable and reduce (overhead) costs.

Crucial Factors. From the interviews, data was collected in order to answer the research question. The main suggestions for the design are that the ICS should cover all departments, that every department should have proper process descriptions and procedures, should report clearly but no exaggeration, ensure clear separation of duties, job descriptions, limited authorization and the four-eye principle. Besides the ICS should create a shift in the organizational culture.

With these outcomes in mind this studies will hopefully make the design of internal control system for other companies easier who faces similar circumstances. Although this study has only been conducted in one single organization, the concepts are quite general and may therefore be applicable to more organizations.

5.1. Theoretical implications and Research limitations

32 be found in the time spend within the company in order to obtain data for this case study. This has been six months, which may be enough to detect the crucial factors, but too short to investigate the subject more deeper. Second, although the company was willing to share a lot of information, not all could be used for this paper because of confidentiality. Some quotes could not be literally written down in this paper. Nevertheless, this was not of influence on the outcomes.

5.2. Practical implications for Arriva

Arriva is facing a new era of internal control. It will have impact on the way of working and therefore the change may be quite radical. It will be important for Arriva to keep all responsible managers committed to stick to a new kind of culture. A culture where not much should be taken-for-granted, more should be signed off and all processes should be written down. The mission of the organization is very clear and known by every responsible manager. Therefore, it can be very useful to link the mission to the ICS in order to keep managers more motivated. An ICS can help achieving the mission of the organization. Keep the responsible managers committed to the ICS, also in times of change.

5.3. Suggestions for further research

33

6. References

Applegate, D. and Wills, T. 1999. Integrating COSO. Internal Auditor. Vol. 56, Issue 6, p60, 7p.

Atkinson, P. 2013. Managing Change and Building a Positive Risk Culture. Management

Services. Vol. 57, Issue 2, p9-13.

Atwood, B. Rainborn, C.A. Butler, J.B. The illusion of internal controls. Strategic finance. Vol. 94, Issue 4. P31-37.

Baarda, D.B., De Goede, M.P.M., &Teunissen, J. 2005. Basisboek kwalitatief onderzoek, Groningen: Wolters-Noordhoff bv.

Bart, C.K. 1998. The Relationship Between Mission Statements and Firm Performance: An Exploratory Study. Journal of Management studies. Vol 35, Issue 6, p823-853.

Beasley, M.S., Bruce, C., Hancock, B.V. 2010. Are you identifying the most significant risks?

Strategic Finance. Vol 92, Issue 5, p29-35.

Choo, C.W. 2013. Information Culture and organizational effectiveness. International Journal

of Information Marketing. Vol. 33, Issue 5, p775-779.

Colbert, J. 2008. How to monitor internal controls. Journal of corporate Accounting &

Finance. Vol. 19, Issue 4, p41-45.

Van der Bij, 2012. Slides college 3, Research & Skills. [Last visit: Feb 3th 2013]

The COSO-model. 2005. The COSO-model. Internal Auditor. Vol. 62, Issue 2. 1p. COSO, www.coso.org. [Last visit: Jan 3th 2013]