Corporate Compliance as One of the Most Critical Issues of Modern Organisations - Coursework Example

Introduction Corporate governance is one of the most critical issues faced by most of the modern organizations. With the sad demise of corporate giants such as Enron and World Com, its importance as well as significance has greatly increased. Apart from that the increasing complexities of the modern businesses as well as deficiencies of accounting treatments to effectively disclose important information in financial statements necessitated that a framework must be developed which can effectively cater to the internal control requirements of the organizations. In order to address such questions, Committee of the Sponsoring Organizations of the Treadway Commission (COSO) developed a model for internal controls in 1992. The generally adopted standards of internal controls, as provided in that model serve as the definitive standards for implementing internal controls in any organization. This model was basically implemented in order to improve upon the effectiveness and efficiency of organizational operations, increase the credibility and reliability of financial information as well as insuring compliance with regulatory laws and regulations. The Committee aimed to achieve above by implementing a uniform set of standards which provided best practices to be used in order to create an environment of internal control which involve board of directors and higher management of the firms so that the potential risk elements associated with weak internal controls can be effectively controlled. This report will outline a plan to implement the enterprise risk management in Apple Computers. This plan will however, be based on the recommendations of COSO in order to ensure compliance with the model. Effective Internal Control System According to COSO descriptions, an effective control system with an organization is based on following five components. These are: (COSO, 2003) 1) Control Environment which comprises of elements such as integrity and ethical values, commitment to competence, board of directors and audit committees, Management's Philosophy and operating style, Organizational structure etc. 2) Risk Assessment includes company wide objectives, process level objectives, Risk Identification, Managing Change etc. 3) Control Activities include Policies and Procedures, Security, application change management etc. 4) Information and Communication includes quality of information 5) Monitoring includes On-going monitoring, Separate Evaluation as well as reporting deficiencies. COSO model on internal controls roughly covers above parameters and attempt to outline different policies and procedures which must be adopted in order to effectively monitor and manage internal control environment within the organization. It is also important to understand that the firms may not need to implement the whole document verbatim however the same may have studied and customized to suit the organizational needs and structure while at the same time keeping the real essence of the model intact. The above mentioned components also work to produce a combine impact on implementing a better and more efficient internal control environment within an organization and laid the foundations for the development of systems and procedures which ensure that the organization not only meet the requirements of the model but also put in place a systematic environment within the organization which ensure transparency within different functional and operational areas of the organization. Enterprise Risk The above prelude suggested that the COSO was active in implementing effective internal controls within the organizations however as the complexities of the business grew, COSO developed a separate framework for enterprise risk management for organizations. According to COSO, an enterprise risk management is "a process effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. This process necessarily involves both individual units within an organization and the organization as a whole."(COSO, 2003). The above definition suggests that the enterprise risk management requires the involvement of the top brass of the organization, and that it is a strategy which must be implemented until the individual unit level within an organization. The potential benefit is to manage risk and to remain with the accepted risk appetite level in order to gain reasonable assurance regarding the achievements of the objectives of the organization. This definition is broad in the sense that it requires a greater degree of involvement from the higher management of the organization to implement and ensure the compliance of standards set out in enterprise risk management framework. For Apple, we intend to implement the above process of enterprise risk management as a phased process and would involve following processes: Internal Environment At this initial stage of enterprise risk management implementation within Apple, we intend to form a generalized concept of what risk management is and how our overall tone to the whole issue of enterprise should be on the organizational level. Since establishing an internal environment conducive to the overall risk management falls within strategic activity therefore Apple will view it generally entity level and would first take up the issue with its boards of directors to set up the overall tone and orientation of the organization towards this process. (Olson & Wu, 2005). Thus at this level, the top management including board of directors will be involved in setting up the basic philosophy of the risk management within the organization as well as create a risk management culture and design the overall risk management structure within the organization. Since this would be an entity level activity with strategic orientation therefore lots of emphasis would be on how the overall environment of risk management at enterprise level will help organization to avoid the external as well as internal risk shocks. This stage would also involve defining and setting the tone for the future activities to take place within the organization in this regard. Objective Setting This stage of implementation would involve the objective setting. Before initiating any further process of implementing ERM, Management would define the overall objectives to be achieved from this process, and it would be checked and decided if these objectives are in alignment with the overall strategic objectives of the firm or not. It is also important to understand that above two internal controls i.e. top management oversight of the whole process and identification of the objectives for enterprise risk management would serve as the preventive internal control mechanism for the firm i.e. this would allow Apple to put in place a proactive preventive system in place which would allow it to foresee and prevent risk events to take place. Event Identification This stage of implementation would involve management to identify the risk events. The operation managers of the different departments would be responsible for identifying individual risk events within their department including their frequency as well as cost involved i.e. how much they can deter the interests of the firm and their respective departments. It is also important to understand that at this level, since management has already put in place a control environment and have defined the overall objectives, therefore it would require operation managers i.e. respective departmental heads to accurately determine and identify the breadth and depth of the risk events to take place. This would also involve the clear identification of different risk events such as what could go wrong, How might we can fail, what areas are more vulnerable than others, which assets are prone to more or higher risks and need to be protected etc. (UCLA, 2008). It is also critical to understand that this step would be a detective internal control as it at this stage that the potential risk events will be detected. Risk Assessment This stage would also include the detective stage as at this stage, strategies available to manage risk would be identified. At this stage, the respective departmental heads, along with the central team, would assess the frequency and probability of the risk events to occur i.e. the effort would be made to assess the likelihood of the events occurring as well as their potential impact would be assessed. Further it would also be decided as to how the different risk events, categorized according to their frequency of occurrence can be managed. Control Activities, Information & Communication These two would be the corrective internal control mechanisms because at this stage, it would be clearly determined as to what control activities should be adopted to mitigate the risk events defined and identified. It is also critical to note that the cost of the overall response to the risk events will also be assessed at this stage of the implementation. Further, when control activities are in place, the next step would require Apple to communicate the steps taken to the stakeholders as well as ensuring that the information systems have the capability to measure and report the risk. (Gauthier, 2005) Monitoring This stage would also serve as a preventive stage where the overall effectiveness of the implementation of the enterprise risk management plan would be monitored as well as checked as to whether it has been able to achieve its objectives or not. This stage would also involve evaluating the actual risk events with the estimates of probability of occurrence as well as cost involved in framing the overall risk response to the event. Monitoring would be a separate and an independent function and would not report to any of the functional departments but would rather report directly to the board of directors of Apple. Conclusion Enterprise Risk Management is one of the most demanding and complex jobs. At Apple this job will be performed in accordance with the approved guidelines as well as recommendations of COSO and would be implemented in a phased process. The overall objective is to achieve regulatory compliance as well as put in place an environment which increases the overall capacity of Apple to bear different risk shocks. Bibliography 1. California, U. o. (2008). Understanding Internal Controls. California: University of California. 2. COSO. (2003). COSO Framework Description. Retrieved November 17, 2008, from http://www.knowledgeleader.com: http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/ChecklistsGuidesCOSODescription!OpenDocument 3. Gauthier, S. J. (2005, April). From internal control to enterprise risk management. Retrieved November 17, 2008, from Government Financial Review: http://www.entrepreneur.com/tradejournals/article/131788474.html 4. Olson, D. L., & Wu, D. D. (2005). Enterprise Risk Management. New York: World Scientific. Read More