At the core of business management are the rules, practices and processes that define how your organization is directed, operated and controlled. This system, known as corporate governance, is aimed at creating more ethical business practices by aligning the interest of your organization’s stakeholders. In today’s business environment, the more ethical-and transparent-your organization is about its corporate governance practices, the more financially viable it will be.
One of the most important components of effective corporate governance is enterprise risk management (ERM), or the program your organization puts in place to identify, analyze, prioritize and mitigate risks. Determining the level of risk that comes along with certain business operations is not only important, but it’s also mandatory in the case of regulatory compliance.
In this article, we’ll take a closer look at corporate governance, including some of the mechanisms your organization can implement to reduce any inefficiencies or incidents that might arise. Armed with this knowledge, your organization will be better positioned to start on the worry-free path toward an effective and efficient risk management system.
What are the Mechanisms of Corporate Governance?
Corporate governance is the act of directing, controlling, and evaluating your organization. It includes setting forth your organization’s governance structures and principles by a supervisory board to identify the distribution of rights and responsibilities among different stakeholders, and to cultivate a company culture of integrity.
At its foundation, corporate governance is necessary because it helps manage any potential conflicts of interest between shareholders and company management, or among shareholders. However, unlike the day-to-day operational management of the company by your full-time executives and employees, corporate governance has more to do with what the board members of your company do, including how the board sets the values of your company.
Establishing the values, rights and responsibilities of your organization is a critical step in decision making, but you also need to consider how you will enforce that code of conduct after you’ve created it. To do so, your organization should use both external and internal corporate governance control mechanisms designed to protect your assets from incidents, reduce any inefficiencies that might arise, and to support your overall business objectives.
External Mechanisms of Corporate Governance
External control mechanisms are those controlled by entities outside your organization such as regulators, governments, trade unions and financial institutions. Most of the time, the objectives of external control mechanisms are to assess adequate debt management and legal compliance and are often imposed on organizations by external stakeholders in the forms of union contracts or regulatory guidelines.
To determine regulatory compliance, many organizations must undergo an independent audit as part of the evaluation of the overall corporate governance structure.
Independent Audits
An important part of regulatory compliance and another important external mechanism is that of the independent audit. During an independent audit, an external auditor is responsible for reviewing the financial statements of your organization and issuing an opinion as to their reliability.
In most cases, an independent audit serves both your internal and external stakeholders by helping investors, employees, shareholders and regulators determine the financial performance of your organization. An external audit can also give you a broad view of your organization’s internal working mechanisms and its future outlook.
In addition to external audits, regulatory bodies may also suggest guidelines for best practices, and organizations can choose whether or not to follow them. Typically, organizations report their compliance status to external stakeholders. One such compliance regulation is the Sarbanes-Oxley Act (SOX), which was enacted in 2002 following the scandals surrounding Enron and MCI (formerly WorldCom).
SOX Compliance
Today, all public companies in the United States are obligated to comply with SOX, which was created to provide greater accuracy and transparency of corporate disclosures in financial statements and to safeguard investors from fraudulent accounting practices through effective risk management.
To demonstrate SOX compliance, your organization will need to submit proof, annually, of all risk controls during an external audit. While the cost of SOX compliance varies from organization to organization, you can expect to spend $500,000 to $1 million on compliance efforts and audits-an investment that’s much lower than the penalties associated with non-compliance.
Because SOX compliance is not optional for public companies in the US, ignoring the SOX compliance process can cause a variety of problems for organizations. Not only do SEC enforcement actions cost time and money, but they also potentially result in fines that run into figures in the millions of dollars.
In addition to avoiding legal fines and penalties, some of the benefits of SOX compliance include more robust internal controls and greater public confidence, and less opportunity for financial fraud or other suspicious activity by employees or stakeholders.
Internal Mechanisms of Corporate Governance
While external mechanisms of corporate governance are undoubtedly important, the foremost sets of controls for your organization are the internal mechanisms you use to monitor the progress and activities of your organization, and take corrective actions when your business goes off track.
Internal control mechanisms aim to serve the internal objectives of your organization and its internal stakeholders. Typically, these objectives include smooth business operations, clearly defined reporting lines and performance measurement systems.
Ideally, your internal corporate governance mechanisms will maintain your organization’s larger internal control fabric-the policies, procedures, and technical safeguards that protect your organization’s assets by preventing errors and inappropriate action.
In a similar fashion to the external audits used by regulatory bodies to determine compliance, your organization can also conduct internal audits to determine the effectiveness of internal controls.
Even if regulatory compliance isn’t required for your organization, assigning an internal auditor to assess whether your control mechanisms are meeting regulatory requirements is a good place to start.
Fortunately, your organization doesn’t have to come up with your own system of internal controls entirely on its own. The Internal Control-Integrated Framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), defines five necessary components for designing a sound internal control structure:
- Internal control environment
- Risk assessment
- Internal control activities
- Information and communication
- Monitoring
Within COSO’s framework, each of these five key components of internal control includes principles with supporting points of focus to help with designing, implementing, conducting, monitoring, and assessing internal control processes.
In the next section, we’ll discuss how internal controls can help your organization improve its corporate governance and introduce some of the most effective internal controls for corporate governance.
What is the Role of Internal Control in Corporate Governance?
To refresh, internal controls are the policies, procedures, and technical safeguards that protect your organization’s assets by preventing errors and inappropriate action. They’re the more practical aspect of corporate governance-the ways in which your organization ensures compliance with its own moral code.
When it comes to corporate governance, internal controls can help your organization monitor activities and then take corrective actions to accomplish your organizational goals. Typically, internal control procedures are implemented by your organization’s board of directors, audit committee, management, and any other personnel to provide reasonable assurance that you’re meeting your objectives related to reliable financial reporting, efficient operations, and compliance with laws and regulations.
To ensure your organization adheres to corporate governance guidelines, internal control activities also help produce an audit trail that can be followed during both internal and external audits. Ultimately, both money and information should have a clear path through your organization-with good internal controls, that path can easily be re-traced.
For example, one of the compliance requirements for SOX compliance specified in Section 404 is that of the Management Assessment of Internal Controls. 404(a), which applies to all publicly traded companies, requires management to certify whether internal controls over financial reporting (ICFR) are or are not effective and, if not, why.
A clear audit trail will not only help your organization achieve and maintain SOX compliance, but it will also allow your shareholders to feel more confident about their investments and your customers to feel more confident about the goods or services they’ve purchased. When organizations can show proof of good corporate governance via internal controls, they’re often more successful.
The goals of internal corporate governance controls usually include:
- Safeguarding assets: internal controls help prevent asset loss due to mistakes or fraud.
- Minimizing errors: internal controls ensure that financial information is carefully reviewed to reduce errors.
- Promoting efficiency: internal controls prevent mistakes, which improves efficiency in the long run.
- Minimizing risk: internal control procedures may include regular risk assessments to find areas where inaccuracies are occurring to improve those areas.
To meet these goals and more, your organization may engage in several internal control activities, which fall into three broad categories: preventative, detective, and corrective. While detective controls seek to understand incidents once they have occurred, corrective controls take corrective action to remedy those vulnerabilities, and preventative controls actually attempt to prevent those risks from occurring in the first place.
Now that we’ve established how internal controls play a role in corporate governance, it’s time to introduce the types of internal controls that can best help your organization with its corporate governance.
What are the Procedures for Internal Control of Corporate Governance?
To be most effective, internal corporate governance controls rely on the responsibilities of your organization’s stakeholders for proper execution. While the board of directors are responsible for setting the values, rights and responsibilities and the corresponding internal controls that will help promote these activities; management is responsible for maintaining the system of internal control and communicating the expectations and duties to staff. In return, staff and operating personnel are responsible for carrying out those internal control activities set forth by management.
Here are some of the most common procedures for internal control used in corporate governance today:
Authorization
Authorization is a process that involves establishing a basis by which various employees have the authority to execute certain types of transactions and serves as a proactive approach for preventing invalid transactions.
This includes approval authority requirements which require specific managers to authorize certain types of transactions, adding a layer of responsibility to your records systems by providing that the transactions have been seen, analyzed, and approved by the appropriate authorities.
Documentation
Documentation includes paper and electronic communication that supports the completion of the transaction lifecycle. It’s anything that provides evidence of a transaction, who has performed each activity pertaining to the transaction, and the authority to perform such activities.
Documents provide a financial record of events and activities, and therefore, they ensure the accuracy and completeness of transactions. This includes expenses, revenues, inventories, personnel, and other types of transactions. The proper documentation can provide evidence of what has transpired as well as providing information for researching any discrepancies.
Standardized documentation used for financial transactions can help your organization maintain its consistency in record keeping over time, and it can also make it easier to review past records when searching for the source of a discrepancy in your system. Ultimately, a lack of documentation standardization can lead to overlooking or misinterpreting important information.
Reconciliation
Reconciliation is the process of comparing transactions and activities with supporting documentation and involves resolving any discrepancies that have been discovered. Occasional reconciliation ensures that the balances in your system match up with the balances in the systems held by other entities, including banks, suppliers, and credit customers.
A good internal control system should provide a mechanism to verify that transactions and activities are for the correct purposes and amounts, and that they are allowable. Any errors or discrepancies, whether intentional or unintentional, should be detected, investigated and resolved as quickly as possible.
Security
The security of your assets and data includes three different types of safeguards: administrative, physical and technical. Administrative security focuses on the departmental processes that are put in place to protect assets and data. Physical security is the protection of physical data and assets from loss by theft or damage. Technical security is the protection of electronic data loss by theft, damage, or loss in transport.
Ideally, assets and data should be kept secure at all times to prevent unauthorized access, loss, or damage. The security of your assets and data is essential for ongoing operations, accuracy of information, privacy of personal and sensitive information, and in many cases is state or federal law.
Segregation of Duties
Segregation of duties is the means by which no one person has sole control over the lifespan of a transaction. According to the American Institute of Certified Public Accountants (CPA), segregation of duties means “shared responsibilities of a key process that disperse the critical functions of that process to more than one person or department” to reduce the risk of fraud and errors.
Ideally, no one person should be able to initiate, record, authorize and reconcile a transaction. All organizations should separate functional responsibilities to assure that mistakes, intentional or otherwise, cannot be made without being discovered by another person.
Primary incompatible responsibilities that must be separated are:
- Performing transactions
- Authorization or acceptance.
- Reconciliations.
- Asset custodianship.
The segregation of duties will ultimately depend on the side of your organization and its structure. Duties may be segregated by department or by individuals within a department, and the level of risk associated with a transaction should determine the method for segregating duties.
Improve Your Internal Controls with Reciprocity ZenRisk
Across industries, the only thing that all internal control schemes have in common is the arduous documentation and reporting that come with them. If your organization is using spreadsheets to manage your compliance requirements, it’s time to consider another option.
Reciprocity® ZenRisk is an integrated cybersecurity risk management solution designed to provide you with actionable insights to gain the visibility you need to stay ahead of threats and clearly communicate the impact of risk on high-priority business initiatives. Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats and controls for you, so you can spend less time setting up the application and more time using it.
A single, real-time view of risk and business context allows you to clearly communicate to the board and key stakeholders in a way that’s framed around their priorities, keeping your risk posture in sync with the direction your business is moving.
ZenRisk will even notify you automatically of any changes or required actions, so you can be on top of your risk posture like never before. Eliminate time-consuming, manual work and streamline collaboration by automating workflows and integrating with your most critical systems.
Plus, Reciprocity ZenRisk is seamlessly integrated with Reciprocity ZenComply so you can leverage your compliance activities to improve your risk posture with the use of AI. Built on the ZenGRC, the Reciprocity product suite gives you the ability to see, understand and take action on your IT and cyber risks.
Now, through a more proactive approach, you can give time back to your team with Reciprocity ZenRisk. Talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization mitigate cybersecurity risk and stay ahead of threats.