
Corporate Compliance 1

Running Head: CORPORATE COMPLIANCE REPORT

Corporate Compliance Report

This paper discusses a plan to implement enterprise risk management, based on the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), within the General Services Administration (GSA) Public Buildings Service (PBS). GSA/PBS does not currently have an enterprise risk management plan and will consider the recommendations made by COSO. Although GSA/PBS is a federal agency and is not bound by the requirements of the Sarbanes-Oxley Act, it chooses to comply with the requirements of the Act and the recommendations of COSO.

Background

COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. COSO is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO has studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the Securities and Exchange Commission (SEC) and other regulators, and for educational institutions. COSO consists of representatives from the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA). The Commission is wholly independent of each of the sponsoring organizations and includes representatives from industry, public accounting, investment firms, and the New York Stock Exchange (Committee of Sponsoring Organizations of the Treadway Commission, 2007).

COSO provides a definition of internal control that includes five elements: control environment, risk assessment, control activities, information and communication, and monitoring. Of the five, the control environment may be the most critical and the most difficult to manage and evaluate. COSO defines the control environment as setting the tone of an organization and influencing the control awareness of its people. An effective control environment supports and strengthens the other control elements. In an effective control environment, employees know that doing the right thing is expected and will be supported by the senior leaders of the organization, even if it hurts the bottom line. In a weak control environment, control procedures are frequently overridden or ignored, providing an opportunity for fraud (Lightle, Castellano, and Cutting, 2007).

Audit Approach

Traditionally, auditors' assessments of the control environment have relied on questionnaires to senior management about whether management policies and procedures, such as a code of ethics, have been implemented. The problem with this approach is that it measures whether management has tried to create a sound environment, not how effective it has been in doing so. A more direct method of evaluating management's success in creating an environment of ethical behavior is for the auditors to survey the people who work in that environment. This approach places the focus on the message employees are actually receiving, not the one management thinks it is sending (Lightle et al., 2007).

COSO defines internal control as a process, effected by the board of directors, management, and other personnel, designed to provide reasonable assurance that objectives will be achieved. Controls should promote efficiency, reduce the risk of asset loss, and ensure the accuracy of financial statements as well as compliance with relevant laws and regulations (Koutoupis, 2007). Internal controls include policies, procedures, and practices at all organizational levels. Both management and auditors must have a thorough understanding of controls in order to create processes for documenting them. Regulatory requirements, professional guidelines, and company mandates are all reasons for internal auditors to develop control documentation skills. Auditors can assist management in determining which documentation methods might best serve organizational needs. Controls are required for all five COSO components (Koutoupis, 2007).

In addition to detailing risks and controls, control documentation needs to identify control objectives. These objectives are derived from regulatory directives and organizational objectives. Control objectives can be published in a variety of documents, including mission statements, strategic plans, business plans, and budgets, and address objectives such as completeness, accuracy, validity, and restricted access (Koutoupis, 2007). Internal control documentation can take many forms, including flowcharts, policy and procedure manuals, and narrative descriptions. Depending on the nature of the organization, control documentation may range from generic guidelines to detailed written policies and procedures. Risk and control matrices may be used for more specific analysis (Koutoupis, 2007).

Enterprise Risk Management

In light of the Enron case that led to Arthur Andersen's collapse, or the futures trader Nick Leeson's fictitious transactions, which in 1995 single-handedly brought down the 200-year-old Barings Bank, risk management today is regarded as one of the most critical corporate activities. While these highly publicized scandals may have contributed to making executives more risk averse, risk is a necessary part of executing business strategy. The challenge is how to align risk management with organizational strategy (Nagumo and Donlon, 2006). Risk is commonly defined as the likelihood that some factor or event will prevent an organization from achieving its objectives. Organizations face risks in the course of implementing strategy or operations (Nagumo and Donlon, 2006). Risk mitigation is part of the risk management plan, which includes anticipating problems, assigning each a probability of occurrence, and having a plan for avoidance or mitigation.

In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that managers could readily use to evaluate and improve their organizations' enterprise risk management. COSO developed the framework, providing key principles and concepts, a common language, and clear direction and guidance, to fill a widespread need for risk management tools (Steinberg, Martens, Everson & Nottingham, 2004). Among the regulatory outgrowths of the scandals of that period in the United States is the Sarbanes-Oxley Act of 2002, and similar legislation has been enacted or is being considered in other countries. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify, and the independent auditor to attest to, the effectiveness of those systems. The COSO Internal Control Integrated Framework, which continues to stand the test of time, serves as the broadly accepted standard for satisfying those reporting requirements (Steinberg et al., 2004).

The Enterprise Risk Management Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. It is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, so companies may look to the enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process. Among the most critical challenges for managers is determining how much risk the entity is prepared to accept, and does accept, as it strives to create value. The framework is intended to better enable them to meet this challenge. Enterprise risk management enables management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives. Enterprise risk management encompasses:

1. Aligning risk appetite and strategy. Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

2. Enhancing risk response decisions. Enterprise risk management provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance.

3. Reducing operational surprises and losses. Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

4. Identifying and managing multiple and cross-enterprise risks. Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.

5. Seizing opportunities. By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.

6. Improving deployment of capital. Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

These capabilities inherent in enterprise risk management help management achieve the entity's performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and its associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way (Steinberg, Martens, Everson & Nottingham, 2004).

There is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk management components, which represent what is needed to achieve them. The four objective categories are strategic, operations, reporting, and compliance. The eight components are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring (Nagumo and Donlon, 2006).

Effectiveness

Determining whether an entity's enterprise risk management is effective is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. Thus, the components are also criteria for effective enterprise risk management. For the components to be present and functioning properly, there can be no material weaknesses, and risk needs to have been brought within the entity's risk appetite (Nagumo and Donlon, 2006). When enterprise risk management is determined to be effective in each of the four categories of objectives, the board of directors and management have reasonable assurance that they understand the extent to which the entity's strategic and operations objectives are being achieved, that the entity's reporting is reliable, and that applicable laws and regulations are being followed (Nagumo and Donlon, 2006). The eight components will not function identically in every entity. Their application in small and mid-size entities, for example, may be less formal and less structured. Nonetheless, small entities can still have effective enterprise risk management, as long as each of the components is present and functioning properly (Nagumo and Donlon, 2006).

Limitations

While enterprise risk management provides important benefits, limitations exist. They result from the realities that human judgment in decision making can be faulty; that decisions on responding to risk and establishing controls must consider their relative costs and benefits; that breakdowns can occur because of human failures such as simple errors or mistakes; that controls can be circumvented by the collusion of two or more people; and that management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to the achievement of the entity's objectives (Nagumo and Donlon, 2006).

Recommendations for GSA/PBS

GSA/PBS currently operates in an environment where statutory requirements apply and policies and procedures exist to guide its processes. What the organization lacks is an independent auditor with knowledge of its legal requirements who can assist with the development of documentation methods and controls. It is recommended that a team be formed with representatives from the various parts of the organization, with a mission of reviewing existing processes and ensuring that they are being complied with. This review should also examine how success is measured. The team's reports will be provided to the senior executives of GSA/PBS with the goal of ensuring compliance with strategic plans. Identification of risk, including measures of probability and mitigation, should be included in the team's organizational assessment. This will require close coordination with the senior leaders of the organization to ensure there is a clear understanding of what level of risk the organization is prepared to assume, and to identify the consequences. It will be important for all areas of the organization to be included in this assessment and the resulting plan. The risk assessment will also include a review of the decision-making process to identify at what levels decisions can be made on any exceptions to compliance.

Conclusion

In today's competitive environment, every organization must be sure that compliance with statutory and regulatory requirements is part of its organizational structure. Oversight mechanisms are necessary to ensure that the processes are working, and adjustments may be required based on changes in the organization's internal and external environments. Accountability by employees at all levels of the organization is necessary and must be monitored. Auditors who are familiar with the requirements to be followed, as well as with best practices for ensuring compliance, should be utilized to be sure the plan is working.

References

Committee of Sponsoring Organizations of the Treadway Commission (2007). Retrieved from http://www.coso.org/.

Lightle, S.S., Castellano, J.F., & Cutting, B.T. (2007). Assessing the Control Environment. The Internal Auditor, 64(6), 51-54, 56, 8. Retrieved December 12, 2007, from ABI/INFORM Global database. (Document ID: 1397094121).

Koutoupis, A.G. (2007). Documenting Internal Controls. The Internal Auditor, 64(5), 23, 25, 27. Retrieved December 12, 2007, from ABI/INFORM Global database. (Document ID: 1368717221).

Nagumo, T., & Donlon, B.S. (2006). Integrating the Balanced Scorecard and COSO ERM Frameworks. Cost Management, 20(4), 20-30. Retrieved December 12, 2007, from ABI/INFORM Global database. (Document ID: 1081208531).

Sarbanes-Oxley Act. Public Law 107-204, 116 Stat. 745 (2002). Retrieved December 17, 2007, from http://support.lexis-nexis.com/lexiscom/record.asp?ArticleID=lexiscom_LEGIS_Sarbanes.

Steinberg, R.M., Martens, F.J., Everson, M.E.A., & Nottingham, L. (2004). Enterprise Risk Management: Integrated Framework. Retrieved December 12, 2007, from http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf.

Williams, K. (2007). COSO Releases Internal Control Discussion Document. Strategic Finance, 89(4), 15, 19. Retrieved December 12, 2007, from ABI/INFORM Global database. (Document ID: 1371086051).
