Research on Internal Control of China Enterprise Based on IT
by user
Comments
Transcript
Research on Internal Control of China Enterprise Based on IT
Research on Internal Control of China Enterprise Based on IT WANG Hailin Accounting School, Capital University of Economy and Business, China, 100192 [email protected] Abstract: This article has made research on the internal control based on Information Technology. It firstly analyzes the influence of information technology upon internal control, defines the IT control and control based on IT, introduce the enterprise internal control criterions of China. Then puts forward the internal control system based on IT, analyzes the components and the mechanism of this system, and give the conclusion. The innovation of the article includes the following: IT control is different from control based on IT, the internal control of enterprise in China should include internal control system, the project implementation of the internal control and the evaluation of the internal control. Keywords: Internal Control, Model, IT, Control System, IT control 1 Introduction The 17th National congress of communist party of China opened in October, 2007 indicated that informationization is the necessary choice for our nation to realize modernization and industrialization quickly, and informationization should be developed along with industrialization. With the new opportunity of accelerating informationization in our nation, the enterprises must raise their speed of informationization. When we have finished the IT infrastructure construction, basic application of IT in enterprises business process and management, the problem and risk brought by IT will come. The higher degree of informationization and more dependent on IT, the significant of these problems, and control and management based on IT become more important. In fact with the development of the application of informationization, the managers have already attached importance to this problem. In December, 1989 the Ministry of Finance of China released the first national administration statute about computerized accounting “some regulation of accounting calculation software management”. In June,1994 and June, 1996 management methods of computerized accounting , basic regulation of the function of accounting software, and regulation of computerized accounting work were released successively ,which made up of the comprehensive statute system about computerized accounting in China. In June, 2001 “the internal accounting control basic criterions” released by the Ministry of Finance of China makes it clearly that electronic information technology is one of the methods of internal accounting control. And it also asks enterprises to strengthen the control of accounting electronic information system. In June and October, 2006 Shanghai and Shenzhen Stock Exchange of China released guidelines on internal control of listed company respectively, which put forward some requirements of internal control of compute information system. In March, 2007 the Ministry of Finance of China released enterprise internal control criterions-draft, which sets up detailed criterions of compute information system control. In may,2008 enterprise internal control basic criterions of China was released, which asked that enterprises should strengthen internal control making use of information technology, set up information system correspondence with operation and management, promote the organic combination of internal control flow and information system, realize the automatic control of businesses and affairs, and reduce or eliminate artificial elements. The need for internal control of China’ enterprises and the external governance requirements have promoted the enterprises to consider and emphasize the impact of informationization. Of course we must notice that although the above criterions have make a great progress from only regulating operation of accounting calculation software in early time to comprehensive regulating computer information system control, they are nothing more than basic criterions which the enterprises should obey and being only one part of the internal control based on IT. In the time when informationization is deeply developed in enterprises it is necessary to research the internal control model comprehensively. 791 2 The General Concepts of internal control based on IT 2.1Internal Control Many institutions and scholars have researched internal control and give its definition.In1992, COSO (Committee of Sponsoring Organizations of the Treadway Commission)released the internal control integrated framework. It may be one of the most authoritative literatures about internal control nowadays. And it is generally accepted and adopted with the enterprises risk management framework (refer as ERM framework in the infra article) released by COSO in 2004[8]. COSO internal control integrated framework holds1 that internal control is applied by board of directors, manager and other personnel. It is a process which provides a reasonable insurance to achieve the objectives such as efficiency and effect of operation, reliability of finance statements, Compliance with applicable laws and regulations. This framework put forward that an effective internal control system should include five inter-relevant elements of control environment, risk assessment, control activities, information and communication, monitoring. Though ERM framework is the framework of enterprises risk management it covers internal control. It is the expansion and concretion of internal control. The ERM framework doesn’t redefine internal control but affirms the effectiveness of the definition and framework in1992. And it also puts forward eight elements of internal environment, objective setting, event identification, risk assessment, risk responses, control activities, information and communication and monitoring, which make up of enterprises’ comprehensive risk management. Summing up the two frameworks, we can find the basic features of internal control: (1)Internal control is a process, and it is a means of how to achieve the result but not the result itself. (2)Internal control is affected by persons at every level of an organization but not merely policy guidelines and forms. (3)Internal control should be set up on the base of risk analysis. And risk identification and risk analysis are the essential elements of an effective internal control. (4)Only reasonable assurance, not absolute assurance should be acquired from internal control. (5)Objectives are the driving factors of internal control. Internal control should be geared to the objectives needed to achieve. 2.2 The influence of IT to Internal Control From internal check to internal control system, internal control structure and then internal control integrated framework and enterprises risk management integrated framework the theory research and practical implementation of internal control has experienced the process from single scatter to comprehensive integration. There is no doubt that it has close relation with the change of social economy, management and technology environment. The rapid development of modern Information Technology (IT) no doubt accelerates the globalization of economy and makes the internal and external environment of enterprises operation and the risk the enterprises face up with more complex and changeable. Thereby it promotes the development of the internal control theory and practice forward. Many scholars in China have discussed the influence of IT to internal control. There are two representable views: Information technology change the enterprises’ internal and external environment and put forward new challenge for internal control[2][4]. Information technology will make a fundamental impact on the enterprises’ whole internal control. And the means of internal control will take place fundamental revolution[5]. This article holds that the impact on internal control made by IT is no doubt. The degree of the influence has close relation with the development of IT and changes with the change of IT. So we must analyze this problem comprehensively, dynamically and detailedly. 2.2.1Contol environment Control environment is a collecting of all kinds of elements that influence control. Environment is the 1 COSOconcept.htm www.coso.org 792 engine that can drive the enterprises’ development. And it is the base of setting up a control system for the enterprises. The application of information technology special internet technology not only changes the organization structure of enterprises and the distribution of responsibility and rights but also enables enterprises from closeness to openness and changes the company operation mode greatly. And because of it speed, flexibility, ability to respond have become the emphasis for enterprises evaluation, which will affect the managers management idea, operating style, honesty and moral evaluation of staffs and company culture in a long time. Of course the impact on control environment made by IT is different in different enterprises and the degree of it is also different too. 2.2.2Control Objects Control objects refers to what is controlled by internal control. It can be classified according to layer and types. The application of IT makes the IT source which is made up of IT infrastructure, application system, data and people a indispensable part of company management. And therefore the object of internal control in corporation is added new content 2.2.3 Control Objectives Control objectives refer to the objectives that internal control is intended to achieve. As IT resources are becoming control objects, on the one hand ,the enterprises are required to considered IT when they setting up internal control objectives at different layers such as the design of IT strategies ,managements of IT resource in operation, the uses of information resource in business deal and the legitimation of using information. On the other hand, the enterprises should consider making use of IT to enhance and improve the efficiency and effectiveness of the using of enterprises’ resource and the reliability of finance statement in order to that the control objectives can promote and guarantee the realization of the company strategies and management objectives well. 2.2.4 Risk Assessment Risk assessment is a process of identifying and analyzing the risk that influence the realization of control objective. And it is the key element of an effective internal control framework. The application of IT not only increased the risk of utilization and management IT resource but also have some new problems. For example, the negative impact on business operation caused by the interruption of information resource, the change in means of purchasing, marketing and service caused by technology development. At the same time information technology can also cause change in managements’ control mode, risk assessment mechanism as well as risk assessment deal in time. In all the impacts on risk assessment made by the application of IT are significant 2.2.5 Control Activities Control activities refer to the activities to realize control objective. They include policy, procedures, methods, means and so on. Control activities can help the managers implement their actions to achieve control objectives and deal with risk. The COSO internal control framework itself has consider the impact on control activities made by IT. The control activities put forward by COSO include computer control and it particularly analyzed the concrete information system control activities from the angle of general control and application control. The application of IT has influence other control activities in different degree besides increasing activities of information system control. The influence of IT application is most directly reflected in control activities. 2.2.6 Information and Communication Information and communication refers to the process to identify and acquire the internal and external information relevant to managing the companies in a certain time and a certain form and then communicate in the organization so that members can carry out control and other duties. The application of IT directly changes the form of information acquiring, processing, transmitting, storing and searching. So its influence on enterprises’ information and communication is very significant. It not only directly obtain information for decision-making, use the decision information to control, greatly improves the quality and quantity of information, change the channel and method of communication and expand the scope of management and control but also provide conditions and possibility for the integration of organization strategy and operation , thereby promote the realization of company goal. 2.2.7 Monitoring Monitoring means the tracking, supervision and regulation of internal control system and its running. IT 793 increases channels of monitoring, changes the way of supervision so that real-time tracking, monitoring and regulating become possible. That supply conditions for finding problems in internal control system and its implementation in time and then correcting and improving it. 2.3 General Concepts of internal control based on IT Although the impact on internal control by IT reflecting in various aspects, this article holds that even utilizing IT the impact doesn’t change the essence of internal control. So internal control based on IT still refers to the process implemented by boarder of directors, managers, and other staffs to provide reasonable guarantee for achieving control objective. But because of the matter of internal control having changed, now according to control objects internal control can be described in two categories: IT control and the control based on IT. IT control means the control to IT resource by the entity in order to ensure that the business objectives to met with manual or technical methods. The remainder part except IT control is regarded as control based on IT. According to this definition the following internal activities belong to IT control. (1)The control to IT resource by the entity with manual methods, technologies and procedures. (2)The control to IT resource by the entity with information technology methods, technologies and procedures. With the deepening application of information technology enterprises’ businesses depend on information system more and more. The status of IT control in internal control is becoming more and more important. What should be noticed is that the application of information technology has different stages, and in different stages IT control has different characteristics.2 (1)Orient to transaction. In this stage IT control is limited in a transaction or a department. And the manual control is the main control means. Most of the control occurred after risk event. In this stage the risks are comparatively simple and the risk assessment capability of information system is weak. So IT control is not very important. (2)Orient to management. In this stage the scope of IT control has expanded into the whole enterprise. The control methods emphasize the combination of automatic and manual control. The control occurred before event and real-time control have been realized. The risk factors that the enterprises face up with are complex. The risk loss becomes severe. The risk assessments of information system are very important. And In this stage the control flow are asked to integrate with business flow. The importance of IT control is improved. (3)Orient to decision. On the base of last stage IT control of this stage develops. The control scope has expanded from the internal of the enterprises to the external of enterprises. This stage emphasizes the random control with decision-supporting. The control environment has broken the boundaries of enterprises. The coordination among enterprises in one value chain and self-discipline of each enterprise become very important for achieving the control objectives. Based on last categories Enterprises should give full consideration to their own level of informationization development. The meaning is that enterprises can set up an appropriate control system according to their own condition so that they can avoid control excess due to pursuing comprehensive control or control defect due to pursuing simple control, both of which are unable to ensure that control objective to met. 3 Main criterions for China’s enterprises to carry out In May, 2008 the Ministry of Finance of China released enterprise internal control basic criterions with China Securities Regulatory Commission, Administration of Audit, China Banking Regulatory Commission and China Insurance Regulatory Commission. The criterion asked the listed companies to implement from July 1, 2009. And the non-public large and medium-sized companies are encouraged to carry out the criterion. The notice asked that the companies should evaluate the effectiveness of its internal control, disclose annual self-evaluation report and may engage accounting firm with securities 2 This paper adopt the view of James Martin 794 and futures business qualification to audit the effectiveness of the report. The criterion has learned from the COSO framework and it is the basic criterion for the public companies to implement. In fact any framework and criterion only supply a beginning of evaluating the internal control for every entity and of the future activities and educations for the rule-making institution. When enterprises set up their internal control they must first consider from the whole of the company, obey the laws and regulations about internal control and learn from the internal control framework and practical experience domestic and abroad. So they can build a series of comprehensive, systematic, standardized, auditable and sustainable improved internal control system based on IT. 4 The component of internal control system based on IT 4.1The Internal Control system Internal control system refers to an organic integration with specific function which consists of all the interaction and interdependent control elements according to certain rules and structures to achieve certain internal control objectives. The criterions the enterprises need to carry out belong to this system. What should be noticed is however high the automatic degree of IT environment the internal control system is not an absolute real-time control system on the whole. The system should be made up of four elements: standard subsystem, analysis subsystem of risk, diagnostic subsystem and interactive control subsystem. Figure 1 describes the mechanism of internal control. Figure 1 Components of supply chain control system and their working mechanism 4.2 The project implementation of the internal control The project implementation of the internal control is to implement and carry out the internal control system. If we said internal control system mainly solve the problem of what to do then the implementation of internal control system mainly solve the problem of how to do. Many internal control frameworks and criterions give operation guidelines or application directions as well. But only part of these can be regarded as references for implementation of internal control system most of these should be attributed into internal control system part. Whether the performance of internal control system succeeds or fails, it directly concerns the effectiveness of internal control and the achievement of internal control. We should accept that many problems of building the internal control is not from internal control system itself but from its performance. So for the enterprises the status of internal control performance is as important as that of internal control system itself. Both of them should be emphasized equally. This article holds that engineering should be introduced into the implementation of internal control system. To make use of engineering techniques and methods perform internal control system, so that to improve the quality of internal control implementation. 795 4.3 The evaluation of the internal control The evaluation of the internal control is implemented by the board of directors and managers. It is the process to evaluate the effectiveness of the enterprises’ internal control system and its implementation, form the evaluation conclusion and release the evaluation report. The effectiveness of the internal control system refers to that the internal control system designed by enterprises can provide reasonable guarantee for achieving the control objective. The effectiveness of the implementation of the internal control system refers to that the internal control system is carried out correctly and reaches the expected goal. The goal of control for evaluation should be detailed, refined and quantified into the detailed standard that can be performed. The evaluation organizations design detailed evaluation programs to evaluate the internal control system and its performance respectively. And then give the evaluation conclusion. In this course the evaluation organizations should analyze the risk level of the evaluation itself at the same time. Not all the enterprises’ internal control must and be able to reach the same level. So this article holds that the evaluation of the internal control should be based on the promise of different levels of internal control capability. Through classifying the internal control capability into different levels and set up its standard for evaluation we are able to know about and grasp an enterprise’ overall level of the internal control. 5 Conclusion This article holds that the impact on internal control made by IT is no doubt. Nut this influence doesn’t change the essence of internal control. The internal control of enterprise in China should include three parts: internal control system, the project implementation of the internal control and the evaluation of the internal control. The setting up of the internal control system can use laws and regulations, such as the Enterprise Internal Control Basic Criterions of China, COSO, COBIT, etc. for reference. The performance of the internal control should make use of the management thinking and the methods of engineering to improve the quality of the internal control. In order to know about and grasp the level of the enterprise’ internal control, the internal control capability level should be introduced into the evaluation of the internal control. References [1]. Wang hailin. Supply Chain Control Model: A Cybernetics Based Approach, 2008 IEEE International Conference on Service Operations and Logistics, and Informatics, vols1and 2:2469~2474 [2]. Yang zhounan. Discussing the ISCA Model of Accounting Management System, Accounting Research,2003(10):67~68(In Chinese) [3]. Yang zhounan. Research on the influence and countermeasure of computer information transact condition to accounting, Beijing: Chinese Finance and Economy Press, 2002:97 106(In Chinese) [4]. Liu zhiyuan, Liu jie. The internal control based on information technology, Accounting Research, 2001(12): 32 36(In Chinese) [5]. Zhang Tiesheng. The internal control criterions based on information technology: international practice and revelation, Accounting Research,2007(7):29 35(In Chinese) [6]. [ISO/IEC TR 17799:2000] Information security Management-Code of Practice for Information Security Management [7]. “Enterprise Risk Management – Integrated Framework”, COSO, 2004, www.COSO.org. [8]. Definition of Internal Control, COSO, www.COSO.org ~ ~ ~ 796