...

Research on Internal Control of China Enterprise Based on IT

by user

on
Category: Documents
47

views

Report

Comments

Transcript

Research on Internal Control of China Enterprise Based on IT
Research on Internal Control of China Enterprise Based on IT
WANG Hailin
Accounting School, Capital University of Economy and Business, China, 100192
[email protected]
Abstract: This article has made research on the internal control based on Information Technology. It
firstly analyzes the influence of information technology upon internal control, defines the IT control and
control based on IT, introduce the enterprise internal control criterions of China. Then puts forward the
internal control system based on IT, analyzes the components and the mechanism of this system, and
give the conclusion. The innovation of the article includes the following: IT control is different from
control based on IT, the internal control of enterprise in China should include internal control system,
the project implementation of the internal control and the evaluation of the internal control.
Keywords: Internal Control, Model, IT, Control System, IT control
1 Introduction
The 17th National congress of communist party of China opened in October, 2007 indicated that
informationization is the necessary choice for our nation to realize modernization and industrialization
quickly, and informationization should be developed along with industrialization.
With the new opportunity of accelerating informationization in our nation, the enterprises must raise
their speed of informationization. When we have finished the IT infrastructure construction, basic
application of IT in enterprises business process and management, the problem and risk brought by IT
will come. The higher degree of informationization and more dependent on IT, the significant of these
problems, and control and management based on IT become more important.
In fact with the development of the application of informationization, the managers have already
attached importance to this problem. In December, 1989 the Ministry of Finance of China released the
first national administration statute about computerized accounting “some regulation of accounting
calculation software management”. In June,1994 and June, 1996 management methods of computerized
accounting , basic regulation of the function of accounting software, and regulation of computerized
accounting work were released successively ,which made up of the comprehensive statute system about
computerized accounting in China. In June, 2001 “the internal accounting control basic criterions”
released by the Ministry of Finance of China makes it clearly that electronic information technology is
one of the methods of internal accounting control. And it also asks enterprises to strengthen the control
of accounting electronic information system. In June and October, 2006 Shanghai and Shenzhen Stock
Exchange of China released guidelines on internal control of listed company respectively, which put
forward some requirements of internal control of compute information system. In March, 2007 the
Ministry of Finance of China released enterprise internal control criterions-draft, which sets up detailed
criterions of compute information system control. In may,2008 enterprise internal control basic
criterions of China was released, which asked that enterprises should strengthen internal control making
use of information technology, set up information system correspondence with operation and
management, promote the organic combination of internal control flow and information system, realize
the automatic control of businesses and affairs, and reduce or eliminate artificial elements.
The need for internal control of China’ enterprises and the external governance requirements have
promoted the enterprises to consider and emphasize the impact of informationization. Of course we
must notice that although the above criterions have make a great progress from only regulating
operation of accounting calculation software in early time to comprehensive regulating computer
information system control, they are nothing more than basic criterions which the enterprises should
obey and being only one part of the internal control based on IT. In the time when informationization is
deeply developed in enterprises it is necessary to research the internal control model comprehensively.
791
2 The General Concepts of internal control based on IT
2.1Internal Control
Many institutions and scholars have researched internal control and give its definition.In1992, COSO
(Committee of Sponsoring Organizations of the Treadway Commission)released the internal control
integrated framework. It may be one of the most authoritative literatures about internal control
nowadays. And it is generally accepted and adopted with the enterprises risk management framework
(refer as ERM framework in the infra article) released by COSO in 2004[8].
COSO internal control integrated framework holds1 that internal control is applied by board of directors,
manager and other personnel. It is a process which provides a reasonable insurance to achieve the
objectives such as efficiency and effect of operation, reliability of finance statements, Compliance with
applicable laws and regulations.
This framework put forward that an effective internal control system should include five inter-relevant
elements of control environment, risk assessment, control activities, information and communication,
monitoring. Though ERM framework is the framework of enterprises risk management it covers internal
control. It is the expansion and concretion of internal control. The ERM framework doesn’t redefine
internal control but affirms the effectiveness of the definition and framework in1992. And it also puts
forward eight elements of internal environment, objective setting, event identification, risk assessment,
risk responses, control activities, information and communication and monitoring, which make up of
enterprises’ comprehensive risk management.
Summing up the two frameworks, we can find the basic features of internal control:
(1)Internal control is a process, and it is a means of how to achieve the result but not the result itself.
(2)Internal control is affected by persons at every level of an organization but not merely policy
guidelines and forms.
(3)Internal control should be set up on the base of risk analysis. And risk identification and risk analysis
are the essential elements of an effective internal control.
(4)Only reasonable assurance, not absolute assurance should be acquired from internal control.
(5)Objectives are the driving factors of internal control. Internal control should be geared to the
objectives needed to achieve.
2.2 The influence of IT to Internal Control
From internal check to internal control system, internal control structure and then internal control
integrated framework and enterprises risk management integrated framework the theory research and
practical implementation of internal control has experienced the process from single scatter to
comprehensive integration.
There is no doubt that it has close relation with the change of social economy, management and
technology environment. The rapid development of modern Information Technology (IT) no doubt
accelerates the globalization of economy and makes the internal and external environment of enterprises
operation and the risk the enterprises face up with more complex and changeable. Thereby it promotes
the development of the internal control theory and practice forward.
Many scholars in China have discussed the influence of IT to internal control. There are two
representable views: Information technology change the enterprises’ internal and external environment
and put forward new challenge for internal control[2][4]. Information technology will make a fundamental
impact on the enterprises’ whole internal control. And the means of internal control will take place
fundamental revolution[5].
This article holds that the impact on internal control made by IT is no doubt. The degree of the influence
has close relation with the development of IT and changes with the change of IT. So we must analyze
this problem comprehensively, dynamically and detailedly.
2.2.1Contol environment
Control environment is a collecting of all kinds of elements that influence control. Environment is the
1
COSOconcept.htm www.coso.org
792
engine that can drive the enterprises’ development. And it is the base of setting up a control system for
the enterprises. The application of information technology special internet technology not only changes
the organization structure of enterprises and the distribution of responsibility and rights but also enables
enterprises from closeness to openness and changes the company operation mode greatly. And because
of it speed, flexibility, ability to respond have become the emphasis for enterprises evaluation, which
will affect the managers management idea, operating style, honesty and moral evaluation of staffs and
company culture in a long time. Of course the impact on control environment made by IT is different in
different enterprises and the degree of it is also different too.
2.2.2Control Objects
Control objects refers to what is controlled by internal control. It can be classified according to layer and
types. The application of IT makes the IT source which is made up of IT infrastructure, application
system, data and people a indispensable part of company management. And therefore the object of
internal control in corporation is added new content
2.2.3 Control Objectives
Control objectives refer to the objectives that internal control is intended to achieve. As IT resources are
becoming control objects, on the one hand ,the enterprises are required to considered IT when they
setting up internal control objectives at different layers such as the design of IT strategies ,managements
of IT resource in operation, the uses of information resource in business deal and the legitimation of
using information. On the other hand, the enterprises should consider making use of IT to enhance and
improve the efficiency and effectiveness of the using of enterprises’ resource and the reliability of
finance statement in order to that the control objectives can promote and guarantee the realization of the
company strategies and management objectives well.
2.2.4 Risk Assessment
Risk assessment is a process of identifying and analyzing the risk that influence the realization of
control objective. And it is the key element of an effective internal control framework. The application
of IT not only increased the risk of utilization and management IT resource but also have some new
problems. For example, the negative impact on business operation caused by the interruption of
information resource, the change in means of purchasing, marketing and service caused by technology
development. At the same time information technology can also cause change in managements’ control
mode, risk assessment mechanism as well as risk assessment deal in time. In all the impacts on risk
assessment made by the application of IT are significant
2.2.5 Control Activities
Control activities refer to the activities to realize control objective. They include policy, procedures,
methods, means and so on. Control activities can help the managers implement their actions to achieve
control objectives and deal with risk. The COSO internal control framework itself has consider the
impact on control activities made by IT. The control activities put forward by COSO include computer
control and it particularly analyzed the concrete information system control activities from the angle of
general control and application control. The application of IT has influence other control activities in
different degree besides increasing activities of information system control. The influence of IT
application is most directly reflected in control activities.
2.2.6 Information and Communication
Information and communication refers to the process to identify and acquire the internal and external
information relevant to managing the companies in a certain time and a certain form and then
communicate in the organization so that members can carry out control and other duties. The application
of IT directly changes the form of information acquiring, processing, transmitting, storing and searching.
So its influence on enterprises’ information and communication is very significant. It not only directly
obtain information for decision-making, use the decision information to control, greatly improves the
quality and quantity of information, change the channel and method of communication and expand the
scope of management and control but also provide conditions and possibility for the integration of
organization strategy and operation , thereby promote the realization of company goal.
2.2.7 Monitoring
Monitoring means the tracking, supervision and regulation of internal control system and its running. IT
793
increases channels of monitoring, changes the way of supervision so that real-time tracking, monitoring
and regulating become possible. That supply conditions for finding problems in internal control system
and its implementation in time and then correcting and improving it.
2.3 General Concepts of internal control based on IT
Although the impact on internal control by IT reflecting in various aspects, this article holds that even
utilizing IT the impact doesn’t change the essence of internal control. So internal control based on IT
still refers to the process implemented by boarder of directors, managers, and other staffs to provide
reasonable guarantee for achieving control objective.
But because of the matter of internal control having changed, now according to control objects internal
control can be described in two categories: IT control and the control based on IT. IT control means the
control to IT resource by the entity in order to ensure that the business objectives to met with manual or
technical methods. The remainder part except IT control is regarded as control based on IT. According to
this definition the following internal activities belong to IT control.
(1)The control to IT resource by the entity with manual methods, technologies and procedures.
(2)The control to IT resource by the entity with information technology methods, technologies and
procedures.
With the deepening application of information technology enterprises’ businesses depend on information
system more and more. The status of IT control in internal control is becoming more and more
important. What should be noticed is that the application of information technology has different stages,
and in different stages IT control has different characteristics.2
(1)Orient to transaction. In this stage IT control is limited in a transaction or a department. And the
manual control is the main control means. Most of the control occurred after risk event. In this stage the
risks are comparatively simple and the risk assessment capability of information system is weak. So IT
control is not very important.
(2)Orient to management. In this stage the scope of IT control has expanded into the whole enterprise.
The control methods emphasize the combination of automatic and manual control. The control occurred
before event and real-time control have been realized. The risk factors that the enterprises face up with
are complex. The risk loss becomes severe. The risk assessments of information system are very
important. And In this stage the control flow are asked to integrate with business flow. The importance
of IT control is improved.
(3)Orient to decision. On the base of last stage IT control of this stage develops. The control scope has
expanded from the internal of the enterprises to the external of enterprises. This stage emphasizes the
random control with decision-supporting. The control environment has broken the boundaries of
enterprises. The coordination among enterprises in one value chain and self-discipline of each enterprise
become very important for achieving the control objectives.
Based on last categories Enterprises should give full consideration to their own level of
informationization development. The meaning is that enterprises can set up an appropriate control
system according to their own condition so that they can avoid control excess due to pursuing
comprehensive control or control defect due to pursuing simple control, both of which are unable to
ensure that control objective to met.
3 Main criterions for China’s enterprises to carry out
In May, 2008 the Ministry of Finance of China released enterprise internal control basic criterions with
China Securities Regulatory Commission, Administration of Audit, China Banking Regulatory
Commission and China Insurance Regulatory Commission. The criterion asked the listed companies to
implement from July 1, 2009. And the non-public large and medium-sized companies are encouraged to
carry out the criterion. The notice asked that the companies should evaluate the effectiveness of its
internal control, disclose annual self-evaluation report and may engage accounting firm with securities
2
This paper adopt the view of James Martin
794
and futures business qualification to audit the effectiveness of the report. The criterion has learned from
the COSO framework and it is the basic criterion for the public companies to implement.
In fact any framework and criterion only supply a beginning of evaluating the internal control for every
entity and of the future activities and educations for the rule-making institution. When enterprises set up
their internal control they must first consider from the whole of the company, obey the laws and
regulations about internal control and learn from the internal control framework and practical experience
domestic and abroad. So they can build a series of comprehensive, systematic, standardized, auditable
and sustainable improved internal control system based on IT.
4 The component of internal control system based on IT
4.1The Internal Control system
Internal control system refers to an organic integration with specific function which consists of all the
interaction and interdependent control elements according to certain rules and structures to achieve
certain internal control objectives. The criterions the enterprises need to carry out belong to this system.
What should be noticed is however high the automatic degree of IT environment the internal control
system is not an absolute real-time control system on the whole. The system should be made up of four
elements: standard subsystem, analysis subsystem of risk, diagnostic subsystem and interactive control
subsystem. Figure 1 describes the mechanism of internal control.
Figure 1 Components of supply chain control system and their working mechanism
4.2 The project implementation of the internal control
The project implementation of the internal control is to implement and carry out the internal control
system. If we said internal control system mainly solve the problem of what to do then the
implementation of internal control system mainly solve the problem of how to do. Many internal control
frameworks and criterions give operation guidelines or application directions as well. But only part of
these can be regarded as references for implementation of internal control system most of these should
be attributed into internal control system part.
Whether the performance of internal control system succeeds or fails, it directly concerns the
effectiveness of internal control and the achievement of internal control. We should accept that many
problems of building the internal control is not from internal control system itself but from its
performance. So for the enterprises the status of internal control performance is as important as that of
internal control system itself. Both of them should be emphasized equally.
This article holds that engineering should be introduced into the implementation of internal control
system. To make use of engineering techniques and methods perform internal control system, so that to
improve the quality of internal control implementation.
795
4.3 The evaluation of the internal control
The evaluation of the internal control is implemented by the board of directors and managers. It is the
process to evaluate the effectiveness of the enterprises’ internal control system and its implementation,
form the evaluation conclusion and release the evaluation report. The effectiveness of the internal
control system refers to that the internal control system designed by enterprises can provide reasonable
guarantee for achieving the control objective. The effectiveness of the implementation of the internal
control system refers to that the internal control system is carried out correctly and reaches the expected
goal.
The goal of control for evaluation should be detailed, refined and quantified into the detailed standard
that can be performed. The evaluation organizations design detailed evaluation programs to evaluate the
internal control system and its performance respectively. And then give the evaluation conclusion. In
this course the evaluation organizations should analyze the risk level of the evaluation itself at the same
time. Not all the enterprises’ internal control must and be able to reach the same level. So this article
holds that the evaluation of the internal control should be based on the promise of different levels of
internal control capability. Through classifying the internal control capability into different levels and set
up its standard for evaluation we are able to know about and grasp an enterprise’ overall level of the
internal control.
5 Conclusion
This article holds that the impact on internal control made by IT is no doubt. Nut this influence doesn’t
change the essence of internal control. The internal control of enterprise in China should include three
parts: internal control system, the project implementation of the internal control and the evaluation of
the internal control. The setting up of the internal control system can use laws and regulations, such as
the Enterprise Internal Control Basic Criterions of China, COSO, COBIT, etc. for reference. The
performance of the internal control should make use of the management thinking and the methods of
engineering to improve the quality of the internal control. In order to know about and grasp the level of
the enterprise’ internal control, the internal control capability level should be introduced into the
evaluation of the internal control.
References
[1]. Wang hailin. Supply Chain Control Model: A Cybernetics Based Approach, 2008 IEEE
International Conference on Service Operations and Logistics, and Informatics, vols1and
2:2469~2474
[2]. Yang zhounan. Discussing the ISCA Model of Accounting Management System, Accounting
Research,2003(10):67~68(In Chinese)
[3]. Yang zhounan. Research on the influence and countermeasure of computer information transact
condition to accounting, Beijing: Chinese Finance and Economy Press, 2002:97 106(In Chinese)
[4]. Liu zhiyuan, Liu jie. The internal control based on information technology, Accounting Research,
2001(12): 32 36(In Chinese)
[5]. Zhang Tiesheng. The internal control criterions based on information technology: international
practice and revelation, Accounting Research,2007(7):29 35(In Chinese)
[6]. [ISO/IEC TR 17799:2000] Information security Management-Code of Practice for Information
Security Management
[7]. “Enterprise Risk Management – Integrated Framework”, COSO, 2004, www.COSO.org.
[8]. Definition of Internal Control, COSO, www.COSO.org
~
~
~
796
Fly UP