Internal control matters...again: Motorola's senior vice president and controller tells Financial Executives Research Foundation (FERF) how "COSO" recommendations--published a decade ago--helped his firm improve its system. (Governance).
In 1979, following enactment of the Foreign Corrupt Practices Act (FCPA), the SEC proposed rules that would have required a company to annually disclose certain information about its internal accounting controls. This proposal was criticized, and the SEC backed down and allowed the private sector to develop its own initiative.
In 1988, following the recommendations of the Treadway Commission, the SEC proposed rules mandating that companies include in their annual reports a section on management's responsibility for the company's internal control system, and an assessment of its effectiveness. But again, the SEC allowed the private sector to promote its own recommendations, which were published in 1992 by the Committee of Sponsoring Organizations (COSO) as Internal Control -- Integrated Framework.
Then, in 2002, Section 404 of the Sarbanes-Oxley Act directed the SEC to prescribe rules requiring annual reports to contain an internal control report. The SEC responded with proposed rule 33-8138, "Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002." (The SEC approved final rules in late May.) The proposal referred to the COSO framework, which, in turn, drove many executives to purchase copies, while wondering how to implement the framework. (For more on COSO and its publications, see "Resources" on page 62.).
With internal control at the forefront again, one exemplary company is Motorola Inc. FERF has long had an interest in Motorola's management style, having featured the firm as a case-study company in a 1993 publication, Finance in the Quality Revolution. One of the earliest U.S. quality pioneers, Motorola -- a winner of the 1988 Malcolm Baldrige National Quality Award the first year it was offered -- remains one of the few large companies to have won the award for company-wide activities.
Motorola was again featured in FERF's 1995 publication, Reengineering the Finance Function, which described how Motorola applied Six Sigma principles to the monthly closing process. "Six Sigma" is a statistical measure of "virtual perfection" (picture the far-end of the tail of a bell curve), and represents a defect rate of only 3.4 errors per million opportunities.
Since the research studies referred to above were published while Ken Johnson was vice president and corporate controller, to gather some guidance on current internal control practices, FERF spoke with Tony Knapp, the senior vice president and controller who succeeded Johnson in 1998.
Knapp says the company has had a formal statement of company policy on internal control since 1979, when Motorola's Standards of Internal Control (known internally as "SIC") were developed to document its continued commitment to compliance with laws and regulations, reliable operational and financial reporting and integrity of business activities and records. He notes that the SIC are just one component of Motorola's system of internal control -- which also includes financial and human resource policies, audit and internal control functions, business ethics compliance committees, the audit committee of the board, financial and operating management, self audits and the Motorola code of business conduct.
"When Internal Control -- Integrated Framework was first published, we decided to integrate its self-assessment procedures into the SIC," explains Knapp. "Ken [Johnson] had been on a COSO advisory council, and he saw the value of the framework. We evaluated and made updates to include the relevant portions of COSO in the 1994 update of the SIC."
It is key to note that the SIC were already part of the Motorola culture and the basis for internal audits. The reissued controls, which incorporated COSO, were not just another management fad or a new level of bureaucracy. COSO just took the standards to the next level. After 1994, managers used the reissued SIC as a basis for their own self-audits.
The SIC of 2003 are not a static document, Knapp says. They have been updated regularly, and are now promulgated as a Web-based, 129-page document that provides standards for just about every business process at Motorola as the company continually looks to improve and update the SIC for changing business models.
For ease of implementation and evaluation, Motorola divides its processes into 13 business cycles (see chart). Each cycle includes a number of functions. Then, for each procedure (or transaction) within each function, both the standard and the corresponding risk (if the standard is not achieved) are spelled out. For example, order entry/edit is the first function within the revenue cycle - the first business cycle. The first standard for order entry/edit is: Orders must be recorded only on the basis of customer purchase orders or other evidence that documents the customer's initiation of the order. The corresponding risk (if the standard is not achieved) is: Products may be manufactured and shipped or services performed without a valid customer commitment.
Knapp is emphatic that the use of the SIC is good business, and not just another level of bureaucracy. "Because the SIC have helped us automate controls -- adding important checks and balances -- they have helped us cut costs and improve business processes."
Internal Audit's Involvement
Back in 1992, internal audit took the lead in revising the SIC based on the COSO framework. Today, Motorola's internal audit department is involved in the design of every major new system. From the design phase to planning to implementation, internal audit is asked to look at the standards and risks, and audit how controls are built into the system. Internal audit also supports the flowcharting and documentation.
With all of its SIC documentation in place, it appears that Motorola is well prepared for the internal control report that will be required by Section 404 of the Sarbanes-Oxley Act. "While we have done a lot of the work, there is always room for improvement, and Sarbanes-Oxley requires another level of documentation, as well as more frequent testing," says Knapp.
"In addition, if you change a system, you will have to redo the flowchart, and you may need to add another control that will need to be documented," he adds. "Processes and systems are changed every time we reorganize, acquire a company or change our business model." For instance, when considering a function such as outsourcing, think of all the associated risks and all of the processes that need to be documented.
So, how is Sarbanes-Oxley's Section 404 viewed by Motorola's finance team? "We are viewing 404 as an opportunity to enhance the value of our internal control framework and make our business processes more efficient. Ultimately, I think that this whole process will help us revitalize our commitment to Six Sigma quality," says Knapp.
RELATED ARTICLE: Business Cycles at Motorola Inc.
Computer Systems Controls
William M. Sinnett (email@example.com) is Manager of Research for Financial Executives Research Foundation (FERF).
|Title Annotation:||Committee of Sponsoring Organizations|
|Author:||Sinnett, William M.|
|Date:||Jul 1, 2003|