Many businesses, enterprises, and other organizations implement internal business controls to minimize the risk of injury, damage, or other losses caused by business processes. For instance, to reduce the likelihood of potential fraud in financial reporting for public companies and external auditors, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) recommends that entities adopt internal controls to provide reasonable assurances regarding the achievement of various business objectives. The controls may be determined by an entity's board of directors, management, or other personnel, and may relate to the effectiveness and efficiency of operations, reliability of financial reporting, or compliance with applicable laws and regulations, among other things. In response to changing economic trends, highly public corporate scandals, and increasing government regulation, controls have become critical to running an efficient and effective enterprise. For example, in a sluggish economy, controls may be designed to reduce or minimize losses or overhead, so that profits can increase without substantial revenue growth. Further, controls may be used to alert managers, analysts, regulators, or shareholders when problems occur, such that the problems can be dealt with before metastasizing into a corporate scandal.
Furthermore, controls can be useful in ensuring availability of documentation and proof of compliance with government regulation. For example, under the Sarbanes-Oxley Act, senior managers must certify their responsibility for disclosure controls and procedures, produce a control report, provide real-time disclosures of material events, and certify the accuracy of financial statements, among other things. For many organizations, initial efforts to comply with Sarbanes-Oxley were often associated with large amounts of manpower, tedious manual processes, and other costly and time-consuming approaches. As such, the rigorous regulatory requirements have resulted in many organizations implementing new processes for documenting, testing, remediating, monitoring, and otherwise managing controls.
Implementing controls, however, presents a separate set of issues from subsequently ensuring actual control compliance. For instance, in many large businesses, enterprises, or other organizations, controls tend to apply within an organization (e.g., across organizational boundaries), as well as between organizations (e.g., between a company and its external auditor). As such, controls compliance can be viewed as a business problem with multiple stakeholders, including corporate executives, business process owners, internal auditors, and external auditors, among others. Although controls compliance is a business problem by nature, information technology plays a significant role when organizations manage controls using various enterprise systems or software applications (e.g., an organization may have systems or applications for Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Identity Management (IDM), Business Process Management (BPM), or Customer Relationship Management (CRM), among various others).
The systems and applications used by any given organization, however, may be highly heterogeneous. For example, systems and applications for managing an enterprise may often be provided by different vendors (e.g., Oracle®, PeopleSoft®, Siebel®, SAP®, etc.), each of which may be associated with unique, complex, or proprietary aspects that require specialists to administer or decipher. An effective and successful cross-functional operation, however, requires an open and collaborative communication solution. When all parties operate with the same information and the same guidelines, the chances for efficiency and accuracy can be greatly enhanced.
Further, as outlined in COSO's Internal Control Framework, and as required by Sarbanes-Oxley, organizations must monitor and attest to the reliability of their internal controls. When organizations have multiple, complex enterprise systems or applications to assess, each of which may generate substantial volumes of data, ongoing regulatory compliance becomes costly and time-consuming, potentially introducing risks of significant drops in shareholder value, or even criminal liability.