Week 7 - CH 8 Internal Controls (Tutorial)

The document discusses internal controls and IT governance. It provides discussion questions and explanations about the relationship between corporate and IT governance, why IT governance is important, how COSO and COBIT work together to help organizations achieve their objectives, stakeholders in corporate and IT governance, how COSO and COBIT are complementary, drivers for developing COBIT 5 and the importance of distinguishing governance from management.

Uploaded by

Odria Arshiana

TUTORIAL: BAP 71 AIS DISCUSSION QUESTIONS & PROBLEMS

Lecture Week: 7 Chapter 8: Internal Controls

DISCUSSION QUESTIONS

8.1 What is the relationship between corporate governance and IT governance?


IT governance is a subset of corporate governance. Corporate governance is the way that
organisations are managed and governed. Corporate governance should include the interests
of all stakeholders (not just shareholders), including individuals, organisations and society.
Corporate governance is about the many relationships in which an organisation is involved
and how those relationships, both internal and external to the organisation, are managed. IT
governance makes sure that the organisation uses IT in a way that is consistent with
organisational strategy.

8.2 Why is IT Governance so important?


IT governance is more important than ever because organisations rely on IT to achieve their
strategies and objectives. Organisations face increased scrutiny from shareholders and other
stakeholders about how accountability is established within the organisation. IT governance
matters because IT underpins all functions and processes of an organisation. IT governance
should provide assurance that IT investments generate the required business value and that
the risks associated with IT are identified and mitigated.

8.3 Explain how COSO and COBIT work together to help organisations achieve their
objectives.
COBIT 5 is a business framework for the governance and management of enterprise-wide IT.
COBIT 5 is designed to be used by organisations of all sizes, whether commercial, not-for-profit
or in the public sector. It is built on five overarching principles:

• Principle 1: Meeting stakeholder needs.
• Principle 2: Covering the enterprise end-to-end.
• Principle 3: Applying a single, integrated framework.
• Principle 4: Enabling a holistic approach.
• Principle 5: Separating governance from management.

These five principles enable the organisation to build an effective governance and
management framework, with governance the responsibility of the board and management
carried out under the leadership of the CEO.
COSO publishes frameworks for internal control and enterprise risk management, including
the prevention and detection of fraud. In practice COSO is used for the financial reporting
control framework and COBIT 5 is used for the IT control framework, so the two work together
to give an organisation coverage of both its financial and its IT controls.

8.4 Explain who the stakeholders are in corporate and IT governance and why.
The stakeholders in corporate governance and IT governance include shareholders,
individuals, organisations and society. Shareholders are important stakeholders because they
invest in the organisation. Shareholders need to have timely, accurate and complete
information to make investment decisions. Shareholders need to have confidence that
corporate and IT governance is taken seriously by the Board.
Another key stakeholder is the individual (who may also be a shareholder), for example an
employee. An employee may feel compromised if they are working in an environment that
does not practise good corporate and IT governance. A recent example is Volkswagen and
the emissions scandal, which was allowed to flourish because of a lack of corporate
governance (see http://www.nytimes.com/2015/09/25/business/international/problems-at-
volkswagen-start-in-the-boardroom.html?_r=0). Customers are affected if the quality of the
service or product is compromised. Ethical values and customer service are important for
achieving competitive advantage.
Organisations and governments are stakeholders in corporate and IT governance.
Governments collect taxes and make regulations to protect other stakeholders and ensure an
appropriate competitive environment. Suppliers and partners rely on organisations for
providing services and products. Creditors such as banks provide credit so are exposed if
corporate and IT governance is not sufficient.
There are other stakeholders such as the community or society that rely on organisations for
jobs and contributions to the community such as providing grants to worthy causes or
volunteering.

8.5 Explain how COSO and COBIT 5 are complementary and compatible.
Both frameworks have recently undergone major revisions (COBIT 5 in 2012 and the COSO
Internal Control – Integrated Framework in 2013), and COSO and ISACA consulted with each
other so that the two frameworks would be complementary and compatible. COSO is used
predominantly as the framework for financial reporting controls and COBIT is used
predominantly as the IT control framework. The COSO update places more emphasis on IT
than its predecessor did, with good reason, because IT is becoming much more important in
organisations.

8.6 Summarise the drivers for developing COBIT 5.


The drivers for developing COBIT 5 were:
1. To provide more stakeholders with the opportunity to have a say on the benefits and risks
of IT as well as the value derived from IT.
2. To address the increasing dependency of organisational success on external business and
IT, including partners, suppliers, outsourcers, cloud and other service providers.
3. Be able to deal with the vast amount of information. How do enterprises select the relevant
and credible information that will lead to effective and efficient business decisions?
4. Deal with much more pervasive IT; it is more and more an integral part of the business.
More people in the business, regardless of their position, will be involved in IT projects. IT
should be integrated into the business. IT needs to be an integral part of the business projects,
organisational structures, risk management, policies, skills and processes.

5. Provide further guidance in the area of innovation and emerging technologies; this is about
creativity, inventiveness, developing new products, making the existing products more
compelling to customers and reaching new types of customers.
6. Cover the full end-to-end business and IT functional responsibilities, and cover all aspects
that lead to effective governance and management of enterprise IT, such as organisational
structures, policies and culture, over and above processes.
7. Get better control over increasing user-initiated and user-controlled IT solutions.
8. Achieve organisational value creation through effective and innovative use of enterprise IT.
Achieve business user satisfaction with IT engagement and services. Achieve compliance with
relevant laws, regulations, contractual agreements and internal policies as well as improve
relations between business needs and IT objectives.

8.7 Why does COBIT 5 clearly distinguish the terms governance and management?
COBIT 5 provides a clear distinction between governance and management. COBIT 5 defines
governance as follows:

• Governance ensures that stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on enterprise objectives to be achieved; setting direction
through prioritisation and decision making; and monitoring performance and
compliance against agreed-on direction and objectives.

Management is defined as:

• Management plans, builds, runs and monitors activities in alignment with the direction
set by the governance body to achieve the enterprise objectives.

Good decisions can only be made when a systematic approach to governance and
management of IT is taken. Stakeholder requirements need to be evaluated to ensure
they are taken into account.

This means that there needs to be roles that decide the IT objectives to be achieved, the
prioritisation of projects and monitoring progress, compliance and the direction of IT. This is
IT governance. Management should plan, build and monitor. This distinction is important
because IT should not govern itself.

8.8 What are some current technology trends and why is it important for an
organisation to understand trends?
Technology trends include robotics, driverless cars, the internet of things, cloud-based
computing, big data and data analytics, 3D printing, wearable devices and more. There is also
a trend towards more ethical use of technology (see companies such as Patagonia) and
towards mobility. Management in organisations needs to understand these trends so that new
technologies can be incorporated to provide competitive advantage. Deploying new
technologies successfully needs a structured framework such as COBIT 5 to ensure that
organisational goals and objectives are met.

8.9 Describe the importance of managing financial risks, including the possible
consequences to an organisation.
Risks can lead to material misstatement in financial reports and therefore to unreliable
financial reporting. Such risks range from the very specific, such as data entry errors at the
transactional level, to the high level, such as a major customer moving to another supplier,
which could bring inventory valuation into question. Other risks affect the operation of business
processes and the organisation's broader ability to achieve its objectives. These range from
things going wrong within a business process (e.g. errors in manufacturing) to higher-level
risks arising from the organisation's strategy and structure, for example a high reliance on IT
and on links with others in the supply chain. There are four COSO principles relating to risk
assessment:
1. The organization specifies objectives with sufficient clarity to enable the identification and
assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and
analyses risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of
objectives.
4. The organization identifies and assesses changes that could significantly impact the system
of internal control.

PROBLEMS:

8.1 Watch the following YouTube video on ‘The ABC of a Corporate Collapse’.
Answer the following questions:
(a) What factors led to the failure of ABC Learning?
(b) Could the failure have been avoided? If so, how?

(a) ABC Learning overlooked financial reality by chasing profit through an aggressive
acquisition strategy. ABC Learning started off well, slow and steady. However, a change in
regulation by the Australian Government, specifically the child care rebate in the early 2000s,
led to higher demand for childcare. This in turn led the company to overleverage itself with
debt and to carry inflated intangible assets that could not be realised.
(b) Corporate governance was missing. The accountants, creditors (banks) and auditors
(internal and external) should have seen the issues and advised management and the board
on an acquisition strategy that was sustainable and affordable. It is possible that Eddy Groves,
the CEO and founder, was advised but did not take the advice. Auditors refused to sign off the
financial reports before the collapse.

8.2 Read the article from The Economist, ‘Accounting scandals: The dozy
watchdogs’.
(a) Explain the key issue the article raises about the effectiveness of audits.
(b) What does the article suggest as a solution?
(c) Could the COSO framework be a solution? Why or why not?

(a) The modern audit in the US and in other places is only a standard one-page report that
provides “reasonable assurance” that a company’s statements “present fairly, in all material
respects, the financial position of [the company] in conformity with generally accepted
accounting principles (GAAP). “An auditor’s opinion really says, ‘This financial information is
more or less OK, in general, so far as we can tell, most of the time’,” says Jim Peterson, a
former lawyer for Arthur Andersen, the now-defunct accounting firm that audited Enron.
(b) The Sarbanes-Oxley act limited the consulting work American accounting firms could do
for audit clients, and set up the Public Company Accounting Oversight Board (PCAOB), a non-
profit intended to play Big Brother to the Big Four. James Doty, its chairman, says that “We
see [auditors] as professional people subject to pressures to compromise their independence.”
In 2004 Britain established a similar watchdog, which is part of the Financial Reporting
Council. The most elegant solution comes from Joshua Ronen, a professor at New York
University. He suggests “financial statements insurance”, in which firms would buy coverage
to protect shareholders against losses from accounting errors, and insurers would then hire
auditors to assess the odds of a mis-statement. The proposal neatly aligns the incentives of
auditors and shareholders—an insurer would probably offer generous bonuses for discovering
fraud. Unfortunately, no insurer has offered such coverage voluntarily. New regulation may be
needed to encourage it. Finally, the answer for free-market purists is to scrap the legal
requirement for audits. Today accountants enjoy a captive market, and maximise profits by
doing the job as cheaply as possible. If clients were no longer forced to buy audits, those rents
would disappear. In order to stay in business, the Big Four would then have to devise a new
type of audit that investors actually found useful. This approach would probably yield detailed
reports designed with shareholders’ interests in mind. But it would also allow hucksters to
peddle unaudited penny stocks to gullible investors. Whether government should protect
people from bad decisions is a question with implications far beyond accounting.
(c) COSO might be a good start. Auditors can use COSO as a framework to examine the
control environment, do a risk assessment, review control activities, and assess information
and communication as well as monitoring of internal controls to ensure that they are present
and functioning.
