Picture yourself as the manager of customer sales and service at one of the insurance companies located in the World Trade Center. It is the afternoon of September 11. You are OK and have made your way across the Hudson River to New Jersey. Let’s say that you have been able to contact your family and friends and they are all OK. Now you want to reestablish customer services for your company: to provide customers with information about their coverage and to process claims. To do so you need an office, phones, computers, internal and external data networks, customer data, and customer service personnel.
Without the control processes that ordinarily exist, could you accomplish your objective of providing timely customer service? Perhaps; perhaps not. While we can argue that process objectives might be achieved in the absence of control, the primary reason for control is to help ensure that process goals are achieved. For example, you might be able to buy the infrastructure necessary to resume operations. But, unless you had a business continuity plan in place, you might not be able to locate key customer service personnel and restore your customer data. Thus, you may have a low probability of resuming operations in a timely manner.
Now assume that you are an employee (probably a former employee) at Enron. You were well paid and your retirement was secured with Enron stock. Now, after the bankruptcy declaration and resulting layoffs, you have no job and no financial assets. How did this happen? How could it have been prevented? Why didn’t Sherron Watkins’ memo result in changes to the accounting practices at Enron? Did Enron management really believe that these accounting practices would accomplish long- and short-run Enron objectives? Why did Andersen employees shred documents? Again, internal control can provide the mechanisms to develop and achieve objectives.
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission (National Commission on Fraudulent Financial Reporting) published a highly cited framework for internal control to help companies design effective control strategies. It says that “to effect control, there need to be predetermined objectives. Without objectives, control has no meaning (emphasis added).” The COSO report also states that control “involves influencing someone and/or something—such as an entity’s personnel, a business unit or an entire enterprise—with the purpose of moving toward the objectives.” [1] In support of this point, a survey of 300 executives working for major companies based in the United States reported that executives who believed that their companies had strong internal control systems also believed that their companies were more likely to be successful in achieving corporate objectives, that their company’s return on equity had increased over the past three years, and that their company had been more profitable than its competitors. [2]
Rather than express the purpose of control in terms of the good to be achieved, we can also state its purpose in terms of the bad to be avoided. For instance, in our WTC illustration, is there a risk of not being able to resume operations in the long run? Yes! Therefore, a second reason for controlling systems is to lessen the risk that unwanted outcomes will occur. We define risk as the possibility that an event or action will cause an organization to fail to meet its objectives (or goals). Organizations must identify and assess the risk that untoward events or actions will occur and then reduce the possibility that those events or actions will occur by designing and implementing systems of control.
Internal control has recently become more important because of the emphasis placed by shareholders on corporate governance and because of the demands placed on boards of directors and executives to implement and demonstrate control over business processes. The events at Enron, and later WorldCom and others, will make this even more important. Enterprise systems help provide this control, because they can support global, comprehensive, and integrated information sharing. In a recent example, Boston Scientific uncovered fraudulent sales records in its Japan office soon after SAP, an enterprise system, was installed. The ability to track sales globally triggered a closer look at unusual sales return patterns in the Japanese operations. At least one high-ranking corporate officer resigned as a result of this $70 million loss.
Executives, in turn, must implement and demonstrate governance of IT operations. Indeed, technology often represents a major portion of an organization’s costs. On the other hand, without that technology an organization could not perform important operational processes, make decisions, or survive. In both cases—corporate and IT governance—frameworks for control, such as those introduced here and expanded upon throughout this text, will be key elements in this governance process. The events of September 11 forced all organizations to look more carefully at the strategies they had in place to recover from terrorist attacks and other such events. The Enron debacle will drive additional changes in the controls over the financial reporting process.
Let’s now examine a few of the added challenges that management must address when the organization is engaged in e-business. Organizations engaged in e-business must protect the privacy of any information that they may gather from their customers. They must install controls to provide assurance that their privacy-related practices comply with state and federal laws. Also, customers may choose not to do business with merchants that do not protect customer data consistent with their stated policies. The importance of privacy is illustrated by the rise of the Chief Privacy Officer, who is featured in Technology Excerpt 8.1.
Technology Excerpt 8.1
Chief Privacy Officers
Ronald Hoffman, the privacy issues manager at Mutual of Omaha Insurance Co., is in the forefront of a new breed of executives who are working with CIOs to set corporate data-privacy policies. Hoffman is responsible for helping to establish privacy practices for Mutual of Omaha. His job has become a key part of the Omaha-based insurer’s overall corporate strategy in response to new privacy regulations and an ongoing debate over whether the government should set more rules or allow companies to self-regulate.
For Mutual of Omaha, it’s a bottom-line issue. Creating data-privacy policies and then standing behind them is “something that is going to help build a trusting relationship with our customers that we hope will allow us to retain their business and acquire new business,” said Hoffman.
Hoffman is currently working with Mutual of Omaha’s information technology managers to document the way data flows through all of the company’s systems in order to learn exactly what happens to the information and who has access to it.
“We really didn’t have a good handle on information flows through the company,” Hoffman said. But the documentation project now under way should lead to better risk management and security assessments in addition to helping the insurer develop its privacy policies, he added.
Corporate privacy officers work with a variety of corporate departments, including information systems, legal affairs, governmental affairs, and employee training. But the most important thing they need is buy-in from top management, said Tatiana Gau, vice president of integrity assurance at America Online Inc.
“There’s no question in my mind that one of the most important roles of the Chief Privacy Officer (CPO) is to ensure that the whole company is adhering to a privacy commitment,” Gau said. At AOL, for example, the importance of data privacy has been “baked into all the lifecycles” of the company, she added.
Source: Extracted from “Chief Privacy Officers Emerge in Response to Data-privacy Concerns,” by Patrick Thibodeau, Computerworld, September 14, 2000.