The business environment and concepts (BEC) test, part of the CPA exam, covers content similar to what you see in an undergraduate business school curriculum. The highest level of responsibility over a business is assigned to the board of directors. A business’s control environment (management’s view of the importance of controls) is also important.
You may see this concept referred to as “the tone at the top.” Control environment includes the policies put in place to ensure that financial reporting is accurate and that assets are used properly.
The board of directors
Nearly all businesses have a board of directors, whose purpose is to represent the stakeholders in company matters. In a not-for-profit entity, board members may be appointed to represent the donors. In a for-profit company, the shareholders elect board members. Every public company is required to elect a board of directors.
The board establishes management policies for running the business. If the company has a CPA firm perform an audit, the audit report is addressed to the board. Most public companies have an audit committee made up of board members. This committee is a direct line of communication from the audit firm to the board.
The board also handles major decisions related to the business. Here are a few examples:
Hiring and firing senior executives, including the chief executive officer
Deciding whether to declare a dividend
Determining the amount and type of executive compensation for senior management
Board members must adhere to the duty of loyalty principle, which means that if a board member is presented with an opportunity that would help the company, he or she has an obligation to present that opportunity to the company first. In other words, the board member can’t put his or her own business interests ahead of the company’s interests.
Suppose a board member finds out that a warehouse is being offered for sale. The board member owns a business that could use more warehouse space. The duty of loyalty principle states that the board member should present the warehouse sale to the company first, before considering his or her own business interests.
Judging the firm’s control environment
The auditing and attestation (AUD) test covers the area of internal controls. However, internal controls also relate to corporate governance, which the BEC test covers.
Internal controls are policies put in place to help a company achieve these objectives:
Operations: Controls help a company produce a product or service efficiently. Effective internal controls ensure that company resources (raw materials, labor hours) aren’t wasted during production.
Financial reporting: Properly structured internal controls help a business generate reliable financial statements.
Regulatory compliance: An internal control system allows a company to comply with industry laws and regulations.
In addition to the controls themselves, management needs a system to communicate internal control policies to the entire organization. Management should also follow up to ensure that employees are implementing the controls.
The BEC test includes internal control concepts that are promoted by the Committee of Sponsoring Organizations (COSO). COSO provides internal control guidance to corporations and promotes ideas on risk management and fraud detection. COSO’s website explains that the entity is a joint initiative of five private sector groups, including the AICPA.
COSO separates internal controls into five components:
Control environment: This describes management’s view of the importance of internal controls. It addresses management’s ethics, values, and philosophy.
Risk assessment: Risk assessment is the process of evaluating risks that may prevent the company from achieving the objectives of internal controls. Risks may be internal, such as the risk that employees aren’t trained on controls effectively. There are also external risks, which relate to a company’s industry.
Control activities: Control activities are policies put in place to ensure that the control objectives are carried out. Policies may include written approval of purchases, which ensures that resources are used responsibly. Another policy, reconciliation of bank accounts, protects company cash from theft.
Information and communication: Internal controls must be in writing and communicated to everyone in the organization. All employees should be clear on their responsibilities related to internal controls. Updates need to be communicated company-wide.
Monitoring: Monitoring internal control procedures helps management assess whether the procedures are effective. Suppose, for example, that every shipping document for a product sale needs to be matched with a copy of the client invoice. Management’s review indicates that 20 percent of the month’s shipping documents aren’t matched with an invoice. The company may conclude that the control isn’t effective. To improve the control, employees need proper training.