What is a “Key” Control?
It still surprises me that, after nearly 5 years of SOX history, many organizations I encounter still struggle with the question - “what is a key control?”.
Sarbanes Oxley requires the materially accurate reporting of financial results for publicly traded organizations. Consequently, the easiest way to identify which controls are key is to ask yourself - ”does this control impact an account in the financial statements or a disclosure in the footnotes?”. For many of the controls identified by my clients the answer is “no”.
As an example, let’s examine a control which obviously impacts the financial statements - the bank reconciliation. When an individual performs the monthly bank reconciliation, they are utilizing an independent, third-party provided document to ensure the existence and accuracy (and probably completeness and cut-off) of transactions related to the Cash account. There is little doubt that every organization executes this control and that it is essential to the accuracy of reported financial results.
As a counterpoint, let’s consider a control encountered time and again in the Human Resources or Payroll cycles of large organizations throughout the U.S - “Employee benefit requests and transactions are appropriately reviewed, approved, and validated to support”. In my estimation, this is not a key control for SOX purposes.
Although many have argued the point with me, I submit the following:
- How material is any amount related to these types of transactions at any point in time, especially at a quarter end?
- For balance sheet-related escrow/liability accounts, isn’t the periodic account reconciliation sufficient?
- For income statement-related expense accounts (employer 401k, employer portion of health insurance, etc) any variance from actual would likely be identified during a fluctuation analysis - current to prior or current to budget or both.
My point is this - what might be “key” to a process may not necessarily be key when looking at the financial balance being evaluated because multiple cycles/processes likely impact that balance and a control in another process may be sufficient for management to make assertions about that balance. In short, sourcing the account/assertion intersection from the top-down to a sufficiently robust and precise control should enable management to avoid testing controls that may be important to a process, but less so for getting the reported balance materially correct.
1 Comment »
Leave a comment
About
Ever since its first year of required compliance in 2004, Sarbanes-Oxley and Section 404 in particular has been criticized for the excessive cost and disruption it created for companies. The public debate about whether its been worth the effort has at times reached a fever pitch, as recently noted by the former Chairman of the SEC, Harvey Pitt[1], “As costs mounted, and auditors became defensive in their audits of internal control, a crescendo of criticism and despair arose, ultimately persuading the PCAOB and the SEC to revisit their prior guidance to make the beneficial purposes of the SOX 404 more obtainable, with lower costs and more focused efforts”. In this regard, certain statements from both the SEC and PCAOB December releases especially stand out[2]. At the same time, greater use of a risk based approach seems to reflect a return to the original principles of SOX and certainly of the COSO Framework.
[1] Compliance Week, March 2007 issue
[2] SEC Release # 33-8762, 34-54976 (12/15/06) and PCAOB Release # 2006-007 (12/19/06)
About the Author
Christopher D. Coigne CPA, CIA, CFE is the Senior Manager of Client Services and Product Development for BI International. For the past 5 years Chris has worked extensively with organizations seeking compliance with Sarbanes-Oxley (SOX). He has performed materiality planning and risk assessments, led facilitated control discussions, participated in client SOX Project Management Organizations, and overseen global control testing. Other projects have included managing outsourced Internal Audit activities, performing forensic and fraud investigations to aid in management’s deterrence and detection of fraud, and working to develop a web-based SOX and Internal Audit tool.
A graduate of Rowan University, Christopher’s experience includes public accounting financial audits, controllership in the insurance industry, internal audit management at Philadelphia-based ARAMARK, and consulting work for a variety of global organizations including McDonald’s, Sony, ING and Waste Management.
-
Archives
- August 2008 (2)
- July 2008 (2)
- May 2008 (1)
- April 2008 (3)
-
Categories
-
RSS
Entries RSS
Comments RSS
Based on my own consulting experience, I can certainly validate Mr. Coigne’s observations. I think his point re: “what might be ‘key’ to a process may not necessarily be key when looking at the financial balance being evaluated …” may be particularly relevant to much of the recent scrutiny relevant to TPA’s (third party administrators) and the ever so basic “user controls” found in the SAS 70’s. I also think many auditors get lost in the details and forget the most basic criterion of everything we do: costs versus benefits.