<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>SOX 404 Compliance</title>
	<atom:link href="http://sox404.info/feed/" rel="self" type="application/rss+xml" />
	<link>http://sox404.info</link>
	<description>Sarbanes Oxley Sections 302 and 404</description>
	<pubDate>Tue, 02 Sep 2008 18:40:25 +0000</pubDate>
	<generator>http://wordpress.org/?v=MU</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What is a &#8220;Key&#8221; Control?</title>
		<link>http://sox404.info/2008/08/12/what-is-a-key-control/</link>
		<comments>http://sox404.info/2008/08/12/what-is-a-key-control/#comments</comments>
		<pubDate>Tue, 12 Aug 2008 14:13:33 +0000</pubDate>
		<dc:creator>ccoigne</dc:creator>
		
		<category><![CDATA[SOX 404 & 302]]></category>

		<category><![CDATA[SOX Testing]]></category>

		<category><![CDATA[sarbanes oxley]]></category>

		<category><![CDATA[Key Control]]></category>

		<category><![CDATA[sox 404]]></category>

		<guid isPermaLink="false">http://sox404.wordpress.com/?p=21</guid>
		<description><![CDATA[It still surprises me that, after nearly 5 years of SOX history, many organizations I encounter still struggle with the question - &#8220;what is a key control?&#8221;.
Sarbanes Oxley requires the materially accurate reporting of financial results for publicly traded organizations.  Consequently, the easiest way to identify which controls are key is to ask yourself - &#8220;does this [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><h3>It still surprises me that, after nearly 5 years of SOX history, many organizations I encounter still struggle with the question - &#8220;what is a key control?&#8221;.</h3>
<p><strong>Sarbanes Oxley</strong> requires the materially accurate reporting of <strong>financial results </strong>for publicly traded organizations.  Consequently, the easiest way to identify which controls are key is to ask yourself - &#8220;does this control impact an account in the financial statements or a disclosure in the footnotes?&#8221;.  For many of the controls identified by my clients the answer is &#8220;no&#8221;.</p>
<p>As an example, let&#8217;s examine a control which obviously impacts the financial statements - the bank reconciliation.  When an individual performs the monthly bank reconciliation, they are utilizing an independent, third-party provided document to ensure the existence and accuracy (and probably completeness and cut-off) of transactions related to the Cash account.  There is little doubt that every organization executes this control and that it is essential to the accuracy of reported financial results.</p>
<p>As a counterpoint, let&#8217;s consider a control encountered time and again in the Human Resources or Payroll cycles of large organizations throughout the U.S - &#8220;Employee benefit requests and transactions are appropriately reviewed, approved, and validated to support&#8221;.  In my estimation, this is not a <strong>key control</strong> for <strong>SOX</strong> purposes.</p>
<p>Although many have argued the point with me, I submit the following:</p>
<ul>
<li>How material is any amount related to these types of transactions at any point in time, especially at a quarter end?</li>
<li>For balance sheet-related escrow/liability accounts, isn&#8217;t the periodic account reconciliation sufficient?</li>
<li>For income statement-related expense accounts (employer 401k, employer portion of health insurance, etc) any variance from actual would likely be identified during a fluctuation analysis - current to prior or current to budget or both.</li>
</ul>
<p>My point is this - what might be &#8220;key&#8221; to a process may not necessarily be key when looking at the financial balance being evaluated because multiple cycles/processes likely impact that balance and a control in another process may be sufficient for management to make assertions about that balance.  In short, <em><strong>sourcing</strong></em> the account/assertion intersection from the top-down to a sufficiently robust and precise control should enable management to avoid testing controls that may be important to a process, but less so for getting the reported balance materially correct.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://sox404.info/2008/08/12/what-is-a-key-control/feed/</wfw:commentRss>
		</item>
		<item>
		<title>C&#8217;mon and Ask Some Questions/Leave Comments</title>
		<link>http://sox404.info/2008/08/09/cmon-and-ask-some-questionsleave-comments/</link>
		<comments>http://sox404.info/2008/08/09/cmon-and-ask-some-questionsleave-comments/#comments</comments>
		<pubDate>Sat, 09 Aug 2008 15:04:58 +0000</pubDate>
		<dc:creator>ccoigne</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://sox404.info/?p=30</guid>
		<description><![CDATA[We&#8217;re getting great traffic on this site, but the conversation is definitely one-sided.  Please leave some questions/comments and really make this site interactive!!
       ]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>We&#8217;re getting great traffic on this site, but the conversation is definitely one-sided.  Please leave some questions/comments and really make this site interactive!!</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://sox404.info/2008/08/09/cmon-and-ask-some-questionsleave-comments/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Splitting the &#8220;Assertion&#8221; hair; the key to avoiding &#8220;Over Optimization&#8221;</title>
		<link>http://sox404.info/2008/07/14/splitting-the-assertion-hair-the-key-to-avoiding-over-optimization/</link>
		<comments>http://sox404.info/2008/07/14/splitting-the-assertion-hair-the-key-to-avoiding-over-optimization/#comments</comments>
		<pubDate>Mon, 14 Jul 2008 14:44:54 +0000</pubDate>
		<dc:creator>ccoigne</dc:creator>
		
		<category><![CDATA[SOX 404 & 302]]></category>

		<category><![CDATA[compliance]]></category>

		<category><![CDATA[sarbanes oxley]]></category>

		<category><![CDATA[assertions]]></category>

		<category><![CDATA[SOX Testing]]></category>

		<guid isPermaLink="false">http://sox404.wordpress.com/?p=12</guid>
		<description><![CDATA[AS5 gave public company management license to &#8220;optimize&#8221; their control environments.  The top-down, risk-based approach directed management to lift their gaze from the maze of process level controls and, instead, ensure that the controls they were testing actually mattered when it came to getting reported financial balances right.  The way to do that was to [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>AS5 gave public company management license to &#8220;optimize&#8221; their control environments.  The top-down, risk-based approach directed management to lift their gaze from the maze of process level controls and, instead, ensure that the controls they were testing actually mattered when it came to getting reported financial balances right.  The way to do that was to match relevant financial statement assertions to material balances for in-scope locations.  Most companies were already getting the materiality calculation right, but what about the assertions?  What are assertions, exactly, and how can a refinement of the assertion list aid management in avoiding &#8220;over-optimization&#8221; and exposing themselves to a potential restatement of financial results?</p>
<p>Financial assertions have always existed but they tended to be implicit in nature.  For instance, reported Cash balances implicitly <em>Existed</em> and were adequately <em>Safeguarded</em> and <em>Complete</em>.  Proper <em>Cut-Off</em> ensured that all transactions were reported in the proper period and management appropriately <em>Authorized</em> those transactions.  Management possessed <em>Rights</em> to the asset and, if pledged or otherwise restricted, that fact was fully <em>Disclosed</em>.</p>
<p>However, due to the myriad financial reporting scandals - Enron, WorldCom, Adelphia, Tyco, ad nauseam - that occurred during the early part of this decade, Congress enacted Sarbanes-Oxley (SOX) which, among other things, requires senior management (CEO and CFO) to <strong>explicitly</strong> assert to the reported balances.  As a result, Assertions have recently received much more attention.</p>
<p>In my experience, companies typically utilize five assertions: Existence/Occurrence, Completeness, Valuation/Allocation, Rights/Obligations, Presentation/Disclosure.  The Risk and Control Matrices I&#8217;ve encountered generally have an abundance of check marks - usually over-associating controls and assertions - leading me to conclude that a lack of understanding of the basic definitions exists.  I&#8217;ve found that splitting those five into a broader list of thirteen assertions generally leads to a better understanding of what management is attempting to achieve with each control:</p>
<p><strong>Existence/Occurrence</strong></p>
<ul>
<li>Existence - Balance Sheet focused - Assets, Liabilities and Ownership Interests (Equity) <strong>exist</strong> as of the statement date and balances have a <strong>real world counterpart</strong> (i.e. customers, suppliers, employees, banks, etc).</li>
<li>Safeguard Assets - Access to assets and critical documents that control their movement are suitably restricted to authorized personnel.  Often covered as part of Segregation of Duties review.</li>
<li>Occurrence - Income Statement focused - Transactions and events that have been recorded <strong>actually occurred</strong> and pertain to the entity.</li>
</ul>
<p><strong>Completeness</strong></p>
<ul>
<li>Completeness - <strong>All</strong> transactions and events that should have been recorded have been recorded.</li>
<li>Cut-Off - Transactions and events have been recorded in the <strong>proper period</strong>.</li>
</ul>
<p><strong>Valuation/Allocation</strong></p>
<ul>
<li>Valuation - Amounts based on <strong>estimates and judgements</strong> are in accordance with US GAAP.</li>
<li>Allocation - Costs are allocated from the Balance Sheet to the Income Statement in the proper period (e.g. depreciation and amortization).</li>
<li>Accuracy - Amounts recorded are <strong>mathematically</strong> accurate.</li>
</ul>
<p><strong>Rights/Obligations</strong></p>
<ul>
<li>Rights - The entity holds the rights to the <strong>assets</strong>.</li>
<li>Authorization - Transactions are executed in accordance with management&#8217;s general and specific authority.</li>
<li>Obligations - <strong>Liabilities</strong> recorded are the obligation of the entity.</li>
</ul>
<p><strong>Presentation/Disclosure</strong></p>
<ul>
<li>Classification - financial statement focused - transactions and events have been recorded in the proper <strong>accounts</strong>.</li>
<li>Understanding - <strong>disclosure</strong> driven (generally footnotes) - financial information is appropriately described and understandable to users.</li>
</ul>
<p>While this may initially seem like an esoteric exercise, splitting the five into thirteen actually achieves two things:</p>
<ol>
<li><strong>Reduce</strong> the overall amount of <strong>time needed to test </strong>the control environment.  Risk focused testing means the nature of the testing (Inquiry/Observation, Examination, Reperformance) can vary for two different controls providing assurance over two different assertions.  For instance, Completeness becomes Completeness and Cutoff and, consequently two different assertion risk scores.  If we combine the two, then the testing must satisfy the riskiest of the two.</li>
<li><strong>Prevent over-reliance </strong>on a control.  An intersection of account/control/assertion on the Risk and Control Matrix could lead to incorrect conclusions regarding the assurance provided.  Once again utilizing Completeness as our example, it is possible that we would need two different controls to achieve assurance that <strong>all</strong> transactions have been recorded and that they have been recorded in the correct <strong>period</strong>.  If we do not adequately delineate between Completeness and Cut-Off, then we could inappropriately assume that a control mapped to the account/assertion intersection would enable management to explicitly assert that the risk of misstatement has been mitigated.</li>
</ol>
<p>The first point is important and, I believe as a result of AS5, has been seized upon by management to reduce the time required to test key SOX controls and make the process more efficient.  <em>However, my concern is that the second point is often overlooked</em>.  In the rush to &#8220;optimize&#8221; their control environment, management may inadvertently &#8220;over-optimize&#8221; or fail to identify and test a control that will enable them to certify that <em>all subsections</em> of a particular assertion have been covered and, consequently, <strong>expose the organization to the arguably greater risk for restatement of reported financial results</strong>.  Therefore, management should consider the evaluation of accounts at the greater granularity of thirteen assertions to obtain an &#8220;insurance policy&#8221; of sorts to reduce the risk of misstatement.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://sox404.info/2008/07/14/splitting-the-assertion-hair-the-key-to-avoiding-over-optimization/feed/</wfw:commentRss>
		</item>
		<item>
		<title>External Auditor Reliance on Management Testing</title>
		<link>http://sox404.info/2008/07/08/external-auditor-reliance-on-management-testing/</link>
		<comments>http://sox404.info/2008/07/08/external-auditor-reliance-on-management-testing/#comments</comments>
		<pubDate>Tue, 08 Jul 2008 14:01:04 +0000</pubDate>
		<dc:creator>ccoigne</dc:creator>
		
		<category><![CDATA[sarbanes oxley]]></category>

		<category><![CDATA[SOX Testing]]></category>

		<guid isPermaLink="false">http://sox404.wordpress.com/?p=11</guid>
		<description><![CDATA[
In an effort to reduce overall SOX compliance costs, companies must find a way to reduce external audit fees by increasing the amount of reliance the auditors place on management&#8217;s testing of its control environment.  In a 2006 comment letter to the SEC/PCAOB, a group of controllers and CFOs made several recommendations including the following:
53% [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><div>
<p>In an effort to reduce overall SOX compliance costs, companies must find a way to reduce external audit fees by increasing the amount of reliance the auditors place on management&#8217;s testing of its control environment.  In a 2006 comment letter to the SEC/PCAOB, a group of controllers and CFOs made several recommendations including the following:</p>
<p>&#8220;53% of companies (*see attribution below) indicate that auditor reliance on management testing is their primary discussion issue with their external auditors. We believe that auditors should have more flexibility to rely on management&#8217;s work, including process owners, for areas that are not considered to be at high risk. For example, automated transaction controls or controls over routine processes involve lower risk and can be tested by process owners. It is important that process owners are accountable for effective controls, but auditors believe that AS2 prevents them from relying on process owner assessments. This causes duplicate testing and is disruptive to operations.  Auditors should be allowed to rely on the quality of management&#8217;s overall compliance approach, including the presence of a robust compliance environment and entity-level controls, rather than focusing on individual assessor independence.</p>
<p>We are therefore recommending that external auditors be required to rely on management&#8217;s work in testing (irrespective of entity performing the testing) for a mutually-agreed upon universe of low-risk controls.&#8221;</p>
<p>Submission of Comments to the SEC/PCAOB Roundtable, May 10 2006</p>
<p>- *Corporate Executive Board research; <a href="http://www.executiveboard.com/">http://www.executiveboard.com</a></p>
<p>AS5 addressed this concern by specifically directing auditors to rely more on the work of others.  However, more than 40% of the 257 companies, which participated in a September 2007 poll taken by the Institute of Internal Auditors, indicated their external auditors relied on less than 25% of the testing work performed by management.  Clearly, gains can be made - but what can be done to change the minds of auditors?  The first, and perhaps most important, step is for management to demonstrate an understanding of its environment via a robust assessment of the risks to accurate financial reporting.</p>
<p>Whether the assessment is the traditional &#8220;likelihood and impact&#8221; approach for each of the identified risks, or management chooses to utilize the risk factors identified by the PCAOB/SEC, or some other method entirely, the point of the exercise is to give external auditors a view into management&#8217;s evaluation of what could go wrong.  Ranking the relative risk of the resulting misstatements, and the controls that mitigate those risks, then provides a tool for framing the &#8220;reliance&#8221; discussion.  In year one, auditors may then be more comfortable relying on management&#8217;s testing of those controls that mitigate low level risks.  As time progresses and the risk discussion matures, management and auditors may achieve a balance of reperformance and reliance resulting in reduced cost of compliance. </p></div>
</div>]]></content:encoded>
			<wfw:commentRss>http://sox404.info/2008/07/08/external-auditor-reliance-on-management-testing/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Analyzing the cost-benefit of Sarbanes-Oxley</title>
		<link>http://sox404.info/2008/05/14/analyzing-the-cost-benefit-of-sarbanes-oxley/</link>
		<comments>http://sox404.info/2008/05/14/analyzing-the-cost-benefit-of-sarbanes-oxley/#comments</comments>
		<pubDate>Wed, 14 May 2008 19:15:43 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
		
		<category><![CDATA[SOX 404 & 302]]></category>

		<category><![CDATA[compliance]]></category>

		<category><![CDATA[sarbanes oxley]]></category>

		<category><![CDATA[sox 404]]></category>

		<guid isPermaLink="false">http://sox404.wordpress.com/?p=10</guid>
		<description><![CDATA[A significant body of academic research and opinion exists regarding the costs and benefits of SOX, with significant differences in conclusions. This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings.[5] Conclusions from several of these studies and related criticism are [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p><span style="font-size:10pt;font-family:Verdana;">A significant body of academic research and opinion exists regarding the costs and benefits of SOX, with significant differences in conclusions. This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings.<sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-4#cite_note-4">[5]</a></sup> Conclusions from several of these studies and related criticism are summarized below:</span></p>
<ul type="disc">
<li class="MsoNormal"><span style="font-size:10pt;font-family:Verdana;">FEI Survey: Financial Executives International (FEI) provides an annual survey on SOX Section 404 costs. For 200 companies with average revenues of $6.8 billion, the average compliance costs were $2.9 million, down 23% from 2005. Cost for decentralized companies (i.e., those with multiple segments or large divisions) were more than twice those of centralized companies. Auditor costs did not decline. When asked whether the benefits of compliance with Section 404 have exceeded their costs, 22 percent, on average, agreed, with 78 percent saying instead that the costs have exceeded the benefits. 34 percent agreed that compliance with Section 404 has helped prevent or detect fraud.<sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-5#cite_note-5">[6]</a></sup> </span></li>
</ul>
<ul type="disc">
<li class="MsoNormal"><span style="font-size:10pt;font-family:Verdana;">Butler/Ribstein: Their book proposed a comprehensive overhaul or repeal of SOX and a variety of other reforms. For example, they indicate that investors could diversify their stock investments, efficiently managing the risk of a few catastrophic corporate failures, whether due to fraud or competition. However, if each company is required to spend a significant amount of money and resources on SOX compliance, this cost is borne across all publicly traded companies and therefore cannot be diversified away by the investor.<sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-6#cite_note-6">[7]</a></sup> </span></li>
</ul>
<ul type="disc">
<li class="MsoNormal"><span style="font-size:10pt;font-family:Verdana;">Institute</span><span style="font-size:10pt;font-family:Verdana;"> of Internal Auditors</span><span style="font-size:10pt;font-family:Verdana;"> (IIA): The research paper indicates that corporations have improved their internal controls and that financial statements are perceived to be more reliable.<sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-7#cite_note-7">[8]</a></sup> </span></li>
</ul>
<ul type="disc">
<li class="MsoNormal"><span style="font-size:10pt;font-family:Verdana;">Skaife/Collins/Kinney/Lefond: This research paper indicates that borrowing costs are lower for companies that improved their internal control, by between 50 and 150 basis points (.5 to 1.5 percentage points).<sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-8#cite_note-8">[9]</a></sup> </span></li>
</ul>
<ul type="disc">
<li class="MsoNormal"><span style="font-size:10pt;font-family:Verdana;">Zhang: This research paper estimated SOX compliance costs as high as $1.4 trillion, by measuring changes in market value around key SOX legislative &#8220;events.&#8221; This number is based on the assumption that SOX was the cause of related short-duration market value changes.<sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-9#cite_note-9">[10]</a></sup> However, the S&amp;P 500 index, a broad measure of U.S. stock value, increased 6% the day the law passed in Congress on July 24, 2002, and 1% the day after it was signed into law by President Bush on July 30. It then declined 7% in three trading days thereafter, regaining pre-signature levels by August 8.<sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-10#cite_note-10">[11]</a></sup> Measuring short-term fluctuations in market value is an acknowledged drawback in this study. One could have easily argued a $1.4 trillion benefit, using the 7% increase leading up to the day after signature, rather than the following 3-day decline. </span></li>
</ul>
<ul type="disc">
<li class="MsoNormal"><span style="font-size:10pt;font-family:Verdana;">Iliev: This research paper indicated that SOX 404 indeed led to conservative reported earnings, but also reduced &#8212; rightly or wrongly &#8212; stock valuations of small firms.<sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-11#cite_note-11">[12]</a></sup> Lower earnings often cause the share price to decrease. </span></li>
</ul>
<ul type="disc">
<li class="MsoNormal"><span style="font-size:10pt;font-family:Verdana;">The Lord &amp; Benoit Report: Do the Benefits Exceed the Cost? It included a population of nearly 2,500 companies, which represented ALL of the calendar year accelerated filers. Lord &amp; Benoit&#8217;s SOX research showed that companies with no material weaknesses in their internal controls, or companies who were able to identify and correct material weaknesses in a timely manner, experienced much greater increases in share prices than companies that did not.<sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-12#cite_note-12">[13]</a></sup> <sup><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#cite_note-13#cite_note-13">[14]</a></sup> The report indicated that the benefits to a compliant company in share price (10% above Russell 3000 index) were greater than their SOX Section 404 costs. Lord &amp; Benoit, a SOX compliance company, issued the report on May 8, 2006. It was also published by the Wall Street Journal.</span></li>
</ul>
</div>]]></content:encoded>
			<wfw:commentRss>http://sox404.info/2008/05/14/analyzing-the-cost-benefit-of-sarbanes-oxley/feed/</wfw:commentRss>
	
		<media:content url="http://a.wordpress.com/avatar/ne224635-128.jpg" medium="image">
			<media:title type="html">ne224635</media:title>
		</media:content>
	</item>
		<item>
		<title>ERM: A Pragmatic Bottom-Up Approach (to Parallel the Top-Down)</title>
		<link>http://sox404.info/2008/04/28/erm-a-pragmatic-bottom-up-approach-to-parallel-the-top-down/</link>
		<comments>http://sox404.info/2008/04/28/erm-a-pragmatic-bottom-up-approach-to-parallel-the-top-down/#comments</comments>
		<pubDate>Mon, 28 Apr 2008 15:56:51 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
		
		<category><![CDATA[ERM]]></category>

		<guid isPermaLink="false">http://sox404.wordpress.com/?p=9</guid>
		<description><![CDATA[Recent regulatory trends such as Basel II for financial services and Sarbanes-Oxley (SOX) for publicly traded companies have heightened the importance of better enterprise risk management (ERM). So have trends like globalization, integrated financial markets, the knowledge economy, and political uncertainty. Today, more than ever, how well you take and manage risks affects your cost [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Recent regulatory trends such as Basel II for financial services and Sarbanes-Oxley (SOX) for publicly traded companies have heightened the importance of better enterprise risk management (ERM). So have trends like globalization, integrated financial markets, the knowledge economy, and political uncertainty. Today, more than ever, how well you take and manage risks affects your cost of capital.</p>
<p>And yet, with the exception of industries such as banking and insurance, many companies find the notion of ERM foreign and difficult to implement. The complexity of ERM at every level is daunting:</p>
<p>»How will you determine the universe of all your risks?<br />
»How will you perform an assessment to prioritize which ones are most important?<br />
»How will you design a system of controls that effectively mitigate the risk?<br />
»How will you make sure the controls are working or your risks are at acceptable levels?<br />
»How will you integrate all of this into the daily functioning of the business?</p>
<p>Change Is the Challenge</p>
<p>Anyone who has tried to initiate and gain adoption for an enterprise-wide program, such as Enterprise or Corporate Performance Management, knows that a key reason for failure is change. A fundamental challenge in implementing ERM is the ability to “sell” and “manage” the necessary change in behavior across the entire organization. Managing risk, like managing cost or revenue, cannot be done from the top alone—it must be “owned” by those closest to its occurrence, i.e. the process owners on the front line where managing risk must become just another part of their job. This paper lays out a pragmatic approach for addressing the challenge of change and establishing successful ERM through a series of bottom-up steps that build on existing functional capabilities. These should not be seen as replacing a top-down approach. They should be seen as acting in parallel, in an iterative, mutually re-adjusting and reinforcing manner.</p>
<p>SOX provides a great starting point for a bottom-up approach. When structured properly, the major investment for SOX compliance can now finally yield value far beyond an auditor’s attestation. The Internal Audit and IT departments can then integrate and build on this investment, each bringing longstanding experience for identifying and mitigating risk. Lastly, each Line of Business and its respective business functions also manage risk, which can be incorporated with the others together under one clear mapping. The five bottom-up steps below offer a simple, practical path that ensures that you get to this single viewpoint and that your ERM efforts are successful by leveraging existing strengths and gaining “ownership” from the frontline.</p>
<p>STEP 1<br />
Use Your 404 Documentation to Create a Common Map<br />
Section 404 of the Sarbanes-Oxley legislation created a single, consistent, and broad definition of the enterprise in contrast to existing financial, operational, HR, or legal definitions. These definitions served a more narrow purpose and were therefore not as comprehensive nor were they usually consistent. Until SOX, there was no “Rosetta Stone” to provide a common, universally applicable map of the business, in terms of organizational entities, transaction processes, systems, people, risks, and their overall relationship to financial accounts. A common map is the foundation for identifying risks in a consistent manner across the enterprise. It also ensures alignment across different regulatory environments, risk types, and process owners who may have to address them.</p>
<p>STEP 2<br />
Build on Your Top-Down, Bottom-Up Risk Assessment<br />
The new SEC guidelines and the PCAOB’s Auditing Standard No. 5 have heightened the awareness for an integrated top-down and bottom-up risk assessment approach to SOX. The opportunity is to rationalize the number of key controls required and streamline their testing based on relative risk. Besides the efficiency gains this yields in compliance itself, it creates a precedent for how to define risks hierarchically and so be able to “cascade” and target your efforts where they are most valuable, i.e. where “top-level” assessments can be made based on consolidated views of risk and push “down” to lower levels of assessment, monitoring, and action.</p>
<p>STEP 3<br />
Extend and Integrate With Internal Audit<br />
Internal Audit is the next practical step in providing a foundation for an enterprise-wide view of risks. Internal Auditors have built up a history of assessing operational, financial, and compliance risks across the enterprise for prioritizing and planning annual audits. These risks and audits share the same core elements of the map—companies, locations, and processes. Of course, the shared Audit Universe created by integrating SOX with IA will also result in greater resource efficiencies and speed.</p>
<p>STEP 4<br />
Align With IT Governance Practices<br />
Sarbanes-Oxley requirements highlighted many existing good governance practices in IT, notably those represented by the COBIT framework. Beyond the general computer and application-level controls required for SOX, IT manages multiple risks on a daily basis, such as Business Continuity Planning, Disaster Recovery, and management of business-critical projects to name a few, but these typically all can fit into the structure in the same way as the SOX IT controls already have.</p>
<p>STEP 5<br />
Engage and Leverage Your Process Owners and LOBs<br />
The upfront disruption SOX had on process owners enlisted to create documentation, identify controls, provide self-assessments, and perform tests has largely been reduced. Initially overwhelmed in terms of both the time and learning curve required, many process owners are now far more aware of financial misstatement risks within their areas. This “culture” of managing risk locally is a valuable asset, where new types of risks can be layered onto the same risk culture and framework. Finally, risk management is more than tracking and assessing threats. When risks are tracked against a common map of the business, it is easier to establish the relationship between business performance and risk, like flip sides of the same coin. How these risks are managed is critical to sustaining the goals in revenue growth, expense management, and long-term investment.</p>
<p>The Right Information Is Critical<br />
Underlying each of these steps is the need for a single, integrated view on enterprise-wide risks that is aligned with and supports each of the functional constituencies above. Furthermore, the nature of this information requires a fairly complex structure to effectively capture the flexible hierarchies and many-to-many relationships it must convey, e.g. risks need to be dynamically categorized, assessed, and tracked by different “families” and “types” and associated to more than one location, process, activity, event, people, systems, and more. Such complexity is best addressed when the information source is based on business intelligence design, because if the information is right, the job of slicing and dicing out what you need, when you need it, becomes a much more straightforward task that can be captured by your people and delivered into your culture in a much more expedient and powerful way.</p>
<p>Roland Mosimann, CEO and co-founder of Business Intelligence International is an industry pioneer in helping drive initiatives around risk and performance management that are anchored in business intelligence design. In 2004, he drove the launch of the Aline™ platform for on-demand Governance, Risk, and Compliance. He recently coauthored The Performance Manager: Proven Strategies for Turning Information into Higher Business Performance, itself a follow-up to his earlier book The Multidimensional Manager — 24 Ways to Impact Your Bottom Line in 90 Days with more than 400,000 copies printed that remain in use by organizations worldwide today.</p>
<p>About Business Intelligence International (BII): Business Intelligence International (BI International) is a global software and consulting company specializing in the development of Web-based business intelligence solutions to provide GRC +P functionality to companies of all sizes. Since 1996, BI International has provided robust, flexible, and secure solutions to enable customers worldwide to cost-effectively manage their compliance, risk, and performance initiatives. Leveraging its Aline™ Software as a Service (SaaS) platform, BI International offers a suite of affordable yet powerful and easy-to-use tools that provide a single business intelligence-designed repository of information along with integrated analytics and standard reporting. This allows clients to gain real-time visibility to critical information to identify key issues and drive critical decision making. Visit <a href="http://www.aline4value.com">www.aline4value.com</a> for more information.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://sox404.info/2008/04/28/erm-a-pragmatic-bottom-up-approach-to-parallel-the-top-down/feed/</wfw:commentRss>
	
		<media:content url="http://a.wordpress.com/avatar/ne224635-128.jpg" medium="image">
			<media:title type="html">ne224635</media:title>
		</media:content>
	</item>
		<item>
		<title>Evaluating Internal Control over Financial Reporting</title>
		<link>http://sox404.info/2008/04/28/evaluating-internal-control-over-financial-reporting/</link>
		<comments>http://sox404.info/2008/04/28/evaluating-internal-control-over-financial-reporting/#comments</comments>
		<pubDate>Mon, 28 Apr 2008 14:46:05 +0000</pubDate>
		<dc:creator>ccoigne</dc:creator>
		
		<category><![CDATA[ICFR]]></category>

		<category><![CDATA[SOX 404 & 302]]></category>

		<category><![CDATA[SOX Testing]]></category>

		<category><![CDATA[compliance]]></category>

		<category><![CDATA[sarbanes oxley]]></category>

		<category><![CDATA[AS5]]></category>

		<category><![CDATA[assertions]]></category>

		<category><![CDATA[internal control]]></category>

		<guid isPermaLink="false">http://sox404.wordpress.com/?p=8</guid>
		<description><![CDATA[INTRODUCTION
Last year&#8217;s passage of Auditing Standard No. 5 (AS-5) seems to have been the Public Company Accounting Oversight Board&#8217;s (PCAOB) attempt to swing the Sarbanes Oxley regulatory pendulum back from the process oriented, control-centric, &#8220;kitchen sink&#8221; approach to one that allowed companies to make intelligent choices around properly mitigating their financial reporting risks via a [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>INTRODUCTION</p>
<p>Last year&#8217;s passage of Auditing Standard No. 5 (AS-5) seems to have been the Public Company Accounting Oversight Board&#8217;s (PCAOB) attempt to swing the Sarbanes Oxley regulatory pendulum back from the process oriented, control-centric, &#8220;kitchen sink&#8221; approach to one that allowed companies to make intelligent choices around properly mitigating their financial reporting risks via a top-down risk assessment. This in theory should have significantly lowered the amount of work to be done and the costs to be incurred. Furthermore, Auditing Standard 5 also encouraged auditors to rely on the work of others (i.e. documenting and testing key controls) when evaluating the system of internal control, which should have reduced the overall costs of SOX compliance even further. Unfortunately, in practice, these savings have not been fully realized.</p>
<p>In point of fact, external auditors often duplicate their clients&#8217; internally-generated work or perform testing of controls deemed non-key because of management&#8217;s inability to clearly and succinctly demonstrate how their own efforts addressed the organization&#8217;s financial reporting risks for the relevant assertions of significant accounts and disclosures. If management is unable to do so, then external auditors have no other choice than to exercise their own judgment in determining what work must be done to arrive at an opinion regarding the adequacy of internal control. Their judgment would include selecting the controls required to achieve financial assertion coverage as well as the nature (inquiry/observation, examination, or re-performance), timing (reporting periods from which samples will be selected), and extent (sample sizes) of the tests to be performed on those controls. In the current business environment, meeting professional obligations to third-party users of financial statements may impact an auditor&#8217;s testing decisions - better safe than sorry.</p>
<p>If an organization truly wants to benefit from AS 5, then it must adopt a systematic, objective approach to evaluating financial reporting and internal control risks and demonstrate management&#8217;s testing approach adequately addresses those risks.</p>
<p>CHALLENGES IMPACTING MANAGEMENT&#8217;S ABILITY TO EVALUATE INTERNAL CONTROL OVER FINANCIAL REPORTING</p>
<p>Financial Statement Assertion Coverage</p>
<p>Financial statement assertions are nothing new - Sarbanes Oxley has merely changed them from implicit to overt declarations regarding the balances and disclosures reported by management.  Management must now be able to articulate which assertions should be made about a particular account and what assertions each control provides coverage for.  Inexperience with performing this task or unfamiliarity with the details or nuances of each control by the person performing the &#8220;Assertion Sourcing&#8221; task can result in four common problems:</p>
<p>1. Failure to document and evaluate all relevant assertions for each significant account. As a result, it becomes difficult if not impossible to ascertain whether all controls necessary to adequately report on an account are in place.<br />
2. Redundant controls resulting in unnecessary testing due to the difficulty in evaluating the &#8220;many to many&#8221; relationships of risks, controls, and accounts.<br />
3. Associating to an assertion the wrong controls, i.e. ones that won&#8217;t help meet the assertion. This situation can result from misunderstanding either the control or the assertion definition.<br />
4. Claiming a control meets an assertion when it actually covers only a portion. For instance, the Completeness assertion is really composed of both Completeness and Cutoff; that is, all transactions are recorded in the proper period. A control like bank reconciliations allows management to assert proper cut-off, but not the completeness of the transactions, which should have been recorded in the General Ledger.</p>
<p>A SUGGESTED METHODOLOGY TO OVERCOME THESE ISSUES</p>
<p>Control Sourcing - Ensuring Assertion Coverage While Optimizing Controls</p>
<p>To overcome these issues, a control-optimization effort can be designed to identify duplicative, overlapping, or non-financial key controls for elimination from testing, as well as any areas where additional controls are needed or testing needs to be enhanced. However, while critical, the effort is not always simple. Effective control-optimization requires the ability to evaluate the &#8220;many to many&#8221; relationships of risks, controls, and accounts and evaluate which control would best enable management to make assertions about significant accounts. Control optimization also requires understanding which major classes of transactions in each cycle impact those accounts. Since many organizations utilize spreadsheets to capture the risk and control data attributes/elements, they often find it difficult to evaluate the assertion coverage obtained, because there are too many unique dimensions for Excel to deal with. Management should consider a true database structure to facilitate &#8220;Control Sourcing&#8221; to accounts and assertions in order to identify both duplication and control gaps via exposure by analysis.</p>
<p>Risk-Based Testing</p>
<p>Many organizations currently utilize a &#8220;one size fits all&#8221; approach to control testing.  Control frequency determines sample sizes and the nature of the tests tends to skew towards examination and re-performance.  Internal audit or independent management testers obtain evidence of the control and</p>
<p>Management should consider utilizing an approach which considers the combined effect of Financial Reporting risk (FR) (think Materiality and Impact) and Internal Control risk (IC) (think Likelihood), enabling them to assess the relative significance of controls and potential impact of control failures on Internal Control over Financial Reporting (ICFR) by calculating a numeric score based on objective risk criteria relevant to account balances, assertions, process and controls in a highly defined manner.  No longer would all controls be equal.  Instead, those whose failure could result in a more significant misstatement of the results of operations and required disclosures would receive more robust, objective and timely scrutiny. </p>
<p>The firm of AC Lordi Consulting has developed such a testing methodology and then taken it one step further. It leverages the information gained during the risk assessment by recommending the nature (inquiry/observation, examination, re-performance), extent (sample sizes) and timing (period from which samples are drawn) for a test based on the ICFR score obtained for the related control.</p>
<p>For instance, an automated application control, in a well-controlled ERP environment, ensuring the summary of data compiled in the Accounts Receivable sub-ledger is completely and accurately recorded in the General Ledger is much less risky than the activities of an individual summarizing a list of invoices and then data-entering them to the General Ledger via a manual journal entry. Failure of either control would result in relatively the same financial reporting risk, but the process and control risk of the latter would be significantly higher, so the second control would receive a higher ICFR score based on the Process and controls IC risk contribution. This higher score would portend a more severe approach to testing, likely resulting in a larger sample size, performed more often and much closer to the end of the reporting period.</p>
<p>Additionally, this methodology permits an organization to both spread the work more evenly over the year by testing the controls with lower (less risky) ICFR scores in earlier quarters while ensuring management tests controls with higher ICFR scores closer to the end of the reporting year and the testing is assigned to the more objective and independent Internal Audit function.</p>
<p>Instead of the usual two-phased approach to testing where the bulk of the testing is performed perhaps nine months into the year, with the remainder done shortly after year-end, and all controls have samples drawn from each of the two periods, management can schedule the tests to occur during less demanding timeframes and Internal Audit can integrate its testing with existing audit responsibilities.</p>
<p>CONCLUSION</p>
<p>Management should take a proactive position in helping frame the conversation regarding testing with the external auditors by providing sufficient documentation of a &#8220;top-down, risk-based&#8221; evaluation of the risks to providing timely and adequate financial results and disclosures to third-parties.  Their approach should clearly show how the evaluation focused efforts on riskier activities and should aid management in achieving their desired goal of reducing compliance costs by clearly demonstrating to the external auditors familiarity with what could go wrong.  Such an approach should also provide senior management and the Board of Directors with greater assurance that their duties have been properly discharged.<br />
Management&#8217;s ability to evaluate its control environment is highly dependent on its ability to properly structure its risk assessment in a way that allows deep visibility into the nature of the framework. Knowing what controls can be omitted and what tests can be simplified amounts to understanding the importance associated to a control and the gaps that exist in meeting the assertions. But with the right methodology, data structures and reporting toolsets, this exercise becomes straightforward and highly cost-effective.</p>
<p>Copyright April 2008 Christopher D Coigne and John Dorsam</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://sox404.info/2008/04/28/evaluating-internal-control-over-financial-reporting/feed/</wfw:commentRss>
		</item>
		<item>
		<title>SOX 404 Compliance</title>
		<link>http://sox404.info/2008/04/28/sox-404-compliance/</link>
		<comments>http://sox404.info/2008/04/28/sox-404-compliance/#comments</comments>
		<pubDate>Mon, 28 Apr 2008 14:19:08 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
		
		<category><![CDATA[SOX 404 & 302]]></category>

		<category><![CDATA[sarbanes oxley]]></category>

		<category><![CDATA[sox 404]]></category>

		<guid isPermaLink="false">http://sox404.wordpress.com/?p=4</guid>
		<description><![CDATA[While completing their first SOX attestation, one of the world’s largest biopharmaceutical outsourcing organizations with operations throughout 43 countries in 56 locations and approximately 6,200 employees, knew that building and maintaining a Sarbanes-Oxley compliance program presented challenges &#8212; unearthing and solving the issues that stood in the way of compliance and managing the myriad of [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p><strong><span style="font-weight:normal;font-size:9pt;font-family:Arial;">While completing their first SOX attestation</span></strong><strong><span style="font-size:9pt;font-family:Arial;">,</span></strong><span style="font-size:9pt;font-family:Arial;"> one of the world’s largest biopharmaceutical outsourcing organizations with operations throughout 43 countries in 56 locations and approximately 6,200 employees, knew that building and maintaining a Sarbanes-Oxley compliance program presented challenges &#8212; unearthing and solving the issues that stood in the way of compliance and managing the myriad of spreadsheets and documents that are needed for the task.</span></p>
<p><span style="font-size:9pt;font-family:Arial;">In 2005, the Company completed its first year of SOX primarily by performing the tasks in shared services centers in the United States, the United Kingdom and Germany. The Company identified <span style="text-decoration:underline;">over 1,000</span> key business controls; remediated and re-tested several hundred key controls and implemented a document control process; tracked remediation; and then tested and re-tested its program.</span></p>
<div><span style="font-size:9pt;font-family:Arial;">The company passed the first year of SOX compliance, <em><span style="text-decoration:underline;">but at what cost</span></em>? Approximately 25,000 internal and external labor hours were needed, and several million dollars were invested. <span style="font-size:9pt;font-family:Arial;">The Company knew it needed to find a better way.</span></span></div>
</div>]]></content:encoded>
			<wfw:commentRss>http://sox404.info/2008/04/28/sox-404-compliance/feed/</wfw:commentRss>
	
		<media:content url="http://a.wordpress.com/avatar/ne224635-128.jpg" medium="image">
			<media:title type="html">ne224635</media:title>
		</media:content>
	</item>
	</channel>
</rss>