Regulators around the world are calling for organizations to establish a risk appetite framework. This is primarily for financial services organizations and especially their financial-related risks. But some are extending the idea to organizations in other sectors and for non-financial risks.
The regulators have not heard the risk experts who disparage the concept of risk appetite. While I agree that it is a flawed concept, we have to recognize that it is a required practice for many and should find a way to address related regulations.
What is risk appetite?
In 2013, The Financial Stability Board (FSB) published “Principles for an Effective Risk Appetite Framework” (intended to apply only to financial services organizations) in which it included a number of definitions:
Risk Appetite: The aggregate level and types of risk a firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan.
Risk Appetite Statement: The articulation in written form of the aggregate level and types of risk that a firm is willing to accept in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and money laundering and financing of terrorism risks, as well as business ethics and conduct.
Risk Appetite Framework (RAF): The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the firm, as well as to the firm’s reputation vis-à-vis policyholders, depositors, investors and customers.
The FSB document includes some useful language (emphasis added):
“An effective RAF should provide a common framework and comparable measures across the firm for senior management and the board to communicate, understand, and assess the level of risk that they are willing to accept. It explicitly defines the boundaries within which management is expected to operate when pursuing the firm’s business strategy. Firms that implement a RAF most effectively are those that incorporate the framework into the decision making process and into the firm-wide risk management framework, and communicate and champion the framework throughout the organisation, starting from the top. However, it is important to check that the ‘top down’ risk appetite is consistent with the ‘bottom up’ perspective. The assessment of a firm’s consolidated risk profile against its risk appetite should be an ongoing and iterative process. Implementing an effective RAF requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives. The RAF should enable risk capacity, risk appetite, risk limits, and risk profile to be considered at the legal entity level as well as within the group context. As such, an effective and efficient RAF should be closely linked to the development of information technology (IT) and management information systems (MIS) in financial institutions.”
The FSB recognized that while it is useful for management to propose and the board to approve “aggregate level[s] and types of risk a firm is willing to assume”, real value is not obtained unless every risk-taker (which amounts to every decision-maker) understands how these limits apply to their actions and responsibilities – and acts accordingly. The FSB guidance includes these among the requirements for “business line leaders and legal entity-level management” (emphasis added):
“a) ensure alignment between the approved risk appetite and planning, compensation, and decision-making processes of the business unit and legal entity;
“b) cascade the risk appetite statement and risk limits into their activities so as to embed prudent risk taking into the firm’s risk culture and day to day management of risk;
“c) establish and actively monitor adherence to approved risk limits;”
The most significant problem with this notion is that it is impossible to define every risk that decision-makers might take in the course of running the business, especially when risks are changing constantly and what the business should accept also changes as business conditions change.
Fortunately, the FSB looks to internal audit to ensure that the RAF meets the needs of the organization and is not a static document that is meaningful only to the board.
The FSB publication includes requirements for internal audit to assess the RAF. They say that “internal audit (or other independent assessor) should (emphasis added):
“a) routinely include assessments of the RAF on a firm-wide basis as well as on an individual business line and legal entity basis;
“b) identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate;
“c) independently assess at least annually the design and effectiveness of the RAF and its alignment with supervisory expectations;
“d) assess the effectiveness of the implementation of the RAF, including linkage to strategic and business planning, compensation, and decision-making processes;
“e) validate the design and effectiveness of risk measurement techniques and MIS used to monitor the firm’s risk profile in relation to its risk appetite;
“f) report any deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and
“g) evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.”
This is useful for anybody who wants to audit risk management, even if for a non-financial institution.
I translate all of the above to answering these questions:
- Do those responsible for taking risks, whether in the executive suite or in the trenches of the organization, have the guidance they need to ensure that risks they are creating and/or managing are maintained at levels acceptable to the board? This should include both the mitigation of excessive adverse risk and addressing situations where insufficient risk is taken (e.g., where a manager is overly cautious to the detriment of the organization).
- Is that guidance updated and communicated as business conditions (internal and external) change?
- When management proposes and the board approves strategies, plans, objectives, and similar, is appropriate consideration given to risks to those strategies and objectives?
- Is necessary and appropriate risk information (including the results of risk monitoring) provided to the board, executives, and other managers so they can effectively direct and manage the organization?
- Are exceptions appropriately reported and addressed?
- Is performance management (especially reporting) adequately integrated with risk management, and are those responsible for driving performance against objectives also held responsible for addressing risks to those objectives?
That ‘guidance’ could be in the form of a risk appetite statement (or similar) as envisaged by the FSB and described in COSO’s ERM – Integrated Framework, or in the form of risk criteria as required by the global risk management standard, ISO 31000:2009.
What I especially like about the FSB list of questions (and reflected in mine) is that it recognizes that mere compliance with an RAF is an insufficient audit approach; it is critical to assess whether it is current, timely, communicated broadly, and meets the needs of the business.
I welcome your comments.
If you think you are world-class, it is time for you to consider change.
Our organizations and the risks they face are changing constantly and the pace of change is increasing.
Jack Welch once said: “If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”
We should never be satisfied with where we are today, as this represents a risk that we will not be sufficiently agile to deal with risks tomorrow.
Here are a couple of excerpts from my book, World-Class Internal Audit: Tales from my Journey. The first is on the need for change:
OK, you and your team have been recognized as adding huge value and being world-class.
Do you stop there, confident and happy in your success?
No. What is world-class for your organization today may be insufficient for tomorrow.
The CAE should have a thirst for change and growth. Learn not only from other internal audit leaders and what they do well, but also from leaders of other organizations entirely, like Marketing and Sales.
I like to read magazines like Fast Company because they profile innovative and creative thinkers in all walks of life. Maybe what works for them could, with some tailoring, work for me. At least it might stimulate me to think about something I had never thought about before. It might stimulate me to challenge what had worked for me in the past.
Innovative leaders think outside the box. They create something that excels and they love it. They love it so much it becomes a box for them and limits their ability to discard it in favor of something new.
We should not only think out of the box, but stay out of the box, and kick it as soon as somebody builds one.
This is what I had to say about the future of internal audit:
Internal audit has made great strides since I first became a CAE in 1990.
We have moved the edge of the practice from controls auditing to assurance over governance, risk, and control processes.
The majority of CAEs now report directly to the audit committee with functional reporting to at least the CFO if not the CEO.
But that leading edge is a thin one.
Far too few internal audit departments assess and provide assurance on the effectiveness of risk management.
Even fewer consider the risks of failures in governance programs and processes and include related engagements in their audit plan.
As I travel around the world, talking to internal auditors from Malaysia to Ottawa, I find a consistent pattern of growth. But, there remain pockets where the internal auditor is only there so that management can “check the box”. This seems especially true in government (from local to national), where internal audit departments are upgraded or disbanded based on politics – a concept I find abhorrent in what should be an independent and objective function.
Part of the problem is that audit committees don’t understand the potential of internal audit – and too many CAEs are not educating them. So, they don’t demand more and too many CAEs are satisfied doing what is expected without trying to change and upgrade those expectations.
Still, I expect that internal auditing practices will continue to improve. Organizations need them, as PwC says, to move to the “next platform” and provide assurance that is not just about what used to be the risks, but what they are now and will be in the near future.
Our business environment is becoming more complex, more dynamic, and changing at an accelerating speed. I expect that internal audit leaders will rise to the challenge.
Those that do will create a competitive advantage for their organizations.
Does your internal audit department need to change? Is it able to deliver world-class products and services that represent a competitive advantage for the organization? Do you help them increase the likelihood and scale of success?
Are you ready to adapt to tomorrow’s challenges?
I welcome your comments.
One of the new Core Principles for the Professional Practice of Internal Auditing proposed by the IIA’s Exposure Draft (if you haven’t seen it, read it, and responded, please do so) is:
- [Internal Audit is] insightful, proactive, and future-focused.
The last two adjectives, proactive and future-focused, translate to internal audit “auditing forward”.
This is an expression I only heard for the first time this year. It may have been one of the other members of the IIA Task Force that used it; but whoever said it, it resonated with me.
I have a chapter on “Auditing Forward” in my book on World-Class Internal Auditing and the best way for me to explain my thinking is through excerpts.
I assess my effectiveness as CAE by my ability to prevent internal control or risk issues when I can, rather than identify them (and find fault) when they already exist and represent an obstacle to organizational success.
If you are familiar with the CSI TV series, you can imagine a crime scene investigator entering a room and telling a detective “you have a dead body”. If I can, I prefer to be working with management to ensure there are reasonable controls that would prevent a dead body.
That means a couple of things: seeing the value of internal audit as helping improve risk management and controls, and “auditing forward”.
“Auditing forward” means being involved in new initiatives and projects [such as a pre-implementation controls review of a new IT system], providing consulting advice that helps management implement a reasonable level of controls and security.
It means seeing our success as linked to the success of management. If management implements a new system without sufficient controls or security, when we had an opportunity to warn them, it reflects as a failure on our part. Either we failed to identify the issue, to persuade management it was important, or to work with them on corrective actions that addressed the problem.
“Auditing forward” also means auditing the risks that impact today and tomorrow, not limiting your focus to what has happened in the past.
Is there value in somebody telling you that the road in front of the house you lived in last year is being repaired? You only want to know about road conditions where you are likely to drive now or in the future.
In the same way, internal audit needs to provide assurance and consulting advice on the risks of today and tomorrow. Telling management what has been a problem in the past has some limited value, but only to the extent that those conditions continue to exist and similar problems may continue into the future.
Wayne Gretzky’s father advised him to “skate where the puck’s going, not where it’s been”.
Internal auditors need to take this advice to heart and audit where the risk is going to be, not where it has been.
- Being sufficiently agile to change the internal audit plan as risks and business conditions change; and,
- Knowing that risks and business conditions are changing.
Business leaders and the board like it when internal auditors talk about the business using the language of the business; when we can demonstrate that we understand what the company is doing and where it wants to go; and, where we can show that our work is directed to helping them succeed – arriving safely where they want to go.
Do you “audit forward”?
I welcome your views and comments.
Deloitte has published a short piece as part of their CFO Insights, Compliance programs: What separates “good enough” from “great”? (They are talking about a combined ethics and compliance program.)
It’s a decent read; good enough to spark a conversation on the topic.
I believe this is a topic relevant to those responsible for governance, in executive management, as well as those in risk, compliance, assurance, and information security roles.
The introduction is excellent:
The U.S. Federal Sentencing Guidelines and, more recently, promulgations by the Organisation for Economic Co-operation and Development (OECD) Good Practice Guidance have called for companies to develop effective compliance risk mitigation programs and safeguards to protect against internal and external threats of corruption and fraud. Yet, despite decades of experience in developing such practices, the results appear to remain uneven at best, which is especially concerning at a time when risks are increasing.
Consider the stunning growth of social media, mobile technologies, and big data, for example, which has ushered in a new era of transparency, exposing illegal transactions and raising profound new ethical questions about the way business is conducted. Ethics and compliance executives may have come a long way in developing sophisticated measures to prevent, detect, and mitigate risk of malfeasance. But given that those who wish to violate the rule of law are using more sophisticated tactics, “good enough” in compliance is just not good enough today.
But then Deloitte falls back on what I consider an over-simplification of the issue. They identify five areas where a great compliance and ethics program can be distinguished from one that is just “good”:
- Tone at the Top
- Corporate Culture
- Risk Assessments
- Testing and Monitoring
- Chief Ethics and Compliance Officer
The points they make are good mother-and-apple-pie comments. But do they add anything for a CFO or other executive? I doubt it.
I doubt many executives are familiar with the requirements of the U.S. Federal Sentencing Guidelines[i] that Deloitte references in the first sentence of its publication. Here is the key section, which Deloitte should (in my opinion) have considered referencing.
The highlights are by me.
8B2.1. Effective Compliance and Ethics Program
(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (b)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—
- exercise due diligence to prevent and detect criminal conduct; and
- otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.
(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:
- The organization shall establish standards and procedures to prevent and detect criminal conduct.
- (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
  (B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
  (C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
- The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
- (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.
  (B) The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
- The organization shall take reasonable steps—
  (A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
  (B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
  (C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
- The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
- After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.
(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.
The Commentary that follows this text has some interesting language, including:
“Standards and procedures” means standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.
To meet the requirements of subsection (c), an organization shall:
(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:
(i) The nature and seriousness of such criminal conduct.
(ii) The likelihood that certain criminal conduct may occur because of the nature of the organization’s business. If, because of the nature of an organization’s business, there is a substantial risk that certain types of criminal conduct may occur, the organization shall take reasonable steps to prevent and detect that type of criminal conduct. For example, an organization that, due to the nature of its business, employs sales personnel who have flexibility to set prices shall establish standards and procedures designed to prevent and detect price-fixing. An organization that, due to the nature of its business, employs sales personnel who have flexibility to represent the material characteristics of a product shall establish standards and procedures designed to prevent and detect fraud.
(iii) The prior history of the organization. The prior history of an organization may indicate types of criminal conduct that it shall take actions to prevent and detect.
The Background section, which ends this part of the Guidelines, closes with this:
The requirements set forth in this guideline are intended to achieve reasonable prevention and detection of criminal conduct for which the organization would be vicariously liable. The prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense.
I believe the guidance that the compliance program be risk-based is an essential element.
Every CFO – every senior executive and board member of an organization potentially subject to prosecution under U.S. law – should understand that a risk-based approach that leads to reasonable prevention and detection of criminal conduct provides a significant level of protection to the organization, not to mention protection against any personal liability they might have.
What do you think?
I welcome your comments.
[i] As a reminder, the U.S. Federal Sentencing Guidelines are used by U.S. Federal judges in determining sentences for individuals or organizations convicted of federal crimes.
One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.
I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.
“Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.
“Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.
Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, or so on.
Stuff happens and it changes or creates risk.
The organization must be responsive to change, nimble and agile in modifying strategy and execution.
All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).
Is your internal audit function “dynamic, iterative, and responsive to change”?
For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?
Or are they slow, scattered, and stubbornly reluctant to change?
Is that a risk to which we must respond?
I welcome your comments.
A conversation I just had with Michael Corcoran left me wondering which companies have now or in the past had what one might consider “world-class” internal audit departments?
My personal view is that the CAE is the last person to say his or her internal audit department should be considered world-class.
Instead, that should only be awarded by members of the audit committee or top executives (although I am not sure I would give as much credence to the opinion of a CFO who wants IA to focus on financial and compliance risks).
I would allow members of the audit team to make the award based on what they hear from senior operational executives.
As a former CAE, I am going to hold to my word and not name any of my prior teams. If they want, they can speak for themselves.
So, please use the comments to identify the IA departments you think are world-class and why.
I want to share two situations/reports. The first relates to SOX, the second to COSO 2013.
SEC Charges SOX 302 Violation
Here are the key points in the SEC’s remarks:
The Sarbanes-Oxley Act of 2002 requires a management’s report on internal controls over financial reporting to be included in a company’s annual report. The CEO and CFO must sign certifications confirming they’ve disclosed all significant deficiencies to the outside auditors, reviewed the annual report, and attest to its accuracy.
The SEC’s Enforcement Division alleges that CEO Marc Sherman and former CFO Edward L. Cummings represented in a management’s report accompanying the fiscal year 2008 annual report for QSGI Inc. that Sherman participated in management’s assessment of the internal controls. However, Sherman did not actually participate. The Enforcement Division further alleges that Sherman and Cummings each certified that they had disclosed all significant deficiencies in internal controls to the outside auditors. On the contrary, Sherman and Cummings misled the auditors – chiefly by withholding that inadequate inventory controls existed within the company’s Minnesota operations. They also withheld from auditors and investors that Sherman was directing and Cummings participating in a series of maneuvers to accelerate the recognition of certain inventory and accounts receivables in QSGI’s books and records by up to a week at a time. The improper accounting maneuvers, which rendered QSGI’s books and records inaccurate, were performed in order to maximize the amount of money that QSGI could borrow from its chief creditor.
According to the SEC’s orders, Sherman and Cummings signed a Form 10-K and Sherman signed a Form 10-K/A each containing the false management’s report on internal controls over financial reporting. And each signed certifications required under Section 302 of the Sarbanes-Oxley Act in which they falsely represented that they had evaluated the report and disclosed all significant deficiencies to the auditors.
What is new is that the executives were found to have violated not only the annual Section 404 requirement that the SOX compliance program is generally focused on, but also the quarterly Section 302 certification process.
I have been warning, in both my SOX book for the IIA and in my training classes, that ‘one of these days’ somebody would be charged with a Section 302 certification violation. In my conversations with the SEC when I was writing my SOX book for the IIA, they indicated that Section 302 violations were a future rather than a current focus.
But here they are now.
In the Section 302 certification, the CEO and CFO personally certify, and are therefore personally liable for the accuracy of, the following statements:
“The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and ICFR (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:
- Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
- Designed such internal control over financial reporting, or caused such ICFR to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
- Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
- Disclosed in this report any change in the registrant’s ICFR that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and
“The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):
- All significant deficiencies and material weaknesses in the design or operation of ICFR which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and
- Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.”
In the book, I say:
“… prudence suggests that management:
- Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
- This can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
- The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
- The system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower — typically one quarter the size — determination of what constitutes “material”.
- The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
- Confirms that the external auditors do not disagree with management’s quarterly assessment.
- Understands ― which requires an appropriate process to gather the necessary information ― whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and, if so, should be disclosed.”
Question: Have you discussed with and obtained guidance from your legal team whether a potential material weakness identified by your periodic SOX testing means that the CEO and CFO should not say, in their current quarter Section 302 certification, that the disclosure controls are effective?
Mapping of Controls to COSO 2013 Principles is Wrong
I am still trying to get information on what the major auditing firms are telling clients about COSO 2013.
I was able to get on a call with a Deloitte practice partner and one of the SOX/COSO leaders in the Deloitte head office.
It was refreshing to hear that they understand that the top-down and risk-based approach mandated by PCAOB Auditing Standard Number 5 remains at the heart of the firm’s approach.
The head office leader made a comment that I like very much.
She said that many registrants are trying to map all their (key) controls from 2013 to one or more of the COSO principles.
This is wrong.
There is no such requirement, nor is it useful.
What is needed is to demonstrate which controls are being relied upon to support management’s determination whether the principles are achieved.
I cover this in detail in the SOX book and in my SOX Master Class training. Basically, my approach is to determine how a failure to achieve a principle might raise the level of risk of a material error or omission above acceptable levels; we then identify the key controls that will be relied upon to address such risks. Where the risk is assessed as low, management’s self-assessment of the controls may be sufficient.
Unfortunately, I know of at least one Deloitte senior manager who doesn’t understand this.
I wonder how many other external audit teams are ‘requiring’ that companies do more than is necessary.
Please share through comments or private email to me at email@example.com.
I welcome your insights and observations.