SOX: Potential changes in the evaluation of internal control over financial reporting

As I open my email these days, I see people suggesting that we are about to enter a new era of assessments for SOX (Sarbanes-Oxley Section 404).

Some are excited; some are in despair.

Some are keen to jump on a new bandwagon and sell seats at classes on assessing internal control over financial reporting using COSO 2013 (COSO is preparing to issue an update of its 1992 landmark Internal Control Framework).

Others are lamenting the advent of a checklist-approach to SOX assessment that they believe is implicit in the drafts of COSO 2013.

A few continue their quixotic attempts to brand the COSO Internal Control Framework (ICF) as inept, preferring a totally different approach.

So let me see if I can bring some sanity to this excited confusion.

In my opinion, the 1992 ICF provides a reasonable basis for SOX assessments. What people have overlooked in their haste to criticize is that it requires a risk-based approach! The Risk Assessment component asks that you identify and assess sources of risk to your objectives (in the case of SOX, the objective is financial statements that are free of material error) before selecting the controls to address those risks.

Those who criticize COSO ICF as failing should look, not to any defect in the framework, but to defects in its use – by external auditors and those influenced by them.

The quixotic point out, correctly, that the greatest risks lie in areas that are not given the attention they should: such as the integrity of management and the skills and competencies of those involved in financial reporting (including those responsible for compliance with accounting rules and for tax accounting).

But these are areas included in the Control Environment component. The fault, if fault exists, is that insufficient attention is paid to the Control Environment and too much is paid to detailed business process controls that reside in the Control Activity component.

While most organizations and their external auditors spend the great majority of their time testing detailed controls, very few material weaknesses are uncovered there. In fact, when they do find important issues during that testing, the root cause is typically a failing in the Control Environment activities related to staff competencies.

If I may, I believe any defect in SOX assessment processes has been a deficiency in the use of judgment to understand each organization’s sources of risk to the financial statements – a deficiency in the attention paid to the Risk Assessment component and to the activities in the Control Environment component.

So, COSO 1992 still works for me. But will 2013 augur a change in approach? Will it reduce us from using our judgment to relying on a checklist?

The jury is still out, as we don’t know what the COSO Board is going to do. The signs are not promising, as the last draft continued to be unclear on the role of judgment vs. assessing internal control based on the presence of defined principles (which is the checklist approach). In addition, the supplementary documents that were designed to help with an assessment are entirely checklist-based.

Any class that is offered today on assessing SOX using COSO 2013 should be viewed with great skepticism. How can you teach something that is not yet final – and whose drafts may be changed significantly?

I hope that the COSO Board continues to listen to those (including me) who promote the continued use of a top-down and risk-based approach to assessing internal control – especially internal control over financial reporting. Judgment rather than a checklist is the only way to go.

Guidance specifically for SOX should embody the top-down and risk-based approach, demonstrating with examples how the process explained in SEC guidance and in PCAOB Auditing Standard Number 5 is followed using COSO ICF.

It should start with Risk Assessment, the identification of sources of risk (significant accounts and locations, etc.) and continue with the identification of key controls – which may exist at any level of the organization and are found in Control Environment, Control Activities, Information and Communication, and possibly in Monitoring.

So, I would not enroll in classes in COSO 2013, nor would I despair (yet) about COSO 2013. All I would do is encourage everybody to lobby COSO to stress judgment over checklists and to promote the top-down and risk-based approach to assessing internal control.

I welcome your comments.

  1. January 7, 2013 at 11:13 AM

    To me, the crux of the post is captured here:

    “While most organizations and their external auditors spend the great majority of their time testing detailed controls, very few material weaknesses are uncovered there. In fact, when they do find important issues during that testing, the root cause is typically a failing in the Control Environment activities related to staff competencies.

    If I may, I believe any defect in SOX assessment processes has been a deficiency in the use of judgment to understand each organization’s sources of risk to the financial statements – a deficiency in the attention paid to the Risk Assessment component and to the activities in the Control Environment component.”

    Management, however, often, I think (I could be wrong) insists on actions based on preconceived notions and long-held prejudices, instead of using good judgement based on a well-reasoned and comprehensive risk analysis process.

    It brings to mind 2 stories. One is from an internal auditor for a life insurance company. Big bucks were obviously very publicly represented in policy payouts. As a result, the internal auditor was required to perform extensive substantive testing in this area. However, they also did extensive testing of the controls. They found controls extremely well designed and backed up and effective. His conclusion was that the substantive testing, which took a lot of time and resources, was a waste of time. Again and again, no deficiencies were found year after year. Continuing to insist on the substantive testing seems a fool’s errand.

    The other is from my years at a supermarket company. Management and even the Board continued to insist that the internal auditors venture into the field to “fondle the cash” as we liked to say. That is, perform cash counts at the store. This despite procedures that required documented dual cash counts at every bookkeeper shift change and detailed over/short reporting of every till. Again, a complete waste of time. In 8 years, we never stumbled into any significant finding related to these cash counts, but spent significant resources on them.

    These two examples demonstrate a lack of understanding of the role of audit and testing and relying on a well-designed risk analysis to guide your audit plan.

  2. January 7, 2013 at 12:21 PM

    Norman, Dana, I cannot agree more; the key lies in the top-down risk-based approach. When this one is done well one can typically reduce the amount of work, as too much was done by insufficient focus on the key risk areas. Add to this the ‘fear’ of looking at the environment, because this is more difficult to inform that this is not appropriate as it is often seen as criticising someone directly, and the tainted focus on less important areas is understood.
    Secondly, a checklist approach will not work in my opinion, as it will tick the box and no one will continue thinking about why these controls exist. It is extremely hard to define a checklist for a top-down risk-based approach, as every company is different and therefore by default judgement is required.
    I do hope that COSO will pay more attention to the ‘soft’ area of the environment and stay away from checklists, which do not facilitate the thought process.

  3. Barry J Schwartz, Consultant
    January 7, 2013 at 5:39 PM

    Very well laid out. I can only talk from experience that the Control Environment truly has the most impact on the tone and if the SOX process will be successful.

  4. January 8, 2013 at 1:40 AM

    Norman, yes, I agree a risk-based approach is sensible. For me though it is the misunderstanding of risk that creates the difficulty in SOX. SOX makes logical sense. Financial statements misstated, ergo, test the risks to the misstatement of financial statements. The one thing SOX did do was to prompt external auditors to really think about the controls they tested and relied upon and prove more intellectually robustly that they really made a difference to the potential misstatement of financial statements.

    You mention the misuse by external auditors in your piece. That’s the rub. External auditors often have a veneer or weak understanding of the underlying business they audit. They really don’t understand what drives the business and the business risks it faces. I know because I’ve been on both sides of a business, and from the inside you see a whole lot more.

    The real reason financial statements are misstated or businesses fail is due to the underlying business model, not the narrow and technical process of accounts preparation. For if we take a step back from the granular rules of financial statements’ preparation, the underlying point is to present a true and fair view of the business’ financial performance. This will only be achieved through understanding how the business has performed and the real business (not financial reporting risks) it faces.

    So let us all move away from a rules-based right / wrong attitude to these things and realise the world is complex, messy and difficult and judgements are required. For SOX to be truly meaningful it needs to release itself from its rules-based mindset and move to a principles based approach with real business and ‘human’ meaning.

  5. Patricia Guerrero, CPA
    January 8, 2013 at 4:57 AM

    Bravo!! I could not have said it better; I think I agree with every single word you said. I am a firm believer in checklists for practically everything in life, especially for SOX compliance, but for the first time in my life I happen to agree that the one-size-fits-all “checklist” approach would create more issues than it solves. I agree that more guidance is necessary, but not to the point that it eliminates the flexibility to navigate the complex world of SOX compliance. Just my two cents…

  6. Greg Kalin
    January 8, 2013 at 9:29 AM

    What will be really interesting is to see what impact the updated COSO ICF will have on how the external accounting firms integrate it into their risk assessment process and testing methodologies, if at all. The PCAOB has taken a very hard line with the accounting firms as of late and their latest guidance clearly indicates that they believe the external auditors have not sufficiently exercised professional skepticism and have not sufficiently evaluated controls. While I very much support the new framework, I fear it will just add more fuel to the fire as we try to better understand the changing (increasing) control evaluation requirements and lack of clear guidance from the PCAOB.

  7. Norman Marks
    January 8, 2013 at 9:37 AM

    Greg, do you believe AS/5 is insufficient guidance, especially in conjunction with the more recent Auditing Standards on risk assessment: http://pcaobus.org/News/Releases/Pages/08052010_AuditingStandardsRiskAssessment.aspx?

    If you support the updated COSO ICF, do you believe it is consistent with either AS/5 or the SEC guidance?

    • Greg Kalin, CIA, CISA, CFE, CRMA
      January 9, 2013 at 7:15 AM

      Norman:

      I think AS/5 is more than sufficient. The problem seems to be the tone change at the PCAOB and the impact this and their audits of the firms are having on companies. The PCAOB has been very critical on the quality of external audits, particularly in terms of the testing methodologies and supporting documentation of the external auditors. The external auditors, in turn, are reacting and raising the bar on what is acceptable on the part of management. The frustrating part is there is a lack of clear guidance coming from the PCAOB and as a result, the external auditors have been increasing the requirements in an ad hoc manner. As a result, what may be acceptable to management (and internal audit) from a risk-based methodology, may fail to meet the changing requirements of the regulators and the external auditors. It comes down to whose view of risk we need to follow. Of course, it should be management, but I worry that we are going to default to the regulators/external auditors in order to get the job done. Frankly, it seems as though the PCAOB does not really support, in action, the concept of the top-down audit approach and that we are moving back to an AS/2 mentality.

      • Bill Spoehr
        January 16, 2013 at 3:22 PM

        The SEC addressed this issue of “convergence” between the auditing standards and management’s assessment of internal controls in their June 2007 Interpretive Guidance to Management. Specifically, the SEC stated that “there will be differences in the approaches used by management and the [external] auditor because the auditor does not have the same understanding as management ….”

        The SEC’s guidance has been muted in recent years by the above mentioned “activism” of the PCAOB and the resulting knee-jerk changes in audit firm methodology. It appears that the firms now seek to identify and test all potential risks, rather than identify and test relevant risks in an effort to “cover the bases” for the next PCAOB inspection. As a result, external audits have become less efficient, costlier, and do not appropriately consider a top-down approach.

        Until the PCAOB moves towards supporting the use of the SEC Interpretive Guidance, I agree that we are headed towards a checklist, AS 2 audit approach.

        • Greg Kalin
          January 16, 2013 at 3:33 PM

          Bill:

          Well put. What’s funny is that the PCAOB recently criticized the audit firms for “Improper application of the top-down approach to the audit internal control as required by AS No. 5.”

          • Bill Spoehr, CPA, VP Financial Compliance
            January 17, 2013 at 7:21 AM

            Greg – I’m afraid that the recent PCAOB publication of their “2010 Observations” (which, incidentally, I mostly agreed with) will only serve to further confuse the firms about how to adjust their audit methodologies to “pass muster.”

            In response to Norman’s original question about the new COSO Framework, I’m concerned that one of the major authors of the revised Framework is subject to PCAOB review criticisms and that the proposed attributes will push the firms further into the weeds instead of focusing on control environment and entity-level controls (as advocated by the SEC in 2007).

            And the beat goes on …………………

  8. Joseph iyofor
    January 8, 2013 at 12:24 PM

    Agree with you, Norman; a risk-based approach is not only practical but aligns with the dynamics of an ever-changing environment (hybrid financial engineering).
    The bottom line is how auditors, whether external or internal, exercise sound judgment without risk-based auditing skills; the regulatory agencies need to emphasize this.
    The time to fine-tune and act is now! The financial sector is still and can’t afford another meltdown.

  9. Joseph iyofor
    January 8, 2013 at 12:26 PM

    Fragile

  10. Frans Kersten
    January 8, 2013 at 11:12 PM

    I believe that risk-based auditing has contributed to the current crisis and lack of trust in auditors. It encourages doing a minimum of testing when the ‘audit risk’ part of the risk model shows very low risk.
    It leads to a lack of professional criticism with regard to the application of accounting rules. High-risk areas with respect to material misstatements are those areas in which estimates play an important role in valuing assets and liabilities, especially in the case of ‘off-balance’ assets and liabilities. In the Netherlands we have recently seen some big failures from the Big 4 with the valuation and presentation of these kinds of assets and liabilities, although high risk, by not correctly applying accounting rules or applying them in a way they could be applied but that fails to meet the overall objectives of the financial statements, i.e. to offer the user the possibility to form an opinion on the liquidity and solvability of the company.

    As some respondents state correctly, when the organisation is in control, there is a very small chance of material misstatements regarding the day-to-day operations / transaction cycles. From a risk-based perspective little attention is needed. But how can you be sure that the organisation is truly ‘in control’? And second, how do you know what the business truly is about: what is going on ‘at the bottom’? To meet both objectives, some minimum form of attention is needed, and that ‘minimum’ lies at a higher level than it gets when applying a full risk-based approach.

    • Norman Marks
      January 9, 2013 at 7:10 AM

      Frans, there is a difference between basing the external audit approach on the risk of a material misstatement (what I am talking about) and the risk that the external auditor will not detect a material misstatement. The latter is usually referred to as audit risk.

      • Frans Kersten
        January 10, 2013 at 8:52 AM

        Norman, I know that very well. In the breakdown of audit risk you look at control areas based on items/accounts that make up the financial statements, the underlying control cycles and information system(s). That’s where both types of risk meet. When there is a big chance of material misstatement the auditor should do more (like more tests) to make sure the audit risk will remain acceptable.

  11. Linda DiPaola, CPA CISA CGEIT
    January 28, 2013 at 12:26 PM

    “Guidance specifically for SOX should embody the top-down and risk-based approach . . .

    It should start with Risk Assessment, the identification of sources of risk (significant accounts and locations, etc.) and continue with the identification of key controls – which may exist in at any level of the organization and are found in Control Environment, Control Activities, Information and Communication, and possibly in Monitoring.” – Hurrah!! I totally agree, except I would put monitoring a little higher than just “possibly”.

  12. Ray Purcell
    February 15, 2013 at 10:39 AM

    I agree about the importance of the Control Environment, and the lack of attention to this component in SOX 404 assessments, but I do not accept the premise that articulating principles within the components is necessarily the same thing as advocating a checklist approach. I would argue that one reason the Control Environment has received insufficient attention since 2004 is that few organizations really understood the 92 Framework, and that the articulation of the principles helps to make the Framework easier to understand. Therefore, I see the update to the Framework as potentially very positive – as always, depending on how well it is understood and applied. I think there is good reason to hope that the updated Framework will do what COSO intended back in 1992, to help organizations improve their systems of internal control.
