Archive for the ‘Sarbanes’ Category

Evaluating the external auditors

June 14, 2015 7 comments

The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.

It’s a good product, useful for audit committees and those who advise them (especially CAEs, CFOs, and general counsel).

The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each), and a sample questionnaire to ask management to complete.

However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team’s quality.

Given the publicized failures of the audit firms to detect serious issues (fortunately few, but still too many) – the latest being FIFA (see this in CFO.com) – and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.

Let me illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I informed them that there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the Corporate Controller, and the entire financial reporting team. I told them that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the Treasurer, and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice – and this was no longer permitted.

The chairman of the audit committee turned to the CFO, asked him if that was correct, and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this. The partner also gave an unapologetic “yes” in reply.

The chairman then asked the CEO (incidentally, the former CFO whose policy it had been not to hire CPAs) to address the issue promptly, which it was.

However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why, whether he agreed with my assessment of the issue, why the firm had not identified this as a material weakness or significant deficiency in prior years, or any other related question.

If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don’t use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management – going overboard to preserve the appearance of independence.

I addressed this in a prior post, when I said the audit committee should consider:

  • Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
  • Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
  • Whether issues are addressed with common sense rather than a desire to prove themselves

Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?

I welcome your comments.

Lessons Learned from the Transition to COSO 2013

May 3, 2015 5 comments

Protiviti has shared with us a useful Top 10 Lessons Learned from Implementing COSO 2013.

I especially like this section:

It is presumed that everyone understands that a top-down, risk-based approach remains applicable to Section 404 compliance, and the transition to the 2013 updated Framework does not affect this. While we don’t list this as a lesson, we could have, because some companies either forgot or neglected to apply this approach when setting the scope and objectives for using the Framework. As a result, they went overboard with their controls documentation and testing. We can’t stress enough that the COSO 2013 Framework did not change the essence of, and the need for, a top-down, risk-based approach in complying with SOX Section 404.

The report has a number of excellent pieces of advice. However, I wouldn’t be me if I didn’t have points of disagreement.

The first is on mapping. It is NOT necessary to map all your controls to the principles. If we take principle 10, for example, it states “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels”. Rather than map all your control activities to this principle (or to principle 11, which is the same – just for IT general controls), the organization needs to identify the control(s) it relies on for its assessment that the principles are present and functioning[1]. For principles 10 and 11, that will be the SOX scoping exercise. For the principle on fraud, the control that should be identified is the fraud risk assessment, not every control relied on to detect or prevent fraud.

Then there is the assertion that indirect controls are the same as entity-level controls. COSO (both 1992 and 2013) tell us, correctly, that activities in each of its components may operate at any level within the organization. For example, let’s say that an account analysis is prepared by Corporate Finance as part of the period-end close. This entity-level control may operate with sufficient precision to be relied upon to detect a material error or omission in that account. But the entity-level control is a direct control, not an indirect control. (A direct control can be relied upon to prevent or detect an error. An indirect control is one that serves to increase or decrease the likelihood that other, direct, controls will function effectively. Hiring, integrity, oversight by the board – these are indirect controls where a defect would increase the likelihood that affected direct controls would fail.)

Another example that helps us understand the difference is the hiring process (related to principle 4, in the Control Environment). The hiring process most often is at a lower level than the entity-level, often as deep as the activity level as that is where most hiring managers reside. Controls in the hiring process in this situation are activity level (or what I call ‘intermediate level’ controls, operating at a location or business unit rather than either the top or the bottom of the organization) and are indirect controls.

I could quibble with one or two more points, but I don’t want to detract from the report. I want, instead, to encourage you to read and discuss it.

What do you think?

What additional lessons have you learned?

[1] Full credit for this wording goes to the E&Y national office, who used it in a conversation I had with them about the firm’s training of its audit staff.

The most important sentence in COSO

April 25, 2015 13 comments

In my opinion, one sentence stands out, whether you are looking at the COSO Internal Control – Integrated Framework (2013 version) or the COSO Enterprise Risk Management – Integrated Framework.

That sentence is:

An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.

The sentence is important because it emphasizes the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when risk is at desired levels.

To me, this means that:

  1. Before you assess the effectiveness of internal control, you need to know your objective(s), because we are talking about risk to objectives – not risk out of context
  2. You need to know the risk to those objectives
  3. You need to know what is an acceptable level of risk for each objective, and
  4. You need to be able to assess whether the controls provide reasonable assurance that risk is at acceptable levels

You may ask “where is that sentence?”, because when consultants (and even COSO and IIA) make presentations on COSO 2013 and effective internal control, all you hear about are the principles and components.

In fact, anybody who reads COSO 2013 should have no difficulty finding this most important sentence. It’s in the section headed “Requirements for Effective Internal Control”.

This is how that section starts:

An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:

  • Each of the five components of internal control and relevant principles are present and functioning
  • The five components are operating together in an integrated manner

There is no mention of satisfying the requirement that the “components and relevant principles are present and functioning” until after the reference to risk being at acceptable levels.

In fact, I believe – and I know that at least one prominent COSO leader agrees – that assessing the presence and functioning of the components and principles is secondary, provided to help with the assessment.

Let’s have a look at the very next paragraph in the section:

When a major deficiency exists with respect to the presence and functioning of a component or relevant principle or in terms of the components operating together, the organization cannot conclude that it has met the requirements for an effective system of internal control.

When you look at this with the (COSO) risk lens, this translates to the ability to assess internal control as effective, and the principles and components as present and functioning, as long as there is no deficiency in internal control that is rated as “major”.

How does COSO determine whether a deficiency is “major”? That can be found in the section, “Deficiencies in Internal Control”.

An internal control deficiency or combination of deficiencies that is severe enough to adversely affect the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.

Let’s translate this as well:

  1. If the adverse effect on the likelihood of achieving objective(s) is “severe”, then the risk is outside acceptable levels.
  2. If the risk is outside acceptable levels, not only should the related component(s) or principle(s) not be assessed as present and functioning, but internal control is not considered effective.
  3. When it comes to SOX compliance, a “major deficiency” translates to a “material weakness”. The objective for SOX is to file financial statements with the SEC that are free of material error or omission. The acceptable level of risk is where the likelihood of a material error or omission is less than reasonably possible.
  4. That means that if the deficiency is less than “major” (or “material” for SOX purposes), then the related component(s) or principle(s) can be assessed as present and functioning – and internal control can be assessed as effective.

So, the only way to assess whether the principles and components are present and functioning is to determine whether the risk to objectives (after considering any related control deficiency) is at acceptable levels.

Do you see what I mean?

Risk is at the core. Assessing the presence and functioning of components or principles without first understanding what is an acceptable level of risk to objectives is misunderstanding COSO!

Why are so many blind to this most important sentence?

I have a theory: the presentations were all prepared based on the Exposure Draft. That document failed to reference the requirement that internal control be designed to bring risk within acceptable levels. (The defect was fixed after comments were received on the issue.)

Do you have a better theory?

Can you explain the blindness of so many to the most important sentence in the entire Framework?

Going crazy with COSO 2013 for SOX

February 18, 2015 20 comments

For some reason, I only just saw a new PwC publication, Present and functioning: Fine-tuning your ICFR using the COSO update, dated November 2014.

PwC provided the project team for the COSO 2013 update of the Internal Controls – Integrated Framework, so their advice and insight should merit our attention.

The trouble is that it is very easy to go overboard and do much more work than is necessary to update your SOX program for COSO 2013.

I fear that PwC may help people go crazy, rather than perform the few additional procedures necessary. I respect those who have said, rightly in my view, that if you were able to comply with the requirements of COSO 1992 (the original version) and either the SEC guidance (in their Interpretive Guidance) or PCAOB Standard Number 5, you should already be in compliance with COSO 2013.

The key is to be able to demonstrate that.

We need to remember these facts:

  1. Neither the SEC nor the PCAOB has updated regulatory guidance for management or the external auditor since the release of COSO 2013. That guidance (reinforced by the PCAOB October 2013 Staff Practice Report) mandates a top-down and risk-based approach. It requires a focus on the potential for a material error or omission in the financial statements filed with the SEC.
  2. COSO 2013 says that internal control is effective when it reduces the risk to the achievement of objectives to acceptable levels. For SOX, that means that there are no material weaknesses.
  3. COSO 2013 also says that a principle can be deemed present and functioning if there are no “major deficiencies” that represent a significant level of risk to the achievement of the objective – in other words, there are no material weaknesses due to a failure of elements relating to a principle.

Now let’s have a look at what PwC has to say.

“With the COSO’s 1992 Control Framework being superseded by the 2013 updated edition on December 15, 2014, now is the time for companies to use the updated framework to evaluate the effectiveness of their systems of internal control over financial reporting.”

I agree with this statement. This is a great opportunity to ensure an effective and efficient program is in place.

“The updated framework formalizes 17 principles that stipulate more granular evaluative criteria to help a company’s management assess the design and operating effectiveness of its ICFR.”

They forget to say that COSO informs us that internal control is effective if it reduces risk to the achievement of objectives to acceptable levels. They also forget to remind us that the SOX assessment must be top-down, risk-based, and focused on the potential for a material error or omission.

“We don’t believe that implementation of the 2013 framework affects management’s existing control activities…. assuming that a company’s control activities have been assessed as effective, reevaluating them according to the 2013 framework is not necessary.”

While there is an element of truth to this, organizations should not be assessing control activities in isolation – they should be assessing whether the combination of controls provides reasonable assurance that there are no material errors or omissions. Focusing on one component by itself is insufficient and, I believe, incorrect.

In addition, the selection of controls for reliance should always be re-evaluated as the business is likely to have changed, including materiality, significant accounts and locations, and so on.

“We believe the most immediate value of applying the 2013 framework lies in the opportunity it provides for taking a fresh look at indirect entity-level controls.”

Again, the SOX scoping should be focused on the combination of controls that provides reasonable assurance. In addition, some principles (such as the hiring and training of employees, or the provision of training and obtaining certification of employees in the code of conduct) are performed at the activity level. COSO tells us that activities in each of the COSO components may exist at any level of the organization. So, we need to recognize that indirect controls may operate at the entity (corporate) level, activity level, or any level in between (such as at the business unit or regional level).

Having said which, the principles do offer us a new opportunity to determine which of these indirect controls need to be included in scope because a failure would represent an unacceptable level of risk – because they raise to an unacceptable level the likelihood that one or more key direct controls relied on to prevent or detect a material error or omission might fail.

But, it all has to be within the context that we are focusing the scope, and the SOX program as a whole, on the risk of a material error or omission!

“…fine-tune the design and related documentation of indirect ELCs [entity-level controls] through mapping them to principles.”

Many have misguided organizations, telling them to “map their controls to the principles”. The proper guidance is to “identify the controls you are relying on to provide reasonable assurance that the principles are present and functioning”. Again, we need to remember that the principles can be deemed present and functioning if a failure would not represent a material weakness.

It is correct to say that if you have indirect controls (at entity or another level) that are not required to provide that reasonable assurance, they do not need to be included in scope for SOX.

“…we have noted the following areas in which management’s assessment has indicated room for optimization or improvement in control documentation.”

I suspect that the issue is not limited to control documentation! There is always room for improvement and it is useful to see what PwC has identified.

“Leading companies are formalizing or clarifying and incorporating into their evaluations of ICFR certain indirect ELCs that support existing human resources policies. Such controls usually consist of approvals of new hires and employee transfers (including background checks and assessments of requisite skills and experience when appropriate), requirements for professional certifications and training (e.g., in new and complex accounting standards), succession planning and retention of competent employees, and periodic reviews of employee performance to assess requisite skill levels and conduct. Compensation programs aligned with expected performance, competencies, and behaviors are also important to support ICFR objectives.”

If you believe that any organization’s HR policies and practices provide the assurance you need that every single key control is performed by individuals with the appropriate experience, knowledge, training, and so on, I have a bridge to sell you!

While it is very important to have excellence in hiring, training, supervision, career development, promotion and so on, I do not believe that for SOX it is productive to spend much time on controls in this area.

I very much prefer to assess the capabilities and competence of each control owner as part of the evaluation of the design and operation of each individual key control.

“In many organizations, the evaluation of fraud risks related to financial reporting is integrated into the overall assessment of financial-reporting risks……… In identifying and evaluating those risks, management investigates incentives, pressures, opportunities, attitudes, and rationalizations that might exist throughout the company in different departments and among various personnel.”

The first statement is (I hope) true, although I personally perform a separate assessment of fraud risk (focused on the risk of a material error or omission due to fraud) and generally find that they are addressed by the controls already identified for mistakes.

PwC talks about ‘scenarios’, while I talk about ‘fraud schemes’. In each case, we are talking about ‘how’ the fraud would be committed – an essential step in understanding the true nature of the risk and the controls that would prevent or detect it, if material.

However, going crazy about the fraud triangle is not recommended. We should focus on how we can provide reasonable assurance that a material error or omission due to fraud might be prevented or detected, and remember that the number of people with the ability to commit such a fraud is limited. More than 80% of reported material frauds have been perpetrated by the CEO and CFO acting together, not individuals “throughout the company in different departments and among various personnel.” Rationalization, for example, is an intensely personal action and not something that can be detected by looking broadly at even a segment of the workforce.

“Companies taking a thoughtful approach in transitioning to the 2013 framework—rather than viewing it as a mere compliance exercise—are finding value in the identification of opportunities to strengthen their ICFR.”

We are back on solid ground.

The focus has to remain solidly grounded on identifying and then testing the design and operation of the controls relied upon to prevent or detect a material error or omission. A top-down and risk-based approach is mandated.

Going beyond this may have value in improving operations and the achievement of other (than SOX) business objectives.

But let’s not go crazy!

I welcome your comments and, especially, your experiences with COSO 2013 and your external auditors.

By the way, I think it is well past time for COSO to issue a statement or other guidance to set people straight on the COSO 2013 principles when it comes to SOX. They need to explain that the primary evaluation criterion for effective internal control is whether there is reasonable assurance that risk to the achievement of principles is at an acceptable level. Then they need to explain that the principles offer more granulated guidance that can be used in assessing that risk and whether it is acceptable, but assessing the principles without the context of risk is misunderstanding COSO 2013.

Do you agree?

The effective audit committee

November 22, 2014 7 comments

A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.

I think there are some key ingredients to an effective audit committee that are often overlooked. They include:

  1. The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
  2. The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferent to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
  3. They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
  4. They need to be willing to ask a silly question.
  5. They need to persevere until they get a common sense response.
  6. No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
  7. Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.

What do you think?

I welcome your comments.

Leveraging the COSO Internal Control Update for Advantage

November 15, 2014 4 comments

PwC, who led the project for COSO that updated the Internal Control – Integrated Framework, have shared 10 Minutes on why the COSO Update deserves your attention.

PwC has taken credit for writing the update – and I am happy to give them the credit, but if they want that then they also have to recognize the limitations.

Personally, I think they have exaggerated the value of the update. For example, they say that the updated version is “applicable to more business objectives”. Frankly, that is nonsense. The 1992 framework could be and was being applied by practitioners (including me) to any and all objectives, including internal financial reporting and all forms of non-financial reporting (contrary to PwC’s views in this latest document).

Nevertheless, I agree with PwC that the update provides an excellent opportunity to revisit both the effectiveness and efficiency of your internal controls.

PwC shares their approach, which I don’t think is correct as it is not risk-based.

Here is mine:

  1. Do you understand the risks to your mission-critical objectives?
  2. Do you have the controls in place to give you reasonable assurance that those risks are being managed at acceptable levels? (If you are concerned about satisfying the new COSO Principles, remember that they can be assessed as present and functioning as long as there are no major weaknesses that indicate that risks are not managed at acceptable levels).
  3. Do you have the right controls? Are they the most effective and efficient combination of controls? Do you have too many (COSO doesn’t ask this question, nor whether you have the best combination of controls)?
  4. As you look at your strategies and plans for the next year or so, do you have to make changes to your internal controls so they can support changes in your business and its operations?

I welcome your views.

New E-Book on Segregation of Duties: A Review

November 12, 2014 1 comment

I congratulate Larry Carter for his new e-book, published by Compliance Week, on the topic “Segregation of Duties and Sensitive Access: Leveraging System-Enforced Controls”.

This is a timely discussion and explanation of a difficult topic and it includes useful information on the differences between manual and automated controls, preventive and detective controls, and more.

I believe it will be a useful read for internal auditors and application developers who are relatively new to the area, and a reminder to more experienced individuals of some of the key points to consider when designing automated controls to prevent individuals from having more access than they need – which can lead not only to fraud, but disruption, errors, and accidents.

For example, when I was leading the internal audit and SOX programs at Maxtor Corporation, the external auditor asked for access so he could examine some of the SAP configurations as part of his control testing. IT inadvertently provided him not only with the access he requested, read-access to the tables involved, but the ability to change the accounting period. Without realizing what he was doing, the auditor closed the accounting period while our financial team was still posting quarter-end journal entries!

Larry makes the excellent point that we need to consider not only inappropriate combinations of access privileges (i.e., Segregation of Duties, or “SOD”) but inappropriate access to a single capability. He calls this latter Sensitive Access, although the more common term is Restricted Access (“RA”).

As he points out, it is good business practice to limit everybody to the access they need to perform their job. Although it may be easier to establish the same access ‘profile’ (a set of access privileges) for several people, care has to be taken to ensure that nobody has more access than they need. If they do, that creates a risk that they may deliberately or inadvertently use that access and create a problem.

Some years ago, my internal auditors found that an individual in Procurement had the ability to create a vendor in the system and approve payment, as well as approve a purchase order. This creates a risk of fraud. The IT manager said there was a control: “We don’t tell people what access they have”. As you might imagine, we didn’t accept that argument.
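An added illustration, not code from the e-book or from this post: a minimal check for the two conditions described above, inappropriate combinations of access (SOD) and access to a single sensitive capability (RA), evaluated on the privileges users actually receive through their access profiles. All profile names, privilege names, users and rules are constructed for the example.

```python
"""Check access profiles for SOD conflicts and restricted-access grants.

Everything below (profiles, privileges, users, rules) is constructed sample
data for illustration; it does not describe any real system.
"""

# A profile is a named set of privileges that can be assigned to several people.
PROFILES = {
    "BUYER":           {"po.create"},
    "PROCUREMENT_ALL": {"vendor.create", "po.approve", "payment.approve"},
    "VENDOR_MAINT":    {"vendor.create"},
    "AP_APPROVER":     {"payment.approve"},
    "AUDIT_SUPPORT":   {"config.display", "period.close"},  # more than read access
    "GL_CLOSE":        {"journal.post", "period.close"},
}

# Users and the profiles assigned to them.
USER_PROFILES = {
    "buyer01":     ["BUYER"],
    "buyer02":     ["PROCUREMENT_ALL"],
    "clerk01":     ["VENDOR_MAINT", "AP_APPROVER"],
    "ext_auditor": ["AUDIT_SUPPORT"],
    "controller":  ["GL_CLOSE"],
}

# SOD rules: no single user should hold every privilege in a rule's set.
SOD_RULES = {
    "vendor_and_payment": {"vendor.create", "payment.approve"},
    "vendor_and_po":      {"vendor.create", "po.approve"},
}

# Restricted access: sensitive privilege -> users authorized to hold it.
RESTRICTED = {
    "period.close": {"controller"},
    "journal.post": {"controller"},
}


def effective_access(user, user_profiles, profiles):
    """Map each privilege the user holds to the profiles that grant it."""
    granted = {}
    for profile in user_profiles.get(user, ()):
        for priv in profiles[profile]:
            granted.setdefault(priv, set()).add(profile)
    return granted


def sod_violations(user_profiles, profiles, rules):
    """Return (user, rule, granting_profiles) for every SOD rule a user breaks.

    The check runs on the union of a user's profiles, so it also catches
    conflicts created by combining two profiles that are each acceptable.
    """
    findings = []
    for user in sorted(user_profiles):
        granted = effective_access(user, user_profiles, profiles)
        for rule, privs in sorted(rules.items()):
            if privs.issubset(granted):
                sources = sorted(set().union(*(granted[p] for p in privs)))
                findings.append((user, rule, sources))
    return findings


def restricted_violations(user_profiles, profiles, restricted):
    """Return (user, privilege, granting_profiles) for unauthorized sensitive access."""
    findings = []
    for user in sorted(user_profiles):
        granted = effective_access(user, user_profiles, profiles)
        for priv, authorized in sorted(restricted.items()):
            if priv in granted and user not in authorized:
                findings.append((user, priv, sorted(granted[priv])))
    return findings


if __name__ == "__main__":
    for user, rule, sources in sod_violations(USER_PROFILES, PROFILES, SOD_RULES):
        print(f"SOD  {user}: breaks {rule} via {', '.join(sources)}")
    for user, priv, sources in restricted_violations(USER_PROFILES, PROFILES, RESTRICTED):
        print(f"RA   {user}: holds {priv} via {', '.join(sources)}")
```

Reporting the granting profile alongside each finding shows whether the fix is to change one person's assignment or to split a shared profile that gives everyone in it more access than they need.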

This brings me to the critical topic of risk.

Larry makes the excellent and key point that you need to design your controls to address risk. You don’t design and operate controls for any other reason. With SOD, the primary reason for limiting inappropriate combinations of access is to prevent fraud. As he says, it is important to perform a fraud risk analysis and use that to identify the SOD controls you need.

When it comes to controls relating to sensitive or restricted access, the controls you need should also be determined by risk. For example, you will probably want to ensure that only a limited number of people have the ability to approve a journal entry, not only because of the risk of fraud but because you want an appropriate review and approval process to occur before they are posted. Similarly, you will want expenditures over a certain value to be approved by a more senior manager, and that is enforced through a restricted access control.

While Larry makes it clear that risk should drive the determination of what controls you need, I wish that had been how he designed his process for identifying necessary SOD and RA controls. Instead he identifies the total population of potential controls and only then considers (although it is less clear than it should be) whether the risk justifies having a control.

In fact, sometimes there are other controls (other than automated SOD or RA controls) that mitigate or even eliminate the risk. When the design of internal controls is based on a risk assessment that considers all the available controls, you are more likely to be able to design a more efficient combination of controls to address important risks. For example, let’s say you have a risk that individuals with inappropriate access to the spare parts inventory might use that to steal materials critical to manufacturing. At first blush, a control to ensure only authorized people have access might seem mandatory – and it would certainly be good practice. But, if the manager of the warehouse had an inventory taken of that area of the warehouse twice each day, the personnel working there could be relied upon to challenge anybody entering the space, and cameras detected any access, the value of an automated RA control is significantly diminished.

A related issue that Larry unfortunately doesn’t mention is the need to limit the access capabilities of the IT staff – not only to functions within applications, but to functions within IT business processes. For example, you need to limit who can change application code or bypass all your controls using “superuser” capabilities.

Another area that is often overlooked is the need to limit ‘read-only’ access to confidential information. Restricting access privileges that would allow unauthorized individuals to view customers’ or employees’ personal information, or confidential corporate information, may be required to comply with laws and regulations as well as to address the risk of theft or misuse of that information.

Overall, this is an e-book with a lot of useful information and it is an easy read.

Norman Marks is a semi-retired internal audit executive, author of World-Class Internal Audit and How Good is your GRC? (both are available on Amazon), and a frequent blogger on the topics of governance, risk management, internal audit, and the effective use of technology in running the business. He can be reached at nmarks2@yahoo.com.