Archive for the ‘Sarbanes’ Category

Protiviti provides insights into COSO 2013

May 3, 2014

The latest publication from Protiviti with answers to Frequently Asked Questions about the Updated COSO Internal Control Framework has some excellent content.

Protiviti emphasizes the continuing need to embrace the top-down and risk-based approach in determining the scope of the SOX program. I like that and congratulate them for emphasizing that point.

However, they have also suggested (as has pretty much everybody else) that companies should map controls to the 17 COSO Principles.

I have expressed my disagreement with the idea of identifying controls to include in the SOX scope before determining whether there is a risk (at least a reasonable possibility of a material error or omission in the financial statements filed with the SEC) that needs to be addressed.

However, it is useful on general principles to consider all the Principles and discuss them with senior management and then with the Board (or audit committee).

The Principles are important, if not essential, to a system of internal control that addresses risks to the more significant objectives of the organization. It is very difficult to argue that they don’t represent good business practices.

But when it comes to the SOX scope, the regulators have said that you can assess the system of internal control as effective if there are no material weaknesses.

How do you reconcile that with the commandments in COSO 2013 that the system of internal control is effective when:

(a) It provides reasonable assurance that risks to objectives are at acceptable levels. (Unfortunately, many consultants, trainers, and commentators have overlooked the COSO text that puts this requirement first, before talking about components and principles),

(b) The components are present and functioning and working together, and

(c) All relevant principles are present and functioning?

A couple of observations:

(a) You can assess the components as present and functioning if you have assessed the principles as present and functioning.

(b) You can assess the principles as present and functioning if any deficiencies are less than “major” (i.e., represent less than a significant risk to the achievement of the objective). In other words, if you don’t have a deficiency relating to the principle that would be assessed (using traditional SOX control deficiency methods) as a material weakness, you can consider the principle as present and functioning.

In one section, Protiviti suggests that if you have a deficiency such that you assess the principle as other than present and functioning, you have a material weakness. I think that is circular thinking. You don’t assess the principle as less than present and functioning unless there is a deficiency that you assess as (in SOX terms) a material weakness. So it’s not the fact that the principle is defective that leads to the material weakness; it’s the material weakness that leads to the principle being defective.

Many of the controls required to address the principles are of the type discussed by the regulators as “indirect entity-level controls”. When these fail, their effect is not to create risk to the financial statements directly; their effect is to increase the level of risk that other controls will fail.

If there is less than a reasonable possibility that, as a result of the indirect control failing, one or more direct controls will fail and lead to a material error or omission, then the failure of the indirect control should not be considered a material weakness.

So, you need to know your direct control population before you can assess potential indirect control deficiencies. Let’s take an example and consider two of the Principles:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

Any company generates and communicates a massive volume of information. However, what we are concerned about for SOX (in fact for any objective) is whether the individuals performing key controls have the information they need to perform those controls reliably. In order to assess whether this Principle is present and functioning, you need to assess it in relation to your key controls – and for that you need to know what they are.

The same thing applies to Principle 4: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.” Here, we are concerned about the competency of the individuals performing and responsible for our key controls. We all know that even a world-class HR department doesn’t mean that every employee is world class, so I for one would have difficulty placing reliance on HR processes. I need to assess competency as part of assessing each key control.

By the way, Protiviti (and PwC) suggest that there are multiple objectives when it comes to SOX. I have one: “the financial statements that are filed with the SEC are free of material error or omission”. This single objective covers all the objectives they have suggested. For example, compliance with accounting standards is necessary to have the financials free of material error.

I have previously shared my approach to this issue of integrating the COSO 2013 Principles into the top-down and risk-based approach. It is explained in more detail, principle by principle, in my SOX book (available from the IIA Bookstore and Amazon).

The more I talk about my approach with regulators, firm partners, COSO leaders, and senior practitioners, the more I think it is common sense and practical.

So here’s a refinement for those who have already mapped controls to the principles.

Take each of the controls that have been determined as necessary to address the principles and ask this question:

“If this control failed, would it represent at least a reasonable possibility that a material error or omission in the financial statements filed with the SEC would not be prevented or detected on a timely basis?”

If the answer is no, then you may at your discretion remove this control from the SOX scope. If it failed it would not cause the principle to fail; there would be no material weakness.

Remember that the SEC and PCAOB have directed that the scope only needs to address the risk of a material misstatement. Going further is a choice.

Should your external auditor, consultant, or other advisor ask that you include a control “because it is necessary to meet COSO requirements” or because “it is necessary to meet our firm requirements”, ask them this:

“Why? Where is the risk? If it failed, would it lead to a material weakness?”

I welcome your comments.

COSO Checklists – Is your audit firm using one?

February 27, 2014

If your audit firm is asking you to complete a COSO checklist with the 17 Principles, please let me know a.s.a.p. I am talking to a regulator who would like to know.

Thanks!

Questions for the Audit Committee to ask the External Auditors in early 2014

February 15, 2014

The Audit Committee of the Board (or equivalent) is responsible for oversight of the external auditors’ work. This should include taking reasonable measures to ensure a quality audit on which the board and stakeholders can place reliance. As a second priority, it should also include ensuring that the audit work is efficient and does not result in unnecessary disruption or cost to the business.

Audit Committees around the world should be concerned by the findings of the regulators who audit the firms in the US (the Public Company Accounting Oversight Board, or PCAOB). They examine a sample of the audits by the firms of public companies’ financial statements and system of internal control over financial reporting. A report is published for each firm and an overall report is also published every few years.

In their October 24, 2013 Staff Alert, the PCAOB highlighted “deficiencies [they] observed in audits of internal control over financial reporting”. They reported that “firms failed to obtain sufficient audit evidence to support their opinions on the effectiveness of internal control due to one or more deficiencies”. In addition, in a large majority of the audits where there were such deficiencies, “the firm also failed to obtain sufficient appropriate evidence to support its opinion on the financial statements”.

While the Staff Alert is intended to help the firms understand and correct deficiencies, it also calls for action by the Audit Committee of each registrant:

“Audit committees of public companies for which audits of internal control are conducted may want to take note of this alert. Audit committees may want to discuss with their auditor the level of auditing deficiencies in this area identified in their auditor’s internal inspections and PCAOB inspections, request information from their auditor about potential root causes, and inquire how their auditor is responding to these matters.”

In a related matter, COSO released an update last year to its venerable Internal Control – Integrated Framework. It includes a discussion of 17 Principles and related Points of Focus. Reportedly, the audit firms and consultants are developing checklists that require management to demonstrate, with suitable evidence, that all the Principles (and in some cases the Points of Focus) are present and functioning. This ignores the fact that COSO has publicly stated that their framework remains risk-based and they never intended nor desired that anybody make a checklist out of the Principles.

Of note is the fact that the PCAOB and SEC have not changed their auditing standards and guidance. They continue, as emphasized in the PCAOB Staff Alert, to require a risk-based and top-down approach to the assessment of internal control over financial reporting.

However, the checklist approach does not consider whether a failure to have any of these Principles or Points of Focus present and functioning represents a risk to the financial statements that would be material.

In other words, blind completion of the checklist is contrary to PCAOB and SEC guidance that the assessment be risk-based and top-down.

With that in mind, I suggest the members of the Audit Committee consider asking their lead audit partner these seven questions at their next meeting. An early discussion is essential if a quality audit is to be performed without unnecessary work and expense to the company.

1. Was your audit of our company’s financial statements and system of internal control reviewed by the PCAOB? If so:

  • For which year was it reviewed?
  • Did the Examiners report anything they considered a deficiency?
    • How significant did they believe it was?
    • Do you agree with their assessment? If not, why not?
    • What actions have been taken to correct that deficiency?
    • What actions will you take to ensure it or similar deficiencies do not recur, including additional training of the staff?
    • Has any disciplinary action been considered?
  • If you did not promptly report this to us, why not?

2. Were any of the partners and managers part of the audit team on a client where the PCAOB Examiners reviewed and had issues with the quality of the audit? If so:

  • What was the nature of any deficiency?
  • How significant did the Examiners consider it to be?
  • What actions have you taken and will continue to take to ensure it and similar deficiencies do not occur on our audit, including additional staff training?

3. Are there any members of your audit team who have been counseled formally or otherwise relating to quality issues identified either by the PCAOB or other quality assurance processes? What assurance can you provide us that you will perform a quality audit without additional cost to us for enhanced supervision and quality control?

4. With respect to the audit of internal control over financial reporting, have you coordinated with management to ensure optimal efficiency, including:

  • A shared assessment of the financial reporting risks, significant accounts and locations, etc., to include in the scope of work for the SOX assessment? In other words, have you ensured you have identified the same financial reporting risks as management?
  • The opportunity to place reliance on management testing? Have you discussed and explained why if you are placing less than maximum reliance on management testing in low or medium risk areas?
  • The processes for sharing the results of testing, changes in the system of internal control, and other information important to both your and management’s assessment?

5. Are you taking a top-down and risk-based approach to the assessment of internal control over financial reporting?

6. Does the top-down and risk-based approach include your processes for assessing whether the COSO Principles are present and functioning? Do your processes ensure that neither your own work nor your requirements of management address areas relating to the Principles and their Points of Focus where a failure would present less than a reasonable possibility of a material misstatement of the financial statements filed with the SEC? Have you limited your own audit work to areas where there is at least a reasonable possibility that a failure would lead to a material error – directly or through its effect on other controls relied upon to either prevent or detect such errors? Or have you developed and are using a checklist contrary to the requirements of Auditing Standard No. 5, instead of taking a risk-based approach?

7. How do you ensure continuous improvement in the quality and efficiency of your audit work?

I welcome your comments.

Understanding the COSO Frameworks

February 11, 2014

Whether you are a fan of the COSO ERM and Internal Control frameworks or not, a paper just released by COSO is worth reading and thinking about.

The intent of the two authors (my good friend Jim DeLoach of Protiviti and Jeff Thomson of the Institute of Management Accountants) is to explain how the COSO frameworks fit within and enhance the operation’s processes for directing and managing the organization. In their words:

“Our purpose in writing this paper is to relate the COSO frameworks to an overall business model and describe how the key elements of each framework contribute to an organization’s long-term success.”

My intent in this post is not to quibble with some of the concepts and language with which I disagree (such as their portrayal of risk appetite), but to highlight some of the sections I really like (with occasional comments) and encourage you to read the entire paper.

For those of you who prefer the ISO 31000:2009 global risk management standard (and I am among their number), the paper is worth reading because it stimulates thinking about the role of risk management in setting strategy and thereafter optimizing performance. It has some useful language and insight that can help people understand risk management, whatever standard you adopt. That language can be used by ISO advocates, for example when explaining risk management to executives and the board.

In addition, even if you like the ISO risk management standard, it does not provide the insight into internal control provided by the COSO framework. It is perfectly acceptable, in my opinion, to adopt ISO for risk management and COSO for internal control.

I have one quibble that I think is worth mentioning: the authors at one point say that internal control “deals primarily with risk reduction”. I disagree. It should serve to provide assurance that the right level of risk is taken. On occasion, that may mean taking more risk. For example, one objective that is too often overlooked is to be efficient. More risk in reviewing expense reports might be appropriate when the cost of intense reviews exceeds the potential for expense-related fraud or error. Another example is when a decision has to be made on the quantity of key raw materials to re-order as quantities on hand fall. Current practice may be to place an order that will bring inventory to 20% more than is expected to be consumed in the next period, as a precaution in case of quality issues or should incoming orders exceed the anticipated level. But, having excess materials can result in a different risk. Risk management thinking can help us decide how much risk to take when it comes to running out of raw materials compared to how much risk to take that the materials may degrade due to extended time sitting on the shelf.

But back to talking about the “good bits”, with the first from the Executive Summary:

“Within the context of its mission, an organization is designed to accomplish objectives. It is presumed that the organization’s leaders can articulate its objectives, develop strategies to achieve those objectives, identify the risks to achieving those objectives and then mitigate those risks in delivering the strategy. The ERM framework is based on objective setting and the identification and mitigation or acceptance of risks to the achievement of objectives. The internal control framework is designed to control risks to the achievement of objectives by reducing them to acceptable levels. Thus, each of the frameworks is inextricably tied into the operation of a business through the achievement of objectives. ERM is applied in the strategy-setting process while internal control is applied to address many of the risks identified in strategy setting.”

Comment: While COSO Internal Control Framework assumes (or presumes) that the appropriate objectives are set, as we all know controls within the objective-setting process are essential to address such matters as engaging the right people in the decisions and providing them with reliable information.

“The ERM framework asserts that well-designed and effectively operating enterprise risk management can provide reasonable assurance to management and the board of directors regarding achievement of an entity’s objectives. Likewise, the internal control framework asserts that internal control provides reasonable assurance to entities that they can achieve important objectives and sustain and improve performance. The “reasonable assurance” concept embodied in both frameworks reflects two notions. First, uncertainty and risk relate to the future, which cannot be precisely predicted. Second, risks to the achievement of objectives have been reduced to an acceptable level.”

“In general, ERM involves those elements of the governance and management process that enable management to make informed risk-based decisions. Informed risk responses, including the internal controls that accompany them, are designed to reduce the risk associated with achieving organizational objectives to be within the organization’s risk appetite. Therefore, ERM/internal control and the objective of achieving the organization’s strategic goals are mutually dependent.”

“Robust enough to be applied independently on their own, the two COSO frameworks have a common purpose — to help the enterprise achieve its objectives and to optimize the inevitable tension between the enterprise’s value creation and value protection activities. Therefore, both facilitate and support the governance process when implemented effectively.”

“ERM instills within the organization a discipline around managing risk in the context of managing the business such that discussions of opportunities and risks and how they are managed are virtually inseparable from each other. An organization’s strategic direction and its ability to execute on that direction are both fundamental to the risks it undertakes. Risks are implicit in any organization’s strategy. Accordingly, risk assessment should be an integral part of the strategy-setting process. Strategic and other risks should be supported or rationalized by management’s determination that the upside potential from assuming those risks is sufficient and/or the organization can manage the risks effectively.”

“The risk assessment process considers inherent and residual risk and applies such factors as likelihood of occurrence, severity of impact, velocity of impact, persistence of impact and response readiness to analyze and prioritize risks. Risk assessment techniques include contrarian analysis, value chain analysis, scenario analysis, at-risk frameworks (e.g., value, earnings, cash flow or capital) and other quantitative and qualitative approaches to evaluating risk. Furthermore, risk assessment considers relationships between seemingly unrelated events to develop thematic insights on potential long-term trends, strategic possibilities and operational exposures.”

Comment: Although many leading experts have moved away from the concepts of inherent and residual risk, I still like them. What I like most in this paragraph is the discussion of other important attributes of risk. Impact and likelihood are not the only factors to consider when assessing whether the level of risk is acceptable.

“…organizations must “plan” for disruption and build and refine their radar systems to measure and be on the alert for changes in key risk indicators (leading indicators) versus rely solely on key performance indicators (which are often lagging and retrospective in nature). Looking forward will enable an organization’s culture to support an experimental and adaptable mindset. Adapting is all about positioning companies to quickly recognize a unique opportunity or risk and use that knowledge to evaluate their options and seize the initiative either before anyone else or along with other organizations that likewise recognize the significance of what’s developing in the marketplace. Early movers have the advantage of time, with more decision-making options before market shifts invalidate critical assumptions underlying the strategy. Failing to adapt can be fatal in today’s complex and dynamic business environment.”

“Organizational resiliency is the ability and discipline to act decisively on revisions to strategic and business plans in response to changing market realities. This capability begins to emerge as organizations integrate strategic plans, risk management and performance management and create improved transparency into the enterprise’s operations to measure current performance and anticipate future trends.”

I welcome your comments on this paper and my analysis.

Internal Auditors should be Brave

February 9, 2014

It can be hard for internal auditors to tell their stakeholders, whether at board level or in top management, what is putting the organization at greatest risk.

It can be hard to say that the root cause for control failures is that there aren’t enough people, or that the company does not pay enough to attract the best people.

It can be hard to tell the CEO or the audit committee that the executive team does not share information, its members compete with each other for the CEO’s attention, and as a group it fails to meet any person’s definition of a team.

It can be hard to say that the CFO or General Counsel is not considered effective by the rest of management, who tend to ignore and exclude them.

It can be hard to say that the organization’s structure, process, people, and methods are insufficiently agile to succeed in today’s dynamic world.

But these are all truths that need to be told.

If the emperor is not told he has no clothes, he will carry on without them.

Internal auditors at every level are subject to all kinds of pressure that may inhibit them from speaking out:

  • They may believe, with justification, that their job is at risk
  • They may believe, with justification, that their compensation will be directly affected if they alienate top management
  • They may believe that their career within the organization will go no further without the support of top management, even if they receive the support of the board
  • The level of resources provided to internal audit will probably be limited, even cut
  • The CEO and other top executives have personal power that is hard to oppose
  • They are focused on “adding value” and do not want to be seen as obstacles
  • They fear they will never get anything done, will not be able to influence change, and will be shut out of meetings and denied essential information if they are seen as the enemy

Yet, if internal auditors are to be effective, they need to be able to speak out – even at great personal risk.

It would be great if internal auditors were protected from the inevitable backlash. I know of at least one CAE that has a contract that provides a measure of protection, but most are only protected by their personal ethics and moral values.

It would be great if the audit committee of the board ensured that the CAE is enabled to be brave. But few will oppose an angry CEO or CFO.

We need to be brave, but not reckless. There are ways to tell the emperor about his attire without losing your neck. They include talking and listening to allies and others who can help you. They include talking to the executives in one-on-one meetings where they are not threatened by the presence of others. Above all, it is about not surprising the emperor when he is surrounded by the rest of the imperial court.

It is about treating the communication of bad news as a journey, planning each step carefully and preparing the ground for every discussion.

It is also about being prepared to listen and if you are truly wrong being prepared to modify the message.

But, the internal auditor must be determined to tell the truth and do so in a way that clearly explains the facts and what needs to be done.

I close with a tongue-in-cheek suggestion that the song Brave by Sara Bareilles (well worth watching) become our anthem.

You can be amazing
You can turn a phrase into a weapon or a drug
You can be the outcast
Or be the backlash of somebody’s lack of love
Or you can start speaking up

Everybody’s been there,
Everybody’s been stared down by the enemy
Fallen for the fear
And done some disappearing,
Bow down to the mighty
Don’t run, just stop holding your tongue

And since your history of silence
Won’t do you any good,
Did you think it would?
Let your words be anything but empty
Why don’t you tell them the truth?

Say what you wanna say
And let the words fall out
Honestly I wanna see you be brave
With what you want to say
And let the words fall out
Honestly I wanna see you be brave

What Audit Committees (Should) Want

January 25, 2014

Michele Hooper is a highly-respected (including by me) member and chair of audit committees. She has been a passionate advocate for internal audit and its profession for many years and an advisor to the Institute of Internal Auditors (IIA). In addition, she has been very active with the Center for Audit Quality (CAQ), which is where I met her (she was chair of a CAQ meeting in San Francisco to discuss fraud and I was present as a representative of the IIA).

In December, Michele was interviewed for an article in Internal Auditor (Ia), What Audit Committees Want.

The article brings out some important points. I agree with some and disagree with others (in part because they are left unsaid).

The very first sentence is telling:

“I rely on CAEs to be my eyes and ears in the organization, reporting back on culture, tone, and potential issues that may be emerging within the business”.

The expression ‘eyes and ears’ is an old and perhaps tired phrase. On one hand, it implies that internal audit is spying on management and then running, like a child, to tell on it. On the other, it describes the important role of internal audit as a source of critical information to the board on what is happening within the organization, which may be different from what they are hearing from management.

I can accept that, but what I especially like and appreciate are the next words: “culture, tone, and potential issues that may be emerging within the business”.

Michele is not talking about controls. She is not even talking directly about the management of risk. She is talking first about the culture and tone of the organization, and then about emerging business risks and related issues.

Does your internal audit function provide the board and its audit committee with a sense of the culture and tone within the organization – at the top, in the middle, and in the trenches? If not, why not?

Does your internal audit function ensure that the board is aware of new and emerging business risks and related issues? If not, why not?

Then Michele goes astray:

“An important responsibility critical to audit committee and board discussions is the CAE’s ownership and prioritization of the process management framework for risk identification.”

The CAE should not own the process for identifying and prioritizing risks. The IIA has made that clear in its famous Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management. It says: “Management is responsible for establishing and operating the risk management framework on behalf of the board… Internal auditor’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management”.

When Michele is asked about the risks she and the audit committee will worry about in 2014, she comments on:

  • Culture
  • Tone
  • Internal control
  • Compliance, especially regulatory compliance
  • Cyber vulnerabilities
  • Financial reporting
  • Reputation risk, and
  • Oversight of the external auditor

What she does not mention are:

  • The effectiveness of the organization’s ability to manage risks to the achievement of objectives
  • The effectiveness of governance processes
  • The need for the audit committee to work collaboratively with other board committees, such as the risk and governance committees, to ensure risks are managed at acceptable levels

I wish she had. I especially wish she had mentioned the magic word:

ASSURANCE

Let’s return to basics, but with a new twist: a new explanation of the primary purpose and value of internal auditing.

Internal audit provides objective assurance to the board and top management of the effectiveness of the entity’s organization, people, processes, and systems in managing risks to the achievement of the entity’s objectives at acceptable levels.

Does your internal audit department provide that assurance, formally, to the board and top management?

What they don’t know will probably hurt them

January 18, 2014

It is always interesting to read the various studies that report that directors don’t have an in-depth understanding of their organization’s business, its strategies, and the related risks. In fact, the studies generally report that the level of understanding is insufficient for them to provide effective oversight of management and governance of the organization.

I want to turn this on its head.

If you are the head of risk management, internal audit, information security, or a senior executive, answer this question:

Do you believe that your directors have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; its strategies; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate the directors? What are you doing about it and is that sufficient?

Now let’s ask another question:

Do you believe that your top executives (including the CEO and CFO) have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate them? What are you doing about it and is that sufficient?

If the directors and/or top executives don’t understand reality the way you do, if their head is in the sand or in a more pungent place, shouldn’t your priority be to help them get their head on straight, pointed in the right direction? If they don’t understand the current state of the organization, shouldn’t the process of informing and educating them be fixed before trying to communicate new areas of concern?

I welcome your views and commentary.