Evaluating Internal Control over Financial Reporting

Shared by: Nick Eubanks
Posted: 11/12/2008
A subjective approach to stratify identified risks, ensure adequate financial statement assertion coverage, and reduce compliance costs via risk-focused testing

INTRODUCTION

Last year’s passage of Auditing Standard No. 5 (AS 5) seems to have been the Public Company Accounting Oversight Board’s (PCAOB) attempt to swing the Sarbanes Oxley regulatory pendulum back from the process-oriented, control-centric, “kitchen sink” approach to one that allowed companies to make intelligent choices around properly mitigating their financial reporting risks via a top-down, risk-based assessment. This in theory should have significantly lowered the amount of work to be done and the costs to be incurred. Furthermore, Auditing Standard 5 also encouraged auditors to rely on the work of others (i.e. documenting and testing key controls) when evaluating the system of internal control, which should have reduced the overall costs of SOX compliance even further.

Unfortunately, in practice, these savings have not been fully realized. In point of fact, external auditors often duplicate their clients’ internally generated work or perform testing of controls deemed non-key because of management’s inability to clearly and succinctly demonstrate how their own efforts addressed the organization’s financial reporting risks for the relevant assertions of significant accounts and disclosures. If management is unable to do so, then external auditors have no other choice than to exercise their own judgment in determining what work must be done to arrive at an opinion regarding the adequacy of internal control.
Their judgment would include selecting the controls required to achieve financial assertion coverage as well as the nature (inquiry/observation, examination, or re-performance), timing (reporting periods from which samples will be selected), and extent (sample sizes) of the tests to be performed on those controls. In the current business environment, meeting professional obligations to third-party users of financial statements may impact an auditor’s testing decisions – better safe than sorry.

If an organization truly wants to benefit from AS 5, then it must adopt a systematic, objective approach to evaluating financial reporting and internal control risks and demonstrate that management’s testing approach adequately addresses those risks.

CHALLENGES IMPACTING MANAGEMENT’S ABILITY TO EVALUATE INTERNAL CONTROL OVER FINANCIAL REPORTING

Where is the Risk?

Every organization has a host of transaction flows that culminate in many general ledger balances. Those balances are then evaluated, adjusted, consolidated, and reported both in the financial statements and the footnote disclosures. Because of the size and complexity of operations and financial reporting, the challenge for most organizations is identifying the most likely points at which potential material misstatements of reported results could occur. By objectively evaluating the attributes inherent to financial reporting risk (balance and assertion) as well as internal control risk (the quality of process activities and the competence of the people performing the controls), management can assign a numeric ICFR (internal control over financial reporting) risk score to each control and then stratify the controls from highest to lowest in order to identify those with the highest potential for failure.
This approach should enable management to appropriately direct its efforts toward the activities which could negatively impact its ability to meet obligations under Sarbanes Oxley.

Financial Statement Assertion Coverage

Financial statement assertions are nothing new – Sarbanes Oxley has merely changed them from implicit to overt declarations regarding the balances and disclosures reported by management. Management must now be able to articulate which assertions should be made about a particular account and which assertions each control provides coverage for. Inexperience with performing this task, or unfamiliarity with the details or nuances of each control on the part of the person performing the “Assertion Sourcing” task, can result in four common problems:

1. Failure to document and evaluate all relevant assertions for each significant account. As a result, it becomes difficult if not impossible to ascertain whether all controls necessary are in place to adequately report on an account.
2. Redundant controls resulting in unnecessary testing due to the difficulty in evaluating the “many to many” relationships of risks, controls, and accounts.
3. Associating the wrong controls with an assertion, i.e. ones that won’t help meet the assertion. This situation can result from misunderstanding either the control or the assertion definition.
4. Claiming a control meets an assertion when it actually covers only a portion. For instance, the Completeness assertion is really composed of both Completeness and Cutoff; that is, all transactions are recorded in the proper period. A control like bank reconciliations allows management to assert proper cut-off, but not the completeness of the transactions which should have been recorded in the General Ledger.
A SUGGESTED METHODOLOGY TO OVERCOME THESE ISSUES

Control Sourcing – Ensuring Assertion Coverage While Optimizing Controls

To overcome these issues, a control-optimization effort can be designed to identify duplicative, overlapping, or non-financial key controls for elimination from testing, as well as any areas where additional controls are needed or testing needs to be enhanced. However, while critical, the effort is not always simple. Effective control optimization requires the ability to evaluate the “many to many” relationships of risks, controls, and accounts and evaluate which control would best enable management to make assertions about significant accounts. Control optimization also requires understanding which major classes of transactions in each cycle impact those accounts.

Since many organizations utilize spreadsheets to capture the risk and control data attributes/elements, they often find it difficult to evaluate the assertion coverage obtained, because there are too many unique dimensions for Excel to deal with. Management should consider a true database structure to facilitate “Control Sourcing” to accounts and assertions in order to expose both duplication and control gaps through analysis.
A good way to visualize the required data structure would be the following table listing the relevant assertions against their associated controls for a specific account (in this case Cash):

[Table: relevant assertions against associated controls for the Cash account. Columns: Existence, Completeness, Rights/Obligations, Valuation/Allocation, Presentation/Disclosure. Rows: Cash; Revenue/Receivable (Control #1, Control #2); Procure to Pay (Control #3, Control #4); Treasury (Control #5, Control #6); Closing Process (Control #7 Bank Reconciliations). A cell is marked “X” where a control covers an assertion.]

In this example, note:

- There is no need to cover Valuation/Allocation and Presentation/Disclosure because they have been deemed irrelevant for the Cash Account.
- Procure to Pay is exposed because there is no control to cover Completeness.
- Control #6 might be redundant because Control #5 covers the same assertion. We may decide to keep Control #5 as an important supplement depending on the risk, but it certainly is a candidate for removal.

The table makes this analysis straightforward, but creating such a table can be quite difficult unless a strong reporting or business-intelligence engine is used.

Additionally, a further delineation of the five COSO assertions into their more elemental parts could aid management in assessing the adequacy of assertion coverage during “Control Sourcing”. As mentioned previously, bank reconciliations enable management to assert that Cash exists and that recorded transactions have been recorded in the proper period. By placing an “X” in the Completeness column, management may inadvertently believe no other control is necessary and improperly eliminate other controls from consideration. However, if the data structure were modified to recognize Completeness and Cutoff as subsets of the Completeness assertion, then management would very quickly recognize the need to identify controls in Revenue to Receivable, Procure to Pay, and Treasury, which will ensure that all transactions have been recorded.
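The coverage analysis described above, as an added example that is not part of the original paper or the authors' software: a many-to-many link table queried for per-process coverage gaps and removal candidates, first with the coarse assertion labels and then with Completeness split into its elements. The control-to-assertion links, the "Recorded"/"Cutoff" labels, and all function names are constructed for illustration, and the sketch assumes every process feeding the account needs coverage for every relevant assertion.

```python
from collections import defaultdict

# Assertion elements deemed relevant for Cash. Completeness is split into
# "Recorded" (all transactions captured) and "Cutoff" (proper period).
RELEVANT = {"Cash": ["Existence", "Completeness:Recorded",
                     "Completeness:Cutoff", "Rights/Obligations"]}

# Constructed link table: (account, process, control, assertion element).
LINKS = [
    ("Cash", "Revenue/Receivable", "Control #1", "Existence"),
    ("Cash", "Revenue/Receivable", "Control #1", "Rights/Obligations"),
    ("Cash", "Revenue/Receivable", "Control #2", "Completeness:Cutoff"),
    ("Cash", "Procure to Pay", "Control #3", "Existence"),
    ("Cash", "Procure to Pay", "Control #4", "Rights/Obligations"),
    ("Cash", "Treasury", "Control #5", "Existence"),
    ("Cash", "Treasury", "Control #5", "Completeness:Cutoff"),
    ("Cash", "Treasury", "Control #5", "Rights/Obligations"),
    ("Cash", "Treasury", "Control #6", "Completeness:Cutoff"),
    ("Cash", "Closing Process", "Control #7", "Existence"),
    ("Cash", "Closing Process", "Control #7", "Completeness:Cutoff"),
    ("Cash", "Closing Process", "Control #7", "Rights/Obligations"),
]

def _by_process(account, split):
    """process -> control -> assertion set; coarse labels unless split."""
    cov = defaultdict(lambda: defaultdict(set))
    for acct, proc, ctrl, elem in LINKS:
        if acct == account:
            cov[proc][ctrl].add(elem if split else elem.split(":")[0])
    return cov

def gaps(account, split=False):
    """Relevant assertions that no control covers, per process."""
    labels = [a if split else a.split(":")[0] for a in RELEVANT[account]]
    need = list(dict.fromkeys(labels))  # de-duplicate, keep order
    out = {}
    for proc, ctrls in _by_process(account, split).items():
        covered = set().union(*ctrls.values())
        missing = [a for a in need if a not in covered]
        if missing:
            out[proc] = missing
    return out

def removal_candidates(account, split=True):
    """(process, control, covering control) where one control subsumes another."""
    return [(proc, c, other)
            for proc, ctrls in _by_process(account, split).items()
            for c, a in ctrls.items() for other, b in ctrls.items()
            if other != c and a <= b and (a < b or other < c)]
```

With the coarse labels only Procure to Pay shows a gap; with `split=True` every process whose "Completeness" mark was really a cutoff control shows a gap for recorded transactions.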

Control Right-Sizing

Once the sourcing process has been completed, management should assess whether or not they have the correct controls. Process level controls tend to be numerous and performed with a high degree of frequency. These controls result in a more extensive and time-consuming testing effort. Instead, management should attempt to identify entity level controls that are both pervasive and rigorous enough to permit them to meet assertions regarding entire account balances rather than just individual process transactions. Financial close controls are actually entity level controls in that they generally monitor other controls. For example, management’s periodic business performance review of the income statement is often performed with sufficient granularity that assertions regarding the completeness and cut-off of some account balances can be made, i.e. budget to actual comparisons of Rent Expense. Additionally, some process level controls are pervasive enough to qualify as entity level controls. A three-way match of purchase order, bill of lading and invoice performed in a shared services environment may permit management to make assertions regarding the validity of the Accounts Payable account balance.

Risk-Based Testing

Many organizations currently utilize a “one size fits all” approach to control testing. Control frequency determines sample sizes, and the nature of the tests tends to skew towards examination and re-performance. Management should consider utilizing an approach which considers the combined effect of Financial Reporting risk (FR) (i.e. Materiality and Impact) and Internal Control risk (IC) (i.e. Likelihood), enabling them to assess the relative significance of controls and the potential impact of control failures on Internal Control over Financial Reporting (ICFR) by calculating a numeric score based on objective risk criteria relevant to account balances, assertions, processes and controls in a highly defined manner.
No longer would all controls be equal. Instead, those whose failure could result in a more significant misstatement of the results of operations and required disclosures would receive more robust, objective and timely scrutiny.

The firm of AC Lordi Consulting has developed a testing methodology that leverages the information gained during the risk assessment, and utilizes that information to recommend the nature (inquiry/observation, examination, re-performance), extent (sample sizes) and timing (period from which samples are drawn) for each test based on the ICFR score obtained for the related control. For instance, an automated application control, in a well-controlled ERP environment, ensuring the summary of data compiled in the Accounts Receivable sub-ledger is completely and accurately recorded in the General Ledger is much less risky than the activities of an individual summarizing a list of invoices and then data-entering them to the General Ledger via a manual journal entry. Failure of either control would result in relatively the same financial reporting risk, but the process and control risk of the latter would be significantly higher, so the second control would receive a higher ICFR score based on the process and controls IC risk contribution. This higher score would portend a more severe approach to testing, likely resulting in a larger sample size, performed more often and much closer to the end of the reporting period.

Additionally, this methodology permits an organization to spread the work more evenly over the year by testing the controls with lower (less risky) ICFR scores in earlier quarters, while ensuring that management tests controls with higher ICFR scores closer to the end of the reporting year and that the testing is assigned to the more objective and independent Internal Audit function.
Instead of the usual two-phased approach to testing where the bulk of the testing is performed perhaps nine months into the year, with the remainder done shortly after year-end, and all controls having samples drawn from each of the two periods, management can schedule the tests to occur during less demanding timeframes and Internal Audit can integrate its testing with existing audit responsibilities.

CONCLUSION

Management should take a proactive position in helping frame the conversation about the external auditors’ testing by providing sufficient documentation of a “top-down, risk-based” evaluation of the potential misstatement of financial results and disclosures to third parties. This approach should clearly show how the evaluation focused efforts on riskier activities and should aid management in achieving their desired goal of reducing compliance costs by clearly demonstrating awareness of what could go wrong to the external auditors. Such an approach should also provide senior management and the Board of Directors with greater assurance that their duties have been properly discharged.

Management’s ability to evaluate its control environment is highly dependent on its ability to properly structure its risk assessment in a way that allows deep visibility into the nature of the framework. Knowing what controls can be omitted and what tests can be simplified amounts to understanding the importance associated with a control and the gaps that exist in meeting the assertions. With the right methodology, data structures and reporting toolsets, evaluating internal control over financial reporting becomes straightforward and highly cost-effective for any organization.

About The Authors

Christopher D. Coigne, CPA, CIA, CFE
Business Intelligence International

John Dorsam
AC Lordi

About Business Intelligence International

For over ten years, BI International has led the development of key business solutions for national and international leaders, both large and small across many industries. More recently, it has used its "expert to the experts" know-how to create Aline™. The Aline™ Platform is made up of an affordable set of easy-to-learn and easy-to-use tools that untangle the complexities of a business and organize critical information to a point of clarity, flagging key issues and driving successful decision making.

History of Thought Leadership

About AC Lordi

AC Lordi offers the guidance you need to complete important accounting, internal audit and business advisory initiatives. With the first true top-down, risk-based approach to Sarbanes-Oxley in the industry, our methodology ensures compliance while reducing the overall amount of ongoing testing. We have joined with BII to combine this unique approach with the flexibility and simplicity of their software to offer companies a simple and effective solution for managing compliance programs while drastically reducing time and costs associated with compliance.

AC Lordi Consulting is a leading provider of accounting, internal audit and business advisory services. We serve a broad range of clients from emerging growth through multi-national organizations across most major industries with deep experience in the life sciences, manufacturing and distribution, and professional services industries. Our goal is to provide you with the best possible client service in order to earn your confidence in our team and the quality of our results.

A Dedicated Team of Experts that Gets the Job Done

Our success and growth depend on the skills, intelligence, creativity, and dedication of our associates.
That's why we have assembled a diverse group of the most talented professionals in the industry and empowered them to take initiative and make a difference. This allows us to provide you with a highly committed and focused team of CPAs, CISAs, controllers, and audit managers who share a common purpose - to get the job done and provide exceptional results.

Shared by: Nick Eubanks
About
I am the Chief Internet Strategist for an International Software Firm. We provide On Demand solutions for Governance, Risk, and Compliance +Performance Management.