May 17, 2016
SOX News Channel: 2015 Season Highlights
In one word, how would you describe your company’s 2015 Sarbanes-Oxley (SOX) assessment experience? A few words I heard from various clients: exhausting, over-reaching, challenging, painful, costly, time-consuming, rigorous and stressful. Sound familiar?
Public companies continued to face high expectations and level of effort (emphasis added) to assess effectiveness of internal controls over financial reporting for SOX compliance purposes during 2015. These expectations are higher than ever since PCAOB Audit Standard 5’s risk-based approach was issued effective November 2009, and not likely to decrease any time soon. The Securities and Exchange Commission (SEC) recently increased the Public Company Accounting Oversight Board (PCAOB) budget by three percent for 2016. PCAOB inspections of external audit firms will continue to drive regulatory pressure upon Board and Audit Committees, management and internal control owners on the front lines.
While this all sounds dismal, it can be beneficial.
Just like the early days of SOX, those who embrace achieving a sustainable and successful SOX program through appropriate investment in people, processes and systems will gain the confidence of stakeholders and allow management to focus on the business of running its business. Otherwise, the alternative of reporting and subsequently proving remediation of material weaknesses, and even significant deficiencies, is extremely disruptive to business.
SOX News Update: Six Critical Areas That Require Increased Attention
1. Entity-Level Controls: COSO 2013 Framework Principle 1 Tone at the Top
Most companies have policies in place and various activities carried out at the Board, C-Suite, management and/or employee levels that support integrity, ethical values and effective internal controls for a positive tone at the top. Written policies in place are self-evident. However, there may be improvements needed to take credit for other activities by retaining better evidence.
For example, email communications, intranet website posts and agendas of periodic all-hands meetings are forms of evidence that address and encourage accountability for effective internal controls.
Watch what you say. Perhaps the biggest challenge and risk is behavior demonstrated through verbal communications or lack of involvement that is contrary to appropriate tone at the top. For example, a finance leader venting frustrations with SOX bureaucracy in a group setting, not “owning” SOX program responsibilities, or inadequately allocating resources needed to achieve effective internal controls, raises questions if appropriate tone at the top is really present and functioning. Messaging how this behavior can be perceived and negatively impact other control owners’ sense of accountability may be needed to mitigate the risk of a control environment deficiency.
2. Entity-Level Controls: COSO 2013 Framework Principle 5 Control Owner Accountability
Companies with mature SOX programs have formally assigned and documented who is responsible and accountable for the effectiveness of each internal control over financial reporting. Such assignments start with individual control owners and roll up through the ranks of management and Board levels, as applicable.
However, the recent implementation of COSO 2013 framework highlighted that some companies continue to struggle with educating and driving this accountability down to individual control owners. It’s interesting to note that these companies are oftentimes the ones with challenges of consistently demonstrating a proper tone at the top.
Here are some common misconceptions that may contribute to a lack of control owner(s) accountability:
Only people in management positions have SOX responsibilities-After all, it is ‘management’s assessment’
- Internal Audit and/or other third party provider is viewed as responsible for preparing or updating SOX risk assessment, process documentation and effective design of internal controls over financial reporting
- Internal Audit and/or other third party provider is viewed as responsible for operating and evidencing effectiveness of internal controls over financial reporting by virtue of their re-performance testing procedures
- IT (or the business) is the sole owner of automated, application and IT-dependent controls when actually such controls should have joint, collaborative ownership
So what entity-level controls can be put in place or improved upon to drive accountability and satisfy Principal 5 of COSO 2013?
- Document and communicate control owner(s) assigned to each control; this often is done through the master risk/control matrix and should be updated at least annually or timely as needed to accommodate any changes in personnel
- Routine education of individual control owners and management on SOX requirements through formal training sessions (document training materials and attendance as evidence) and ongoing informal discussions
- Implement or improve upon a formally documented sub-certification process, including dashboard/scorecard reporting, whereby individual control owners up through management ranks respond as to the effectiveness of each assigned control on a quarterly basis; results are monitored and timely corrective actions taken as necessary
3. Related Party and Unusual Transactions
The release of PCAOB Standard 18 coupled with the COSO 2013 framework, both with effective dates of December 2014, increased auditor scrutiny on internal controls covering (a) related party relationships and transactions, (b) significant unusual transactions, and (c) financial relationships and transactions with executive officers. This resulted in entity-level control design (gap) deficiencies for some companies requiring remediation action plans in order to mitigate the associated inherent risk of corporate scandal and fraud.
Thus, management’s assessment of internal controls over financial reporting should cover whether control activities are designed and operating effectively to confirm that the aforementioned relationships and transactions are identified, monitored as to appropriate (e.g., arms-length) business purpose and amount, authorized, properly accounted for and properly disclosed. A best practice may be to incorporate inquiries of any such relationships and transactions into the formal sub-certification process mentioned above in #2 to prompt quarterly responses with sign off, as well as extending such inquiries with required quarterly responses to all executive officers and Board members.
4. Information Technology Pervasiveness
Companies continue to experience increased focus and level of effort on IT General, automated, application and IT dependent controls over financial reporting. Global Technology Audit Guidance (GTAG’s) sets forth the theme that IT controls are foundational to support the reliability of virtually every other control. This pervasiveness requires management and auditors to evaluate the impact of individual and aggregate IT General Control (ITGC) deficiencies on automated/application and business controls. This means that ITGC deficiencies may render automated/application and business controls non-reliable even if they are otherwise effective. For example, an automated control that is configurable may not be reliable if the supporting user access controls are ineffective. Therefore, routine and timely assessment of ITGC effectiveness is critical. A few other thoughts:
- Third party IT service providers:
management is responsible to understand and monitor the effectiveness of third party service providers’ controls. Most companies have experienced heightened risk management and level of effort in obtaining and evaluating SSAE 16 reports from applicable service providers, including increased documentation and assessment of related User Control Considerations (UCC’s).
- Key reports supporting ITGC, application and/or business controls:
control owners must thoroughly understand and document the source of data in key reports to evidence completeness and accuracy. This typically requires an acceptance of joint accountability on the part of assigned “owners” within IT and the business. A suggested best practice, if not already done, is for management to develop and maintain a master key reports matrix that sets forth information such as IT and business owners, controls supported, source system and type of report (e.g., “canned” versus “custom”), frequency produced, and documentation to be retained to evidence completeness and accuracy. This master list supports control owners’ responsibilities and enables management to prioritize the assessment of key reports within their SOX program activities.
5. Review controls
“Review” controls represent activities in which the reviewer is independently validating a preparer’s work such as account analysis, reconciliations, reserve calculations or scrutinizing business performance (e.g., budget and/or forecast to actual) variances. A few years ago, a sign off by the reviewer was considered sufficient evidence of control operation.
However, in today’s regulatory environment, the reviewer must be accountable as the control owner to evidence the following:
- Criteria/thresholds (e.g., volumes, dollars, percentages, tie out of balances, understanding of source and completeness/accuracy of supporting key reports or spreadsheets) and timeliness for his or her review are defined and documented with an appropriate level of precision to detect potential material errors; this has resulted in significant updates to process documentation with increased details in order to support rigorous walkthroughs for control design evaluations.
- Reconciling items, variances or questionable data as to completeness and accuracy that meet or exceed defined criteria and thresholds are identified, investigated, explained and/or adjusted and corrected.
Internal auditors or other service providers that are assessing internal controls over financial reporting on management’s behalf must then make inquiries, inspect relevant supporting documents and evidence, and conduct re-performance test procedures to evaluate if the reviewer (control owner) has designed and operated the control timely and effectively.
6. Rigorous design (walkthroughs) and operating effectiveness assessment
The areas highlighted above have greatly contributed to increased rigor, level of effort and cost to assess the design and operating effectiveness of internal controls over financial reporting. The documentation for design assessment walkthroughs has become voluminous to capture risks and related control activities covering transactions from initiation, processing, recording and reporting through to the financial statements. Operating effectiveness testing procedures, evidence gathering and related documentation for management’s assessment have expanded significantly to meet expectations in the current regulatory environment.
Bridgepoint’s Risk Services team is highly experienced in helping companies navigate through these rigorous expectations to achieve a successful, sustainable SOX program.
Contact us to learn how our experts can help you.