(taken from the July/August 2006 issue of On Balance magazine)
This Side Up: Implementing Entity-Level Controls
By James P. Miller, CPA
One of the more surprising aspects of SOX compliance is
the fact that while all of these regulations were new to business, and
regulators managed to develop them at a rapid-fire pace, there is a
huge part of SOX that had existed for more than a decade.
I am referring to the Internal Control–Integrated
Framework report developed by the Committee of Sponsoring
Organizations (COSO) of the Treadway Commission. When I first heard
about the report, I wasn’t the only one to ask, "What is this and why
haven’t I heard about it before?" If you are involved in SOX
compliance, you will get to know about this report and the framework.
The framework consists of five interrelated components
of internal control.
The first is the control environment. The control
environment exists throughout the organization but is most critical at
the entity level. This is where you will hear things like the "tone at
the top," which should not be confused with the "top down" approach
of risk assessment—which can turn out to be more of a "bottoms up"
approach.
One problem with compliance efforts is that you can
get easily distracted from assessments at the entity level and dive
into the transaction-level details, thus "bottoms up." If you spend
more time at the entity level, you can reduce a big part of the
compliance work and the cost inherent at the transaction level.
The entity level—let’s call it what it is, corporate
governance—is the foundation for the other four components. Factors
include the integrity, ethical values and competency of the employees,
management style and philosophy, and the attention and direction
provided to the management by the Board of Directors and, more
specifically, the Audit Committee.
Document controls
Keep in mind that there needs to be evidential matter
to support all the controls that exist or are put into place. The
basics: Interviews, surveys and questionnaires communicate and
document evidential matter.
Start with interviews beginning with the chief
executive officer and direct reports. Conduct a survey of all staff
positions for their assessment of risk points and controls over
financial reporting. Make sure management has a clear understanding of
the company’s goals and objectives and managers are active in the
budgeting process and evaluation of variances throughout the year.
Management should always be aware of the financial statements and
their respective inputs to these balances and results.
The company needs to have a hotline medium that allows
all employees a chance to report anything they consider to be
questionable. This hotline could also be available to the outside with
access from business contacts including vendors and customers.
Questionnaires pertaining to the code of conduct and
conflicts of interest should be signed by appropriate levels of
management and reinforced through periodic discussions.
Fraud assessment
You also need to make an anti-fraud assessment. Can
anyone at the management level improperly order an invalid or improper
accounting adjustment or input data directly into the system in order
to distort the financial reports? Could management create or condone
side deals creating off-book liabilities invisible on the business
system software?
Will the financial reporting closing cycle detect
unintentional errors made during preparation of the reports, and is
there qualified professional staff to assess proper accounting
treatment for all business activity? Today, most integrated business
systems have opened up general ledger activity well outside the
accounting arena. Restricting system access helps to control this significantly.
However, making sure those who transact business are properly trained
is equally important and will reduce the likelihood of erroneous
transactions.
You also need to be able to follow the money. Find out
whether customers are paying invoices properly and vendors are
satisfied with your payments. If there is a problem, it will most
likely be evidenced by the issuance of debits and credits. The volume
and value of these can be symptoms of erroneous transaction
processing.
Look for the areas of financial reporting that are
complex and may require additional legal and/or professional advice
such as income taxes, mergers and/or acquisitions. How does management
deal with these complex situations?
Have the appropriate managers complete quarterly
questionnaires that disclose their knowledge of business activities.
Additional attention should be given to non-routine transactions.
Managers should also concur that in their areas of responsibility, their
employees have followed the procedures put in place to control the
risk of errors in financial reporting.
Last checkpoint
Make sure that, prior to release, all public financial
information is reviewed by the disclosure committee for
completeness and accuracy. During the
financial closing process and up through the committee meeting, there
should be a review of a "disclosure checklist" to make certain all
points have been covered.
Closing the books is a routine that needs to be
properly documented. A checklist of the tasks can be a useful tool to
ensure that nothing is overlooked. System and manual entries to the
general ledger should all be authorized by the controller and/or CFO.
And, finally: Work closely with your outside auditors
to make certain they agree with management’s approach regarding the
scope, goals and methodology in achieving Sarbanes compliance at the
entity level. It is management’s responsibility—but you don’t want to
have a late discussion with your auditors that you are not doing the
right thing or don’t have enough information. One thing that has
changed from the first year of compliance is that your auditor can
actually talk to you about the Sarbanes compliance process.
James P. Miller, CPA
is corporate controller at Ladish Co.
Inc. in Cudahy. He can be reached at
jmiller@ladishco.com or
(414) 747-2877.