Enterprise Risk Management Best Practices
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding. The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.
Enterprise Risk Management Best Practices From Assessment to Ongoing Compliance
ANNE M. MARCHETTI
John Wiley & Sons, Inc.
Copyright © 2012 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. 
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data
Marchetti, Anne M.
Enterprise risk management best practices : from assessment to ongoing compliance / Anne M. Marchetti.
p. cm. — (Wiley corporate F&A)
Includes index.
ISBN 978-0-470-91740-4 (hardback); ISBN 978-1-118-14951-5 (ebk); ISBN 978-1-118-14952-2 (ebk); ISBN 978-1-118-14953-9 (ebk)
1. Risk management. I. Title.
HD61.M2669 2012
658.15’5—dc23
2011023737
Printed in the United States of America 10 9 8 7 6 5 4 3 2 1
To my parents, Jim and Barbara Marchetti, to whom I owe all my love and gratitude.
Contents

Preface  xi

Chapter 1: Overview of Enterprise Risk Management  1
  ERM Introduction  1
  Guidance: History and Relationship  3
  Organization View  5
  ERM Today  7
  Increased Pressure to Manage Risk  9
  Additional Evidence  10
  Perceived Barriers to Risk Management  11
  Building the Business Case for ERM: Value and Benefits  11
  Keys to Success  13
  Summary  15
  Notes  16

Chapter 2: Corporate Governance and Roles and Responsibilities  17
  Board Behavior  18
  Corporate Culture  19
  Roles and Responsibilities  20
  Summary  23

Chapter 3: ERM Defined  25
  Definitions and Concepts  28
  Risk Categories  30
  Internal Environment  31
  Summary  34
  Note  34

Chapter 4: The ERM Process: Step by Step  35
  Step 1: Strategy and Objective Definition  36
  Step 2: Event Identification  38
  Step 3: Risk Assessment  40
  Step 4: Risk Response  41
  Step 5: Communication  45
  Step 6: Monitoring  46
  Oversight  47
  Summary  47
  Notes  48

Chapter 5: COSO Framework and Financial Controls  49
  Focus on Financial Controls  49
  Control Environment  52
  Integrity and Ethical Values  53
  Board of Directors  55
  Management’s Philosophy and Operating Style  57
  Organizational Structure  57
  Financial Reporting Competencies  58
  Authority and Responsibility  59
  Human Resources  60
  Summary  61
  Notes  62

Appendix 5A: Excerpt from a Code of Ethics Policy  63
  Our Guiding Principles and Values  64
  Conflicts of Interest  64
  Confidential Information; Intellectual Property  65

Appendix 5B: Whistleblower Program  67
  Reports Regarding Accounting Matters  67
  Investigation of Suspected Violations  68
  Discipline for Violations  68

Appendix 5C: Approval Policy and Procedures  69
  Policy  69
  Purpose  69
  Scope  69
  Approvals/Documentation  70

Chapter 6: Financial Controls and Risk Assessment  74
  Risk Assessment  74
  Financial Reporting Objectives  75
  Financial Reporting Risks  76
  Fraud Risk  77
  Entity-Level Controls  83
  Example: Risk Assessment and Financial Controls  84
  Evaluating Deficiencies  86
  Summary  87
  Notes  87

Appendix 6A: Entity-Level Control Assessment  88
  Control Assessment Overview  88
  Control Environment  90
  Overall Evaluation of Control Environment  95
  Risk Assessment  96
  Overall Evaluation of Risk Assessment  98
  Control Activities  99
  Overall Evaluation of Control Activities  100
  Information and Communication  101
  Overall Evaluation of Information and Communication  104
  Monitoring  105
  Overall Evaluation of Monitoring  108
  Summary Assessment  109
  Overall Assessment of Internal Controls  110

Appendix 6B: Accounts Payable: Preliminary Controls Assessment Questionnaire  111
  Purchasing Controls Questionnaire  111
  Internal Control Assessment  112

Appendix 6C: Fraud Risk Factors: AU Section 316  114
  Risk Factors Relating to Misstatements Arising from Fraudulent Financial Reporting  114

Chapter 7: Ongoing Compliance  120
  Overview  120
  Origin of the Sarbanes-Oxley Act  121
  Generating Value from Compliance  123
  Moving Beyond Initial Compliance
  Reevaluating the Compliance Program
  Summary

Chapter 8: Ongoing Compliance Challenges  132
  Future State Opportunity: Compliance Optimization  133
  Issues to Consider When Optimizing Compliance  136
  Ongoing Compliance Plan  138
  Role of Internal Audit: Balancing the Compliance and Audit Functions  143
  Evolving Role of the Audit Committee  145
  Summary  148

Chapter 9: Addressing Compliance and Risk Management Challenges through Automation  149
  Software Can Add Value Beyond Compliance  151
  Monitoring Software  152
  Utilization of Continuous Monitoring: Control Testing and Control Automation  153
  Benefits of Continuous Monitoring  154
  Continuous Monitoring Tool Considerations  155
  Continuous Monitoring Process  155
  Risk Management Software  157
  Unifying Financial Statements, Close Tasks, and SOX Controls  159
  Determining the Right Solution  159
  Summary  161
  Note  161

Chapter 10: Ongoing Compliance and IFRS  162
  International Financial Reporting Standards  162
  Communicating the Impact  164
  Preparing for IFRS  166
  Comprehensive IFRS Transition Approach  167
  Key Elements of an Effective IFRS Implementation  170
  Summary  172

About the Author  173

Index  175
Preface
Many organizations struggle with the development and implementation of an enterprise risk management (ERM) program. Most are overwhelmed by the task. They believe they do not possess the expertise, resources, time, and/or dollars required to design and build an effective risk management program. In addition, there is minimal perceived value in this activity.

My objective for this book is to demystify ERM and the risk management process in order to eliminate implementation apprehension. The goal is to simplify the explanation of related concepts and provide guidance that demonstrates a practical, cost-effective process that can be utilized by any organization.

The material addresses the development of programs in two major areas: ERM and ongoing compliance. Chapters 1 through 3 provide an introduction and overview of ERM, including important components of the process as well as a corporate governance/organizational framework and definitions of roles and responsibilities. Chapter 4 provides a detailed description of the ERM process and includes suggestions regarding implementation. Chapters 5 and 6 present an in-depth review of financial controls, including an example of the application of the risk assessment process to this risk category. Chapters 7 through 10 address ongoing compliance challenges and provide insight into cost minimization and control optimization, including the effective use of technology, as well as future International Financial Reporting Standards considerations and implications.

It is my hope that this consolidation of information will be a useful guide through the risk management process. In addition, it is my intention to provide explanations and the basis for a solid understanding of the critical components of an effective ERM program that will assist with strategy execution and achievement of overall entity objectives.
CHAPTER ONE
Overview of Enterprise Risk Management
ERM Introduction

Enterprise risk management (ERM) includes the methods and processes used by organizations to minimize surprises and seize opportunities related to the achievement of their objectives. ERM is an approach to aligning strategy, process, and knowledge in order to curtail surprises and losses as well as to capitalize on business opportunities.

Many individuals associate risk with negative outcomes. However, there is a potential value component to risk assessment and management. Risk management is about balancing risk and reward. A well-designed risk management program encourages and allows an organization to take intelligent risks. It involves assessing quantitative factors and information as well as considering management experience and judgment. An effective risk management program entails balancing people and processes. Ultimately, an entity’s risk profile is affected by the actions and decisions of its board of directors, management, and employees.

One cannot talk about risk management without discussing risk assessment. The vast majority of organizations conduct some type of informal risk assessment process. As a result, these organizations have some form of risk management plan. This plan, in most cases, is not documented.

The initial introduction of formal risk assessment and risk management within an organization is critical to the ultimate success of the initiative. An entity must consider its culture and develop an approach that is most likely to result in success. The organization should take care not to overcomplicate or overwhelm individuals with technical terminology. Initial discussions should focus on the importance and the benefits of risk management. Employees should be encouraged to think and talk about the business and what could go wrong that might result in failure to achieve entity objectives and, as a result, have a negative effect on performance and/or perception.

Good risk management is essentially choice management. It is a continuous work in progress. An entity must identify risks and subsequently determine how it will address each one. The organization must decide the degree of risk it is willing to assume and address other identified risks, likely through mitigation. It is important to consider both tangible consequences, such as loss of revenue or a drop in stock price, and intangible possibilities, such as public perception. Perception often is a major consideration in assessing positive or negative consequences.

Organizations often evaluate risks in a siloed process, considering the risk consequence to a single area of the business. Risks are inherently dynamic and interdependent. Consequences of unforeseen or unpredictable events typically affect multiple areas of a business.
Therefore, aggregate entity consequences should be considered when conducting a risk assessment and designing a risk management program. Risks should not be separated into components and managed independently. Such an approach is rarely effective or successful. A holistic view of risk should be taken, including the contemplation of interdependencies. Every organization is faced with uncertainty and risk. The challenge for management is to determine how much uncertainty to accept as it strives to improve stakeholder value. Risk identification is a process designed to identify first both the strategic objectives and goals and then the potential internal and external events that can adversely affect the enterprise’s ability to achieve those objectives and goals.
Each entity should strive to build an integrated risk organization. This would include three components: (1) centralized risk management reporting to the chief executive officer and the board of directors, (2) an integrated risk management strategy that takes a holistic view of all types of risk within the organization, and (3) integration of risk management into business processes. It is not easy to accomplish these stated objectives. The method and processes for execution may vary significantly based on the size, structure, and culture of the organization. Each company must determine the most practical method of implementation. However, this integrated approach will allow risk management to become an offensive weapon for management rather than the more common defensive reaction to incident occurrence. Organizations should take a proactive approach to optimizing their risk profiles. Minimal investment in risk assessment and subsequent risk management program development and implementation can improve efficiency and reduce losses.
Guidance: History and Relationship

Due to the heightened scrutiny and concentration on risk and risk management, there is a great deal of guidance available. Prior to exploring ERM design and implementation details, it is beneficial to examine various frameworks and standards. There will be extensive reference to these guidance documents in this book. The frameworks and standards discussed here are not the only sources of information available. The publications presented are commonly referenced and have been suggested for use by many industry-specific organizations. Some of the guidance, by nature of the issuer, is intended primarily for auditor use; some is directed to management. Certain publications provide broad advice regarding risk management; other documents specifically concentrate on risks and controls over financial reporting. However, examination of all of the recommendations, regardless of the source or intended audience, is valuable when undertaking a risk management initiative.

In 1992, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission first issued a conceptual framework entitled Internal Control—Integrated Framework. COSO originally was charged with studying and reporting on factors that can lead to fraudulent financial reporting. The COSO Framework was intended for broad use by any organization, and it provides evaluation tools that can be utilized for comprehensive evaluation of control systems. This is evidenced in the general nature of the COSO definition of internal control: a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

▪ Effectiveness and efficiency of operations
▪ Reliability of financial reporting
▪ Compliance with applicable laws and regulations

Subsequently, with the passage of the Sarbanes-Oxley Act (SOX) in 2002, the Securities and Exchange Commission (SEC) suggested management use of the COSO Framework specifically for the design, build, and/or analysis of internal control over financial reporting. Details of the components of the COSO Framework and its use in the risk management and risk assessment process are presented in Chapters 5 and 6.

SOX established the Public Company Accounting Oversight Board (PCAOB), a private, nonprofit corporation whose mission is to oversee the auditors of public companies. Among the auditing standards (ASs) the PCAOB has issued, the one most relevant here is AS No. 5, An Audit of Internal Control over Financial Reporting that Is Integrated with an Audit of Financial Statements. This standard directs auditors to adopt a top-down, risk-based approach to internal control and compliance during the audit process. It points auditors toward initial review of entity-level controls and emphasizes the significance of strength at this level. In addition, the standard reinforces the importance of auditor focus on high-risk areas and situations and provides auditor guidance regarding the confirmation of risk mitigation in those identified areas.

In 2004, COSO published Enterprise Risk Management—Integrated Framework. It was issued to assist organizations to identify, assess, and manage risk effectively. The document establishes key risk management principles, concepts, language, and guidance with the goal of aiding an entity in formally establishing or improving its risk management. Details of the components of the ERM Integrated Framework and its use in the risk management and risk assessment process are presented in Chapter 4.
The Auditing Standards Board has issued several Statements on Auditing Standards (SASs), commonly referred to as the Risk Assessment SASs (SAS 104–111), that outline auditor requirements, including documentation specifically associated with risk assessment. This guidance includes auditor requirements for understanding and documenting management’s risk assessment process as well as documentation of the auditor’s own risk assessment process as part of audit planning.

All of the standards and frameworks contain detailed guidance that is valuable to an entity when designing, building, and/or analyzing its internal control and risk management program. The remainder of the text refers to these documents extensively because of their definitions, concepts, and advice. Risk management involves risk assessment, which results in risk mitigation, which occurs through the existence or implementation of control activities. All of these are interrelated, and each is defined and referenced in one or more of the documents mentioned.
Organization View

Figure 1.1 illustrates an organization view of risk management and its role and relationship to overall corporate governance and compliance. Each entity should seek to build its organizational structure to support a top-down approach that begins with consideration of overall corporate governance, progresses to risk management and assessment, and ultimately considers the achievement of all compliance requirements. SOX Section 404 compliance requirements created an inverted pyramid effect: many organizations focus primarily on compliance and secondarily on risk management and governance. More recently, there has been emphasis from governing bodies, guidance, and standards regarding the appropriate top-down focus and process. Thus, entity attention has shifted in this direction.

Figure 1.1 Organization View of Risk Management (three tiers, top down)
Governance: tone at the top; integrated compliance strategy; outline objectives; establish culture (foster integrity and high ethics); develop policies and monitoring; embed ownership, responsibility, and accountability.
Enterprise Risk Management: identify and assess risk; develop a risk response strategy; document control activities; apply risk management to gain competitive advantage.
Compliance: ensure adherence to laws and regulations.

Executive management, in tandem with the board of directors, should develop and document a strategy that outlines what the organization expects to accomplish (its goals) as well as the objectives it must achieve in order to realize the desired results. When determining a strategy, the board of directors and senior management may ask: How are we going to create value for our stakeholders? The answers manifest themselves in a strategic plan and associated objectives. A clearly documented strategy and associated objectives are critical to the development of an effective ERM program. An outline in these areas allows the organization to focus on opportunities presented in the strategic plan as well as to minimize the potential impact of threats. From a practical perspective, this may be a single-page document that outlines organization goals in terms of areas such as the customer, financial expectations, and products/services. The strategic plan, at the highest level, will aid in the facilitation of all future discussions regarding risk and risk mitigation. The organization should consider the strategy from a financial and an operational perspective. The absence of a documented strategy and objectives, including related policies and job descriptions that outline overall expectations and define roles and responsibilities, significantly impairs an entity’s ability to design and implement an effective ERM program.

Once the entity has documented and can articulate its strategy and related objectives, it can then develop and implement an ERM program. Doing this includes performance of a risk assessment, which includes considering what could go wrong that might prevent the entity from achieving its objectives. Therefore, it is extremely difficult, if not impossible, to execute this process effectively if the strategy and objectives are not defined initially. Part of the risk assessment process should include consideration of entity compliance with all applicable laws and regulations.
Ultimately the entity will seek to mitigate identified risks through numerous forms of control activities.
ERM Today

Less than a decade ago, ERM was not a major focus for most organizations. Today, it is quickly ascending to the top of the agendas of senior executives and shareholders alike as corporate scandals and globalization challenge the status quo and regulators publish new or updated requirements. ERM is a structured approach to aligning strategy, processes, people, technology, and knowledge to identify and manage uncertainties and risk. By providing a comprehensive, integrated framework that enables organizations to proactively manage business risk, ERM aids in striking a balance between business needs and risk thresholds to increase competitive advantage and shareholder value. ERM definitions tend to vary from source to source, but all contain common themes: a standard risk management process, an integrated view of risks, and a focus on relating risks to business objectives.

One would think that recent corporate scandals and fraud as well as the provisions set by SOX would have spurred companies to assess and improve the management and mitigation of enterprise-wide risks. Despite the plethora of internal and/or external events that could expose an organization to serious risks, companies focus much more on measuring and monitoring financial performance than on proactively measuring, analyzing, responding to, and mitigating risks: threats that could negatively impact financial performance. The majority of risk management experts agree that companies, for the most part, are not doing a good job of assessing and managing risk because they lack either the discipline for it or a mandate from executive management. However, risk management is rapidly becoming a major area of focus, and risk areas within each organization should be analyzed. A number of major drivers prompt the development of a formal enterprise risk framework, including:

▪ Regulatory guidance. Several recent SEC releases reference a risk-based approach to compliance. This focus serves as an excellent platform for the design and implementation of an enterprise-wide risk management program. The program does not have to be implemented throughout the entire organization concurrently but can be rolled out using a phased approach (e.g., by business unit, geography, or function).
▪ Evolving roles of the audit committee and board of directors. Since the passage of SOX, audit committee members and directors have increased responsibilities and greater accountability. This has prompted them to focus inquiries on the organization’s plans for developing a formal risk management strategy and plan.
▪ Risk assessment standards. SASs 104 through 111 (effective December 2006) and SAS 115 require the auditor, among many other items, to direct a significant amount of focus on understanding and documenting the entity and its environment, including internal control. The standards also emphasize the importance of the entity’s risk assessment process and how it correlates to the entity’s process of setting strategies and objectives and assessing related business risk.

Companies that assess risk, set risk thresholds, and actively monitor and manage their risk exposure within those thresholds are better able to predict future performance. They are also more likely to achieve higher performance and/or meet financial expectations because they are better able to avoid large fluctuations in business and the negative consequences of unmitigated risk events. Although the percentage of organizations without a formal ERM program in place is declining, it is surprising how few organizations have such a program. Even where companies have a risk management program, often it is informal in nature. This is shocking, given the amount of money that has been lost in the financial markets due to poor risk management and fraud.

Note: It is critical that any reader understand, prior to proceeding through this book, how the words “internal control” are used and their relationship to any discussion about risk management. First, any reference to or use of the words “internal control” or “risk management” applies to all organizations, private or public, large or small, for-profit or nonprofit. The difference is in the design of the risk management program or system of internal control as appropriate for an individual entity and its specific structure and circumstances. This book often mentions controls and internal controls. Very simply put, controls mitigate risk. Finance and accounting professionals, due partially to the nature of our training, often immediately associate any reference to or discussion of internal control with financial reporting and disclosure. However, the reader should bear in mind that the term “internal control” applies to any and all risk mitigation activity, regardless of the risk category. These controls exist in many different forms and activities within the structure and processes of each organization.
Increased Pressure to Manage Risk

A number of prominent events stimulate a case for increased risk assessment and risk management programs, including:

▪ The recent financial crisis and the existence of volatile market conditions.
▪ A significant increase in identified major fraud incidents, such as the Madoff case, which resulted in millions of dollars in losses for individuals as well as a number of organizations.
▪ Accounting scandals, such as Enron and WorldCom, that caused a public loss of confidence in financial reporting.
▪ Increased regulatory pressure, including the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010 and SOX, as well as the recent SEC concentration on review of risk information in annual, quarterly, and proxy filings.
▪ The recent focus of credit rating agencies on ERM processes.
The events listed provide additional incentive for organizations to consider either the enhancement or the development of a risk management program. Although most of the events outlined have had a greater regulatory and financial impact on public organizations, these incidents have definitely affected private and nonprofit entities as well. This is evidenced by several developments. Several audit firms have migrated to one audit method for all of their clients, public or private; therefore, the auditors are concentrating considerable effort on understanding and documenting client internal control as well as the client’s risk assessment process. Many financial institutions/lenders and granting agencies have begun requesting information regarding an entity’s internal control. Moreover, the boards of directors of many private entities have begun to query management regarding risk management and internal control over financial reporting. SAS 115 requires that if, during the course of the financial statement audit of a private company, the auditor identifies any significant deficiencies or material weaknesses in internal control over financial reporting, the auditor must report those deficiencies in writing (the SAS 115 letter) to management and those charged with governance. This requirement further evidences the reason for auditor attention to risk assessment and internal control over financial reporting, as well as the increased pressure on private companies to concentrate additional effort in these areas.
ADDiTiONAL eViDeNCe Recently, in its reviews of regulatory filings, the SEC has been encouraging companies to provide more information regarding risks they face and dissuading the use of boilerplate language. In addition, the regulator has warned entities regarding its increased focus on risk disclosures. The SEC has stated that entities should refrain from “copying and pasting” risk disclosures from quarter to quarter. When commenting on recent reviews, the SEC has referred to disclosures as too broad and generic, and the regulator is demanding risk information that is specific to an organization including the board’s role in risk oversight. CFO Magazine lists these ten as the most frequently questioned issues in the SEC comments on companies’ risk factors over the past two years: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Inadequate disclosure issues Market for products and services Reliance on suppliers, customers, governments Going concern Effects of regulatory changes Legal exposures and reliance on legal positions Ineffective internal or disclosure controls Reliance on certain employees Conflicts of interest/related party issues History of operating losses1
The Corporate Executive Board’s top ten high-risk areas of focus for 2010 cited by finance executives included:

1. Strategic change management
2. Capacity
3. Incentive plans
4. Human resources
5. Fraud
6. Innovation/research and development
7. Third-party relationships
8. Shared services
9. Inflation/Deflation
10. Tax management²
All of the summarized data listed should be considered by organizations, public or private, when conducting a risk assessment.
PERCEIVED BARRIERS TO RISK MANAGEMENT

Most organizations report competing priorities, insufficient resources, and lack of perceived value in addition to absence of board of director and/or senior leadership support for the initiative as major barriers to risk management program implementation. These companies often state that they feel overwhelmed by a daunting, lengthy process with which they have little familiarity. In addition, most individuals believe that the design and implementation of an ERM program is extremely costly. Based on this assumption, many organizations believe that they lack the financial resources to develop and sustain the program. In some cases, management and the board of directors are not aware that they are implicitly responsible for risk management within their organization.
BUILDING THE BUSINESS CASE FOR ERM: VALUE AND BENEFITS

All organizations face uncertainty. Uncertainty presents risk as well as opportunity. A well-designed ERM solution will provide an entity with numerous tangible and intangible benefits. The goal of every company is to maximize value for its shareholders. Value certainly can be created or deflated by business decisions made at the top, but it also can be created, preserved, or eroded by routine decisions that occur at every level within the organization. ERM supports value creation by helping management assess future events and respond in a manner that reduces the likelihood of outcomes that would lead to value erosion. Effective risk management supports the alignment of an entity’s documented strategy and objectives with the risk management plan; it also facilitates communication of the strategy, objectives, and ERM plan throughout the organization. In addition, an effective ERM program fosters greater accountability, responsibility, and ownership for internal controls throughout the organization. Successful long-term risk management enables the organization to anticipate risks resulting from opportunity, uncertainty, and hazards that can present occasions for either value enhancement (i.e., upside risk) or value erosion (i.e., downside risk). ERM can aid in creating and/or preserving a company’s value by dealing effectively with potential future events that create uncertainty. Analysis of upside risk can provide valuable insight that management can use to plan actions that will achieve positive gains. Defensively managing downside risk through policies, procedures, and systems may help prevent behaviors that could negatively impact company performance.

A functional approach to risk management often creates “silos” that can be difficult to manage across the enterprise. An integrated ERM framework allows for risks to be managed effectively across business units, functions, and business activities. Employees can be empowered to own and manage risks in their respective areas. This approach also increases risk transparency throughout the organization.

The real value of ERM surfaces when organizations look beyond assessing risk for the sole purpose of meeting minimum regulatory requirements. A comprehensive risk management plan presents a higher value proposition. The benefits of pursuing such a solution can be numerous. A few of the main benefits include:
▪ Cost savings through an integrated approach to compliance. Overlapping requirements and initiatives, which compete for company resources and management’s attention, have prompted an increasing number of companies to develop a common framework for addressing all regulatory and management requirements. Such an integrated approach, including internal audit, regulatory compliance, and process improvement, can provide considerable savings over the cost of multiple stand-alone responses by providing greater operational efficiency. In addition, an integrated approach may assist in fostering greater accountability and ownership for internal controls throughout the organization.
▪ Ability to assess current risk position and respond. The absence of an ERM program makes it much more difficult for an organization to evaluate its risk position. Without this ability, an entity is disadvantaged. The existence of a formalized, documented risk assessment facilitates improved risk management and mitigation and enables the organization to better align strategy with acceptable levels of risk.
▪ Improved proactive management. The existence of an ERM program facilitates a proactive versus reactive approach. A well-developed plan can help a company’s board and senior management team focus their efforts on strategic decision making rather than reacting to unexpected risks. Increasing management’s focus on the future based on existing information and analysis, rather than crisis management, can lead to improved decision making and a better competitive position for the company. Thus, operational surprises and losses are minimized. In addition, management response to challenges and opportunities is enhanced. ERM supports management decisions regarding activity such as product development, pricing, and acquisitions.
▪ Optimized capital structure and allocation. Improved estimation of a company’s capital requirements is one of the most frequently cited benefits of ERM. A better understanding of risk across an organization leads to a more thorough understanding of what capital is required to support a given risk tolerance. ERM also leads to better capital allocation among business units. As risk management capabilities improve, a company can achieve a greater level of transparency, which helps boards and senior executives make more informed decisions about capital allocation as well as business mix, products, and future investments.
If effectively implemented, an ERM program can help an entity achieve its goals and potentially avoid surprises along the way while providing value to stakeholders.
KEYS TO SUCCESS

Successful ERM initiatives have several consistent themes. It is important to keep these general thoughts/concepts in mind when considering an ERM implementation.
▪ Executive support is critical to the success of the initiative. ERM should be incorporated into the culture and viewed as an important, company-wide strategic initiative. Support at the top is a necessity and should begin with the board of directors and extend to executives and senior management through to each employee at every level. Clear demonstration of support and expectations should be communicated, both initially and consistently at every appropriate opportunity. The tone-at-the-top sponsorship and testimony is especially important for establishing the appropriate internal environment, which is fundamental for the creation of a solid ERM program foundation.
▪ The development of a risk intelligent culture is beneficial. Historically, most small organizations have spent little, if any, time formally considering, discussing, documenting, and/or analyzing risk. In order to navigate effectively and efficiently through the risk management process as well as obtain buy-in, both of which are critical to a successful initiative, the organization should seek to become more risk intelligent. Prior to delving into and proceeding through the documented ERM process, members of the board of directors and senior management should work to understand the major concepts, definitions, and objectives of ERM. This will facilitate education of the entire organization, effective board of director oversight, and provide an invaluable basis for execution of this initiative. Any organization that does not seek to educate itself in this way prior to commencing the ERM process would be severely handicapped. The entity is also at risk for failure or, at minimum, may not realize maximum benefit.
▪ Incorporate risk into strategy. Ideally an entity, led by its board of directors, should seek to embed risk management into the core business processes and structure of the organization. This is a long-term progression that begins with the risk education process referred to previously. It then involves ensuring that entity strategy and objective definition as well as any associated discussions and documentation include the consideration of risk. For example, companies may consider incorporating a discussion about risk—“What can go wrong?”—into the planning and budgeting processes. Any proposed strategic initiative deliberations should include an analysis of risks.
▪ Define/determine risk appetite early. It is vitally important that an organization consider, discuss, and define its risk appetite. The entity should take steps very early during the initial risk management program development process to ensure that the board of directors and management are clear and in agreement regarding the level of risk the organization is willing to take related to both specific incidents/events and the entity as a whole. In many cases, risk appetite is evidenced, although not specifically by name or definition, in company policies that outline things such as authorities and/or approval limits. Risk appetite determination will help facilitate critical discussions throughout the ERM program development process, including risk mitigation planning.
▪ Consider building the ERM program in phases. Many organizations are hesitant to embark on an ERM initiative because of the perceptions that risk management is highly complex, costly to implement, and requires extensive expertise and resources. Companies often are overwhelmed with the task of a full ERM implementation. They believe that risk management is an all-or-nothing proposition. This is not the case. Many organizations have implemented a successful risk management program using a phased approach. This affords the entity the opportunity to achieve short-term success. In addition, members will further educate themselves regarding risk management and will be able to apply that knowledge and expertise during future implementation phases. Also, the organization can customize the remaining phases of the program to realize the most efficient implementation and maximum benefit for it. Success has been achieved by following the process outlined in the subsequent paragraphs.
▪ Focus initially on a few agreed-on high risks. If an entity chooses to adopt the phased implementation approach referred to previously, the organization should focus initially on a small group of identified high risks associated with the entity’s documented strategic objectives. Another option is to focus on one category of risk. (Examples of risk categories are provided in Chapter 3.) Management can navigate through all steps of the risk management process for these identified risks. Doing so will help to build the foundation for a robust, holistic ERM program.
▪ Use initial work as a platform for expanding the ERM initiative. An entity should capitalize on the initial risk management work it performs and use that foundation as the platform for future initiative phases. The subsequent phase may include organization consideration of another single risk category, or it may choose a high-risk area or decide to remain at the overall broader strategic objective risk level.
▪ Develop a monitoring process early on. Risk management is a continuous evolution. Therefore, it is important that management develop an effective monitoring process that provides all appropriate groups and individuals, including the board of directors, with the necessary information to perform their risk management responsibilities. An ERM program will not be effective if it is designed and implemented but not monitored after initial completion.
In addition to the concepts listed, each organization must consider its culture and individual circumstances in determining the best ERM implementation approach.
SUMMARY

The increased focus and pressure on organizations to manage risk warrants management and board of director attention and support for the risk management process. An effective risk management program can be implemented cost effectively. The initiative does not require a significant amount of time or resources (internal or external). There is a sufficient amount of guidance available to enable an entity to design and implement an ERM program that adds value to the organization and allows management to proactively make the best choices and decisions for the company.
NOTES

1. Sarah Johnson, “SEC Pushes Companies for More Risk Information,” CFO Magazine, August 2, 2010, www.CFO.com.
2. Kate O’Sullivan, “A Risk Top 10 for 2010,” CFO Magazine, January 12, 2010, www.CFO.com.
CHAPTER TWO
Corporate Governance and Roles and Responsibilities

PRIOR TO THE DEVELOPMENT OF AN ENTERPRISE RISK MANAGEMENT (ERM) program, it is important to understand the relationship between corporate governance and risk management as well as examine roles and responsibilities associated with this initiative and resultant program. Corporate governance is a vital component of risk management. It provides the necessary top-down monitoring and management of risk associated with an organization. The topics of corporate governance and risk management are closely related. Both focus on strategy and support of the strategic direction of the organization. Given the heightened attention on risk, risk management oversight is one of the key responsibilities and functions of the board of directors. The board should be actively involved in an oversight capacity in working with management to define the organization’s strategy and objectives as well as ensure risk mitigation occurs. Risk governance and value creation are also closely associated. A well-developed and implemented governance program provides the top-down monitoring and management of risk that is necessary for an effective risk management initiative. An entity’s overall risk profile is managed through corporate governance. The board of directors should focus on general oversight and stewardship. Every organization outlines goals and implements strategies for their achievement. These strategies have associated risks that must be managed. Development and adherence to strong corporate governance will aid an organization in the attainment of its goals. The proper organizational structure and risk management function can assist management in conjunction with the board of directors with the creation of a culture that encourages appropriate behavior for the realization of its goals. The board has responsibility for ensuring that risk management policies and programs are in place and operating effectively within the organization. Several aspects of risk management are closely aligned with board responsibilities, including the development and implementation of a risk policy, determining risk appetite, and establishing an overall corporate culture that supports risk management.

In 2008, in response to a number of significant events including the financial crisis and corporate scandals such as Enron, the New York Stock Exchange created the Commission on Corporate Governance to address issues impacting corporate governance. Among many other items, the commission outlined descriptions of the role of boards of directors and management, placing specific emphasis on risk management. Recommendations included overall guidance related to the role of management and the board. The board should guide the organization in the development and implementation of governance policies that support long-term growth. The board should be independent, eliminate policies that promote excessive risk taking, ensure that appropriate risk management systems are in place, and establish compensation plans that align goals with value creation.
Management is responsible for creating an environment in which a culture of performance and integrity can flourish. When performing risk management responsibilities, management should set the tone at the top, establish a risk management program that includes involvement of competent personnel, and develop compensation plans that encourage disciplined risk taking. The board of directors has a fiduciary responsibility and accountability to the organization and its shareholders or owners.
BOARD BEHAVIOR

Members of the board of directors should engage in discussion and debate regarding risks. In order for this to occur, the board should have independent leadership and seek to maintain an open culture that allows and encourages the expression of different opinions. Independence is considered critical to ensure the existence of objectivity and that each member acts in the best interest of the organization and its stakeholders. Diverse, relevant skills and perspectives should be represented on the board. In addition, the board should be provided with sufficient information regarding entity performance and risk management in a timely manner for its proper consideration. Finally, the board should be consciously aware of its continuous accountability to shareholders or owners. Overall key board duties, functions, and responsibilities specifically associated with risk management include:
▪ Guiding corporate strategy, including the existence of clearly documented objectives aligned with that strategy as well as risk policies.
▪ Oversight of the integrity of an organization’s accounting and financial reporting process, including the external audit as well as compliance with relevant standards, laws, and regulations.
▪ Conducting an annual risk assessment and overseeing the overall risk management process.
▪ Monitoring the entity’s governance process and modifying as needed.
In order to perform these tasks effectively, each member should have the requisite skills and knowledge, possess the ability to devote sufficient time required for the position, and maintain independence and objectivity.
CORPORATE CULTURE

An appropriate corporate culture that fosters an environment of high ethics and integrity is vital to the success of any risk management initiative. Corporate culture often is considered one of the most important factors for the integration of risk management into the culture and values of an organization. The development of a corporate culture begins with the board—the ultimate tone at the top. Therefore, the board should seek continuously to ensure that employees understand their responsibility for appropriate behavior. In addition, board members must demonstrate their commitment through actions. Board activity should be based on strong ethical standards and integrity. Actions include ensuring that the organization’s strategy and objectives are ethically sound.
Regardless of the size of the organization, each entity should develop and implement a code of ethics that applies to the entire organization and its members. This document should be approved and reviewed annually by the board for both completeness and relevance. Subsequent to initial approval, management is responsible for ensuring that the code is actively communicated throughout the organization and that any necessary training is provided. The code should include reinforcement of an expectation of the standards for ethical behavior and integrity among all employees. In addition, the document should outline guiding principles and values. Existence and effective implementation of the code not only facilitates good corporate governance; it also strengthens entity-level financial control. This control is a component of risk mitigation associated with financial reporting and disclosure. A sample code of ethics document is shown in Appendix 5A. Similar to the development of the code of ethics, the existence and effective implementation of a whistleblower program also facilitates good corporate governance and strengthens entity-level financial control. This control is also a component of risk mitigation associated with financial reporting and disclosure.

The board’s role in risk oversight should be clearly defined. The board should set the tone for management and clearly outline expectations regarding risk. Management should perform risk management procedures; the board should be included in the risk oversight process. Therefore, ideally, the board should consist of knowledgeable, experienced individuals who bring different perspectives to the organization. Members should be willing and prepared to engage in conversations regarding risk management but also should take care not to become overly involved in management activities and daily operations. The board of directors should conduct periodic, formal evaluations of its performance.
ROLES AND RESPONSIBILITIES

Every individual within the organization has some responsibility for ERM. This includes members of the board of directors, management, risk officers, internal auditors, and each employee. Management should ensure that each employee has an understanding of his or her role in the company risk management process. Depending on the function, risk management responsibility may or may not be included explicitly in the job description. Management and the board, in setting the appropriate tone at the top, should communicate effectively that each employee is accountable for ERM at some level.
Board of Directors

The board of directors has a number of duties and responsibilities. Key board functions related to risk management include overall risk management oversight, including strategy definition and objective setting, participation in the annual risk assessment process, and ensuring accounting and financial reporting integrity. Each organization should publish a risk management policy that outlines the risk management philosophy and approach to risk as well as its risk appetite. The board should approve the risk management policy. Additional duties involve determining, along with management, the strategic direction of the organization, including related objective setting, creating an environment and organizational structure for the company’s defined risk management program to operate effectively, and continuously monitoring corporate performance in regard to risk management. Simply stated, the board should be aware of the most significant risks facing the organization and their potential effects, both quantitative and qualitative, as well as how the company is managing these risks. When evaluating the company system of internal control, the board should consider the nature and extent of risks as well as the likelihood of each of those risks actually manifesting itself. The board also should consider how risks should be managed and the company’s ability to manage or mitigate those risks or, at minimum, its capability to minimize the impact on the organization. Finally, consideration should be given to the cost-benefit of existing and proposed control activities as well as the overall effectiveness of management’s risk assessment process. The board provides oversight with regard to ERM by:

▪ Knowing the extent to which management has established effective ERM in the organization.
▪ Being aware of and concurring with the entity’s risk appetite.
▪ Reviewing the entity’s portfolio view of risk and considering it against the entity’s risk appetite.
▪ Being apprised of the most significant risks and whether management is responding appropriately.
Management

Ultimately, the chief executive officer (CEO) of the organization has overall responsibility for ERM, including ensuring the development and implementation of all required components of a comprehensive risk management program.
The CEO should ensure the appropriate tone at the top and take every opportunity to reinforce the importance, commitment, and expectations regarding risk management within the organization. In addition, the CEO is responsible for providing leadership and direction to senior managers and working with this group to define strategy, high-level objectives, and policies related to risk management philosophy, risk appetite, and culture. In order to gain knowledge and information regarding inherent risks associated with operations, the CEO should meet regularly with senior managers responsible for each functional area of the organization. Doing this will facilitate appropriate high-level monitoring of risks in relation to defined risk appetite. Management is directly responsible for all entity activity, including risk management. Roles will differ considerably depending on the size and nature of the organization. Managers are accountable for managing risk related to documented objectives in their specific area/business unit/department. Depending on the size of the organization, risk management may not include a hierarchy of responsibility. In a smaller entity with a flat organizational structure and the absence of management layers, each senior executive may be required to perform risk management duties associated with both senior-level executives and management. Management also should consider organizations or parties that interact with the entity, such as outsourced activities and financial analysts. It is management’s responsibility to ensure that a process is in place to monitor information from any relevant external resources that may affect risk to the organization and its ability to achieve stated objectives.
Risk Officer

An organization may have a complete risk management department, a single risk officer, a named part-time risk manager, or none of the above. The structure is dependent on several factors, including the size of the organization, the industry and regulatory environment associated with the entity, and the nature of the business. Regardless of the configuration, a number of responsibilities typically are associated with a risk officer that should be performed within each organization. In many small companies, these tasks are performed by the chief financial officer, vice president of finance, controller, or other individual or combination of individuals within the finance and accounting function. Risk officer responsibilities may include:
▪ Establishing ERM policies, including defining roles and responsibilities and participating in setting goals for implementation.
▪ Framing authority and accountability for ERM in business units.
▪ Promoting an ERM competence throughout the entity, including facilitating development of technical ERM expertise and helping managers align risk responses with the entity’s risk tolerances and developing appropriate controls.
▪ Guiding integration of ERM with other business planning and management activities.
▪ Establishing a common risk management language that includes common measures around likelihood and impact and common risk categories.
▪ Facilitating managers’ development of reporting protocols, including quantitative and qualitative thresholds, and monitoring the reporting process.
▪ Reporting to the CEO on progress and outliers and recommending action as needed.
Internal Audit

An internal audit function may or may not exist within a smaller organization, and the role will undoubtedly vary from one company to another. Regardless of the specific function, internal audit should ensure continuous maintenance of objectivity and independence within the group. The internal audit role may include several or all of these functions:
▪ Audit of the company risk management process, including significant risk areas identified by management
▪ Support of the overall risk management process
▪ Training and education regarding risk and risk management throughout the organization
▪ Support management with the risk identification and assessment activity

The existence of an internal audit function can strengthen risk management capabilities within an organization. This group, in performing its overall responsibilities, possesses a significant amount of key information that can assist and support management with strategic planning, objective setting, and the management of strategic risk.
SUMMARY

Corporate governance is critical to the initial development and long-term maintenance of a successful ERM program. The board of directors and management should be actively and consistently involved in the risk management initiative. Management is responsible for the development and detailed monitoring of the risk management program. Depending on the organization, members of management may include a risk officer and/or an internal audit group. The board must function in an oversight role. Members are tasked with understanding management’s strategy and objectives, risk assessment process, and risk mitigation plans. A clear understanding and execution of individual roles and responsibilities will help to ensure effective risk management within an organization.
CHAPTER THREE
ERM Defined

IN 2004, THE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) of the Treadway Commission issued a document entitled Enterprise Risk Management—Integrated Framework. The publication was made available to provide management guidance for the development, evaluation, and/or improvement of its risk management. Those familiar with the original COSO Framework, which was published in 1992, will note many similarities in the structure, including the defined components and objectives, as well as the guidance contained in the Integrated Framework. COSO defines enterprise risk management (ERM) as:

a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.¹
Further examination of this definition requires focus on a number of important attributes when designing, implementing, and/or analyzing an ERM solution. Considerations include these points:
▪ Enterprise risk management is a process. This statement suggests that a risk management solution is a continuous practice. It requires monitoring and consistent review.
▪ Each individual member of the organization is responsible for risk assessment and risk management. Certain groups or individuals may have greater influence and responsibility than others, but every person associated with the organization plays a role. Roles and responsibilities should be clearly defined and documented.
▪ The use of the words “strategy,” “risk appetite,” and “objectives” in the definition implies that an entity has a strategic plan, clearly outlined objectives, and a risk management solution that includes consideration of the organization’s risk appetite.
▪ The phrase “applied across the enterprise” implies a portfolio view of risk.
▪ Absolute assurance regarding the achievement of entity objectives is an unrealistic goal and an impossible task. An ERM solution should be designed to provide an entity with reasonable assurance associated with the attainment of documented entity objectives.
An organization should carefully assess the definition and the associated factors listed and incorporate these considerations into its ERM solution in order to effectively and efficiently design and implement a practical, cost-effective, sustainable program. The development and implementation of an effective ERM program involves thinking and planning ahead as well as thoughtful anticipation and consideration of what could go wrong. Every risk management program should seek to create value, and risk management should be included in the decision-making process of the organization. It should be based on the best available information, address uncertainty, and consider human factors. In addition, risk management should be structured and responsive to change. Ideally, it should be incorporated into operational processes. The ideal risk management program minimizes both spending and the negative effects of risk. Enterprise risk management involves:
▪ Aligning an entity’s strategy and risk appetite. Management takes into consideration the risk appetite of the organization when setting objectives related to its strategy.
▪ Determining risk responses. An effective ERM program provides valuable information and guidance in the appropriate risk response, whether it is avoidance, reduction, sharing, or acceptance.
▪ Reduction of losses and surprises due to an increased capability to identify and respond to potential events.
▪ The ability to identify and respond to risk across the entire enterprise through an integrated method.
▪ Proactively capitalizing on and realizing opportunities through the consideration of multiple potential events.
▪ Effectively assessing overall capital needs and improving capital allocation as well as deployment of capital.

The ERM—Integrated Framework consists of eight interrelated components:
1. Internal environment. The internal environment encompasses the tone of the organization and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
2. Objective setting. Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event identification. Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting process.
4. Risk assessment. Risks are analyzed, considering the likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
5. Risk response. Management selects risk responses—avoiding, accepting, reducing, or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control activities. Policies and procedures are established and implemented to help ensure the risk responses are carried out effectively.
7. Information and communication. Relevant information is identified, captured, and communicated in a form and time frame that enables people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
8. Monitoring. The entirety of the ERM program is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

The COSO Framework also outlines objectives in four major categories:

1. Strategic. High-level goals aligned with and supporting its mission
2. Operations. Effective and efficient use of its resources
3. Reporting. Reliability of reporting
4. Compliance. Compliance with applicable laws and regulations
The Integrated Framework is valuable guidance for the design, build, and analysis of an effective ERM program. The steps in the ERM process will be outlined in detail in the following chapters. The book incorporates significant reference to the guidance included in the framework.
DEFINITIONS AND CONCEPTS
Several terms and concepts will be introduced and utilized throughout this book. The author does not suggest use of all of these technical terms when introducing risk management and risk assessment concepts to an organization. Continuous mention of such terms tends either to confuse or to alienate an audience, resulting in lack of interest and/or buy-in to the concepts and the resultant initiative. The terms and concepts can be presented using common, more recognizable phrases. This approach tends to be more effective with employees. However, it is important for the reader to grasp the definitions and underlying concepts presented in order to lead an organization through the development and implementation of an effective risk management program. A search for the terms on the Internet would uncover a number of definitions developed by and gathered from several professional sources and publications, including those outlined earlier.
Risk Appetite
Risk appetite is basically the level of risk an organization is willing to accept in pursuit of the achievement of its objectives. An organization’s risk appetite is actually a reflection of the risk appetites of its individual members and groups—meaning the board of directors and management. It is not necessarily measured quantitatively. It can be referred to as “risk limits” and somewhat defined in a narrative format in the entity’s risk policies. An entity’s risk appetite ultimately provides guidance to the organization regarding strategy and objective setting.
Risk Tolerance
An entity’s risk tolerance is measurable and should parallel its risk appetite. COSO describes risk tolerances as the acceptable levels of variation relative to the achievement of objectives: where appetite is the broad, often narrative statement, tolerances are the measurable limits that put it into practice for specific objectives.
Risk Response
All companies have risk. It is inherent in being in business. Part of a formal risk assessment process involves ranking risks based on impact, financial or otherwise, and the likelihood of occurrence. Beginning with this assessment, risks will be placed into one of four risk response categories. These categories include:

1. Risk avoidance. Activities associated with a high likelihood of loss and significant financial impact typically evoke a response that results in recommendation of complete avoidance of the activity. Simply stated, these are situations where the consequences or organizational impact are so great that management chooses to avoid them completely. Risk avoidance commonly is invoked in cases where the probability and consequence of the risk impact is significant enough to potentially have a severe negative effect on a major company asset, such as cash/finances, brand, or people.
2. Risk acceptance. Management accepts certain risks by virtue of the fact that it operates a business. Some risks are unavoidable. Also, in some situations, certain risks are accepted if a cost-benefit analysis is performed and it is determined that the cost to mitigate the risk is higher than the cost to bear it. However, effective risk management involves planning, understanding risk, and monitoring it. These same risks that management has agreed to accept (within its risk tolerance) should be monitored for factors or incidents that may change the risk event and, thus, the risk treatment.
3. Risk mitigation. “Mitigation” by definition involves minimizing risk. Therefore, if management determines that a risk should be mitigated, it is seeking a response that will reduce either the likelihood or the impact of that incident or event. In other words, management is seeking to limit exposure. This response incorporates management control systems to reduce the risk of loss.
4. Risk transfer. This response involves moving risk from one entity to another. It most often entails movement of risk to an external party, but it may also result in shifting risk to a different part of the same entity or subsidiary. The two most common forms of risk transfer include the purchase of various types of insurance and derivative product transactions, such as futures or options.
RISK CATEGORIES
Risks can be categorized in many different ways and historically have been presented in various formats. Every organization is unique based on culture, industry, and business strategy/models, to cite a few. Risk categories may be named differently, and certain risks may be included in different categories from one organization to another. However, it is most important that an organization ensure that risk has been considered in all areas that are relevant to the development of a comprehensive risk profile and ultimately encompassed in an effective risk management program for the organization. A list of risk categories that management should consider when conducting its risk identification is presented next. These categories will be referred to during the outline of the risk management process in the next chapters. This information is intended to provide guidance for management discussion and consideration during the process. It is not intended to be comprehensive or all-inclusive, given that each organization is distinctive and therefore will have unique considerations.
▪ External. When analyzing external risks, an organization should consider customers, suppliers, and competitors. Assessment in this area should also include discussions regarding risk to brand and reputation as well as risks associated with new competition, outsourcing, suppliers, partners, and financial or other crises or disasters.
▪ Financial. Considerations in this area include risks associated with credit/cash management; financial markets, such as interest rate fluctuations, debt and equity structure; and financial reporting, including the production of accurate, timely financial statements and appropriate disclosures. Assessment should include discussions regarding processes, controls, and potential deficiencies related to the financial close and financial statement preparation as well as risks to the achievement of all documented financial reporting objectives.
▪ Operational. Big-picture operational risk focuses on the people (human resources), process (product development, marketing), and physical assets (property, plant, equipment) that are most important to an organization’s survival and success. In some cases, these are the items that, typically, ultimately have the greatest impact on cash flow. For example, in many organizations, a significant portion of revenue is lost due to errors or issues with process and/or those individuals involved in those processes. In a number of the situations considered in this area, the probability of incident occurrence is low. However, the potential consequences are substantial.
▪ Strategic. Assessment of strategic risk requires consideration as to whether outlined strategies are appropriate and if they support the entity in meeting its documented business objectives. In addition, management should examine inherent risks associated with the strategies. Strategic risks focus on areas such as governance, external relations, and business models/plans.
▪ Regulatory. Overall concentration in this area is on the risk of meeting all regulatory requirements and compliance with applicable laws and regulations. This focus includes financial, labor, and policy requirements, such as Sarbanes-Oxley, Occupational Safety and Health Administration, and environmental regulations, respectively. Securities and Exchange Commission, Internal Revenue Service, Department of Labor, and industry regulations should be considered as part of the risk assessment process.
▪ Information. When evaluating information, risk management should concentrate on risks related to intellectual property as well as the information technology that supports processes, operations, and reporting within the organization. This includes hardware, software, and network support. Discussion should center on whether information systems are reliable, secure, and adequately support the organization and if data/information is relevant, reliable, and timely.
INTERNAL ENVIRONMENT
The eight components of the COSO ERM—Integrated Framework outlined earlier in this chapter, as this book groups them for the step-by-step process that follows (control activities are treated together with risk response, and board oversight is listed as its own component), are:

1. Internal environment
2. Strategy and objective definition
3. Event identification
4. Risk assessment
5. Risk response
6. Communication
7. Monitoring
8. Oversight

The next chapters provide a logical progression of activities and detailed guidance for the design and implementation of an ERM program that incorporates consideration of each of these components, beginning with strategy and objective definition. Before each of these steps is explained, it is important for the reader to understand the internal environment component and its role in the design, implementation, and/or analysis of a risk management program. The internal environment is the foundation and basis for all of the other components of any ERM program. The elements and their treatment in this area set the tone of an organization related to risk management. The internal environment is influenced by the history and culture of the organization. Elements within the internal environment influence strategy and objective definition, business plan structure, and risk identification and assessment. In addition, the internal environment also impacts the design and implementation of control activities as well as the information/communication and monitoring component activities. Internal environment elements include the entity’s risk management philosophy, its risk appetite, board of directors’ oversight, employee integrity and ethical values, organizational structure, assignment of authority and responsibility, and employee competence. Each is discussed in more detail next. It is important to be mindful of the fact that although each of these elements is important, there will be differences in the level to which they will be addressed within each organization, depending on the size and complexity.
▪ Risk management philosophy. The attitudes and principles of the entity are exhibited in the organization’s risk management philosophy. They are reflected in the entity’s consideration of risk and application of the other risk management components from strategy, to process, to internal controls. These attitudes and principles are displayed in management policies as well as written and oral communications. This presentation is reflected in the values, culture, and operating style, which all affect the development of the other components of an ERM program, including risk identification, risk response, and risk management. A well-developed risk management philosophy that is communicated and accepted throughout the organization will facilitate effective risk assessment and management. Management in tandem with the board of directors should develop a risk philosophy statement that broadly defines the entity’s perspective regarding the risk identification process as well as its position regarding risk tolerance and avoidance as each relates to the achievement of organization objectives.
▪ Risk appetite. Risk appetite, as defined earlier, is the level of risk an organization is willing to accept in pursuit of the achievement of its objectives. It is reflected in an entity’s risk management philosophy and taken into account during strategy and objective setting. When outlining its strategy, an entity should seek to align strategy with risk appetite. Risk appetite translates risk management philosophy into more specific tangible risk terms that can be understood and considered by members of the organization when assessing risk. An organization may express its risk appetite qualitatively in terms of high, medium, or low. Conversely, it may choose to express risk appetite quantitatively, such as a percentage of revenue or expense. Ultimately, risks will be appraised and deemed acceptable or unacceptable based on the stated risk appetite standards.
▪ Board of directors. The board of directors plays a critical role in the internal environment of an organization. Members should be independent of management and be prepared to question the organization regarding strategy, objectives, and performance. Specifically, the board is responsible for providing ERM oversight.
▪ Integrity and ethical values. An entity’s ethical values manifest themselves in the development and documentation of its strategy and objectives. Expectations regarding standards of behavior are expressed explicitly in documents such as a code of conduct as well as through management and board of directors’ actions and activities.
▪ Organizational structure. A company’s organizational structure should enable effective risk management. Ultimately, the structure should support risk management program design, implementation, and monitoring. In addition, it should establish key areas of responsibility and accountability. The organizational structure should be relevant and appropriate for the organization based on the nature and size of the entity. Most important, it should meet the needs of the organization and not be overly complicated or cumbersome from an operational perspective.
▪ Assignment of authority and responsibility. This element addresses accountability, responsibility, and ownership. It involves the level to which employees are authorized to address and solve issues. Therefore, management should ensure that individuals understand the entity’s objectives as well as how their role contributes to the achievement of those objectives. Management should clearly establish and outline reporting relationships and authority limits. Employees should recognize that they will be held accountable.
▪ Commitment to competence. Management must determine what knowledge and skills are necessary to perform specific tasks. Competence is a reflection of the existence of that knowledge and skill in tasks performed. When documenting plans for the implementation and achievement of its strategy and objectives, management must determine the level of competency expected in the accomplishment of these tasks.
SUMMARY
An entity’s internal environment has a significant impact on all of the other components of ERM. An ineffective internal environment can result in potential financial loss or, in an extreme case, business failure. In contrast, a solid internal environment will positively influence the organization and serve as the cornerstone for the design, implementation, and support of an effective ERM program.
NOTE
1. COSO, Enterprise Risk Management—Integrated Framework, September 2004, Executive Summary, p. 4.
CHAPTER FOUR
The ERM Process: Step by Step

The vast majority of organizations, if not all, consider risk, discuss risk, and proactively address potential high-risk incidents or situations. In doing so, most probably do not often use the terms “risk,” “risk incidents,” or “risk response.” Management has informal discussions about what could go wrong or what events may occur that can have a negative impact on the business and subsequently determines how to handle these situations. However, a significant number of these same organizations do not conduct a formal risk assessment and have not developed a comprehensive risk management program. The information in this chapter provides a practical guide for the design and implementation of an effective enterprise risk management (ERM) program. Every organization’s risk management program will be different because each company is unique. Risk profiles and risk appetites differ. It is critical to the development of an effective risk management program that management obtain a solid understanding of both the risks and the related severity of each in order to customize an appropriate solution for the organization, including the categorization of risk responses. An effective risk management program allows an entity to make informed decisions guided by proactive, documented solutions and considerations versus reaction and guessing. ERM program design and implementation do not necessarily require external expertise. Management and the board of directors should know the organization, the business, and the industry, as well as the internal and external factors that may affect the achievement of objectives, well enough to develop an effective process based on the steps outlined in this chapter. The program need not be overly complicated or result in the production of volumes of documentation. As stated previously, the goal is to create a successful, valuable program that is suitable for the individual entity. As outlined earlier, the overall steps and considerations in the risk management process include:

1. Control environment/internal environment
2. Strategy and objective definition
3. Event identification
4. Risk assessment
5. Risk response—control activities
6. Communication
7. Monitoring
8. Oversight
To reiterate guidance provided earlier, management is responsible for the design, implementation, and monitoring of the ERM program. The board of directors is charged with risk management oversight. Chapter 3 details the internal environment component and its role in an ERM solution, so here we begin with strategy and objective definition.
STEP 1: STRATEGY AND OBJECTIVE DEFINITION
A clearly documented strategy and associated objectives are necessary in order to facilitate the design and development of an ERM program. Absence of this information and guidance makes it impossible to follow the suggested ERM program development procedure. Therefore, this step is critical to the process. The establishment of objectives is a prerequisite for the subsequent program steps of event identification, risk assessment, and risk response.
In conjunction with board of director oversight and approval, management defines the entity mission or purpose. The mission statement will help to determine how the organization will create value for its owners or shareholders. Subsequently, management establishes strategic objectives and outlines strategy as well as defines operations, reporting, and compliance objectives. Strategic objectives are the goals that support the organization’s mission or purpose. These objectives should be presented to employees and should be understandable and measurable. Individuals should be aware of the relationship between the entity’s objectives and their role and responsibilities. Specific broad objective categories should be instituted related to operations, reporting, and compliance. These three objective categories are identical in both the Committee of Sponsoring Organizations (COSO) Framework and the COSO ERM—Integrated Framework. Some objectives will be associated with the nature of the entity’s business or the industry. External factors, including reporting or compliance obligations, will impose some of the documented objectives in these categories, such as environmental requirements or Securities and Exchange Commission regulations. Internal factors, such as management reporting requirements, management judgment, and operating style, will drive the development of operational objectives. These objectives will vary significantly between entities.
Operations Objectives
Operations objectives relate to the effectiveness and efficiency of operations. Objectives outlined in this area ultimately will drive resource allocation. Management should ensure that these objectives reflect expectations regarding the industry and economic environment as well as market demands and any internal documented quality requirements.
Reporting Objectives
Reporting relates to both internal and external requirements. Reliable reporting should provide management and external parties as well as any applicable regulatory agencies with required information. This information includes data such as flash reports, production detail, and financial statements and disclosures.
Compliance Objectives
Many organizations must comply with specific laws and regulations based on their industry. Therefore, the entity must perform certain activities and/or provide specific information to regulatory agencies. These requirements may apply to areas such as environmental or labor laws. Compliance or noncompliance in this area can have a significant financial and reputational effect on the organization. An entity should seek reasonable assurance regarding the development and achievement of its objectives. Absolute assurance is not possible. Achievement of stated reporting and compliance objectives is mostly within the organization’s control. Strategic and operations objectives are influenced by and subject to external events and activities.
Risk Appetite
There is a definitive relationship between strategy and risk appetite. If ERM is employed during strategy setting, the selected strategy should be consistent with the entity’s risk appetite. Upon completion of the outline of objectives, management should consider whether the documented objectives support the stated mission as well as how and if they align with the entity’s risk appetite, which is defined as part of the internal environment. Effective ERM requires that management have a process for aligning strategic objectives with risk appetite. Management should examine whether strategic options fall within the risk appetite. At the conclusion of this step, the organization should have a document that includes clearly stated strategic, operations, reporting, and compliance objectives. The document may consist only of a single page, and certain areas may include only one or very few objectives.
STEP 2: EVENT IDENTIFICATION
Risk management supports an entity in minimizing the effect of negative-impact events and maximizing the effect of positive-impact events. Management identifies potential events and determines whether they represent risk and/or opportunity based on whether the event may prevent or deter the entity from achieving its objectives or enhance its ability to do so. Definition of these events and potential impact is essentially the entity’s risk profile. This profile will be utilized to categorize risks in order to determine how they will be managed. Management considers internal and external events. A number of external factors can influence strategy and objective achievement, including:

▪ Economic. Related events include price movements, capital availability, or lower barriers to competitive entry, resulting in higher or lower cost of capital and new competitors.
▪ Natural environment. Events include flood, fire, or earthquake resulting in damage to plant or buildings, restricted access to raw materials, or loss of human capital.
▪ Political. Events include election of government officials with new political agendas and new laws and regulations resulting in newly open or restricted access to foreign markets or higher or lower taxes.
▪ Social. Events include changing demographics, social mores, family structures and work/life priorities, and terrorism activity resulting in changing demand for products and services, new buying venues and human resource issues, and production stoppages.
▪ Technological. Events include new means of electronic commerce resulting in expanded availability of data, reductions in infrastructure costs, and increased demand for technology-based services.1

A number of internal factors also may affect successful objective achievement; these include:

▪ Infrastructure. Events include increasing capital allocation, preventive maintenance and call center support, reducing equipment downtime, and improving customer satisfaction.
▪ Personnel. Events include workplace accidents, fraudulent activities, and expiration of labor agreements resulting in loss of available personnel, monetary or reputational damage, and production stoppages.
▪ Process. Events include process modification without adequate change management protocols, process execution errors, and outsourcing customer delivery with inadequate oversight resulting in loss of market share, inefficiency and customer dissatisfaction, and loss of repeat business.
▪ Technology. Events include increasing resources to handle volume volatility, security breaches, and potential systems downtime resulting in backlog reduction, fraudulent transactions, and inability to continue business operations.2
Once major internal and external factors that may influence events are identified, management can consider their significance. Management may utilize a number of different event identification techniques based on the entity’s risk management philosophy. These techniques reflect on the past and the future. Techniques may include facilitated workshops that capitalize on the knowledge base and experience of all levels of employees, including management and staff. Individuals from all areas and departments should be included to ensure that relevant events are not overlooked. Depending on the size and complexity of the organization, this group may include only a few individuals. The size of the group is not important. It is critical to involve the individuals who are able to provide knowledge and insight into the key risks and risk areas related to the organization. Management can utilize listings available by industry or process to inventory and document possible events. These listings are also available in software products. Process documentation may be utilized to identify and analyze internal and external factors that may affect achievement of process objectives. Threshold triggers or event indicators can be identified and implemented for consideration when certain events occur. Previous loss events also should be considered. Identified events may occur concurrently or one as a result of another. Management should understand relationships between events as well as interdependencies. Practical implementation guidance suggests that management ask participants involved in facilitated workshops to consider what could go wrong in the areas or processes documented during event identification that might affect the achievement of entity objectives. Event identification is the foundation for the risk assessment and resultant risk response steps in the overall risk management process. The depth and detail involved in event identification varies between entities. An organization may find it useful to document events by category. Specific examples of categorization types are provided in Chapter 3. However, some companies may choose to identify and document events based on their documented objectives. Either method is effective. At the conclusion of this step, the organization should have a documented listing, by category, of potential risks. A review and analysis for completeness should be conducted prior to proceeding.
STEP 3: RISK ASSESSMENT

Once risks have been identified, management must assess each risk for impact as well as consider the organization’s vulnerability to each risk. Individuals with in-depth knowledge of entity operations and the industry should be included in the assessment process. Risk assessment involves management consideration of external and internal factors as well as expected and unexpected events that may affect an entity’s ability to achieve its objectives. Management must consider inherent and residual risk. Inherent risk is risk to the entity that exists absent of any management activity or mitigation. Residual risk is the risk that exists subsequent to management mitigation or response. Management considers residual risk after risk responses have been developed. Potential events are evaluated for likelihood and impact. “Likelihood” denotes possibility or probability, and “impact” characterizes the effect. Likelihood and impact should be evaluated for a time period that parallels that of the related strategy and objectives. Estimates of likelihood and impact often are established based on internal historical entity data and events. Industry benchmarks are also valuable data sources for this analysis. Whenever possible and practical, management should include external data and analysis as part of its risk assessment process related to likelihood and impact estimates. This data increases the subjectivity of the examination. The risk assessment process may include qualitative and quantitative techniques. Quantitative techniques are more precise than qualitative techniques. Management may utilize the same type of facilitated sessions used during event identification to gain consensus and opinion on risks as well as likelihood and impact in either numeric or descriptive terms. When conducting the risk assessment, management should consider the risks that the entity is taking, how each is being addressed, and how each risk, if it manifests itself, will affect the enterprise. Management, along with the board of directors, may consider reviewing the entire list of identified risks and collectively determining the top ten most significant risks for the organization. This will be helpful for periodic review and monitoring purposes. Some organizations may begin the development of their risk management program with a focus on this list or on a small number of risks that have been agreed on as potentially most impactful. Utilizing this approach, the entity would follow the remainder of the outlined risk management process.
Subsequently, this program can be expanded. The information that is collected during the risk assessment process can be assembled into a single document for management and board of director review. This will facilitate the next steps in the risk management process and also help to ensure a comprehensive program.
STEP 4: RISK RESPONSE

Subsequent to the documentation and assessment of relevant risks, management must determine its response to each identified risk. When developing action plans, it is important that the entity understand the related factors and circumstances associated with each risk as well as what actually can be done about them, if anything. In some cases, the identification of key risk indicators may be helpful for the development of action plans. If the organization currently is utilizing key performance indicators, these data points often also can be used for this purpose. In other cases, the development of key risk indicators may be required, for example, to monitor external activity that may affect the organization from a risk perspective. Doing this may involve simple actions, such as examination and review of analyst reports for signs of potential negative impact on reputation. When determining risk response, management must assess the likelihood and impact of the risk, cost versus benefit, as well as potential opportunity in achieving stated objectives. Ultimately, the organization should seek to align residual risk with the risk tolerances and risk appetite reflected in overall risk management philosophy and documented in policy and written communications. There are four categories of risk responses: avoidance, reduction, sharing, and acceptance. If management is unable to identify a response option that will reduce the likelihood and impact to an acceptable level, then avoidance is chosen as the appropriate risk response to that individual risk. Reduction or sharing responses are implemented when management determines that the activity will reduce the residual risk to an acceptable level. Acceptance implies that the risk level is already aligned with documented risk tolerances. A detailed discussion of each of the responses is included in Chapter 3. In addition, the following risk response chart provides high-level guidance for risk response categorization:

Probability    Likelihood    Response
High           High          Avoidance
Low            High          Mitigate
High           Low           Transfer
Low            Low           Accept
When analyzing and determining responses, additional consideration also should be given to historic activity and trends as well as potential future scenarios. Upon completion of the risk response process, management should have selected and documented a risk response category and related activity/action plan for each recognized event that was documented during the risk assessment process. Management examines risk holistically from the entity perspective. Therefore, it should ensure that the consolidated risk responses align with risk appetite.
Control Activities

Once selected responses have been identified, management may need an implementation plan to accomplish some of the planned responses. The most significant component in the development of the implementation plan is instituting control activities to be certain that risk is mitigated. When choosing control activities, management should consider how each activity is related, if at all, to the others. Control activities are policies and procedures that are the actions of people to implement the policies, directly or through application of technology, to help ensure that management’s risk responses are carried out.3 Control activities are the risk response. Ultimately, objectives, risk responses, and control activities should be clearly linked. A detailed example is outlined in Chapter 6. There are several types of descriptions of control activities, including preventive, detective, manual, automated (computer), and management controls. There are also numerous types of control activities. The COSO ERM—Integrated Framework lists these examples of control activities:

▪ Top-level review. This includes senior management review of performance as well as analysis and comparison to budget, historic information, and industry/competition. Organization initiatives also are tracked and reviewed; these may include marketing campaigns, production activities, or new product development.
▪ Functional activity management. This involves direct manager review of performance and activity.
▪ Information processing. A series of controls is performed to check accuracy, completeness, and authorization of transactions.
▪ Physical controls. Assets such as inventory and equipment are physically secured and periodically counted and compared to recorded amounts.
▪ Performance indicators. This step includes the use of analytical procedures, budgets, and other information to identify variances, unexpected results, or unusual trends for subsequent follow-up.
▪ Segregation of duties. Duties are separated between different individuals in order to reduce the risk of fraud or error. The authorization and recording functions are segregated.

It should be noted that this listing is not all-inclusive of the myriad of control activities found within different organizations.
Information Controls

In the current environment, most organizations place a significant amount of reliance on information systems for operations as well as for the achievement of reporting and compliance objectives. Therefore, management should focus on identification and mitigation of risk related to the technology that is utilized. There are two groups of information technology (IT) controls: general and application. General computer controls are pervasive and apply to all systems. They include IT management and infrastructure, security management (physical and logical), and software acquisition, development, and maintenance. Application controls include input, processing, and output controls. These controls focus on completeness, accuracy, authorization, and validity of data input and processing. Application controls aid in preventing erroneous data from entering a system and help in the detection and correction of identified errors.
Policies and Procedures

Control activities are guided by two components: a policy that outlines what should be done and a procedure that describes, in detail, how that policy should be applied. Policies may be communicated orally, but, ideally, they should be documented, approved, and distributed throughout the organization.
Control Activity Summary

Control activities are entity specific. No one set of controls can be applied to every entity. In the end, the COSO Framework reinforces the fact that the control activities must fit the organization’s resources, history, complexity, and culture. Controls reflect the environment and industry in which the entity operates as well as the nature and scope of its operations. An entity must create controls that function in its environment, enforce those controls, and modify the controls if circumstances change. At the conclusion of the risk response step, the organization should have an identified control activity documented for each identified risk based on the categorization. The final two steps in the design and implementation of an ERM program address communication and monitoring. They are both vital in the development of a comprehensive program and critical components necessary for an entity to sustain the initiative.
STEP 5: COMMUNICATION

Once an organization has completed Steps 1 through 4, it is ready to begin formalizing communication plans as well as considering how it treats and manages information. Communication begins with information. Every entity gathers a plethora of information related to external and internal activities that is relevant and necessary for the management of the organization. Current and historical data are utilized to support entity risk management. This information may be financial or nonfinancial in nature as well as quantitative or qualitative. Financial information is necessary for the production of financial statements, planning, budgeting, and other management activities. Operating information is also necessary for financial reporting as well as many internal management reports and compliance purposes. Management is challenged with processing and refining a significant amount of data and disseminating relevant information to appropriate individuals and/or groups. This information supports employees in performing their risk management duties and/or activities. Source data and information processing must be accurate and timely. Therefore, data processing and data management and the selection and implementation of technology are critical to the achievement of objectives. Information systems should support business strategy and thus support associated risk management. When considering data and related information systems, management should obtain reasonable assurance that accurate, timely, quality information is being produced and disseminated to the proper individuals to support entity risk management. Communication also must occur regarding broad expectations of employees as well as roles and responsibilities, including personnel responsibility for risk management and delegation of authority.
Management should ensure that employees understand that the organization, beginning with the board of directors, is committed to risk management and the program should be taken seriously. Communication should effectively convey:

▪ The importance and relevance of effective ERM
▪ The entity’s objectives
▪ The entity’s risk appetite and risk tolerances
▪ A common risk language
▪ The roles and responsibilities of personnel effecting and supporting the components of ERM4

External communication of relevant information should be provided to regulators, analysts, and other appropriate external parties. In order to communicate effectively internally and externally, the organization must establish and maintain open channels of communication. Management should ensure that personnel believe that management is willing to listen to issues and address them promptly and appropriately. Upon completion of this step, management should have considered and addressed its communication style, process, and effectiveness as well as the supporting technology to determine whether it is sufficient to preserve risk management.
STEP 6: MONITORING

Each entity should sustain continuous vigilance in monitoring the established risk management program. It is through the continuous monitoring process that management obtains information that facilitates a determination as to whether the functioning ERM program remains effective. As situations change and/or events occur, either internal or external to the organization, the entity risk profile is modified. Risk response may or may not continue to be appropriate or effective. Risk monitoring and reporting activities supply individuals, including the board of directors and management, with the information necessary to oversee and/or support a risk management program and make changes to the program as necessary. Monitoring is accomplished through ongoing activities, separate evaluations, or both. Ongoing monitoring occurs through the normal course of operations and processes within the organization and therefore is performed on a real-time basis. Some examples of ongoing monitoring activities include management review of operations reports, communication from external parties, communication from regulators, and internal and external audit reports and memos. Separate evaluations often are performed through self-assessment and include the use of checklists, questionnaires, and flowcharting. In addition, the internal audit group may perform this activity. In either case, the evaluator analyzes the design and results of tests of the ERM program and compares them to management’s standards to determine if the program provides reasonable assurance of the achievement of the stated objectives.
Deficiencies may be discovered in the entity’s risk management. They may be identified through normal operating activity or process review/observation or by the monitoring of the risk management program itself. External parties also may provide information or communication that indicates the existence of a deficiency. Each identified deficiency should be carefully considered for impact on risk management, and corrective action should be taken. Reporting structure and format will differ by organization. However, the organization should document expectations regarding what should be communicated and to whom. Upon completion of this step, management should have a documented monitoring process that includes a procedure for deficiency reporting and escalation.
OVERSIGHT

The last consideration outlined in the COSO Framework is oversight. Oversight is a method of monitoring. Roles and responsibilities, including those of the board of directors, audit committee, and management, are detailed in Chapter 2. The existence of good corporate governance, including proactive oversight at all levels of the organization, is critical to the initial and continued success of any risk management program.
SUMMARY

The design and development steps of an ERM program that have been outlined provide guidance that can be utilized by any entity, regardless of size or availability of resources. Each organization should approach this initiative from a practical perspective. In order to develop an effective program, all of the steps described should be followed. However, the goal is to conduct an initiative that is perceived as valuable and ultimately produces a program that is useful in minimizing surprises, loss, and cost and allows the organization to become more proactive than reactive in its activities. Management should be mindful of these and any other entity-specific goals when leading the organization through this exercise. A successful ERM program does not require volumes of documentation or a significant amount of time and resources. The organization should emerge from the process with a document and related communication that very simply states the entity’s overall objectives, the risks that may prevent achievement of those objectives, and a plan for minimizing and monitoring those risks. At the conclusion of all of these process steps, management should have a complete risk management plan that can be monitored as well as communicated to the entire organization. Items documented in the plan should include the risk management philosophy, entity strategy and related objectives, and identified risks in addition to control activities or plans for addressing each. There are many benefits to risk management. However, there are also some inherent limitations. Managing risk is a component of management’s job. Managers should know all aspects of their business. However, the most effective, comprehensive risk management program cannot ensure that events with negative impact will never occur. Effective risk management provides reasonable assurance that objectives can be achieved. Nonetheless, an effective risk management program that is implemented and monitored by knowledgeable employees who understand their individual accountability for risk management can aid an organization in identifying and correcting resulting issues in a timely fashion. Judgment and human error, collusion, management override, and inability to justify the cost benefit of certain controls contribute to the limitations of any risk management program.
NOTES

1. COSO, Enterprise Risk Management—Integrated Framework, September 2004. Chapter 4, Event Identification, p. 42.
2. Ibid.
3. Ibid. Chapter 7, Control Activities, p. 61.
4. Ibid. Chapter 8, Information and Communication, p. 71.
CHAPTER FIVE

COSO Framework and Financial Controls
FOCUS ON FINANCIAL CONTROLS

It is important to establish the reason for the substantial dedication of time and focus specifically on controls over financial reporting. Many private companies lack appropriate documentation regarding the existence of controls associated with the financial reporting and disclosure process. In each case, these controls may or may not exist. Therefore, the most practical approach for these organizations is to focus initially on analyzing and building a strong foundation of internal control through risk assessment in the area of financial reporting and disclosure. Subsequently, management may utilize that foundation as a platform for concentrating on overall risk related to the business, which will facilitate the design and implementation of a robust, holistic risk management program. Smaller companies should consider beginning their risk assessment program by focusing initially in the area of financial reporting and disclosure. This concentration can serve as a dual-purpose initiative for an organization since risks and risk mitigation in this area fall into the overall enterprise risk management (ERM) category of financial risk and subcategory of financial reporting and disclosure. Often smaller and private organizations are lacking in internal control over financial reporting and do not have the stringent regulatory requirements of a public company (i.e., Sarbanes-Oxley). By focusing on the period-end close and financial reporting process as well as the associated risks, an organization can strengthen its system of internal control over financial reporting through mitigation while beginning the larger task of overall risk assessment. Strong internal control mitigates these risks. The period-end close and financial reporting process is also the area where external auditors focus a significant amount of attention during the financial statement audit. Improvements in internal control over financial reporting, therefore, can potentially aid in easing the burden and the cost of the audit and eliminate or minimize the related auditor deficiency disclosures and/or management letter comments. In addition, this approach is not only a logical but also the most comfortable starting point for many companies. The individual or group directing the risk management initiative or leading the attempt to guide the company toward this type of initiative usually is part of the finance/accounting organization. Therefore, they possess intimate knowledge of the financial reporting process and, more than likely, the supporting transaction processes. Thus, the greatest comfort level for the finance/accounting group will be in beginning the risk assessment process in this area. This methodology will help to ensure initial success and aid in building momentum and buy-in for future expansion into a robust ERM program.
Smaller companies tend to have numerous challenges related to internal control over financial reporting. These challenges increase risk of material misstatement. Some of the most common challenges include:
▪ Lack of sufficient resources to maintain appropriate segregation of duties within individual processes
▪ Management ability to override activity
▪ Lack of financial expertise at the board of director level
▪ Lack of employees with adequate accounting and financial reporting skill and experience

Ultimately, these items, along with the principles to be outlined later in the chapter, should be addressed during management’s risk assessment process and the development of risk mitigation. Further discussion of each item follows.
In 1992, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission first issued a conceptual framework entitled Internal Control— Integrated Framework. The Framework was developed for broader use than just design and evaluation of internal controls over financial reporting, as evidenced in its definition of internal control. COSO defines “internal control” as: A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
▪ Effectiveness and efficiency of operations
▪ Reliability of financial reporting
▪ Compliance with applicable laws and regulations

When designing and/or evaluating internal control over financial reporting, the organization focuses mainly on the second objective listed in the definition. Specifically, the entity should include in its considerations regarding risk assessment and control existence the overall objective of the production of timely, accurate financial statements as well as adequate and complete disclosure. The COSO Framework consists of five components:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

The Securities and Exchange Commission has provided guidance that suggests that management should utilize the COSO Framework when designing, building, and/or analyzing internal control over financial reporting. It is important for management to consider all five components and the associated elements of each for the development of a strong system of internal control over financial reporting. When applying the COSO Framework to the design, build, and/or analysis of internal control over financial reporting, companies should take a top-down, risk-based approach. This is the most practical and cost-effective method for all entities. In many cases, an entity can mitigate risk as well as strengthen internal control through the institution of an activity or process that requires minimal implementation time and nominal or no cost. Most entities and individuals tend to focus on process-level controls and control activities. An example of a process-level control would be the approval of invoices prior to payment. It is at this level where some of the challenges listed previously manifest themselves, such as segregation of duties. In a top-down risk-based approach, an entity focuses on mitigating risk of material misstatement in financial statements by focusing first on entity-level controls. These controls are associated with the control environment component of the COSO Framework. Entity-level controls typically serve as mitigating controls for process-level control deficiencies, such as segregation of duties. In order to apply a top-down risk-based approach, an organization must fully understand the principles and attributes of the control environment and risk assessment components of the COSO Framework as well as entity-level controls. It is not necessary to study all of the information to be described in this chapter, and the details need not be shared throughout the entire organization. Implementation of all of the items suggested may not be possible, practical, or cost effective for every company. However, this information is included in detail so that every organization involved in a risk management initiative can consider all of the guidance when designing, building, or analyzing a system of internal control over financial reporting. When reviewing the information, it is important to keep in mind that the primary focus of this guidance is internal control over financial reporting and the related risk assessment. As stated earlier, this is a single subcomponent of the financial risk category in an overall risk management program. Upon review of the COSO Framework components, principles, and attributes, the reader will note significant consistent reference to the board of directors, audit committee, and management responsibility regarding internal control over financial reporting.
Therefore, there is an inherent expectation of documentation of roles, responsibilities and related control activities for each of the aforementioned groups. The reader also may note that there are several opportunities for a single piece of evidence to support the existence and strength of internal control over financial reporting associated with more than one principle and/or attribute.
CONTROL ENVIRONMENT

The control environment is the foundation for all of the other components of internal control. The control environment consists of pervasive controls. A weakness in the control environment may negate controls that exist within other components of internal control.
The seven principles related to the control environment are:

1. Integrity and ethical values
2. Board of directors
3. Management’s philosophy and operating style
4. Organizational structure
5. Financial reporting competencies
6. Authority and responsibility
7. Human resources1
Each principle, its potential associated risks, and mitigation suggestions are presented in detail in the next paragraphs. Each organization should be mindful of the fact that the existence of evidence and the ability to produce evidential matter is one of the most important factors in substantiating internal control strength. Therefore, the discussion provides examples of evidential matter.
INTEGRITY AND ETHICAL VALUES

According to COSO: Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.2

This principle is considered the foundation of the control environment. Tone at the top is critical when setting the standard for financial reporting. Several major incidents of financial statement fraud have involved senior management engaging in unethical activity, thus demonstrating a gross lack of integrity. This principle includes three attributes:

1. Senior management develops a clearly articulated statement of ethical values that is understood at all levels of the organization.
2. There are procedures in place to monitor adherence to the principles of sound integrity and ethical values.
3. If there are deviations from the sound integrity and ethical values, then the deviations are identified in a timely manner and addressed and remedied at appropriate levels within the company.
Management should continuously demonstrate through actions as well as interaction with internal and external constituents the values of honesty, integrity, and ethical behavior. Evidence related to this principle is the most difficult to find. Some argue that it is not possible to prove or evidence integrity effectively. However, an entity, led by its board of directors and senior management, can take a number of actions to demonstrate commitment and expectations regarding ethical behavior as well as to foster a culture of high integrity. The appropriate tone at the top begins with new employee orientation. However formal or informal this process may be within the organization, new employees should be educated regarding expectations for ethical behavior. These expectations can be outlined in a code of ethics document that is distributed to all employees. A code of ethics can be implemented effectively fairly easily with minimal resource time and at virtually no cost. The document does not need to be very lengthy or cumbersome. If the company has an employee handbook, the code of ethics can be included in that document. If not, it can be issued as a stand-alone document. An example is included in Appendix 5A. Every employee should be required to sign the code of ethics upon initial implementation. Organizations should consider employee confirmation on an annual basis. If the company has a mission statement, it should consider, if not already included, incorporating reference to its commitment to integrity and expectations regarding ethical behavior by all employees. In addition, the corporate Web site, both external as well as any intranet site, should include reference to ethics and integrity. The development and implementation of a whistleblower program is considered strong evidence of board of director and management commitment to ethical behavior. 
Similar to the code of ethics, a whistleblower program can be implemented effectively fairly easily with minimal resource time and at virtually no cost. The document should be clear and concise. It can facilitate reporting of any suspected unethical activity, including fraud. The implementation process should consist of five steps:

1. Develop a whistleblower policy and obtain board of director and management approval. (An example policy is included in Appendix 5B.)
2. Determine the individual who will monitor any responses. Ideally, this should be an independent board or audit committee member.
3. Obtain a post office box for mailed responses.
4. Create a telephone extension for verbal/recorded responses.
5. Roll out the program to the organization. Be sure to clearly articulate the purpose of the policy. This is a good opportunity for management to reinforce its commitment and expectations regarding ethical behavior.

Board of director and management expectations, commitment, and philosophy regarding integrity and ethical behavior should be reinforced at every opportunity, such as during company meetings and conference calls. Implementation and evidence associated with the suggestions just outlined directly address the three attributes of this principle and thus demonstrate the existence of strong internal controls and mitigation of risk in this area.
BOARD OF DIRECTORS

According to COSO: The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.3 Board of director activities include:

▪ Defining authority. The board defines and communicates the authorities retained at the board level and those delegated to management.
▪ Operating independently. The board has a critical mass of members who are independent directors.
▪ Monitoring risk. The board actively evaluates and monitors the risk of management override of internal control and considers risks affecting the reliability of financial reporting.
▪ Retaining financial reporting expertise. One or more board members has financial reporting expertise.
▪ Overseeing quality and reliability. The board provides oversight of the effectiveness of internal control over financial reporting and of financial statement preparation.
▪ Overseeing audit activities. The board oversees the work of both internal and external auditors and interacts with regulatory auditors if necessary. It has exclusive authority to engage, replace, and determine the compensation of the external audit firm. The board meets privately with internal and external audit to discuss relevant matters.
◾ COSO Framework and Financial Controls
The audit committee should:

▪ Regularly consider the effectiveness of internal control over financial reporting.
▪ Regularly meet with the internal and external auditors to address scope, plans, findings, and so on.
▪ Review the accounting policies and procedures used by management for determining significant estimates, including key assumptions.
▪ Maintain an appropriate level of skepticism regarding management's assertions and judgments affecting financial reporting, and ask probing and challenging questions of management.
▪ Consider whistleblower information and the company's antifraud and similar processes in monitoring the risks of misstatement in financial reporting.
▪ Certify its compliance with the company's ethics guidelines and independence rules.
In smaller companies that do not have an audit committee, the board of directors should perform all functions required of the audit committee. As mentioned earlier, one of the most common challenges faced by smaller, private companies is the lack of independence and of financial expertise in board membership. The presence or addition of a single independent member and a financial expert on the board of directors significantly strengthens control over financial reporting. The qualities associated with these members, independence and financial expertise, aid in mitigating risk related to financial reporting and disclosure. These members not only bring a different perspective but also possess the knowledge and skill set to review and analyze financial results.

Management plays a significant role in the ability of the board or audit committee to perform its duties adequately. Management is responsible for the development and implementation of an appropriate risk management program for the organization; the board is responsible for high-level, overall monitoring of risk. For this process to be effective, management must conduct the program and provide evidence of it so that the board can review it and ask questions. Part of the board's review should include monitoring of whistleblower program activity and responses. This program is outlined earlier in this chapter.

As mentioned, there is an inherent expectation associated with audit committee responsibilities regarding the existence of evidence of internal control over financial reporting. Therefore, management should ensure that all necessary policies are documented and distributed. Smaller companies often have implicit policies but lack formal documentation. Ultimately, complete policy documentation is optimal. Practically, management should focus initially on the development, approval, distribution, and implementation of any policy that would be considered a component of, or evidence of, an agreed-on key or significant control. For example, if all invoices require approval prior to payment, evidence that this control is in place and operating effectively would include proof that each invoice in a test sample was approved via electronic or manual signature and that the approver had the authority to do so, as evidenced in an approval policy. These policies do not need to be voluminous or complicated. They simply should address the internal control requirements and provide the information and guidance employees need to perform their assigned roles and responsibilities. See Appendix 5C for an example of the suggested format, content, and detail of an approval policy.
MANAGEMENT'S PHILOSOPHY AND OPERATING STYLE

According to COSO: Management's philosophy and operating style support achieving effective internal control over financial reporting.4 This principle is closely related to the first principle, integrity and ethical values. Both can be evidenced by the existence and implementation of items such as the whistleblower program and code of ethics outlined earlier in this chapter.
ORGANIZATIONAL STRUCTURE

According to COSO: The company's organizational structure supports effective internal control over financial reporting.5 In line with this principle, management should:

▪ Establish appropriate lines of financial reporting for each functional area and business unit in the organization.
▪ Maintain an organizational structure that facilitates effective reporting about internal control over financial reporting.

Simply stated, the existence of a documented, published organizational chart is critical to demonstrating the strength of internal control over financial reporting in this area. Many smaller companies do not take the time to circulate an organizational chart. This is an area where management can significantly improve internal control strength associated not only with this principle but with the principles to come, and the task can be accomplished with minimal resources and time and at virtually no cost. In conjunction with this exercise, management should consider documenting and publishing job descriptions, initially and at minimum for the accounting/finance function. Specific attention should be focused on responsibility for internal control and risk management and on the education, experience, and skill sets required to perform those duties. This focus will help ensure that each individual clearly understands his or her responsibility for risk management and for establishing and maintaining effective internal control over financial reporting. Note the correlation between this principle and the COSO definition of internal control, which highlights that every individual has some level of responsibility for internal control. Ideally, management should ultimately prepare and distribute job descriptions for all positions in the organization, referencing not only responsibility for internal control over financial reporting but also the overall control activities that mitigate enterprise business risks according to the documented risk management program.
FINANCIAL REPORTING COMPETENCIES

According to COSO: The company retains individuals competent in financial reporting and related oversight roles.6 Attributes of this principle include:

▪ Identifying competencies that support reliable financial reporting.
▪ Retaining or employing individuals who have the required competencies.
▪ Evaluating competencies on a regular basis.
Lack of the required skill set within the accounting and finance group is one of the most frequently cited risk mitigation challenges faced by smaller entities. Development of the job descriptions just discussed will aid the organization in determining whether competency is lacking in this area. If lack of competency is established, the entity may mitigate this risk through staff addition or replacement (not the most practical or common resolution in the majority of cases), additional staff training/education, or the development of a process/plan for consideration and use of external resources/expertise on an ad hoc basis. The latter suggestion minimizes mitigation cost while demonstrating—as long as it is documented—management’s acknowledgment of the need for expertise that is lacking within the organization and the plan for obtaining that expertise when necessary in order to achieve its financial reporting objective(s).
AUTHORITY AND RESPONSIBILITY

According to COSO: Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.7 Attributes of this principle include:

▪ Defining responsibilities.
▪ Assigning authority, with appropriate limitations, to all employees, including the board of directors.

Several approaches are noted for applying the principle:

▪ Defining objectives and responsibilities. Emphasis is placed on management's responsibility for effective internal control over financial reporting.
▪ Audit committee review of key financial reporting positions. The audit committee reviews management's descriptions of each position's responsibilities and authorities and how these positions affect the strength of internal control over financial reporting.
▪ Assigning authority and responsibilities. Management considers the impact of assigning authority and responsibility on the control environment and the importance of maintaining effective segregation of duties.
▪ Empowering employees. Management empowers employees to correct problems or implement improvements, with appropriate monitoring of these activities.
▪ Aligning positions with responsibilities and authorities. Management considers the nature of employee positions within the company when assigning responsibilities to individuals.

When developing and documenting job descriptions, management should include not only details of job responsibilities but also authority and authority limits.
HUMAN RESOURCES

According to COSO: Human resources policies and practices are designed and implemented to facilitate effective internal control over financial reporting.8 The attributes of this principle include:

▪ Management establishes human resources (HR) practices that demonstrate its commitment to integrity, ethical behavior, and competence.
▪ Employee recruitment and retention for key financial reporting positions are guided by principles of integrity and by the competencies associated with those positions.
▪ Management provides the training and tools employees require to perform their financial reporting duties.
▪ Employee performance evaluation and company compensation practices support the achievement of financial reporting objectives.

Several approaches are noted for applying the principle:

▪ Management develops and maintains position descriptions.
▪ The HR function develops and updates materials outlining the company's HR policies and procedures.
▪ Management reviews resumes and performs reference checks for those applying for key financial reporting positions.
▪ The HR function provides training and awareness programs to promote ethical behavior throughout the organization.
▪ Management establishes a review and appraisal process that confirms knowledge of each employee's progress and status within the organization.
▪ Exit interview processes include inquiries about any concerns related to the company's financial reporting and internal control.
▪ Executive compensation includes a significant portion tied to achievement of nonfinancial goals (e.g., customer satisfaction) and is not excessively correlated with short-term results as reported in the financial statements.
▪ The board of directors reviews management compensation plans to assess whether they create a high risk of financial reporting misstatement and implements controls to reduce that risk to an acceptable level.
▪ Management evaluates the sufficiency and competency of personnel involved in recording and reporting financial information.
These approaches reinforce some of the suggestions cited earlier in this book. Some may not be practical. Numerous smaller companies do not have an HR group or function. In these cases, management should seek to ensure that each individual is aware of his or her role and responsibilities and that each is competent to perform them as well as informed regarding his or her performance.
SUMMARY Many organizations may benefit from using the COSO Framework to assess financial statement risk and mitigation. Subsequently, the entity can utilize this initiative as a platform for the design and implementation of an overall ERM program. This approach is both practical and effective. In addition, it is a beneficial activity because in the vast majority of cases, the result of the initiative is stronger internal control over financial reporting and disclosure.
NOTES

1. COSO, Internal Control over Financial Reporting—Guidance for Smaller Public Companies, June 2006.
2. Ibid.
3. Ibid.
4. Ibid.
5. Ibid.
6. Ibid.
7. Ibid.
8. Ibid.
APPENDIX 5A
Excerpt from a Code of Ethics Policy

THIS CODE OF BUSINESS CONDUCT AND ETHICS (the "Code") describes the standard of ethical business conduct expected from all officers, directors, and employees (together, "employees") of ABC Company and its affiliates (collectively, the "Company"). All officers, directors, and employees are expected to be familiar with this Code of Ethics and to abide by all its principles and procedures. The purpose of this policy is to set forth basic principles and guidelines to direct employees in the proper conduct of their business and personal affairs as representatives of the Company. It does not provide detailed descriptions of all Company policies, and it in no way limits or restricts the applicability of any provision of any other Company policy. You should read this Code carefully and contact your supervisor or the Human Resources Department if you have any questions. This Code has been developed to communicate the Company's expectations of our officers, directors, and employees and to promote the following conduct:
▪ Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest
▪ Avoidance of conflicts of interest, including disclosure of any material transaction or relationship that reasonably could be expected to give rise to such a conflict
▪ Full, fair, accurate, timely, and understandable disclosure in reports and documents that we file with the Securities and Exchange Commission and in our other public communications
▪ Compliance with applicable governmental laws, rules, and regulations
▪ Ensuring that the Company's legitimate business interests, opportunities, assets, and confidential information are always protected
▪ Prompt internal reporting of violations of the Code
▪ Deterrence of wrongdoing
▪ Accountability for adherence to the Code
OUR GUIDING PRINCIPLES AND VALUES

All employees are required to observe the highest standards of business and personal ethics in the conduct of their duties and responsibilities. All employees are expected to devote their best efforts and attention to the performance of their responsibilities. Accordingly, every employee is expected to:

1. Use good judgment.
2. Maintain the highest level of integrity and honesty.
3. Comply with all applicable laws, rules, and regulations.
4. Avoid actual or potential conflicts between his or her personal interests and the interests of the Company.
5. Maintain the Company's confidential information when required.
CONFLICTS OF INTEREST

General

A conflict of interest occurs when personal interests interfere with your ability to exercise your judgment objectively or to do your job in a way that is certain to be in the best interest of the Company. Every employee must take active steps to avoid actual or potential conflicts of interest.
Some examples of potential conflicts of interest include:

▪ Working for, consulting for, or providing information to a competitor or potential competitor of the Company
▪ Accepting favors in return for business from the Company
▪ Participating in transactions or arrangements related to the Company that provide personal financial gain
▪ Participating in business transactions or arrangements in which family members benefit from your involvement with the Company
▪ Accepting bribes or kickbacks
▪ Taking advantage of business or financial opportunities that result from information gained from your association with the Company and not generally available to the public
If a potential conflict of interest arises, or if you are unsure whether your actions will present a conflict of interest, you must:

▪ Present the situation to your supervisor for discussion, or
▪ Follow the specified procedure for reporting the situation to the Human Resources Department.

An employee and his or her immediate family may not own or hold any significant interest in a supplier, customer, or competitor of the Company, except where:

▪ Such ownership or interest consists of securities in a publicly owned company, and
▪ Those securities are regularly traded on the open market.

CONFIDENTIAL INFORMATION; INTELLECTUAL PROPERTY

The protection of confidential business information, including financial information, trade secrets, product information, and customer-related data, is vital to our interests and success. Any employee who, without authorization, discloses trade secrets or confidential business information, including any information regarding our customers, employees, training materials, financial matters, and so on, may be subject to disciplinary action up to and including termination and legal action.
You must continue to comply with the provisions of any confidentiality or similar agreement you may have signed. You also must comply with the Company's Insider Trading Policy with respect to disclosure of material information for the purpose of trading any securities. You agree to make prompt, full, and complete disclosure to the Company regarding any and all inventions, developments, concepts, or ideas made or conceived by you (either alone or jointly) during the term of or in connection with your employment at the Company and to assign to the Company the entire, worldwide rights, title, and interest in the above-mentioned intellectual property. Such intellectual property shall include, without limitation, patentable and unpatentable inventions, ideas, or improvements that are:

▪ In any way within the scope of your employment or related to the Company's business.
▪ Made or conceived during business hours or otherwise.
▪ Made or conceived on Company premises, at Company expense, using Company materials or labor, or otherwise.

You further agree that personal use of such intellectual property or a transfer of such intellectual property to a third party is a violation of this Code.
Employee Name:
Date:
APPENDIX 5B
Whistleblower Program

REPORTS REGARDING ACCOUNTING MATTERS

ABC Company is committed to compliance with applicable laws, rules and regulations, accounting standards, and internal accounting controls. Every employee is expected to report any complaints or concerns regarding accounting standards, internal accounting controls, and auditing matters promptly. Reports may be made by telephone or in writing to the address and/or telephone number listed below. Reports may be made anonymously. All reports will be treated confidentially to the extent reasonably possible. No one will be subject to retaliation because of a good faith report of suspected misconduct or a complaint or concern regarding any of the accounting matters outlined above. The Company has established and published on its Web site a Compliance telephone number and a P.O. box for receiving written complaints regarding accounting matters from employees or others. The contact information is:

ABC Company
P.O. Box 555
Anytown, USA 12345
Attn: John Smith
Telephone: 1-888-555-1234
INVESTIGATION OF SUSPECTED VIOLATIONS

All reported violations will be investigated promptly and treated confidentially to the extent reasonably possible. It is imperative that reporting persons not conduct their own preliminary investigations. Investigations of alleged violations may involve complex legal issues, and acting on your own may compromise the integrity of an investigation and adversely affect both you and the Company.

DISCIPLINE FOR VIOLATIONS

The Company intends to use every reasonable effort to prevent occurrence of conduct not in compliance with applicable laws, rules and regulations, accounting standards, internal accounting controls, and auditing matters and to halt any such conduct that may occur as soon as reasonably possible after its discovery. Subject to applicable law and agreements, Company personnel who violate any of the items listed above or other Company policies and procedures may be subject to disciplinary action, up to and including discharge.
APPENDIX 5C
Approval Policy and Procedures

POLICY

Management is responsible for establishing the approval and authorization requirements necessary to commit Company funds or assets.

PURPOSE

To safeguard company assets by establishing levels of accountability in terms of transaction approval.

SCOPE

This policy applies to company operations worldwide.
1.0 All employees must be aware of and adhere to their approval authorization limits.

2.0 The finance organization is responsible for ensuring compliance with these guidelines. Either the president or the chief financial officer may approve exceptions to this policy, but not beyond the limits of their own authority.

3.0 The authorization limits should be converted to the functional currency of the operation. It is the local finance manager's responsibility to update the local levels as needed due to foreign currency exchange fluctuations.

4.0 Related Party Transactions. All related party transactions should be handled in accordance with the company policy titled "Related Party Transactions." A related party transaction includes the purchase of goods or services from an employee of the Company, an immediate family member of the employee, or a company, partnership, or other entity controlled by the employee or his or her immediate family members. Related party transactions cannot be presumed to be carried out at arm's length. Thus, all related party transactions require preapproval by the corporate controller or chief financial officer.

5.0 Foreign Corrupt Practices Act. It is the company's policy to comply with the provisions of the Securities Exchange Act of 1934 (the "Act"). A specific provision of the Act, the Foreign Corrupt Practices Act, prohibits payments or gifts to foreign individuals or organizations to influence acts and decisions.
APPROVALS/DOCUMENTATION

1.0 All commitments require appropriate documentation and approval in advance of the contemplated transaction. The requisition documentation should include the requester's name, the business unit being charged for the goods/services, a brief description of the goods/services being requested, the cost of the request, and the signature of the individual approving the request. (See "Purchasing Policy.")

Frequently Asked Questions
Q: What if my designated approver is not available? A: Approval must be obtained from the individual at the next higher level according to the approval matrix. Alternatively, you may obtain approval from an authorized substitute signer.
Q: When is this policy effective? A: This policy is effective immediately.

2.0 The originator of the requisition is responsible for obtaining all authorizing signatures. The purchasing department/purchasing agent will confirm that the authorizing signatures are appropriate prior to processing a purchase order.

3.0 The company's authorization matrix contains a listing of the most common types of commitments and expenditures and the appropriate signature level required. Each requisition should also have the signature of the immediate supervisor in addition to the signature of the individual with the appropriate level of authorization. In addition, under certain circumstances, functional approval may also be required.

4.0 Employee expense reports and requisition documents must be approved by an individual's next level of management. No employee shall approve his/her own expenditures.

5.0 Employees are strictly prohibited from requesting that a supplier split the purchase amount on more than one invoice to meet the approval limits of this policy.

6.0 During an authorized signer's absence from the office, signature authorization may be obtained from the individual at the next higher level. Alternatively, an authorized signer may designate a substitute signer with the approval of the next higher level. The delegation of signature authority by the authorized signer may be evidenced by signature on a facsimile or via electronic mail.

Frequently Asked Questions
Q: How many signatures do I need for my requisition? A: At least two signatures are required—one from your immediate supervisor and one from the appropriate authorized approver in accordance with the approval matrix.
Q: What if I am located in a foreign office? A: The authorization limits should be converted to the functional currency of the operation. It is the local finance manager’s responsibility to update the local levels as needed due to foreign currency exchange fluctuations.
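As an added example (not code from the book or from ABC Company's policy), the following Python script applies sections 2.0 through 6.0 above to a requisition: the requester's immediate supervisor must sign, a second signer with enough authority for the expenditure type must sign, nobody approves his or her own spend, a substitute signer counts at the absent signer's level only when the delegation was approved by that signer's next higher level, and commitments beyond the CEO's limit are referred to the board (note 1 of the matrix). It also flags invoices to one supplier that were split to stay under a limit (section 5.0). The authorization levels and dollar limits in `LIMITS`, the staff, and the requisitions are hypothetical, constructed for the example, and are not the values of the book's approval matrix.

```python
"""Requisition approval check against a hypothetical authorization matrix.
Added example, not from the book or ABC Company; every level, limit, employee
and requisition below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Authorization levels, lowest to highest (the book's categories A-D, EVP, CFO, CEO).
LEVELS = ["A", "B", "C", "D", "EVP", "CFO", "CEO"]

# Assumed per-level limits by expenditure type (not the book's figures); a level
# missing from a row has no authority for that type.
LIMITS = {
    "general expenses": dict(zip(LEVELS, [1_000, 5_000, 10_000, 50_000, 250_000, 1_000_000, 5_000_000])),
    "acquisitions/divestitures": {"CEO": 10_000_000},
}

@dataclass
class Employee:
    level: Optional[str]    # authorization category; None = no signing authority
    manager: Optional[str]  # immediate supervisor, i.e. the next higher level

@dataclass
class Delegation:           # section 6.0: substitute signer during an absence
    signer: str             # absent authorized signer
    substitute: str         # designated substitute
    approved_by: str        # must be the absent signer's next higher level

@dataclass
class Requisition:
    requester: str
    supplier: str
    kind: str
    amount: int
    signatures: list
    day: date

def limit_for(kind, level) -> Optional[int]:
    """Limit for a level on an expenditure type; None means no authority."""
    return LIMITS.get(kind, {}).get(level) if level else None

def effective_level(name, staff, delegations) -> Optional[str]:
    """Own level, or the absent signer's level under a delegation approved by
    the absent signer's own manager; improperly approved delegations are ignored."""
    levels = [staff[name].level] + [staff[d.signer].level for d in delegations
                                    if d.substitute == name and d.approved_by == staff[d.signer].manager]
    return max((lvl for lvl in levels if lvl), key=LEVELS.index, default=None)

def check_requisition(req, staff, delegations=()) -> list:
    """Policy violations for one requisition; an empty list means approvable."""
    problems = []
    others = [s for s in req.signatures if s in staff and s != req.requester]
    if req.requester in req.signatures:
        problems.append("self-approval prohibited")                          # 4.0
    if staff[req.requester].manager not in others:
        problems.append("missing immediate supervisor signature")            # 3.0
    if len(set(others)) < 2:
        problems.append("at least two signatures required")                 # FAQ
    top = limit_for(req.kind, "CEO")
    if top is None:
        problems.append("expenditure type not in approval matrix")
    elif req.amount > top:
        problems.append("exceeds CEO authority; board approval required")   # note (1)
    elif not any(req.amount <= (limit_for(req.kind, effective_level(s, staff, delegations)) or 0)
                 for s in others):
        problems.append("no signer with sufficient authority for this amount")
    return problems

def detect_split_invoices(reqs, staff, delegations=(), window_days=30) -> list:
    """Section 5.0: flag one requester's requisitions to one supplier that each fit
    under a signer's limit but together, inside the window, exceed every signer's
    limit. Returns [((requester, supplier, kind), total, [dates]), ...]."""
    groups = defaultdict(list)
    for r in sorted(reqs, key=lambda r: r.day):
        groups[(r.requester, r.supplier, r.kind)].append(r)
    flagged = []
    for key, items in groups.items():
        for first in items:
            cluster = [r for r in items if 0 <= (r.day - first.day).days <= window_days]
            best = max((limit_for(r.kind, effective_level(s, staff, delegations)) or 0
                        for r in cluster for s in r.signatures if s in staff and s != r.requester), default=0)
            if len(cluster) > 1 and sum(r.amount for r in cluster) > best:
                flagged.append((key, sum(r.amount for r in cluster), [r.day for r in cluster]))
                break
    return flagged

def demo() -> dict:
    """Constructed staff and requisitions exercising each rule."""
    staff = {n: Employee(lvl, mgr) for n, lvl, mgr in [("ana", None, "ben"), ("ben", "A", "cara"),
             ("cara", "B", "dan"), ("dan", "C", "eve"), ("eve", "D", "frank"), ("frank", "EVP", None)]}
    d0, acme, gen = date(2024, 3, 1), "Acme Supply", "general expenses"
    ok = Requisition("ana", acme, gen, 4_000, ["ben", "cara"], d0)
    bad = Requisition("ana", acme, gen, 4_000, ["ana", "cara"], d0)
    big = Requisition("ben", acme, gen, 30_000, ["cara", "dan"], d0)
    huge = Requisition("ana", "Target Co", "acquisitions/divestitures", 20_000_000, ["ben", "cara"], d0)
    delegations = [Delegation("eve", "dan", "frank")]  # eve absent; her manager frank approved dan
    pieces = [Requisition("ana", acme, gen, 4_000, ["ben", "cara"], d0 + timedelta(days=i)) for i in (0, 3, 9)]
    return {"ok": check_requisition(ok, staff), "bad": check_requisition(bad, staff),
            "big_without_delegation": check_requisition(big, staff),
            "big_with_delegation": check_requisition(big, staff, delegations),
            "board": check_requisition(huge, staff), "split": detect_split_invoices(pieces, staff)}
```

Running `demo()` shows the 4,000 requisition signed by the supervisor and a category B approver passing, the self-approved one failing three rules at once, the 30,000 requisition passing only when dan acts under eve's properly approved delegation, the acquisition being referred to the board, and three 4,000 invoices to the same supplier inside ten days being flagged because their 12,000 total exceeds the 5,000 the signers could approve.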
APPROVAL MATRIX

[Approval matrix table: the per-cell authorization limits did not survive extraction and are not reproduced; the limits shown in the original range from 1,000 to 10,000,000. The recoverable structure follows.]

Columns (authorization level): A, B, C, D, EVP, CFO, CEO (1)

Expenditure types (rows): Employee expense reports; Licensing and royalty arrangements (2); Purchase of goods and services; General expenses; Establishment of contracts; Sales/deals (2); Payment against approved contracts; Advertising; Recruiting services (3); Consulting services (3); Outside/other services; Contributions; Leases of facilities, property, and equipment (4); Insurance; Wire transfers; Check requests; Capital asset purchases; Software purchases; Vehicle reimbursement; Tax payments and settlement agreements (7); Bank/financial instruments (6); Formation/capitalization of subsidiaries (5); Employee loans; Write-off/reserve of balance sheet items; Acquisitions/divestitures; Relocation; Discretionary bonuses.

Prepared by: Approved by: Revision Date: Effective Date:

Notes
(1) Commitments beyond the CEO's authorization limit require board of director approval.
(2) Must require general counsel preapproval.
(3) Establishment of relationships with recruiting firms must require human resources director approval.
(4) Facilities leases require director of facilities preapproval.
(5) Requires preapproval by CFO and director of tax.
(6) Requires preapproval by treasurer.
(7) Requires preapproval by director of tax.

Authorization Categories
A Includes supervisors and managers.
B Includes country managers (net revenues under 20 million), local finance managers, U.S. district managers, and directors.
C Includes country managers (net revenues over 20 million), international regional managers, regional finance managers, U.S. regional managers, senior directors, and finance directors.
D Includes VP of Operations, VP and CIO, VP and treasurer, and corporate controller.
CHAPTER SIX
Financial Controls and Risk Assessment

RISK ASSESSMENT

Risk assessment is the second component of the Framework of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. The Framework provides a significant amount of guidance to an organization regarding the risk assessment process. It is also important to note that "management's risk assessment process" is classified as an entity-level control. (A detailed discussion of entity-level controls is presented later in this chapter.) Consequently, an entity should consult the Framework when conducting its risk assessment. In addition, the organization should ensure that it has an appropriate level of documentation of management's risk assessment process as evidence of the existence of the necessary entity-level control. "Risk assessment" is defined as the entity's identification of relevant risks to achievement of its objectives, forming a basis for determining how risks should be managed.
There are three principles related to risk assessment:

1. Financial reporting objectives
2. Financial reporting risks
3. Fraud risks
FINANCIAL REPORTING OBJECTIVES

According to COSO: Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.1 Attributes of this principle include:
▪ Financial reporting objectives are in accordance with generally accepted accounting principles.
▪ Disclosures include information that is classified and summarized in a reasonable manner, and financial statements are informative of matters that might affect their use, understanding, and interpretation.
▪ The financial statements reflect the underlying transactions and events.

Supporting the objectives are the financial statement assertions, which include:

▪ Existence. Assets, liabilities, and ownership interests exist at a specific date, and recorded transactions represent events that occurred during a certain period.
▪ Completeness. All transactions that occurred during a specific period and should have been recorded in that period have been recorded.
▪ Rights and obligations. Assets are the rights, and liabilities the obligations, of the entity at a given date.
▪ Valuation or allocation. Asset, liability, revenue, and expense components are recorded at appropriate amounts in conformity with appropriate accounting principles. Transactions are mathematically correct, appropriately summarized, and recorded in the entity's books and records.
▪ Presentation and disclosure. Items in the financial statements are properly described, sorted, and classified.
▪ Materiality. The fairness of the financial statements is considered in light of the concept of materiality.
This principle and the related attributes parallel the guidance associated with the COSO Enterprise Risk Management—Integrated Framework. Both focus on the fact and expectation that management responsibility includes the development and documentation of clearly stated objectives, both overall for the business and as specifically related to financial reporting. Many smaller organizations have established financial reporting objectives implicitly rather than explicitly. The Framework principle suggests that in order for management to evaluate the risk to reliable financial reporting effectively and ultimately mitigate risk, the entity must clearly outline and communicate these objectives. An example of the application of this principle and its relationship to the risk assessment, risk response, and control activities is provided later in this chapter.
FINANCIAL REPORTING RISKS

According to COSO: The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.2

Attributes of this principle include:
▪ Consideration of business processes that impact the financial statements
▪ Consideration of the competency of personnel involved in the financial reporting process
▪ Consideration of the information technology infrastructure and processes
▪ Consideration of internal and external factors on achieving financial reporting objectives
▪ Establishing criteria for reassessing risks as changes occur that might impact financial reporting objectives

There are numerous considerations and approaches to applying this principle. A private company, in particular, has much more flexibility in the manner in which it conducts the initial analysis of internal control over financial reporting as well as the remediation plans and prioritization. Public companies are bound by compliance with Section 404 of the Sarbanes-Oxley Act (SOX) and therefore must follow a specific process and produce a considerable amount of evidence in somewhat of a “standard practice” format. The required evidence includes documentation of each process, the walk-through of each process and control test results, as well as a significant amount of additional evidential matter. The appendixes to this chapter contain sample templates and suggestions for private entity use. All of the documents included can be modified for specific entity situations or purposes.

Note: The options to be discussed cannot be adopted by public companies. As previously mentioned, registrants with the Securities and Exchange Commission have specific requirements for documentation and testing of internal controls based on mandatory compliance with Section 404 of SOX. Therefore, public entities do not have the option of modifying the process and/or the required documentation.

When considering the guidance outlined thus far in this text regarding the suggested initial focus and importance of entity-level controls and the control environment, private entities may use an entity-level control questionnaire to assess the existence of necessary controls at this level prior to evaluation of process-level controls. (See Appendix 6A.) Upon completion of the questionnaire, management should review any identified deficiencies and remediate them prior to continuing with its overall assessment of internal control over financial reporting. If there is a solid understanding of existing processes, management may elect to utilize a control self-assessment questionnaire (see Appendix 6B) or a control matrix (see Figure 6.1) prior to the development of complete process documentation, to quickly assess or confirm the existence or lack of internal controls at the process level. Ultimately, management may undertake a process documentation initiative. Entities should be reminded that the purpose of process documentation, in this case, is to identify and confirm the existence of key internal controls within the process.

Management should be cautioned against producing documentation at a level of detail that is unnecessary for this endeavor. A high-level flowchart that clearly identifies controls is advised. (See Figures 6.2, 6.3, and 6.4.)
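Three of the process-level controls that the control matrix (Figure 6.1) and the procure-to-pay flowcharts (Figures 6.3 and 6.4) identify can be written as detective checks that management can run over its own records: the 3-way match of invoice, P.O., and receipt on quantity and price; reconciliation of prenumbered check stock to the check run; and segregation of check printing from check signing. The following is an added example, not the book’s or any vendor’s code; the record layout, field names, entitlement names, and sample data are all constructed for illustration.

```python
"""Detective checks for three procure-to-pay controls from Figures 6.1, 6.3 and 6.4:
the 3-way match of invoice, P.O. and receipt (quantity and price), reconciliation
of prenumbered check stock to the check run, and segregation of check printing
from check signing. Added example, not the book's; all record layouts, field
names and sample data are constructed for illustration."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Doc:
    """One purchase order, receipt transaction or vendor invoice (constructed layout)."""
    number: str
    po_number: str        # P.O. the document references (a P.O. references itself)
    quantity: int
    unit_price: Decimal   # receipts carry the P.O. price; only the invoice price is tested


def three_way_match(invoice: Doc, po: Doc, receipt: Doc) -> list[str]:
    """Figure 6.3: A/P matches Invoice, P.O. and Receipt Transaction on both
    quantity and price. Returns the discrepancies; an empty list means the
    match is OK and the voucher can proceed to payment."""
    issues = []
    if not (invoice.po_number == po.number == receipt.po_number):
        issues.append("documents reference different P.O. numbers")
    if receipt.quantity != po.quantity:
        issues.append(f"received {receipt.quantity} vs ordered {po.quantity}")
    if invoice.quantity != receipt.quantity:
        issues.append(f"invoiced {invoice.quantity} vs received {receipt.quantity}")
    if invoice.unit_price != po.unit_price:
        issues.append(f"invoiced price {invoice.unit_price} vs P.O. price {po.unit_price}")
    return issues


def reconcile_check_stock(stock_log: list[int], check_register: list[int]) -> dict[str, list[int]]:
    """Figure 6.1 control objective: use of check stock is logged and reconciled
    to check run information. stock_log holds the prenumbered check numbers
    taken from the locked cabinet; check_register holds the numbers the System
    printed. Anything in one but not the other, printed twice, or missing from
    the continuous sequence is an exception for A/P management to explain."""
    logged, printed = set(stock_log), set(check_register)
    seq = sorted(logged)
    gaps = [n for n in range(seq[0], seq[-1] + 1) if n not in logged] if seq else []
    return {
        "stock_without_payment": sorted(logged - printed),
        "payment_without_stock": sorted(printed - logged),
        "printed_twice": sorted({n for n in check_register if check_register.count(n) > 1}),
        "sequence_gaps": gaps,
    }


def segregation_violations(entitlements: dict[str, set[str]]) -> list[str]:
    """Figure 6.1 control objective: the authority to print checks is segregated
    from the ability to sign them. Returns the users who hold both entitlements."""
    conflict = {"print_checks", "sign_checks"}
    return sorted(user for user, perms in entitlements.items() if conflict <= perms)


# Constructed sample data (not from the book).
SAMPLE_PO = Doc("PO-1001", "PO-1001", 10, Decimal("25.00"))
SAMPLE_RECEIPT = Doc("RCPT-77", "PO-1001", 10, Decimal("25.00"))
SAMPLE_INVOICE_OK = Doc("INV-501", "PO-1001", 10, Decimal("25.00"))
SAMPLE_INVOICE_BAD = Doc("INV-502", "PO-1001", 12, Decimal("26.50"))  # over-billed on quantity and price
SAMPLE_STOCK_LOG = [2001, 2002, 2003, 2005, 2006]             # 2004 never logged out of the cabinet
SAMPLE_CHECK_REGISTER = [2001, 2002, 2003, 2003, 2006, 2007]  # 2003 printed twice, 2005 unaccounted for, 2007 unlogged
SAMPLE_ENTITLEMENTS = {
    "ap_clerk": {"print_checks"},
    "hr_signer": {"sign_checks"},
    "ap_manager": {"print_checks", "sign_checks", "approve_check_run"},  # conflict
}

if __name__ == "__main__":
    print("3-way match OK:", three_way_match(SAMPLE_INVOICE_OK, SAMPLE_PO, SAMPLE_RECEIPT))
    print("3-way match exceptions:", three_way_match(SAMPLE_INVOICE_BAD, SAMPLE_PO, SAMPLE_RECEIPT))
    print("check stock reconciliation:", reconcile_check_stock(SAMPLE_STOCK_LOG, SAMPLE_CHECK_REGISTER))
    print("segregation violations:", segregation_violations(SAMPLE_ENTITLEMENTS))
```

Each function returns exceptions rather than a pass/fail flag, so the output can be filed as the “Evidenced By” item for the corresponding row of the control matrix.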
FRAUD RISK

According to COSO: The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.3
Figure 6.1 Control Matrix

Columns: Risk Consequence; Control Objective; Control Number Reference; Control Activity; Evidenced By; Control Type (Manual, Automated, Preventive, Detective); Financial Statement Assertions (Completeness, Existence, Valuation, Rights & Oblig., Pres./Discl.); Frequency of Performance; Control Reliance (H, M, L); Key Control (Y/N); Design Gap (Y/N); Oper. Gap (Y/N); Comments.

Risk consequences and control objectives listed in the matrix:
▪ Risk consequence: Lack of a review process exposes the company to loss through processing errors, inappropriate disbursement activity, or fraud. Control objective: Scheduled payments are reviewed and approved by appropriate personnel prior to or soon after initiation of the payment run.
▪ Risk consequence: Unapproved manual disbursement activity exposes the company to loss through theft or fraud and can result in misstatement of accounting records. Control objective: Manual checks are executed as a result of an approved check requisition process.
▪ Risk consequence: Uncontrolled check stock exposes the company to loss through fraud. Control objective: Use of check stock is logged and reconciled to check run information.
▪ Risk consequence: Unrestricted access to payment systems exposes the company to loss through theft or fraud. Control objective: Access to check processing equipment and physical checks is restricted to appropriate personnel.
▪ Risk consequence: Lack of segregation exposes the company to loss through fraud or inappropriate purchasing activity. Control objective: The authority to print checks is segregated from the ability to sign them.
▪ Risk consequence: Vendor payments are inappropriately redirected, exposing the company to loss through theft or fraud. Control objective: Physical checks are mailed to the remittance address contained within the vendor master file.
▪ Risk consequence: Financial statements are inaccurate. Control objective: Disbursement activity is recorded in the general ledger in the period the activity occurs.
▪ Risk consequence: Payments made ahead of negotiated terms expose the company to loss through increased interest expense or lost interest income; late payments jeopardize critical vendor relationships. Control objective: Payments to vendors are scheduled according to the purchasing terms negotiated by the procurement function.

Figure 6.2 Procure to Pay Process Flow: Receipts (flowchart; lanes: Vendor, Department, Accounts Payable)
▪ Start: Employee is empowered to enter into a vendor contract, based on the approval policy (examples: cell phones, copier leases, utilities, contract services).
▪ Vendor provides service or product, then the invoice is sent to A/P.
▪ New contract? A/P will either pay or route for approval, depending on whether it is a new contract. If yes, the invoice is routed by A/P to the responsible supervisor for approval; this approval generally happens only for the first installment of an ongoing contract and only annually thereafter.
▪ Supervisor reviews the invoice prior to approval. Approved? If no, the employee is instructed to modify or terminate the contract; if yes, to Recording (01.01.30.02.8). End.

Figure 6.3 Procure to Pay Process Flow: Accounts Payable Recording (flowchart; lane: Accounting/Accounts Payable; inputs from Sales Order 01.07.30.02.2, Requisition 01.07.30.02.4, Forecast 01.07.30.02.3, Non-P.O. 01.01.30.02.5, Quote to Cash 01.06.30.04.5, Tax Administration 01.01.30.14.2 & 3, Expense Reports 01.01.30.02.7, and Freight 01.01.30.02.6; controls are numbered C8.1 through C8.6)
▪ Invoices are received and processed daily by A/P; quantity information is then keyed into the System, which creates a Receipt Transaction.
▪ C8.1: Upon creation of a Receipt Transaction, the System indicates on the P.O. that the quantity was received.
▪ Simultaneous process: The System matches the P.O. with the quantity received and creates the Voucher Payable resulting from the Receipt Transaction. Unvouchered receipts are recorded at this point (Dr. Inventory, Cr. A/P).
▪ A/P does a 3-way match between Invoice, P.O., and Receipt Transaction for both quantity and price. 3-Way Match OK? If no, A/P will review with the requisitioner to correct the discrepancy.
▪ A/P enters the Invoice Number into the System and verifies data for completeness and accuracy, creating the A/P record.
▪ Non-P.O. vendor invoices are recorded daily.
▪ The correct GL account number is assigned by the requisitioner and/or A/P; the subsequent GL distribution is reviewed by a knowledgeable party.
▪ To Payment (01.01.30.02.9).

Figure 6.4 Procure to Pay Process Flow: Payment (flowchart; lane: Accounting/Accounts Payable; from Recording 01.01.30.02.8; controls are numbered C9.1 through C9.9)
▪ The System automatically ages A/P according to contract terms input from vendor setup.
▪ A/P requests the System to create Payment Transactions for all vendors due on the specified date; a Preliminary Check Register is run.
▪ The A/P Manager examines the Check Register to determine which invoices to pay; a Secondary Check Register is run (with the A/P Manager’s changes reflected).
▪ The A/P Manager instructs A/P to have the System print approved checks. Check stock is kept in a locked cabinet; only A/P has access. Check stock is prenumbered, continuous form, duplex (original and carbon); the System prompts A/P with the beginning check number.
▪ A/P puts check stock in the printer and prints; the System also prints the check number. A/P tears off the last check and returns the stock to the locked cabinet.
▪ A/P hand-delivers printed checks to HR. Only HR has access to check signing plates, which are kept in a padlocked cabinet. HR signs with the check signing machine and hands the checks back to A/P.
▪ A/P physically separates the checks and matches each carbon to its corresponding invoice or backup document; A/P files the carbon and backup document alphabetically.
▪ Checks are distributed by A/P via mail or hand-delivered to the requisitioner.
▪ The Final Check Register is printed and posted to the System (G/L). End.
▪ Manual checks are very infrequent, requiring multiple signatures including the CFO.
Attributes of this principle include:
▪ Management considers the incentives and pressures, attitudes, and rationalizations as well as the opportunity to commit fraud.
▪ Risk factors that impact the possibility of someone committing a fraud and the impact of a fraud on financial reporting are considered.
▪ Responsibility and accountability for fraud policies and procedures reside with management of the business unit or process in which the risk resides.

There are two categories of fraud: fraudulent financial reporting and misappropriation of assets. Fraudulent financial reporting may be accomplished by:
▪ Manipulation, falsification, or alteration of accounting records or supporting documents from which financial statements are prepared.
▪ Misrepresentation in or intentional omission from the financial statements of events, transactions, or other significant information.
▪ Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure.4

Misappropriation of assets may be accomplished through stealing, embezzling, or individual or group facilitation of payment for goods or services that were not received.

Fraud risk assessment is a critical component of the overall risk assessment process. However, it is often an area that does not receive enough consideration and analysis. As part of its full risk assessment, management should take the proper steps to ensure that adequate consideration is given to both the risk of fraudulent financial reporting and the risk of misappropriation of assets. Similar to the overall assessment of internal control, management should keep in mind that in assessing fraud risk, it is seeking to determine, and ultimately ensure, that the entity has controls in place and operating effectively that provide reasonable assurance regarding the mitigation of fraud. This is a reminder that absolute assurance is an impossible accomplishment. Management is cautioned against attempting to achieve such assurance. Doing so can lead to inefficiency in assessment as well as implementation.

AU Section 316, Consideration of Fraud in a Financial Statement Audit (formerly Statement of Auditing Standards [SAS] 99), provides significant auditor guidance when performing a fraud risk assessment. It is also a very valuable tool for management in completing this same exercise. The standard contains specific examples of incentives and pressures, attitudes, and rationalizations as well as opportunities to commit fraud in both categories of fraud: fraudulent financial reporting and misappropriation of assets. (See Appendix 6C.)

Management should be mindful of several factors when utilizing AU Section 316. Some of the examples provided are fairly obvious and/or somewhat well known or common. The examples discuss various familiar circumstances related to several of the publicly reported accounting scandals that have been exposed subsequent to the discovery of fraud. For example, highly complex transactions are cited as a risk factor for possible opportunity to commit fraudulent financial reporting. This was one of the components of the activity that occurred in the Enron scandal. In addition, many examples have a direct relationship to items related to entity-level controls and the control environment. Ineffective support or enforcement of an entity’s values or ethical standards is cited as a risk factor for potential attitude/rationalization to commit fraudulent financial reporting. Controls within the control environment include the principle of integrity and ethical values (outlined in Chapter 5).

Not all situations will apply to every entity. In addition, the mere existence of a situation, inherently or otherwise, is not, in and of itself, an indication of a high possibility of the existence of fraud. Each situation must be evaluated for likelihood and impact as part of the risk assessment process. The examples listed in Appendix 6C provide excellent guidance for the organization as well as for individuals who may or may not have been through the risk assessment process. The examples of fraud incentives, pressures, and rationalizations can be very thought-provoking and helpful to every organization when assessing fraud risk.
ENTITY-LEVEL CONTROLS

Entity-level controls are pervasive controls. Similar to the control environment, a deficiency in an entity-level control may negate existing process-level controls. Therefore, when assessing internal control over financial reporting, management should focus on mitigating risk in these areas and ensure the existence and evidence of the appropriate controls at the entity level, as cited in the next example listing. This concentration is also consistent with the top-down, risk-based approach discussed earlier.
Auditing Standard No. 5—An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements lists several examples of entity-level controls, including:
▪ Controls within the control environment
▪ Controls over management override
▪ Centralized processing and controls, including shared services environments
▪ The company’s risk assessment process
▪ Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs
▪ Controls to monitor the results of operations
▪ Controls over the period-end financial reporting process
▪ Policies that address significant business control and risk management practices
EXAMPLE: RISK ASSESSMENT AND FINANCIAL CONTROLS

An organization can apply all of the guidance and concepts outlined in the COSO Framework along with the overall risk management process documented earlier in this book, including risk assessment, to begin building its enterprise risk management (ERM) program with a focus on financial reporting and disclosure. When executing, the company should engage in the following four-step high-level process, which combines the COSO guidance and the risk management process:

1. Define and document financial reporting objectives. At minimum, an organization may have a single financial reporting objective, such as “Provide reliable, timely financial statements in conformity with generally accepted accounting principles that are free of material misstatement.” Additional objectives might focus on regulatory reporting requirements.

2. Conduct event identification and related risk assessment. Based on the stated financial reporting objectives, the entity would then consider what could go wrong that might prohibit or have a negative impact on its ability to achieve the stated objectives. Part of the assessment process in this area includes the ranking of risk (high, medium, low) in order to facilitate the risk response process.

3. Determine risk response. This process ultimately involves mitigating risk. In this example, the entity should first consider mitigating identified high-risk events and/or areas. The organization should take care to remember that the goal, by definition, is to obtain reasonable assurance regarding the achievement of the stated objectives. Many entities struggle with their risk response by considering and/or developing too many controls. The focus should be on mitigation of high-risk events, thus providing management with reasonable assurance that the financial statements are reliable and free of material misstatement. Absolute assurance is not possible.

4. Determine control activities. The organization should keep in mind the suggested top-down, risk-based approach and initially focus on mitigation within the control environment at the entity level. The entity should first determine what, if any, control activities exist to mitigate the identified risks. If a control activity is absent, implementation should be considered.

When assessing and/or evaluating control activities, many smaller companies face segregation of duties issues. These organizations typically do not have adequate resources to establish all of the segregation required. This is the most common internal control issue for small companies. An organization should seek to mitigate this deficiency through thorough management review of period-end financial results. Evidence of a detailed management review of financial statements and related transactions, if necessary, prior to financial statement issuance is considered a strong mitigating control for most segregation of duties issues that exist within specific processes.

In addition to the management review process just discussed, the organization should consider board examination of significant transactions in conjunction with its financial statement review. This not only helps mitigate any segregation of duties deficiency but also mitigates management’s ability to override transactions—a condition that exists in quite a few smaller companies. Implementation of this control activity requires management to outline parameters regarding what a significant transaction consists of (e.g., dollar amount, volume, unusual account posting, management journal entry postings). Doing this is important to ensure that the review is efficient as well as valuable to the overall process. The main goal is risk mitigation associated with management override capability. Therefore, when designing this process, the organization should consider what situations, accounts, and so on are at higher risk and vulnerability for manipulation and thus possess a higher likelihood for a material misstatement.
EVALUATING DEFICIENCIES

SAS 115, Communicating Internal Control Related Matters Identified in an Audit, requires the auditor to communicate to management, in writing, deficiencies identified during the audit that are considered significant deficiencies or material weaknesses. A deficiency in internal control exists “when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.”5

When analyzing identified deficiencies, an entity must consider likelihood and impact. This analysis aids in the categorization of the deficiency based on its determined severity.

COSO states: A material weakness “is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility (likelihood is either reasonably possible or probable) that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.”6

COSO states: A significant deficiency is “a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.”7

SAS 115 lists these indicators of material weaknesses in internal control:
▪ Identification of fraud, whether or not material, on the part of senior management
▪ Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud
▪ Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control
▪ Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance8

Management should evaluate internal controls over financial reporting specifically related to the activities and processes outlined in this standard to ensure strength in these areas.
SUMMARY

Ultimately, the entity can follow the process described in this chapter to develop a complete risk management program. Upon completion of this exercise, management, employees, and the board should be more comfortable with the concepts, process, and expectations associated with overall risk management and risk assessment. A solid understanding of internal control concepts in the area of financial reporting and disclosure can be translated and applied effectively and efficiently, in the same manner, to the design and implementation of a comprehensive ERM program.
NOTES

1. COSO, Internal Control over Financial Reporting—Guidance for Smaller Public Companies, June 2006.
2. Ibid.
3. Ibid.
4. AU Section 316, Consideration of Fraud in a Financial Statement Audit.
5. SAS 115, Communicating Internal Control Related Matters Identified in an Audit.
6. COSO, Internal Control over Financial Reporting—Guidance for Smaller Public Companies, June 2006.
7. Ibid.
8. SAS 115, Communicating Internal Control Related Matters Identified in an Audit.
APPENDIX 6A

Entity-Level Control Assessment
CONTROL ASSESSMENT OVERVIEW

The Sarbanes-Oxley Act of 2002 (SOX) requires Securities and Exchange Commission (SEC) registrants to report on internal controls. Section 404 of SOX directs the SEC to adopt rules requiring annual reports of public companies to include an assessment, as of the end of the fiscal year, of the effectiveness of internal controls and procedures for financial reporting. The following questionnaire is a comprehensive evaluation of the internal controls at the entity level that may have a pervasive effect on the organization.

According to the Public Company Accounting Oversight Board (PCAOB) ruling of March 9, 2004: [M]anagement is required to base its assessment of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures to develop the framework.

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission developed such a framework, which is suitable to the PCAOB. ABC Company has adopted the COSO Framework for its internal control evaluations. This questionnaire includes consideration of factors in each of the five components of internal control that can have a pervasive effect on the risk of errors or fraud. These five interrelated components included in the COSO Framework are:

1. Control environment. Establishes the foundation for an internal control system by providing discipline and structure to the organization.
2. Risk assessment. Involves the identification and analysis by management of relevant risks to achieving predetermined objectives, forming a basis for determining how those risks should be managed.
3. Information and communication. Supports all other control components by communicating control responsibilities to employees and providing information in a form and time frame that allow people to carry out their duties.
4. Control activities. Refers to policies and procedures to ensure that management objectives are achieved and that risk mitigation strategies are carried out.
5. Monitoring. Covers the oversight of internal controls by management or other parties outside the process or the application of independent methodologies—such as customized procedures or standard checklists—by employees within a process.

Documenting and evaluating internal controls at the entity level does not, by itself, provide a complete perspective of the internal control of an entity. However, it is an important starting point because the assessment of entity-level controls can have a significant effect on the overall assessment of the effectiveness of internal controls and procedures for financial reporting.
CONTROL ENVIRONMENT

The control environment reflects the tone set by top management and the overall attitude, awareness, and actions of the board of directors, management, owners, and others concerning the importance of internal control and the emphasis placed on control in the company’s policies, procedures, methods, and organizational structure. It is the foundation of all other components of internal control, providing discipline and structure.

Instructions: Rate each component statement from 5 (strongly agree) to 1 (strongly disagree) by circling the number that reflects your opinion. Describe the process to support your response.

Integrity, Ethical Values, and Behavior of Key Executives
Component Statement / Rating (5 4 3 2 1) / Describe Process
▪ The company’s Code of Conduct and other policies regarding acceptable business practice, conflicts of interest, and expected ethical standards are comprehensive and relevant.
▪ Employees fully understand the acceptable behavior as outlined in the Code of Conduct and know what to do when they encounter improper behavior.
▪ Management, including the board of directors, demonstrates a commitment to integrity and ethical behavior, both in words and actions.
▪ Management removes or reduces incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts.
▪ Management addresses and resolves violations of behavioral and ethical standards consistently, timely, and equitably in accordance with the company’s Code of Conduct.
▪ Employees generally will do the “right thing” when faced with pressures to engage in deviations from policies and procedures.
▪ The existence of the Code of Conduct and the consequences of its breach are an effective deterrent to unethical behavior.
▪ Management prohibits circumvention of established policies and procedures and takes appropriate disciplinary action when violations occur.
Commitment to Competence
Component Statement / Rating (5 4 3 2 1) / Describe Process
▪ Management has defined the knowledge and skills necessary to perform jobs within each function.
▪ Management has the specialized knowledge, experience, and training required to perform their duties.
▪ Employees are properly trained and possess the requisite knowledge and skills to perform their job adequately.
▪ Individual performance targets focus on both the long term and short term, and address a broad spectrum of criteria (such as quality, productivity, leadership, teamwork, and self-development).
▪ Management demonstrates a commitment to provide sufficient accounting and financial personnel to keep pace with the growth and/or complexity of the business.
Board of Directors and Audit Committee
Component Statement / Rating (5 4 3 2 1) / Describe Process
▪ The board of directors has sufficient knowledge, industry expertise, and time to serve effectively.
▪ The board of directors and audit committee are independent from management.
▪ The board constructively challenges management’s planned decisions, such as strategic initiatives and major transactions, and probes for explanations of past results.
▪ A process exists for informing the board of significant issues, and information is communicated timely.
▪ The audit committee meets privately with the internal and external auditors to discuss the reasonableness of the financial reporting process, system of internal control, significant comments and recommendations, and management’s performance.
▪ The audit committee reviews the scope of activities of the internal and external auditors.
▪ The audit committee includes at least one “financial expert.”
▪ The audit committee has a charter outlining its duties and responsibilities.
▪ The board of directors has a charter outlining its duties and responsibilities.
▪ The board regularly receives key information, such as financial statements, major marketing initiatives, and significant contracts or negotiations, and believes the information is sufficient and comprehensive.
▪ The board or compensation committee approves all management incentive plans tied to performance.
▪ The board and audit committee are involved sufficiently in evaluating the effectiveness of the tone at the top and take steps to ensure the appropriate tone.
▪ The board or designated committee has issued directives to management detailing specific actions to be taken as a result of findings, including special investigations, when necessary. The board oversees and follows up as needed.
Management’s Philosophy and Operating Style Component Statement
Rating
Management accepts the appropriate amount of business risk.
5 4 3 2 1
Key personnel have not resigned unexpectedly or on short notice, and employee turnover is not excessive.
5 4 3 2 1
Employees feel they are adding value within the company’s overall strategy.
5 4 3 2 1
Management meetings are held periodically within each function, and senior management attends on a regular basis.
5 4 3 2 1
Appendix 6A.indd 92
Describe Process
8/5/2011 11:44:08 AM
Control Environment ◾
Component Statement
Rating
Valuable assets, including intellectual assets and information, are protected from unauthorized access or use.
5 4 3 2 1
Objectives established by senior management are realistic and achievable.
5 4 3 2 1
Management views accounting treatment for transactions or activities in a balanced manner, neither too aggressive nor too conservative.
5 4 3 2 1
Management views the accounting function as an important element in the overall system of internal control rather than an obstacle to be avoided or overcome.
5 4 3 2 1
Management routinely assesses various risks to achieving business objectives.
5 4 3 2 1
Management appropriately balances the focus on short-term reported results with long-term business objectives and does not exert inappropriate pressure to achieve earnings objectives.
5 4 3 2 1
Required estimates are based on sound models, verifiable market data, and fair assumptions.
5 4 3 2 1
Organizational Structure
Component Statement / Rating / Describe Process
The organizational structure is appropriate for the size, operating activities, and locations of the company.
5 4 3 2 1
Management treats each function as an integral part of the company’s overall operations.
5 4 3 2 1
The company’s structure facilitates the flow of information both up and down and across all business functions.
5 4 3 2 1
Managers and process owners have ready access to senior management in addressing significant issues.
5 4 3 2 1
Responsibilities and expectations for the entity’s business activities are communicated clearly to the executives in charge of those activities.
5 4 3 2 1
Organizational Structure (continued)
Component Statement / Rating / Describe Process
The organizational structure provides adequate supervisory and managerial oversight.
5 4 3 2 1
The executives in charge have the required knowledge, experience, and training to perform their duties.
5 4 3 2 1
Established reporting relationships (both formal and informal) are effective, and they provide managers information appropriate to their responsibilities and authority.
5 4 3 2 1
Management periodically evaluates the organizational structure in light of changes in the business or industry.
5 4 3 2 1
Managers and supervisors have sufficient time to carry out their responsibilities effectively.
5 4 3 2 1
Assignment of Authority and Responsibility
Component Statement / Rating / Describe Process
Management designates who is responsible for committing to financial or contractual obligations through a formal delegation of authority.
5 4 3 2 1
Specific limits are established for certain types of transactions, and delegations are clearly communicated and understood by employees.
5 4 3 2 1
Job descriptions exist and contain specific references to control-related responsibilities.
5 4 3 2 1
Proper information is considered in determining the level of authority and scope of responsibility assigned to an individual.
5 4 3 2 1
Management is appropriately empowered with clear boundaries of authority.
5 4 3 2 1
Assignment of responsibilities is clear, including responsibilities for information system processing and program development.
5 4 3 2 1
Appropriate segregation of incompatible activities exists (i.e., separation of accounting for and access to assets).
5 4 3 2 1
Human Resources Policies and Practices
Component Statement / Rating / Describe Process
Human resources policies and procedures facilitate recruiting and developing competent and trustworthy personnel necessary to achieve the company’s objectives.
5 4 3 2 1
Policies and procedures are updated, communicated, and issued on a timely basis.
5 4 3 2 1
Employees new to each function’s activities are made aware of their responsibilities and management’s expectations.
5 4 3 2 1
Supervisory personnel meet periodically with employees to review job performance and opportunities for improvement.
5 4 3 2 1
Performance appraisals adequately address internal control responsibilities and set forth criteria for integrity and ethical behavior.
5 4 3 2 1
Written job descriptions, reference manuals, or other forms of communication inform personnel of their duties.
5 4 3 2 1
Appropriate corrective action is taken as a result of nonadherence to established policies.
5 4 3 2 1
Hiring policies require investigations, including background checks for criminal records, to ensure employee candidates model acceptable behavior as outlined in the code of conduct.
5 4 3 2 1
Promotion and salary increase criteria are detailed clearly so that individuals know what management expects prior to promotions or advancement.
5 4 3 2 1
OVERALL EVALUATION OF CONTROL ENVIRONMENT
▪ Effective ▪ Ineffective
Summarize justification of overall evaluation:
RISK ASSESSMENT
Business risk is defined as “the threat that an event or action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.” Risks affect each company’s ability to survive, to compete successfully within its industry, to maintain financial strength, to present a positive public image, and to maintain the overall quality of its services, products, and people. Management must determine how much risk is acceptable and strive to mitigate these risks to manageable levels. Instructions: Rate each component statement from 5 (strongly agree) to 1 (strongly disagree) by circling the number that reflects your opinion. Describe the process to support your response.
Company-Level Objectives
Component Statement / Rating / Describe Process
Management has established and communicated the company’s mission, strategy, and business objectives to employees and the board of directors.
5 4 3 2 1
Feedback mechanisms exist that enable management to periodically assess whether company-level objectives have been achieved.
5 4 3 2 1
The strategic plan supports the company-level objectives, including technology needs.
5 4 3 2 1
Key performance indicators and measurement criteria for achieving company-level objectives have been communicated and are uniformly understood.
5 4 3 2 1
Adequate mechanisms exist for identifying business risks, including changes in the business, economic, and regulatory environment.
5 4 3 2 1
Periodic (at least annual) risk assessments are performed by internal audit (or other appropriate group) and reviewed with senior management.
5 4 3 2 1
Management establishes and monitors acceptable risk tolerances when setting strategic direction.
5 4 3 2 1
The board of directors and/or audit committee oversees and monitors the risk assessment process and takes action to address any significant risks identified.
5 4 3 2 1
Process-Level Objectives
Component Statement / Rating / Describe Process
Process-level objectives are established and support company-level objectives; they are understood by employees responsible for achieving results.
5 4 3 2 1
Specific criteria have been established to measure whether process-level objectives have been achieved.
5 4 3 2 1
Resources are sufficient to achieve process-level objectives, and, if not, plans are in place to acquire them.
5 4 3 2 1
Employees participate in establishing process-level objectives and ultimately own business results for which they are responsible.
5 4 3 2 1
Management has identified the critical success factors to achieve company-level objectives.
5 4 3 2 1
Risk Identification
Component Statement / Rating / Describe Process
Adequate mechanisms are in place to identify and assess barriers from internal (e.g., retention of key employees) and external (e.g., regulation) sources to achieving company-level objectives.
5 4 3 2 1
Adequate mechanisms are in place to identify and assess barriers from internal (e.g., retention of key employees) and external (e.g., regulation) sources to achieving process-level objectives.
5 4 3 2 1
The process used to analyze risks is clearly understood and includes estimating the significance of risks, assessing the likelihood of their occurring, and determining steps to mitigate them.
5 4 3 2 1
Managing Change
Component Statement / Rating / Describe Process
Formal and/or informal mechanisms exist that anticipate, identify, and respond to routine events or activities that could have an impact on achieving company-level or process-level objectives.
5 4 3 2 1
Managing Change (continued)
Component Statement / Rating / Describe Process
Mechanisms exist to incorporate changes to the company mission and strategy into company-level and process-level objectives.
5 4 3 2 1
The process to acquire and divest significant businesses and assets is well controlled (e.g., finalized after the completion of due diligence procedures, reviewed by an appropriate level of management).
5 4 3 2 1
Budgets and forecasts are updated to reflect changing conditions.
5 4 3 2 1
Management reports to the board of directors and/or the audit committee on changes that may have a significant effect on the company.
5 4 3 2 1
A process exists for the accounting department to identify and address GAAP changes.
5 4 3 2 1
A process is in place to ensure the accounting department is made aware of changes in the operating environment so it can review the changes and determine what, if any, effect the changes may have on the company’s accounting practices.
5 4 3 2 1
A process is in place to ensure the accounting department is made aware of changes in regulations/rules so it can review the changes and determine what, if any, effect the change may have on the company’s accounting practices.
5 4 3 2 1
A process is in place to ensure the accounting department (and board of directors and/or audit committee) is aware of significant transactions with related parties so it can determine whether such transactions are accounted for and disclosed appropriately.
5 4 3 2 1
OVERALL EVALUATION OF RISK ASSESSMENT
▪ Effective ▪ Ineffective
Summarize justification of overall evaluation:
CONTROL ACTIVITIES
Control activities are policies and procedures that help ensure that management’s directives are met. They help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. Instructions: Rate each component statement from 5 (strongly agree) to 1 (strongly disagree) by circling the number that reflects your opinion. Describe the process to support your response.
Policies and Procedures
Component Statement / Rating / Describe Process
Appropriate policies and procedures have been developed and implemented for each major process.
5 4 3 2 1
Appropriate and timely actions are taken on exceptions to policies and procedures.
5 4 3 2 1
Policies and procedures identify how processes are to be performed and monitored and who is responsible for carrying them out.
5 4 3 2 1
Policies and procedures for each major process are documented, communicated, and understood by employees involved in the process.
5 4 3 2 1
Policies and procedures are reviewed and updated periodically for appropriateness.
5 4 3 2 1
Control Activities in Place
Component Statement / Rating / Describe Process
Control activities described in policy and procedure manuals actually are applied the way they are intended to be applied and relate clearly to identified risks and internal controls.
5 4 3 2 1
Control Activities in Place (continued)
Component Statement / Rating / Describe Process
Supervisory personnel periodically review the functioning and overall effectiveness of controls.
5 4 3 2 1
Effective procedures have been established for the routine verification of the accuracy of data when they are entered, processed, generated, distributed, or transferred.
5 4 3 2 1
Effective contingency plans have been developed for each function to deal with service interruptions if they occur.
5 4 3 2 1
Periodic tests of contingency and disaster recovery plans take place to make sure they are current, operational, and effective.
5 4 3 2 1
Duties are logically divided or segregated (either manually or through information technology setup) among different people to reduce the risk of fraud or inappropriate actions (segregation of duties).
5 4 3 2 1
Financial reporting, legal, and regulatory requirements are identified and complied with.
5 4 3 2 1
Individuals have appropriate responsibility for control over assets and data and the processing of transactions.
5 4 3 2 1
OVERALL EVALUATION OF CONTROL ACTIVITIES
▪ Effective ▪ Ineffective
Summarize justification of overall evaluation:
INFORMATION AND COMMUNICATION
Pertinent information must be identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary to informed business decision making and external reporting. Effective communication also must occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders. Instructions: Rate each component statement from 5 (strongly agree) to 1 (strongly disagree) by circling the number that reflects your opinion. Describe the process to support your response.
Information
Component Statement / Rating / Describe Process
Mechanisms are in place to obtain relevant external information on market conditions, competitors’ programs, legislative or regulatory developments and economic changes.
5 4 3 2 1
Information-gathering mechanisms are in place to capture and process data so that transactions can be conducted in an orderly and efficient manner.
5 4 3 2 1
Reports generated and/or used by management are adequate and contain sufficient and meaningful information.
5 4 3 2 1
Internally generated information critical to achievement of the company’s objectives, including that relative to critical success factors, is identified and regularly reported.
5 4 3 2 1
Mechanisms exist for identifying emerging information needs.
5 4 3 2 1
Information (continued)
Component Statement / Rating / Describe Process
An information technology plan has been developed that is linked to achieving the company’s objectives.
5 4 3 2 1
Information is available on a timely basis to allow effective monitoring of events and activities—internal and external—and prompt reaction to economic and business factors and control issues.
5 4 3 2 1
Sufficient resources (managers, analysts, programmers with the requisite technical abilities) are provided as needed to develop new or enhanced information systems.
5 4 3 2 1
Financial management ensures and monitors user involvement in the development of programs, including the design of internal control checks and balances.
5 4 3 2 1
Management has established a disaster recovery plan for all primary data centers.
5 4 3 2 1
A business continuity plan is established that incorporates the disaster recovery plan and end user department needs for timely recovery of critical business functions, systems, processes, and data.
5 4 3 2 1
The disaster recovery and business continuity plans are tested periodically (at least annually).
5 4 3 2 1
The disaster recovery and business continuity plans are updated for changing conditions, then communicated throughout the company.
5 4 3 2 1
Communication
Component Statement / Rating / Describe Process
Management clearly and effectively communicates employees’ roles and responsibilities regarding internal control and risk assessment. These roles and responsibilities are uniformly understood.
5 4 3 2 1
Information is communicated effectively up, down, and across the organization.
5 4 3 2 1
Communication (continued)
Component Statement / Rating / Describe Process
A clear communication channel is available to report suspected improprieties.
5 4 3 2 1
Persons who report suspected improprieties are provided feedback and have immunity from reprisals.
5 4 3 2 1
Information provided by persons who report suspected improprieties is kept confidential and anonymous, as much as legally possible.
5 4 3 2 1
All reported potential improprieties are reviewed, investigated, and resolved in a timely manner.
5 4 3 2 1
Realistic mechanisms are in place for employees to provide recommendations for improvement.
5 4 3 2 1
Good employee suggestions are acknowledged by providing incentives or other meaningful recognition.
5 4 3 2 1
Changes with respect to company-level objectives and strategies are communicated timely and effectively to all affected personnel.
5 4 3 2 1
Mechanisms exist for open and effective communication with customers, suppliers, and other external parties regarding information on changing customer needs.
5 4 3 2 1
Outside parties understand the company’s ethical and behavioral standards and expectations regarding dealings with the company.
5 4 3 2 1
Management is receptive to comments by internal and external auditors regarding control deficiencies or suggestions for process improvements. Appropriate actions are taken and documented.
5 4 3 2 1
Management takes timely and appropriate follow-up action as a result of communications received from customers, vendors, regulators, or other external parties.
5 4 3 2 1
OVERALL EVALUATION OF INFORMATION AND COMMUNICATION
▪ Effective ▪ Ineffective
Summarize justification of overall evaluation:
MONITORING
Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board. Instructions: Rate each component statement from 5 (strongly agree) to 1 (strongly disagree) by circling the number that reflects your opinion. Describe the process to support your response.
Ongoing Monitoring
Component Statement / Rating / Describe Process
Operating management compares information obtained in the course of their daily activities to systems-generated information.
5 4 3 2 1
Integration or reconciliation of operating information is combined with data generated by the financial system to manage operations.
5 4 3 2 1
Personnel responsible for reports are required to sign off on their accuracy and integrity and are held accountable if deficiencies are discovered.
5 4 3 2 1
Management has established performance measures for its processes and receives periodic reports of results against those measures.
5 4 3 2 1
In the event of known control breakdowns or deficiencies, controls that should have prevented or detected problems are reassessed and modified as appropriate.
5 4 3 2 1
Regulators communicate information to the company regarding compliance or other matters that reflect on the functioning of the internal control system. Appropriate action is taken based on the communication.
5 4 3 2 1
Ongoing Monitoring (continued)
Component Statement / Rating / Describe Process
Physical assets, such as inventory and securities, are checked periodically against the accounting system. Differences between actual counts and recorded amounts are corrected.
5 4 3 2 1
Financial reviews and/or credit checks of third-party companies take place prior to finalizing all contract negotiations.
5 4 3 2 1
Management implements internal control recommendations made by internal and external auditors and corrects known deficiencies on a timely basis.
5 4 3 2 1
An internal audit function with competent and experienced staff exists to assist in monitoring activities. This staff adheres to professional standards, such as those issued by the Institute of Internal Auditors.
5 4 3 2 1
The internal audit function has access to the board of directors or audit committee.
5 4 3 2 1
Internal audit’s scope, responsibilities, and audit plans are appropriate to the company’s needs.
5 4 3 2 1
The internal audit function is independent (in terms of authority and reporting relationships) of the activities it audits.
5 4 3 2 1
Internal audit activity results are reported to senior management, board of directors, and/or independent auditors.
5 4 3 2 1
Training seminars, planning sessions, and other meetings provide feedback to management on whether controls operate effectively.
5 4 3 2 1
Personnel are required periodically to acknowledge compliance with the code of conduct.
5 4 3 2 1
Signatures are required to evidence performance of critical control functions, such as reconciliations.
5 4 3 2 1
Separate Evaluations
Component Statement / Rating / Describe Process
Controls most critical to mitigating high-priority risks are evaluated regularly.
5 4 3 2 1
Evaluations of the entire internal control system are performed when there are major strategy changes, major acquisitions or dispositions, or changes in operations and methods of processing financial information.
5 4 3 2 1
The audit function has personnel who have the experience and skills necessary to understand the company’s operations.
5 4 3 2 1
An appropriate level of documentation is developed to facilitate the understanding of how the internal control system works.
5 4 3 2 1
Reporting Deficiencies
Component Statement / Rating / Describe Process
Internal control deficiencies that can affect the attainment of the company’s objectives are reported to those who can take necessary action and also to at least one level of management above the person directly responsible.
5 4 3 2 1
Control deficiencies are identified during separate evaluations of the internal control system.
5 4 3 2 1
Control deficiencies are identified by ongoing monitoring activities of the company, including managerial activities and everyday supervision of employees.
5 4 3 2 1
Senior management ensures that necessary follow-up actions are taken in response to reported control deficiencies.
5 4 3 2 1
OVERALL EVALUATION OF MONITORING
▪ Effective ▪ Ineffective
Summarize justification of overall evaluation:
SUMMARY ASSESSMENT
Internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, to provide reasonable assurance regarding the achievement of objectives in three categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations
The first category addresses an entity’s basic business objectives, including performance and profitability goals and safeguarding of resources. The second relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly. The third category deals with complying with those laws and regulations to which the entity is subject. These distinct but overlapping categories address different needs and allow a directed focus to meet the separate needs. Instructions: Rate each category statement from 5 (strongly agree) to 1 (strongly disagree) by circling the number that reflects your opinion. Provide the final assessment rating (effective or ineffective) based on the outcome of this evaluation. Note any comments to support your overall assessment.
Summary Assessment
Category Statement / Rating
Taking into consideration my evaluation of the components of internal control in previous sections in this evaluation, the internal control objective of effectiveness and efficiency of operations has been met.
5 4 3 2 1
Taking into consideration my evaluation of the components of internal control in previous sections in this evaluation, the internal control objective of reliability of financial reporting has been met.
5 4 3 2 1
Taking into consideration my evaluation of the components of internal control in previous sections in this evaluation, the internal control objective of compliance with laws and regulations has been met.
5 4 3 2 1
OVERALL ASSESSMENT OF INTERNAL CONTROLS
▪ Effective ▪ Ineffective
Comments:
Signature:
Title:
Date:
APPENDIX SIX B
Accounts Payable: Preliminary Controls Assessment Questionnaire
This is an example of a preliminary assessment questionnaire that can be presented to managers or process owners prior to conducting a review. It is intended to help understand existing business processes and understand management’s view of the internal control environment. The survey is a sample and may not be applicable to all businesses without modification and customization.
PURCHASING CONTROLS QUESTIONNAIRE
Questionnaire Instructions: This questionnaire has been prepared by the department to assist us in helping you determine whether the controls you have established are operating effectively. Please respond to these questions as accurately as possible and feel free to insert comments and further explanations as you deem necessary.
Process Background Information
Manager responsible for process:
Number of full-time equivalents in accounts payable process:
Average number of invoices processed per month:
Average number of disbursements/checks per month:
Days payable outstanding:
Number of information system(s) used in processing accounts payable:
Is accounts payable system directly linked to the general ledger?
INTERNAL CONTROL ASSESSMENT
How would you evaluate the effectiveness of the current process in achieving the following control objectives? Use a scale of 1 to 5, with 1 = Not effective and 5 = Highly effective.
Internal Control Objective / Evaluation
Accounts payable and cash disbursements/electronic fund transfer disbursements are properly authorized.
1 2 3 4 5
All liabilities are recorded on a timely basis.
1 2 3 4 5
Accounts payable are accurately and completely recorded on a timely basis.
1 2 3 4 5
Cash disbursements/electronic fund transfer disbursements are accurately and completely made and recorded on a timely basis.
1 2 3 4 5
Accounts payable and cash disbursements/electronic fund transfer disbursements are reliably processed and reported.
1 2 3 4 5
Recorded accounts payable balances are substantiated.
1 2 3 4 5
Recorded accounts payable balances are evaluated.
1 2 3 4 5
Performance measures used to control and improve the process are reliable.
1 2 3 4 5
Employees and management are provided with the information they need to control the accounts payable process.
1 2 3 4 5
Costs are reduced as much as possible.
1 2 3 4 5
Processing time is minimized.
1 2 3 4 5
Management develops alliances with key suppliers.
1 2 3 4 5
Are there internal control concerns related to this process that require immediate attention? If yes, please describe.
Are there adequate resources to effectively and efficiently perform this process? If not, please describe.
How would you rate the overall quality of this process? Use a scale of 1 to 5, with 1 = Poor and 5 = Best Practice or Best in Class.
1 2 3 4 5
Are there any other general concerns related to this process that should be brought to the attention of the internal audit team as part of its review? If yes, please describe.
APPENDIX SIX C
Fraud Risk Factors: AU Section 316
RISK FACTORS RELATING TO MISSTATEMENTS ARISING FROM FRAUDULENT FINANCIAL REPORTING
Examples of risk factors relating to misstatements arising from fraudulent financial reporting are presented next.
Incentives/Pressures to Commit Fraudulent Financial Reporting Risk Factors
▪ Financial stability or profitability is threatened by economic, industry, or entity operating conditions, such as (or indicated by):
  ▪ High degree of competition or market saturation accompanied by declining margins.
  ▪ High vulnerability to rapid changes such as changes in technology, product obsolescence, or interest rates.
  ▪ Significant declines in customer demand and increasing business failures in either the industry or the overall economy.
  ▪ Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent.
  ▪ Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth.
  ▪ Rapid growth or unusual profitability, especially compared to that of other companies in the same industry.
  ▪ New accounting, statutory, or regulatory requirements.
▪ Excessive pressure exists for management to meet requirements or expectations of third parties due to:
  ▪ Profitability or trend-level expectations of investment analysts, institutional investors, significant creditors, or other external parties (particularly expectations that are unduly aggressive or unrealistic), including expectations created by management in, for example, overly optimistic press releases or annual report messages.
  ▪ Need to obtain additional debt or equity financing to stay competitive—including financing of major research and development or capital expenditures.
  ▪ Marginal ability to meet exchange listing requirements or debt repayment or other debt covenant requirements.
  ▪ Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations or contract awards.
▪ Information available indicates that management’s or the board of directors’ personal financial situation is threatened by the entity’s financial performance arising from:
  ▪ Significant financial interests in the entity.
  ▪ Significant portions of their compensation (e.g., bonuses and stock options) being contingent on achieving aggressive targets for stock price, operating results, financial position, or cash flow.
  ▪ Personal guarantees of debts of the entity.
▪ There is excessive pressure on management or operating personnel to meet financial targets set by the board of directors or management, including sales or profitability incentive goals.
Opportunities to Commit Fraudulent Financial Reporting Risk Factors
▪ The nature of the industry or the entity’s operations provides opportunities to engage in fraudulent financial reporting that can arise from:
  ▪ Significant related party transactions not in the ordinary course of business or with related entities not audited by another firm.
  ▪ A strong financial presence or ability to dominate a certain industry sector that allows the entity to dictate terms or conditions to suppliers or customers that may result in inappropriate or non–arm’s-length transactions.
  ▪ Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties that are difficult to corroborate.
  ▪ Significant, unusual, or highly complex transactions, especially those close to period-end, that pose difficult substance-over-form questions.
  ▪ Significant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist.
  ▪ Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions for which there appears to be no clear business justification.
▪ Management incentive plans may be contingent on achieving targets relating only to certain accounts or selected activities of the entity, even though the related accounts or activities may not be material to the entity as a whole.
▪ There is ineffective monitoring of management as a result of:
  ▪ Domination of management by a single person or small group (in a nonowner-managed business) without compensating controls.
  ▪ Ineffective board of directors or audit committee oversight over the financial reporting process and internal control.
▪ There is a complex or unstable organizational structure as evidenced by:
  ▪ Difficulty in determining the organization or individuals who have controlling interest in the entity.
  ▪ Overly complex organizational structure involving unusual legal entities or managerial lines of authority.
  ▪ High turnover of senior management, counsel, or board members.
▪ Internal control components are deficient as a result of:
Risk Factors Relating to Misstatements ◾
  ▪ Inadequate monitoring of controls, including automated controls and controls over interim financial reporting (where external reporting is required).
  ▪ High turnover rates or employment of ineffective accounting, internal audit, or information technology staff.
  ▪ Ineffective accounting and information systems, including situations involving significant deficiencies.
Attitudes/Rationalizations to Commit Fraudulent Financial Reporting Risk Factors
▪ Ineffective communication, implementation, support, or enforcement of the entity’s values or ethical standards by management or the communication of inappropriate values or ethical standards.
▪ Nonfinancial management’s excessive participation in or preoccupation with the selection of accounting principles or the determination of significant estimates.
▪ Known history of violations of securities laws or other laws and regulations, or claims against the entity, its senior management, or board members alleging fraud or violations of laws or regulations.
▪ Excessive interest by management in maintaining or increasing the entity’s stock price or earnings trend.
▪ A management practice of committing to analysts, creditors, and other third parties to achieve aggressive or unrealistic forecasts.
▪ Management failing to correct known reportable conditions on a timely basis.
▪ An interest by management in employing inappropriate means to minimize reported earnings for tax-motivated reasons.
▪ Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality.
▪ The relationship between management and the current or predecessor auditor is strained, as exhibited by:
  ▪ Frequent disputes with the current or predecessor auditor on accounting, auditing, or reporting matters.
  ▪ Unreasonable demands on the auditor, such as unreasonable time constraints regarding the completion of the audit or the issuance of the auditor’s report.
  ▪ Formal or informal restrictions on the auditor that inappropriately limit access to people or information or the ability to communicate effectively with the board of directors or audit committee.
  ▪ Domineering management behavior in dealing with the auditor, especially involving attempts to influence the scope of the audit or the selection or continuance of personnel assigned to or consulted on the audit engagement.
Incentives/Pressures to Commit Misappropriation of Assets Risk Factors
▪ Personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets.
▪ Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. For example, adverse relationships may be created by:
  ▪ Known or anticipated future employee layoffs.
  ▪ Recent or anticipated changes to employee compensation or benefit plans.
  ▪ Promotions, compensation, or other rewards inconsistent with expectations.
Opportunities to Commit Misappropriation of Assets Risk Factors
▪ Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation. For example, opportunities to misappropriate assets increase when there are:
  ▪ Large amounts of cash on hand or processed.
  ▪ Inventory items that are small in size, of high value, or in high demand.
  ▪ Easily convertible assets, such as bearer bonds, diamonds, or computer chips.
  ▪ Fixed assets that are small in size, marketable, or lacking observable identification of ownership.
▪ Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because there is:
  ▪ Inadequate segregation of duties or independent checks.
  ▪ Inadequate management oversight of employees responsible for assets (e.g., inadequate supervision or monitoring of remote locations).
  ▪ Inadequate job applicant screening of employees with access to assets.
  ▪ Inadequate record keeping with respect to assets.
  ▪ Inadequate system of authorization and approval of transactions (e.g., in purchasing).
  ▪ Inadequate physical safeguards over cash, investments, inventory, or fixed assets.
  ▪ Lack of complete and timely reconciliations of assets.
  ▪ Lack of timely and appropriate documentation of transactions (e.g., credits for merchandise returns).
  ▪ Lack of mandatory vacations for employees performing key control functions.
  ▪ Inadequate management understanding of information technology, which enables information technology employees to perpetrate misappropriation.
  ▪ Inadequate access controls over automated records, including controls over and review of computer systems and event logs.
Attitudes/Rationalizations to Commit Misappropriation of Assets Risk Factors
Auditors may become aware of these attitudes or behavior of employees who have access to assets susceptible to misappropriation:
▪ Disregard for the need for monitoring or reducing risk related to misappropriation of assets.
▪ Disregard for internal control over misappropriation of assets by overriding existing controls or by failing to correct known internal control deficiencies.
▪ Behavior indicating displeasure or dissatisfaction with the company or its treatment of the employee.
▪ Changes in behavior or lifestyle that may indicate assets have been misappropriated.
CHAPTER SEVEN
Ongoing Compliance Overview
ORIGIN OF THE SARBANES-OXLEY ACT
A handful of companies have become household names mostly because of their demonstration of corporate greed, fraud, and accounting improprieties. The activities of these few organizations are not representative of the majority of companies in the United States, yet the result of their abuses has left a significant mark on public corporations. Considered the most significant legislation to impact the accounting profession since the Securities Acts of 1933 and 1934, the Sarbanes-Oxley Act of 2002 (SOX) is comprised of 11 titles that outline complex compliance requirements affecting a public company’s entire organization, including its relationship with its external auditor. SOX was signed into law to improve the accuracy and transparency of financial reporting and corporate disclosures as well as to reinforce the importance of corporate ethical standards. In turn, it has placed significant responsibility on issuers to design, implement, and maintain effective systems of internal controls to ensure adequate financial reporting to the Securities and Exchange Commission (SEC) and investors. In addition, SOX imposes significant criminal penalties and fines on corporate executives who do not comply. Ultimately, the requirements of SOX seek to enhance the quality, accuracy, and timeliness of financial data to allow shareholders to make informed decisions regarding their investments.
GENERATING VALUE FROM COMPLIANCE
The resultant changes from SOX, specifically SEC requirements and regulations, have forced businesses to reevaluate their organizational structures and systems of internal control and to create and/or modify the roles of individuals involved in the financial reporting process. Executive management is now explicitly responsible for establishing and maintaining a system of internal control over financial reporting and conducting an annual assessment, and the chief executive officer and chief financial officer (CFO) must certify the accuracy of financial reports filed with the SEC under the risk of criminal penalties and fines. Other members of the executive management team are responsible for the new requirements relating to codes of ethics, record retention, insider trading, whistleblower policies, as well as other legal and human resources issues. While SOX does not specifically mention any requirements of managers and supporting staff, in most cases these individuals are directly responsible for the majority of the additional work required for initial and subsequent ongoing compliance, and they must adhere to the same ethical standards as executive management. Companies have experienced significant increases in costs and time necessary to achieve and maintain compliance with the provisions of SOX and the related regulatory changes. Unequivocally, the most significant cost increases have been related to the external auditor attestation of internal control over financial reporting and the internal and external cost of complying with the provisions of Section 404 of SOX. The cost of compliance has varied mainly based on the size of the company, the number of operations, and the complexity of the business, but nonetheless it remains significant for the vast majority of organizations.
Initial implementation of SOX’s provisions for internal controls over financial reporting (Section 404) and executive financial statement certification (Section 302) has undoubtedly been time consuming and costly. The daunting requirements and evolving landscape in year one forced most organizations
initially to take a short-term minimum requirement approach to compliance and forgo process improvement and technology implementation opportunities. In subsequent years, most companies are seeking to reduce the cost of ongoing compliance while realizing greater benefits. In moving beyond initial compliance, organizations should view the mandated changes as an opportunity to revitalize business practices, drive improved performance, and boost investor confidence in an effort to generate a return on their investments in initial and ongoing compliance. Compliance can be used successfully as a platform for the development and implementation of an enterprise risk management (ERM) strategy and plan. An organization should adopt a risk-based, top-down approach to compliance by applying a formal ERM framework. Most organizations applied limited risk management concepts during initial compliance and utilized this model only as far as what is dictated by SOX requirements. As a result, these companies have not appropriately identified and considered all of the risks and/or events that may positively or negatively impact their business. Organizations should begin to consider risk more seriously as part of their daily operations. Integrating risk with performance measurement initiatives such as business performance management (BPM) can provide a realistic expectation of future performance through the monitoring of risk indicators that will alert management to changes to the risk profile. Tracking a limited number of key performance indicators and key risk indicators gives management the concise, actionable information needed to determine how the company currently is performing and may perform in the future. However, such proactive management of performance—and the creation of shareholder value—is possible only when BPM and ERM are fully integrated. 
Integrating ongoing compliance activities with risk management, performance management, automation, and process improvement activities—and aligning all initiatives with overall company strategy and objectives—will result in increased efficiency, a stronger control environment, and a lower cost of operations and compliance. Prior to the passage of SOX, CFOs and chief auditors often sought to focus on “value-added” activities, such as top-line initiatives, strategic acquisitions, and operational improvements. In today’s environment of compliance, where internal controls—previously regarded as secondary considerations—are front and center, the challenge is to identify ways to help the finance department remain a valued partner to the business in an environment of increased governance. The listed activities can help finance continue to deliver value to stakeholders while ensuring continued compliance.
▪ Identify the enterprise strategy and communicate it throughout the finance organization. Control remediation and process improvement should meet short-term goals and deliver long-term value. An organization’s financial objectives are typically a combination of liquidity and working capital optimization, profitability, and growth. The strategic goals of senior management should be understood by finance and incorporated into everyday activities. Consider the risk implications of the enterprise strategy and counsel management accordingly. Develop a finance strategy to support the enterprise strategy.
▪ Reevaluate existing key metrics to address crucial SOX processes. Identify internal and external stakeholders and the information they need to make insightful decisions. Define, develop, and deploy measurements to satisfy information objectives, such as key performance indicators and balanced scorecards. The organization should benchmark against industry leaders and key competitors to establish a performance baseline, then set goals and define a plan to achieve them.
▪ Generate a capacity to provide analytical and consultative services. Remove non–value-added processes that were identified in Section 404 documentation. Develop an analytical and consulting capacity within the finance function. This competency is critical to transformation. Measure your own processes. Simplify and streamline transaction and reporting procedures through shared services, outsourcing, and accelerated close methodologies.
▪ Leverage technology to deliver and distribute results. Avoid manual workarounds, and reduce the cost of ongoing compliance through use of technology. Use automation as a key enabler to transformation. Leverage the capabilities of existing enterprise resource planning system(s) and integrate wherever practical. Eliminate spreadsheets as a focal point of the reporting process by implementing consolidation and reporting packages. Consider business intelligence and Web-based distribution (eXtensible Business Reporting Language [XBRL]) applications to improve the timeliness and accessibility of critical information.
MOVING BEYOND INITIAL COMPLIANCE
SOX accelerated filers spent countless hours and resources on initial compliance and in preparation for the filing of their first Section 404 certification. As the focus shifts to ongoing monitoring and maintenance, organizations
must avoid complacency and recognize that compliance is not a one-time event. There is a significant risk of noncompliance beyond year one if an organization does not have a long-term strategy and comprehensive compliance plan implemented that will support the required quarterly and annual certifications. Compliance planning for subsequent years necessitates a reassessment of requirements and an approach definition that differs from the first-year compliance readiness plan. A more sustainable and practical program that is based on new and/or clarified guidelines must be developed and implemented. The plan may involve the implementation of new technology and a modified focus on process and policy that will support a more efficient and cost-effective approach to ongoing compliance. An efficient and effective infrastructure that enables repeatable, reliable activities such as documentation reviews and updates, testing, and remediation is key to ongoing compliance. Since SOX requires the linking of Section 404 monitoring efforts to quarterly reporting under Section 302, companies must have the capability to conduct quarterly evaluations and to report any changes in internal controls over financial reporting that either have or could have a material effect on the financial statements. Companies must develop the ability to keep their assessment of internal controls over financial reporting current throughout the year. An organization cannot wait until the end of the fiscal year to evaluate changes in internal control for its annual assessments. To maintain a strong control environment and derive the maximum value from an ongoing compliance program, the answers to the next questions should be continuously evaluated:
▪ Are you satisfied that there are no critical gaps and overlaps in the ownership of your financial reporting processes and in the underlying internal controls?
▪ Are you utilizing Section 404 documentation to identify opportunities to build in quality, reduce costs, and gain efficiencies while reducing financial risk?
▪ Do you have an appropriate structure and detailed plan for ensuring continued compliance with Sections 302 and 404?
Good governance, as evidenced by an effective system of internal control, and adding value to the business do not have to be conflicting objectives. Many forward-thinking organizations have recognized the compatibility of the two goals and have incorporated both perspectives into their planning and compliance programs.
The following list presents best practice considerations for ongoing compliance plans.
▪ Modify the compliance approach (based on the SEC Releases 5/05, 5/06) to adopt a more risk-based approach.
▪ Develop a formal detailed ongoing compliance plan.
▪ Define the compliance organization structure and roles/responsibilities.
▪ Communicate the ongoing compliance plan to the external auditor.
▪ Communicate the ongoing compliance plan to employees.
▪ Develop a practical, comprehensive, integrated testing plan.
▪ Reduce testing through key control review/rationalization, control automation, and elimination of redundant controls.
▪ Implement a compliance management tool for status reporting.
▪ Implement a control monitoring tool.
▪ Develop an ERM strategy and plan.
▪ Identify and implement business process improvement opportunities.
REEVALUATING THE COMPLIANCE PROGRAM
One of the intended results of SOX was a heightened process owner awareness of financial controls and risks as well as increased responsibility and accountability for those controls and risks. In year one, compliance documentation and testing was often managed and/or performed by external resources, which prevented process owners from fully embracing ownership of the control environment. To encourage greater internal resource involvement, the ongoing compliance plan should be designed to drive greater awareness through continued education/training as well as documentation and testing approval. Specifically, each organization should reevaluate its compliance program from four perspectives: ongoing compliance, remediation prioritization, process improvement, and operational structure and efficiency.
Ongoing Compliance
The next principles should be considered when planning and developing an ongoing compliance strategy:
▪ Communicate a positive tone at the top. The tone at the top significantly influences behavior throughout the organization, so certifying officers and senior executives continually should reinforce executive support and commitment to reliable financial reporting and continuous improvement of the internal control structure and environment. The tone of executive management will drive the success of ongoing compliance efforts. If management projects compliance as a burden, it will be perceived as a burden by employees and much of the value will be lost. Compliance objectives still may be met; however, control breakdowns may occur more frequently and the opportunity to recognize value from process improvements will most likely be forfeited.
▪ Develop a supportive organizational structure. Adequate organizational support is critical to successful compliance in year two and beyond. An organizational structure that supports ongoing compliance should be defined and established, and the role of internal audit (where applicable) should be outlined specifically. Organizations should consider integrating the annual audit test plan with Sections 302 and 404 certification testing.
▪ Reinforce the roles and responsibilities of process owners. The importance of the process owner role in the success of ongoing compliance cannot be overstated. Businesses can hire teams of external auditors and consultants to design, implement, and test systems of internal control, but they cannot ensure that those systems will be used properly and that internal controls will be followed once the teams leave. Since process owners are accountable for the existence and effectiveness of internal controls, their roles and responsibilities in the ongoing compliance process should be defined clearly. Only then can accountability and control ownership be truly reinforced. An effective self-assessment process can assist in facilitating this reinforcement and help ensure that any control breakdowns are detected early and corrected.
▪ Invest in compliance education and training. Continuous compliance education and training is vital to the success of an ongoing compliance program. Employees need to receive sufficient training on overall company compliance requirements and be educated about their individual roles in the compliance process in order to perform their jobs well and support the organization’s success in meeting the requirements of SOX on an ongoing basis.
▪ Implement a continuous monitoring and maintenance process. Since Section 302, Section 404, and Section 409 (Real Time Issuer Disclosures—requires disclosure of material changes in financial condition) each require ongoing compliance, every organization should design and implement a detailed continuous monitoring and maintenance process. Doing this will help to ensure that any identified remediation is completed in a timely manner. Organizations can take advantage of numerous software applications that have built-in monitoring capabilities and/or implement internal control self-assessments. Any tools that are used to facilitate the process will be dependent on the knowledge base and commitment of employees in the organization.
▪ Eliminate redundant closing and financial reporting activities. Organizations should review their current closing and financial reporting procedures and compare them against Section 302 and Section 404 certification requirements. A consolidated checklist/schedule can then be developed to enable the most efficient process and to eliminate redundant activities.
▪ Implement a process change procedure. Section 302 requires quarterly disclosure of any changes that materially affect internal control over financial reporting. A formal process change recognition and update procedure will help to ensure timely quarterly disclosure, an efficient annual certification process, and continued confidence in the internal control environment supporting financial reporting.
▪ Implement process improvement. During the initial compliance effort, a vast amount of process and control information was obtained and documented. Organizations can utilize this knowledge to foster positive change and potentially realize a return on the compliance investment. Value can be recognized through process improvement, control remediation, and expansion beyond compliance through the development or enhancement of ERM and corporate governance programs.
Remediation Prioritization
Prioritizing compliance and remediation efforts is crucial to the certification of financial reports, the annual management assessment of internal control over financial reporting, and the related external auditor attestation engagement. Remediation efforts should be designed to improve the efficiency and productivity of operating processes as well as to strengthen internal controls. Each internal control remediation plan should address not only how the corrective action improves the overall control environment but also how it streamlines transaction process flow. The timing of remediation efforts should also be considered. Companies should determine to what extent remediation could be conducted in conjunction with compliance activity. It is a best practice to plan for parallel
documentation, control gap identification, gap remediation, and testing for both initial and ongoing compliance, as parallel execution can have a dramatic impact on the cost and the timeline of compliance efforts. The first step in coordinating various remediation requirements effectively is to categorize them by type of improvement. Category examples are listed next.
Control Improvements
▪ Mitigate missing or deficient controls.
▪ Eliminate unnecessary or redundant controls.
▪ Minimize process risks.
▪ Eliminate policy and/or authorization deficiencies.
▪ Establish control process metrics.
▪ Eliminate manual controls (automate).
SOX Compliance and Financial Reporting Improvements
▪ Establish SOX reporting package.
▪ Establish standardization across financial processes and financial reporting (internal and external).
Productivity Improvements
▪ Eliminate non–value-added tasks/activities.
▪ Automate manual activities/processes.
▪ Establish universal data and/or process standards.
▪ Update/revise policies.
▪ Align business activities and efforts with perceived value.
Improvement opportunities should then be prioritized based on business impact and complexity. (See Figure 7.1.) High-impact improvements address material business issues that can be accomplished in a short time with minimal business disruption. They mitigate significant business risk and typically yield results quickly. Implementation should not extend beyond 90 days. Medium-impact improvements also focus on material business issues; however, they require an extended period of time and strong participation from the business. Implementation typically takes between three and six months. Prioritizing remediation activities based on process improvement opportunities will advance finance’s position as a valued business partner.
Figure 7.1 Prioritization Based on Business Impact and Level of Complexity (axes: Business Impact, Low to High; Level of Complexity, Low to High)
▪ Immediate Priority (high business impact, low complexity): Material business impact; Short duration effort; Minimal business disruption; Mitigates significant risk.
▪ Secondary Priority (high business impact, high complexity): Material business impact; Extended time to realize benefits—look to segregate into components; Requires significant business participation; Mitigates significant risk.
▪ Secondary Priority (low business impact, low complexity): Questionable (low) business impact; Short duration effort; Minimal business disruption; Not related to material business risk.
▪ Last Priority (low business impact, high complexity): Questionable (low) business impact; Extended time to realize benefits—look to identify value-added components only; Requires significant business participation; Not related to material business risk.
Process Improvement Documentation efforts required for Section 404 compliance have prompted many companies to take the first step in business process improvements (e.g., documentation of current processes and identification of redundancies and inefficiencies). As control remediation continues, companies are well positioned to incorporate additional process improvements into their compliance infrastructures.
Operational Structure and Efficiency An increased pressure to do things faster, better, and more cost effectively has prompted companies to pursue various strategies to improve operational effectiveness. What functions should be performed within the business units? Who should select, purchase, and operate the supporting technologies? When should business units be free to choose operating standards and when should corporate mandate consistency? These questions are answered differently based on a company’s operating style, industry, and market focus. Since there are benefits to both centralization and decentralization, companies should closely examine both approaches before making any operational changes.
Benefits of Centralization/Standardization
▪ Redundancy in operations is reduced.
▪ Management time and attention is leveraged.
▪ Economies of scale can be realized.
▪ Best practice approaches are more easily implemented.
▪ There are more defined career paths for professionals in support functions.
▪ Maintenance costs and effort are reduced.
▪ There is more efficient utilization of information technology resources (e.g., technical infrastructure, application support and licensing, and modifications).
Benefits of Decentralization/Customization
▪ Processes and systems can be tailored to each business unit’s unique needs.
▪ Local systems can be more responsive to changes in business conditions.
▪ Local operations can help foster a culture of ownership.
▪ Local operations that are integrated through a monthly feed of summarized financial information to corporate can be incorporated or divested more easily.
While there are benefits to decentralization, compliance requirements driven by SOX likely will increase the focus on economies of scale and therefore require greater centralization. The expense and time required to review process documentation and retest annually will increase with each separate department engaged in auditable activity. This will be particularly true where operations are not only separate but also vary in terms of systems, formats, and process design. Centralization is not an easy change. Companies often are reluctant to move away from their decentralized structures (even if they know they are ineffective) because the social, technical, and financial costs of change can be high. Nonetheless, more organizations are finding that the additional cost of complying with SOX warrants the decision to centralize or even employ a shared services model. Public companies spent significantly more than they had estimated to comply with Section 404.
Informal estimates indicate annual ongoing costs for monitoring and compliance currently amount to as much as 50% to 70% of the initial compliance costs. Organizations should conduct operational and budget reviews to prevent future costs from skyrocketing. Companies that have maintained critical financial functions at the divisional level should reconsider centralizing those functions in order to take advantage of greater economies of scale.
SUMMARY
Leading companies have shifted SOX efforts from “project” to “process,” moving toward a more sustainable infrastructure that will support ongoing financial management operations. Immediately addressing the four critical areas of ongoing compliance, remediation prioritization, process improvements, and operational structures and efficiency will help organizations leverage the knowledge obtained through compliance activities and capitalize on the opportunity to improve business processes while maintaining a solid control environment. This approach will enable finance to add value while ensuring good corporate governance.
CHAPTER EIGHT
Ongoing Compliance Challenges
For most companies, achieving Section 404 compliance has proven to be much more challenging, and more costly, than initially anticipated. In most cases, for accelerated filers, initial and year one compliance efforts strained company resources while still leaving internal control issues. Their burden continues through year three and beyond. Nonaccelerated filers have filed an initial certification more recently. These organizations are not required to submit an auditor attestation with their certification. In reality, several of these smaller organizations do not have all of the required evidence to support their certification, and many may not have conducted the appropriate level of control testing. As a result, these companies have spent little or no time focused on ongoing compliance planning or execution, factors that may result in lack of efficiency, higher cost, and potential risk of noncompliance in the future. These resultant issues also magnify the importance of the role of the board and audit committee in assessing risk and ensuring compliance, which is discussed later in this chapter.
In general, both accelerated and nonaccelerated filers are faced with a number of ongoing compliance challenges, including:

▪ The majority of compliance activity time continues to be spent on remediation, leaving little time to develop a long-term compliance plan or create more efficient processes.
▪ The cost of compliance actually has grown in some cases due to a substantial rise in material weakness disclosures and restatements as well as an increase in audit fees.
▪ Many organizations do not have an appropriate infrastructure and implementation plan sufficient to sustain compliance, minimize risks, and reduce costs.
Therefore, any discussion about sustaining compliance should be focused on developing an integrated plan that facilitates cost reduction/minimization, increases reliability/confidence with financial results, and delivers benefits/value.
FUTURE STATE OPPORTUNITY: COMPLIANCE OPTIMIZATION

The Sarbanes-Oxley Act (SOX) in many ways created an inverted pyramid effect. The majority of entity focus was directed toward compliance achievement. Organizations spent thousands of dollars and hours on process documentation and transaction level internal control testing. Thus, risk assessment and risk management were somewhat of an afterthought and often disregarded. The recommended approach to risk management is a top-down risk view: governance, risk management, and compliance. Proper governance should drive cultural behavior and activity throughout an organization. It begins with executive management tone at the top. Senior leadership is responsible for fostering a culture of high ethics and integrity as well as conveying in words and actions an expectation of ethical behavior and integrity among all members of the organization. This commitment to the appropriate tone at the top is critical to creating a consensus about identification, assessment, and response to risk. Companies should seek to optimize their ongoing compliance programs to improve control effectiveness, realize cost savings, and provide tangible benefits to the organization. Doing this entails defining the organizational structure, roles and responsibilities, ongoing compliance process, training and communication (including the audit committee and board of directors), and reporting and incorporating the use of technology within the ongoing compliance process. Specifically, a comprehensive, long-term program should be structured similar to Figure 8.1.
Governance

A good governance approach requires that the tone at the top be established and reinforced continuously. The organization should develop an integrated compliance strategy, and objectives should be clearly outlined and communicated. Senior executives should seek to establish and foster a culture of integrity and high ethical standards. Ultimately, developed governance policies as well as adherence to these established guidelines should be monitored continuously, and ownership, responsibility, and accountability for good governance and internal controls should be embedded throughout the culture of the organization.

Figure 8.1 Organization View of Risk Management
Governance: tone at the top; integrated compliance strategy; outline objectives; establish culture (foster integrity and high ethics); develop policies and monitoring; embed ownership, responsibility, and accountability.
Enterprise Risk Management: identify and assess risk; develop a risk response strategy; document control activities; apply risk management to gain competitive advantage.
Compliance: ensure adherence to laws and regulations.
Enterprise Risk Management

The creation of a comprehensive ERM program requires these activities and considerations:

▪ Identify and assess risk.
▪ Develop a risk response strategy.
▪ Document control activities.
▪ Apply risk management to gain competitive advantage.
(See Chapters 2 and 4 for additional detailed discussion regarding roles, responsibilities and the risk assessment process.)
Compliance

The compliance component requires that the organization focus on ensuring adherence to all applicable laws and regulations. The objective/focus should be on efficiency coupled with accuracy. A fully integrated, streamlined, efficient process leads to cost reduction/minimization and potential increase in shareholder value. Figure 8.2 outlines the major components of the compliance optimization process including the use of technology.

Figure 8.2 Compliance Optimization Process: Major Components
Processes: define organization, roles, responsibilities, and processes; rationalize controls based on risk; integrate close and compliance processes; measure, monitor, improve.
Technology: automate compliance tasks; automate compliance workflow; automate close tasks; automate notification of design and/or control changes; automate scoping; automate testing.
ISSUES TO CONSIDER WHEN OPTIMIZING COMPLIANCE

Several years after the passage of SOX and certification filing, U.S. corporations are still grappling with the complex array of regulations and the enormous costs required to comply with SOX. While many gray areas remain, forward-thinking companies can reduce the burden of ongoing compliance by taking action to improve the efficiency and accuracy of their financial processes. The following commonly reported deficiencies and issues should be closely considered when developing a monitoring and maintenance plan that will sustain compliance:
▪ Financial close. This process typically is complex and involves high-risk activities performed in a short time period. In many cases, organizations lack formal defined and documented processes and controls for financial close activity. Ongoing compliance is at risk in this situation. A major compliance focus is on the process of providing information reported on the financial statements. Organizations should seek to automate this process wherever possible, to integrate the financial close and compliance processes, and to continuously seek to strengthen financial reporting and disclosure procedures.
▪ Reporting and disclosure. Many organizations continue to demonstrate a lack of: process definition, resource dedication, technical knowledge/expertise/skill set, and adequately documented process and evidence of approval regarding the financial reporting and disclosure activity. Similar to the financial close process, there is major focus on the methods that organizations utilize to report and disclose critical information regarding their financial position.
▪ Information technology controls. Many organizations found they had inadequate documentation of IT controls. In particular, companies lacked sufficient detail in such general control areas as backup, recovery, and program change control. Inadequate documentation must be supplemented with enough detail to reflect a stable control environment. Inefficiency of manual controls and the inability to automate these controls quickly enough to meet initial compliance requirements are also frequent problems.
▪ Postmerger integration. It is generally very difficult to maintain a strong system of internal control during merger and acquisition activity due to the merging of people, processes, and technology and the time constraints placed on the resources involved in the transaction. As a result, organizations often neglect the control environment, creating a high risk of control weaknesses, gaps, and/or deficiencies.
▪ Outsourced functions. Many organizations have outsourced one or more basic functions or business processes. In most cases, the process activity has had a significant impact on financial reporting. The organization should request a Statement of Auditing Standards 70 type II letter that clearly outlines the expectations of the vendor and the requirements of the contents of the letter. The certifying organization must be able to obtain adequate information about the vendor’s control environment and the controls over financial reporting in order for management and the external auditors to certify and attest to the overall control environment (including the outsourced activity).
▪ Personnel. Many companies experienced deficiencies in the segregation of duties, staffing, and training. For example, many companies simply do not have the necessary finance/accounting staff to meet their needs, so individuals with insufficient skills and inadequate experience often perform critical tasks. In addition, the same person may perform multiple tasks, such as approving and paying invoices, duties that should be segregated between individuals.
Many companies disclosed (and are still attempting to overcome) these issues and deficiencies. These organizations should review their remediation plans and timing periodically with their external auditors and provide regular status reports on their progress. Depending on the severity of the identified deficiencies, the external auditor typically expects a company to complete remediation by the following year-end. Companies can address such deficiencies effectively by:
▪ Taking a practical approach when testing for fraud. Companies should evaluate their organization based on such factors as size and industry and concentrate their efforts on areas with the greatest potential/risk for fraud.
▪ Focusing on and evaluating company-wide controls first. Controls are used to prevent and detect potential errors in financial reporting. In the past, many organizations focused on a wide range of controls simultaneously in order to comply with SOX requirements rapidly. Auditors and organizations should refocus their efforts by looking at the entity-level control landscape and drilling down only where absolutely necessary.
▪ Automating controls wherever possible to minimize year-to-year testing. Replacing manual controls with automated controls strengthens the control environment and reduces the amount of testing required on an annual basis.
▪ Leveraging past compliance efforts. When planning their ongoing compliance efforts, companies should review past compliance initiatives to better maximize their results.
▪ Integrating audits of internal controls with audits of financial statements. Integrating these audits helps minimize redundancy when companies conduct testing and gather evidence, resulting in significant savings in time and cost.
ONGOING COMPLIANCE PLAN

The initial SOX compliance plan should be modified to eliminate the one-time efforts of initial compliance such as pilot programs and full documentation requirements and should be refined to include a current review and risk assessment. The risk assessment of the control environment also should include analyses of software automation opportunities, general controls documentation requirements, outsourced functions, and process changes that have occurred since the prior compliance period. This process should be conducted through interviews with key members of the applicable management team and key process owners. A thorough control self-assessment questionnaire can be an effective tool for addressing all relevant issues in the risk assessment process. After completing the risk assessment of the control environment, the ongoing compliance plan should be modified to include the risk assessment results. With this data as a foundation, a specific work plan with well-defined roles and responsibilities, including compliance owners, should be developed. This plan also should include:

▪ Specific tasks to be completed and their sequence
▪ Expected duration of the tasks
▪ Task assignments
▪ Expected outcomes from the tasks listed
▪ Critical milestones

Next, seven steps should be performed:

1. Define roles and responsibilities.
2. Appoint an overall compliance owner or project manager.
3. Define the role of the internal audit function in ongoing compliance.
4. Define the roles of process owners and business units.
5. Finalize a training and communication plan.
6. Define the status-reporting hierarchy, structure, content, and frequency.
7. Determine the role of technology and software.

In addition, the methods and procedures should be defined for:

▪ Process review
▪ Documentation review and update
▪ Policy review and update
▪ Control issue escalation
▪ Gap analysis
▪ Remediation and prioritization
Ongoing Reporting

For Section 302 compliance, all future quarterly and annual financial reports must include a certification executed by the chief executive officer and the chief financial officer (CFO). Section 404 mandates that required annual reports include (1) an internal control report stating management’s responsibility for internal control and management’s assessment of internal controls for the most recent fiscal year; and (2) the external auditor’s attestation to, and report on, management’s assessments (accelerated filers). To expedite the final reporting process, information generated by the project team and process owners should be utilized to draft the required certification report. The report cannot be finalized until the remediation plan and any additional testing are completed. Preparation of the documents in anticipation of the results of any required retesting will facilitate the final report process. The draft report should be provided to the steering committee and the audit committee for review and comment. Once the remediation plan and required control activity testing are complete, the draft certification disclosures and management’s assessment of internal control over financial reporting can be finalized for inclusion in the required quarterly or annual report. The final certifications and assessment reports, along with a final report of findings from the project team indicating the status of internal control over financial reporting and the resolution of both the remediation plan and the corrective action log, should be presented to the steering committee, audit committee, and certifying executives for final review, modification, and approval.
Customize the Compliance Plan

There is no one-size-fits-all solution for ongoing compliance. Many different factors affect the organization structure, role and responsibility definition, and monitoring and reporting processes that comprise an organization’s compliance program. When developing such a plan, the long-term compliance strategy should be outlined clearly and evaluated to ensure that it is forward-looking and aligned with overall company objectives as well as other tactical initiatives that may be under way. Specific factors that can influence a compliance strategy/plan include:

▪ Culture. Is the organization ready for change?
▪ Organizational complexity. Is the organization centralized or decentralized? Geographically dispersed?
▪ Organizational structure. What is the company reporting hierarchy?
▪ Current status and focus of compliance efforts. Is the current compliance plan integrated with other company initiatives and requirements as well as with the overall company strategy and objectives?
▪ Percentage of manual processes. How much control automation exists?
▪ Sophistication of current technology. Are disparate systems present?
▪ Resource availability and skill sets. Do you have the internal bandwidth and expertise to execute an effective compliance program?
After examining the company’s compliance strategy, the entity should consider integrating the ongoing compliance program with other strategic initiatives, such as business performance management (BPM), ERM, and business process improvement/automation. An integrated framework not only minimizes costs but also improves information quality and increases transparency, which, in turn, enables more proactive decision making and strengthens the overall control environment. A comprehensive approach also can maximize shareholder value. ERM, when combined with BPM, provides a complete view of past, present, and future performance, which encourages the proactive management of the business and supports rapid decision making.
Rightsizing Best Practices

In year three of compliance and beyond, companies should shift their focus from implementation to sustainability and adopt tools and practices that will facilitate the rightsizing of their existing compliance program through increased efficiency and streamlined business processes. The next paragraphs outline areas that should be considered when defining the scope of the compliance effort and building a sustainable, cost-effective process.

Outsourcing

Now that all processes have been formally and thoroughly documented, many organizations are in a better position to take a closer look at process improvement options, such as outsourcing. Once viewed as primarily a tactical, cost-cutting measure, outsourcing has matured into a sophisticated and proven business process improvement measure that also can improve the control environment and streamline compliance activities. Outsourcing a specific process or function, such as accounts payable or accounts receivable, can strengthen a deficient or weak control environment by enhancing segregation of duties and increasing control automation. Outsourcing select processes to the appropriate partner can provide an organization with a method of reducing ongoing compliance cost through greater efficiency as well as reducing risk. In addition, outsourcing can provide greater process visibility, enhance control, and ensure the accuracy of financial statements. Currently, the leading outsource providers are very sophisticated and offer high quality, efficiency, and increased work capacity through streamlined processes and advanced technology.

Control Testing

The objective of control testing is to provide an appropriate basis for management to determine the operational effectiveness of the key internal controls identified during documentation. The results from the test procedures will form the basis of, and support, management’s assertion on internal control over financial reporting included in annual reports. External auditors also may review the results of testing during their attestation of, and report on, management’s assessment of internal control over financial reporting.
Appropriate testing procedures include inquiry, observation, inspection, performance of control activities, and examination of evidence necessary to support account balances. Since controls should be tested at both the entity level and at the transaction or application level, it is a best practice to integrate test plans and reduce the number of controls through:
▪ Risk assessment
▪ Rationalization
▪ Process standardization/centralization
▪ Process improvement
▪ Automation

Control Automation

Control automation can reduce testing, eliminate manual controls, increase preventive controls while decreasing detective controls, and strengthen the control environment. It also can significantly reduce costs and improve the timeliness and quality of status reporting. Noteworthy cost contributors include systems costs as well as the number of full-time employees (FTEs) required to execute the compliance process. Top-performing organizations typically implement technology to support the compliance process and/or have automated controls as part of their ongoing compliance efforts. As a result, cost savings are generated through a reduction in one or more of these areas:

▪ Number of FTEs involved in the compliance process
▪ Control violation identification time
▪ Internal and external reporting time

The strategic use of technology can help companies contain the cost and effort required to achieve regulatory compliance; however, an integrated approach should be adopted to fully achieve such benefits. A number of software vendors currently offer integrated solutions that can help organizations complete compliance requirements more efficiently. (See Chapter 9.)
Accelerate the Close Process

Accelerated reporting requirements have prompted many organizations to examine their close process and identify methods to increase the accuracy and timeliness of financial information. Software can automate compliance and the close process by unifying financial reporting, close tasks, and internal controls, thereby reducing the risk of material weakness disclosures and financial restatements. By capturing and securing all transactions and documents associated with close and compliance activities, these tools can preserve data integrity and reduce costs through process improvement. While technology certainly can be an enabler, by itself, it cannot move a company from a ten-day to a two-day close. A faster close can be accomplished only by improving the processes that collect and feed data into the system.
ROLE OF INTERNAL AUDIT: BALANCING THE COMPLIANCE AND AUDIT FUNCTIONS

Increased compliance requirements have required a great deal of attention from internal audit departments. Internal auditors, with their expertise in business processes analysis, control testing, and risk management, have been involved in various compliance initiatives that have led to a dramatic increase in workload without an increase in resources. Many organizations allocated as much as 50% or more of their internal audit groups to initial Section 404 work. The end result was predictable: Traditional internal audit work—assessing controls, generating value, and improving operations—often was neglected in order to meet the more pressing demands of regulatory compliance. In many cases, the internal audit group possessed more controls expertise than any other part of the company and, therefore, took on the majority of the compliance burden. Yet such an unbalanced deployment of internal audit resources is not sustainable or practical for most organizations. As companies move beyond year three of SOX compliance, they should seek to rebalance internal audit activities and restructure the function’s role to maximize its overall effectiveness and minimize ongoing compliance cost. In addition, specific consideration and attention should be given to ensuring that a conflict does not exist between any third parties performing internal audit outsourcing and control gap remediation support. Meeting compliance requirements as well as maintaining compliance is obviously important, but not to the neglect of internal audit’s standard auditing responsibilities. Failure to address key strategic and operational risks in conjunction with compliance risk undermines the value of internal audit and exposes the company to greater operational and financial risks.
Today, more than ever, a properly structured internal audit function can be a tremendous benefit to an organization, impacting not only regulatory compliance but also operational excellence. Companies can take the first step in obtaining a balanced, high-performing internal audit function by:
▪ Defining internal audit’s role to again include operational risk as well as compliance support. Focusing internal audit on the basic audit function can better position the group to participate in risk management activity, strategize on how to streamline operations, and enhance competitiveness through cost reductions and greater shareholder value. Audit work should be balanced thoughtfully among financial, operational, strategic, compliance, and information technology risk assessment. This may be accomplished by transitioning some of the first-year compliance responsibility to business units and process owners, which would allow internal audit to devote more time to its traditional responsibilities.
▪ Determining whether the internal audit function is staffed properly and contains the proper skill mix to perform its responsibilities successfully. Compliance and the need for knowledgeable resources to assist with compliance plan implementation and continuous monitoring have created a shortage of qualified resources. Many individual company Section 404 certifications contained disclosures on issues or weaknesses with the capabilities and/or competency of the accounting and finance group. In addition, many companies have developed an ongoing compliance plan that involves utilizing the internal audit group in some capacity. Each company should confirm that the appropriate number of qualified resources (based on the ongoing compliance plan) exist within both the accounting and the internal audit groups. Doing this will help to ensure that organizations are able to execute the company’s compliance plan as well as verify compliance with SOX from a personnel capability standpoint.
▪ Leveraging testing conducted independently by internal audit in order to minimize external audit testing and costs. External auditors cannot rely completely on the results of management testing when formulating their opinion regarding the control environment; however, the Securities and Exchange Commission/Public Company Accounting Oversight Board pronouncement of May 2005, Auditing Standard No. 2—An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, affirmed that external auditors can rely on the work of independent third parties. Therefore, auditors can rely on testing conducted by internal auditors if the testing is independent of management testing.
If this structure is adopted, external auditors can reduce the amount of their control testing, which would reduce external audit fees and encourage organizations to capitalize on the concentrated skill sets within their internal audit groups.
The new compliance requirements have challenged companies to redefine the structure, staffing, and role of their internal audit groups. Organizations should determine the most efficient, cost-effective way to structure and use the internal audit function while giving specific consideration to how the group can be best utilized to facilitate ongoing compliance cost reduction.
EVOLVING ROLE OF THE AUDIT COMMITTEE

The role of the audit committee has expanded and changed at an unprecedented rate due to the passing of SOX and an increased focus on corporate governance. Today’s audit committee members are empowered and more influential, but they also have increased responsibilities and greater accountability. Rules outlining the composition of the audit committee and its independence have emerged; however, rules alone will not provide the foundation needed to build the relationships and leadership that will ensure the committee’s effectiveness and the integrity of a company’s financial information. In today’s environment, boards of directors and audit committee members are asking significantly more questions of management in order to understand a company’s business, risks, and control environment more thoroughly. An increased need for information, driven by the need to make informed decisions, requires audit committees to spend more time preparing and interacting with management, external auditors, and internal auditors in order to fully understand a company’s strategy and approach to compliance. Many audit committees have not adopted best practices, despite the regulatory microscope under which committee members currently operate. The percentage is surprisingly low for a group that plays such an important role in the welfare and integrity of a company. An audit committee can implement a number of best practices to enhance its performance and role within an organization. Some of the primary ones include:
▪ Do not do management’s job. Committee members should ask appropriate questions to understand management’s long- and short-term approach to initial and ongoing compliance to ensure that an effective control compliance program is in place. Ultimately, the audit committee’s role should be to understand how management has designed and intends to implement the company’s compliance plan. Since this group has the last plan review opportunity, the committee has a responsibility to make sure that management is doing what it needs to do to safeguard shareholder value. Such knowledge should create a comfort level with the strategy and plan that will allow the audit committee to support management in the communication and implementation of compliance initiatives. If a comfort level with the plan does not exist, the audit committee should guide the organization in revising the strategy and/or plan in order to support it fully.
▪ Support the tone at the top. The overall effectiveness of the control environment is dependent on setting and maintaining the tone at the top, which is shaped by executive management. Given its expanded role, the audit committee represents the ultimate tone at the top and therefore needs to demonstrate support for the compliance program both internally to all employees (from senior management to process owners) as well as externally to shareholders and investors. This support can be demonstrated only if audit committee members have a good understanding and comfort level with the compliance strategy and plan.
▪ Allow adequate meeting time. The expanded role of the audit committee has warranted, in many cases, more frequent and lengthy meetings in order to provide adequate financial and regulatory oversight outlined by SOX. Ample time should be allotted for discussing the status of the company’s compliance program and examining both control strengths and weaknesses.
▪ Monitor control gap remediation efforts against plans. Audit committees should review the gap remediation strategy and plan and have, at a minimum, a general understanding of existing control gaps as well as the effect they may have on the company’s compliance status and certification. Members should be prepared to provide or arrange guidance if remediation prioritization assistance is required. In addition, gap remediation should be monitored closely for progress and completion.
▪ Support cost-effective initiatives that strengthen internal controls. The high costs of ongoing compliance have sharpened the focus and need for initiatives that can streamline the compliance process as well as improve the overall internal control environment. Audit committee members should review and inquire regarding compliance efforts to ensure that the company has created an ongoing compliance plan that concentrates not only on strengthening the control environment but also on receiving optimum value and/or return on compliance investment.
Here are five important questions audit committees should be asking to help organizations effectively identify and address compliance risks, challenges, and opportunities:
1. Is the company’s relationship with its auditor conflict free? SOX strictly prohibits registered public accountants who are conducting a financial statement audit from performing nonaudit services, such as the design and implementation of financial information systems, appraisals, valuations, fairness opinions, internal audit outsourcing, and management functions. Even if a company is not subject to SOX, the audit committee should examine relationships with outside auditors to ensure that they are independent and objective, so the company avoids both actual conflicts and perceived conflicts of interest.
2. What is the long-term strategy for ongoing compliance, and does it focus on cost reduction? Organizations can minimize costs by designing and implementing a comprehensive ongoing compliance program, employing process enhancements, and selectively using technology. Such investments actually can generate a return through increased overall operational efficiency resulting from streamlined processes. Furthermore, it is estimated that organizations that adopt a comprehensive compliance management architecture may spend as much as 50% less on ongoing compliance than those that do not.
3. How is the organization integrating SOX compliance with other compliance requirements? Maintaining separate systems or procedures for different compliance requirements can create silos that are difficult to manage across the organization. An integrated compliance framework will streamline processes, eliminate duplicate work, provide more effective risk management, and reduce overall compliance costs.
4. Does the company have a formal ERM program? If not, is there a plan in place to build one or expand the current ERM program based on SOX compliance? With a comprehensive, integrated ERM framework, all identified risks and controls can be managed more effectively across business units, functions, and activities, including those affecting SOX compliance. Implementing a common framework for addressing all regulatory requirements can provide considerable savings through greater operational efficiency over the cost of multiple stand-alone initiatives and responses.
5. Does the organization have a formally approved and tested business continuity plan? Recent disasters have left companies with a heightened awareness of their vulnerability to business disruptions and the associated costs.
A company should have a business continuity plan in place to help it operate in the event of a natural or man-made disaster. Business continuity planning is focused primarily on the recovery of cross-functional business operations and resources as opposed to computer systems. Engaging in such planning will allow organizations to minimize the risk of revenue loss due to disruptions in business processes, customer service, and regulatory compliance.
Audit committees are charged with the task of providing the leadership required for a company to achieve the highest corporate governance standards. This task has been complicated, in part, by the high costs of both initial and ongoing compliance. According to estimates, in many cases between 40% and 70% of the cost of initial compliance is being spent by organizations on ongoing compliance. Since most CFOs will not condone such a high level of expense for the long term, companies must find ways to minimize costs. The audit committee plays a vital role in focusing companies on the need to examine their compliance efforts and identify opportunities to gain efficiency. The audit committee should suggest and support initiatives and investments that will reduce ongoing compliance costs through a strengthened control environment and a streamlined compliance process.
SUMMARY
Ongoing compliance solutions will vary widely, depending on the company. However, every organization should seek to optimize the ongoing compliance process. In doing so, the entity should consider maximizing control effectiveness while minimizing compliance costs. In addition, the use of technology and software options should be examined for practical applicability to each individual organization.
CHAPTER NINE
Addressing Compliance and Risk Management Challenges through Automation
Organizations invested millions of dollars on initial compliance and subsequently spent as much as 80% of those same dollars in year two refining documentation, testing, and remediating control weaknesses. Now that they have moved past year three and beyond, companies are exploring automation as a means for making the ongoing compliance process more efficient and less costly. As a result of several factors, not the least of which is a lack of integrated testing as well as a significant amount of manual compliance testing and reporting, external audit costs increased, in many cases significantly. In addition, the anticipated reduction of subsequent-year audit fees has not been realized. Lack of automation also has contributed to the high cost of compliance. In many organizations, a high number of manual controls still remain, and a substantial amount of manual testing continues to occur. Compliance monitoring, testing, and reporting automation can play a key role in achieving process improvement and efficiency. When implemented effectively, technology enables an efficient, repeatable, and reliable process that can significantly lower the cost of compliance and offer increased visibility into the business. It also can strengthen the control environment, increase data integrity, improve process efficiency, and minimize risk by providing better visibility into control issues, allowing organizations to address known concerns earlier and avoid misstatements or certification issues. The reasons most often cited for not implementing technology are lack of time, resources, and expertise. Companies typically utilized existing systems and processes to meet stringent compliance deadlines during the early years of compliance. Most did not have the capabilities to identify, evaluate, and implement technology as part of their initial compliance efforts. After the significant investment required for initial compliance, many organizations were not willing and/or able to invest additional dollars for the purchase and implementation of software. Also, most companies were weary from the extensive time and resource burden involved in the first few years of compliance and were not interested in initiating another project. Other organizations delayed automation until they could determine how Sarbanes-Oxley (SOX) compliance integrated into their overall long-term business strategies. Still others chose to wait until the software market and available tools were more mature and sophisticated. These reasons for delaying automation are no longer valid in the current regulatory environment, where 100% accuracy and integrity in financial reporting are expected. In order to address the demand for an efficient, cost-effective method of compliance, senior finance executives are elevating the importance of automation within their organizations.
These executives justifiably expect automation to provide a complete and accurate view of the controls, which in turn will create a higher level of confidence in senior management’s ability to monitor and direct compliance efforts. With several years of compliance certification behind us, it is an ideal time for a company to consider implementing a tool that facilitates the execution of its strategy. The current software market offers a comprehensive array of tools that support the automation of the compliance management, monitoring, and reporting processes. These tools also can effectively integrate SOX compliance with related areas such as internal audit, enterprise risk management (ERM), and additional regulatory requirements. While much work remains for companies to achieve an optimal framework for sustainable compliance, automation plays a vital role in providing that framework and significantly reducing both short-term and long-term costs. Numerous companies face the challenge of documenting controls across multiple locations and disparate accounting systems. According to a recent study, the average $1 billion company maintains 48 financial programs along with nearly three enterprise resource planning (ERP) systems. Such challenges have enticed over 100 vendors to develop various software solutions aimed at governance, risk, and compliance. The list includes ERP vendors, content management and business-process management specialists, start-ups, and industry giants. With so many choices available, determining which product to implement is not an easy decision. As a result, software selection projects are becoming a necessary means for reaching a consensus on what tool should be used to facilitate ongoing SOX compliance.
SOFTWARE CAN ADD VALUE BEYOND COMPLIANCE
Most public companies would agree that Section 404 of SOX and its reporting deadlines have made manual documentation and control testing increasingly difficult. The need to demonstrate sound financial controls over key business processes and test those controls annually has led many organizations down the path of automation. The benefits of technology are certainly compelling. SOX-specific software can provide clear evidence that internal controls are in place and operating effectively, which can give executive management added confidence when certifying the effectiveness of controls. Perhaps even more important is technology’s ability to improve ongoing compliance efforts (and alleviate staff frustration) by streamlining documentation and facilitating continuous improvement. Before employing automation, organizations should seek first to incorporate a compliance mind-set into their culture. A compliance software implementation coupled with the rollout of a complete ongoing compliance process can help facilitate this integration, so that compliance ultimately becomes another business process that is woven into the culture of the organization. Implementing compliance software offered by one of the leading providers can help companies improve their compliance as well as business processes. Such products provide distinctive capabilities in compliance monitoring, maintenance, and reporting automation and offer unique features and benefits beyond just compliance management. Certain tools identify and score enterprise-wide risks based on significance and likelihood of occurrence and measure variance from targeted risk standards. Other software applications unify financial reporting and close tasks with internal controls, thereby increasing the precision and timeliness of financial statements and reducing the risk of material weakness disclosures. Overall, these tools can add significant value above and beyond compliance management when tailored to a company’s individual requirements.
MONITORING SOFTWARE
Automation, specifically the use of continuous monitoring, can facilitate ongoing compliance goals, such as reducing costs, strengthening the control environment, increasing data integrity, minimizing risk, and improving business processes. Real-time transaction inspection and reporting software can assist with strengthening the control environment, sustaining SOX compliance, reducing ongoing compliance costs, and minimizing risk, and potentially can deliver a return on investment (ROI). Implementation of continuous monitoring software can reduce audit costs, increase the reliability of segregation of duties controls, increase antifraud control effectiveness, and improve overall financial governance. These applications can access data from multiple financial systems and employ techniques and tests used by auditors, fraud examiners, and forensic accountants to identify fraud, misuse, and errors in business transactions. In addition, continuous monitoring of financial processes and real-time transaction inspection and reporting software can sustain SOX compliance and potentially deliver an ROI by continuously monitoring financial processes, automating manual controls, and facilitating process improvement. Serving as an automated audit, transaction integrity monitoring software can be instrumental in:
▪ Monitoring the effectiveness of preventive controls
▪ Asserting the compliance of individual transactions
▪ Identifying exceptions before they become control deficiencies
▪ Alerting compliance officers to control violations
Errors in day-to-day financial transactions consistently result in adjustments, reversals, and rework. Continuous monitoring drives defect-free financial processes to eliminate potential weaknesses in the control environment by inspecting each step of every financial transaction in real time for errors and control violations, thus eliminating the associated costs. Increasing the quality of financial operations leads to an accelerated, more accurate close process and validates policy compliance. The application aids in reducing business-process risk by inspecting each step of every financial transaction in real time for errors, control violations, and fraud. In most cases, control monitors are embedded directly into the enterprise application. This allows an organization to address any identified issues immediately and proactively while minimizing the associated cost of correction. In addition, automated controls and the implementation of real-time transaction inspection deliver results that give executive management the confidence to sign the Sections 302 and 404 certifications. Monitoring software vendors have elevated continuous controls monitoring to the next level by combining controls testing with real-time transaction inspection to identify problems in a business process. Their platforms automate the entire life cycle of finding problems, fixing them, and proving they were resolved effectively. By inspecting each step of individual transactions across systems, this automated process identifies errors and control violations, drives defect-free processes, and sustains SOX compliance in a cost-effective manner. Many organizations have expanded the use of monitoring tools beyond compliance and have recognized a significant ROI. In addition to assisting in sustaining SOX compliance, real-time transaction inspection can transform compliance expense into a return on compliance investment. Transaction integrity monitoring serves as an automated audit. In addition, it minimizes control testing, streamlines the monitoring and reporting process, and, most important, provides a cost-effective ongoing compliance process.
UTILIZATION OF CONTINUOUS MONITORING: CONTROL TESTING AND CONTROL AUTOMATION
Use of continuous monitoring for control testing involves monitoring a control that is already in place (defined and performed within the existing process). In this case, the monitoring for control breakdowns has been automated. In other words, a control exists, and activity is being monitored to identify exceptions or control violations. Subsequently, those specific incidents/instances are addressed and/or corrected. An example would be monitoring journal entry approval for exceptions, such as approval by the preparer. Use of continuous monitoring for control automation involves removing manual activity from the procedure by replacing a manual control with an automated process that contains the control. An example would be monitoring for duplicate vendor payments. Continuous monitoring can serve many purposes. Many organizations successfully have employed continuous monitoring for control testing and control automation, which has resulted in ongoing compliance cost reduction via a reduction in testing.
Use of technology for these purposes has been reinforced by the regulatory agencies. The Securities and Exchange Commission (SEC) guidance provided in its May 2005 and 2006 releases supports this type of automation. Both releases reinforced a risk-based approach and, more important for this discussion, automated application controls and testing. In the May 2005 release, Auditing Standard No. 2—An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, the SEC stated regarding automated application controls: Auditors may conclude that automated application control continues to be effective, without repeating the prior year testing of the application if:
▪ General controls over program changes, access to programs, and computer operations are effective and continue to be tested AND
▪ The auditor verifies that the automated application control has not changed since he or she last tested the application control
The key message in this statement is a resultant reduction in testing, and thus a reduction in cost, driven by automation, more specifically continuous monitoring.
BENEFITS OF CONTINUOUS MONITORING
Several benefits can be derived from both automated control testing and control automation through continuous monitoring. Primarily, automation of control testing and monitoring reduces cost by reducing the overall compliance control testing effort required. It inherently strengthens the control environment and minimizes risk resulting from the increase in preventive control and the reduction in manual processing/human intervention. Elimination of manual activity minimizes risk. Continuous monitoring applications provide a detailed audit trail and automated status reporting. Both of these functions facilitate an efficient external audit through a reduction in the amount of internal and auditor resource time spent on preparation and review of information. These applications also aid in fraud reduction and policy enforcement. In addition, automated control testing and control automation can facilitate overall process improvement, which can lead to cost reduction and allow for a focus on more value-added activity. Many organizations have been utilizing external resources for compliance testing. A reduction in manual testing and an increase in control automation can lead to a decrease in the use of external resources, which, in turn, results in cost reduction.
CONTINUOUS MONITORING TOOL CONSIDERATIONS
In evaluating continuous monitoring tools, these functions should be considered:
▪ Monitoring beyond just the ERP application. An organization should seek to have the ability to access all source systems. Inclusion of all applications provides a comprehensive data set for an independent analysis versus the qualified assertions that come with exclusive ERP monitoring.
▪ Single-exception identification (in other words, a monitoring system that identifies an exception only one time). With single-exception identification, if an application is being monitored and reported on daily and an exception is documented today, this same exception would not show on the exception log again tomorrow with newly identified exceptions. Duplicate reporting would warrant reconciliation, which requires resource time and attention and increases cost.
▪ False-positive minimization. Certainly there is a cost to implementing a continuous monitoring system and a cost to handling identified exceptions. The goal is to minimize false positives that require time and money to address.
A continuous monitoring application should provide a unified view of process integrity that includes not only compliance considerations but also the entire business process. This holistic approach can lead to overall business process improvement and cost reduction.
CONTINUOUS MONITORING PROCESS
The continuous monitoring process, at its very simplest, requires data acquisition, storage/warehousing, and analysis as well as definition of a violation remediation process.
Data Acquisition
The data and transaction acquisition process facilitates data gathering from multiple disparate systems/applications. It allows for implementation of batch data extractions on a periodic basis (e.g., daily, weekly) based on any partial/changed data according to a defined “data changed” field. This method of extraction normalizes and standardizes data across applications and therefore creates a universal transaction flow. If real-time extractions are performed based on algorithms, the process can be executed without impacting or interrupting application performance.
Data Warehousing
Subsequent to data extraction, a read-only copy of detailed data can be stored, and a complete archived history of all data becomes a permanent record in a compliance monitoring vault. This storage process operates independently of all source systems, and data snapshots are maintained for specific moments in time and states of the business. Therefore, transaction streams can be replayed for retrospective inspection and analysis.
Data Analysis
Inspection of stored data facilitates the identification of data concerns, such as internal control issues and segregation of duties. In addition, data comparisons can be executed that identify exact duplicates and/or transactions that exceed specified thresholds. Customized rules can be utilized to report yes/no conditions and signal alerts based on dollar-value thresholds. Intelligent reasoning can be applied to the analysis process, and transactions within a network of related documents, processes, and actions can be reviewed for these considerations:
▪ Multisystem segregation of duties
▪ Process-level out-of-sequence events, which may be an indication of collusion
▪ Real-time, risk-based analysis
▪ Usage abuse and/or privileged user abuse, which may be an indication of collusion
▪ Identification of errors of omission
Exception Remediation
The final step in the continuous monitoring process offers a violation resolution method that is automated from start to finish. Proof of remediation and compliance is provided. Identified violations are addressed in this way:
▪ Actionable alerts are communicated via e-mail to designated individuals.
▪ Prioritization and escalation are based on predetermined thresholds or conditions, and issues are escalated through the proper resolution channel.
▪ Issues are identified and addressed prior to the close and reporting in order to avoid problems during the month-end process.
▪ Corrections are detected and performed.
A long-term compliance plan that includes implementation of technology that performs continuous monitoring for the purposes of control monitoring and/or control testing can effectively minimize cost, strengthen the control environment, facilitate accurate financial reporting and disclosure, and improve processes.
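The following is an added example, not code from the book or from any monitoring vendor, showing in miniature how the continuous monitoring steps above fit together: the two rule types from the control testing and control automation section (journal entries approved by their own preparer; duplicate vendor payments), a dollar-value threshold alert from the Data Analysis step, priority tagging for escalation, and the single-exception identification behaviour from the tool considerations, so that an exception logged today is not re-reported tomorrow. All records, field names, rule names, and the threshold value are constructed for illustration and do not reflect any ERP schema.

```python
"""Continuous-monitoring rules run over constructed transaction records.

Added example, not code from the book or any vendor product. It shows the
chapter's two uses of continuous monitoring (control testing: journal entries
approved by their preparer; control automation: duplicate vendor payments), a
dollar-value threshold alert, and single-exception identification so that an
exception already logged on an earlier run is not reported again.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data; field names are assumptions, not any ERP's schema.
JOURNAL_ENTRIES: List[Dict] = [
    {"id": "JE-1001", "preparer": "alice", "approver": "bob", "amount": 1200.00},
    {"id": "JE-1002", "preparer": "carol", "approver": "carol", "amount": 450.00},   # self-approved
    {"id": "JE-1003", "preparer": "dave", "approver": "erin", "amount": 75000.00},  # above threshold
]
VENDOR_PAYMENTS: List[Dict] = [
    {"id": "PAY-501", "vendor": "V-77", "invoice": "INV-9", "amount": 3100.00},
    {"id": "PAY-502", "vendor": "V-77", "invoice": "INV-9", "amount": 3100.00},  # exact duplicate
    {"id": "PAY-503", "vendor": "V-12", "invoice": "INV-3", "amount": 980.00},
]
ALERT_THRESHOLD = 50_000.00  # constructed dollar-value threshold for escalation


@dataclass(frozen=True)
class ControlException:
    rule: str        # which monitoring rule fired
    record_id: str   # the transaction it fired on
    priority: str    # "high" escalates; "normal" goes to the regular queue
    detail: str


def check_self_approval(entries: Iterable[Dict]) -> List[ControlException]:
    """Control testing: the approval control already exists; monitor it for breakdowns."""
    return [
        ControlException("journal.self_approval", e["id"], "high",
                         f"{e['preparer']} approved their own entry")
        for e in entries if e["preparer"] == e["approver"]
    ]


def check_threshold(entries: Iterable[Dict], threshold: float) -> List[ControlException]:
    """Yes/no condition on a dollar-value threshold, as in the Data Analysis step."""
    return [
        ControlException("journal.over_threshold", e["id"], "high",
                         f"amount {e['amount']:.2f} exceeds {threshold:.2f}")
        for e in entries if e["amount"] > threshold
    ]


def check_duplicate_payments(payments: Iterable[Dict]) -> List[ControlException]:
    """Control automation: the duplicate-payment check replaces a manual review.

    Every payment after the first with the same (vendor, invoice, amount) is flagged.
    """
    seen: Dict[Tuple[str, str, float], str] = {}
    found: List[ControlException] = []
    for p in payments:
        key = (p["vendor"], p["invoice"], p["amount"])
        if key in seen:
            found.append(ControlException("payment.duplicate", p["id"], "normal",
                                          f"duplicates {seen[key]}"))
        else:
            seen[key] = p["id"]
    return found


def run_rules(entries, payments, threshold=ALERT_THRESHOLD) -> List[ControlException]:
    """One inspection pass over the extracted data set."""
    return (check_self_approval(entries)
            + check_threshold(entries, threshold)
            + check_duplicate_payments(payments))


class ExceptionLog:
    """Single-exception identification: each (rule, record) pair is reported once.

    Daily runs re-inspect the full data set, so without this the same exception
    would reappear every day and need manual reconciliation.
    """
    def __init__(self) -> None:
        self._reported: Set[Tuple[str, str]] = set()

    def record(self, exceptions: Iterable[ControlException]) -> List[ControlException]:
        """Return only exceptions not previously reported, and remember them."""
        new: List[ControlException] = []
        for exc in exceptions:
            key = (exc.rule, exc.record_id)
            if key not in self._reported:
                self._reported.add(key)
                new.append(exc)
        return new


def daily_run(log: ExceptionLog, entries, payments) -> List[ControlException]:
    """Inspect today's data and return the newly identified exceptions to alert on."""
    return log.record(run_rules(entries, payments))


if __name__ == "__main__":
    log = ExceptionLog()
    for exc in daily_run(log, JOURNAL_ENTRIES, VENDOR_PAYMENTS):
        print(f"[{exc.priority}] {exc.rule} {exc.record_id}: {exc.detail}")
    # A second run over the same data reports nothing new.
    print("new on second run:", len(daily_run(log, JOURNAL_ENTRIES, VENDOR_PAYMENTS)))
```

The first run reports three exceptions and the second run over unchanged data reports none; a payment added later that duplicates an existing one is reported exactly once on the run that first sees it.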
RISK MANAGEMENT SOFTWARE
A lack of standardized, automated, and integrated processes can lead to inefficiency and increased cost. In addition, it can hinder an organization’s ability to make informed and accurate decisions about ERM. Every organization can benefit from taking a holistic view of risk in relation to its long- and short-term strategic goals. Risk management software facilitates this process by helping executives, risk managers, and process owners effectively analyze all relevant risks impacting their organizations. These platforms integrate SOX compliance, general compliance, internal audit, and risk management through a central data repository that produces more accurate information and promotes the consistency of internal controls. An effectively implemented risk management system ultimately can assist an organization in improving regulatory compliance, reducing earnings volatility, enhancing process efficiency, and optimizing cash flow. ERM software allows an organization to identify, assess, quantify, monitor, and manage risks through an integrated technology-enabled process. It consolidates all data related to risk management, including assessments, controls, key risk indicators, identified issues, and remediation plans. This single solution allows an organization to make more informed, efficient strategic decisions regarding risk response. Several standard reports and reporting features exist within this type of solution (e.g., dashboards, scorecards, and heat maps) that outline and categorize the risks that can impact the business. Extensive ad hoc reporting capabilities also are available that can produce customized reports without relying on information technology (IT) support. Such an approach provides a comprehensive risk management solution that provides a detailed view of all identified material and relevant risks in order to reduce deficiencies in internal controls, streamline business processes, and facilitate a proactive approach to risk management. Utilizing technology to build and monitor an ERM program can help an organization:
▪ Continuously monitor risks and controls
▪ Integrate and link risks and controls
▪ Track remediation
▪ Integrate audit and assurance activity
▪ Disseminate risk assessment information throughout the organization
Risk management technology provides the visibility into all categories of internal and external risks that executives and boards currently demand in order to manage the organization’s long-term strategy effectively. The software provides every level of the organization with the current status of the risk management program through risk analysis and monitoring tools. Additionally, many risk management solutions currently contain integrated internal audit functionality that provides an organization with the capability to manage audit-related activity and data that support risk management. The technology provides functionality for the complete audit life cycle from audit planning and data collection through to remediation and reporting. It can be utilized for all types of audits, including financial, operational, and quality audits. Overall, risk management software improves business integrity by ensuring the accuracy of information and internal controls. Perhaps even more important is the software’s ability, in many cases, to eliminate the need for multiple technology solutions, thereby dramatically reducing the time, resources, and costs associated with compliance, risk management, and audit initiatives. A number of additional benefits can be realized through the use of risk management technology. Greater transparency and visibility enable management to manage higher-risk initiatives more closely. Integrated corporate governance, risk management, and compliance processes lead to lower overall compliance and governance costs. Good corporate governance translates to better reputation, which may positively affect stock price or company value. Finally, robust risk management and internal controls lead to better operating performance for the organization.
UNIFYING FINANCIAL STATEMENTS, CLOSE TASKS, AND SOX CONTROLS
Experts estimate that most senior financial executives believe their current processes and systems are insufficient to deliver sustained, cost-effective compliance with SOX. Most companies complete their SOX assessment after their financial close, which can delay the detection of failed key controls. Discovering failed controls after the financial close requires the reevaluation of financial results and may lead to material weakness disclosures and financial restatements. This can be an expensive, time-consuming, and risky process in today’s environment of increasingly complex accounting rules and regulatory requirements.¹ There is an inherent risk in continuing to rely on manual and/or disparate processes for financial reporting and compliance. Regulatory guidance instructs companies to integrate the SOX review of internal controls with the periodic preparation and audit of financial statements, yet until the recent arrival of sophisticated software tools, the ability to do so has eluded most companies. Some of these tools directly link financial controls and close tasks to a company’s financial statements, creating a system of record for both financial close and financial compliance. Streamlining and automating manual financial close and compliance processes allows chief financial officers to minimize one of their largest expenses: external audit fees. Every organization should seek to automate the financial close process and link financial controls to financial statements. Doing so minimizes the risk of material weakness disclosure and financial restatement, increases financial statement accuracy, and improves audit efficiency.
DETERMINING THE RIGHT SOLUTION
When selecting a software solution, an organization first should consider its overall short- and long-term strategies and evaluate how each software option will facilitate the achievement of those goals. In addition, the company should determine what compliance activities it would like to automate. Specific high-level application functionality requirements may include some or all of these:
▪ Document management
▪ Control testing/assessment/certification automation
▪ Monitoring management
▪ Risk management
Consider the following methodology when determining which software is most appropriate for support of the ongoing compliance process.
Define Business Requirements
An analysis of the current and anticipated activities that would be required to comply with SOX legislation and support a risk management initiative should be conducted. This analysis will help establish a point of reference for assessing the benefits of implementing a software tool to reduce the costs of compliance and manage the compliance and risk management process more effectively.
Tasks to Define Business Requirements
▪ Develop an estimate of the activities associated with compliance, including the number of documented processes, total number of documents to be stored and maintained, control activities to be monitored, and estimated annual employee hours dedicated to compliance.
▪ Document any existing issues with the current compliance process, such as document management and version control, scheduling of control evaluations/tests, data integrity, control testing, and status reporting.
▪ Conduct interviews with senior managers in departments such as internal audit, financial reporting, and operational management to obtain input regarding requirements and existing challenges.
▪ Prepare and prioritize a list of functionality, technical preferences, and desired vendor characteristics from the results of the interviews, including long-term plans for risk management program implementation.
Identify Vendor Candidates
Currently a significant number of software options are available. These tools range from expensive, robust solutions that fully integrate many components of SOX compliance and risk management to inexpensive, freestanding solutions that are not specifically designed for SOX but are well suited to address particular aspects of compliance, such as document management. From this extensive list, candidates that meet the documented business requirements should be contacted for initial discussions and potential product demonstrations.
Select Tool and Plan Implementation
After software vendors perform product demonstrations and provide initial investment quotes and product information, they should be scored based on their ability to meet the documented requirements. Scores and analysis should be weighed, and the next factors should be strongly considered when making a final vendor decision:
▪ The technical requirements of the software and its alignment with organizational and IT strategy
▪ Software flexibility and expansion of use based on long-term organizational goals
▪ Remarks offered by references
▪ Application user-friendliness (ease of design and use)
▪ Implementation requirements (e.g., time, resources, cost)
▪ Cost
Once the vendor is selected, implementation planning can begin.
SUMMARY
For many companies, the benefits of automation greatly outweigh the up-front investment when coupled with the risk of noncompliance. Technology itself is not the ticket to hard cost savings (a common misconception) but rather is an investment that facilitates change and helps the company remain dynamic in an environment burdened by increased corporate governance, the costly burden of compliance, and an amplified focus on risk management.
CHAPTER TEN
Ongoing Compliance and IFRS
INTERNATIONAL FINANCIAL REPORTING STANDARDS
The Sarbanes-Oxley Act of 2002 (SOX) was a specific response to improve the accuracy and transparency of financial reports and corporate disclosures in the United States, yet the implications of the legislation have had a global reach. Following the passage of SOX, other countries have taken steps that seek to improve the accuracy, transparency, and comparability of financial reports and disclosures. The worldwide response has come in the form of adoption of International Financial Reporting Standards (IFRS). In July 2002, the European Commission announced that publicly traded companies would be required to apply a single set of international accounting standards for the preparation of their consolidated financial statements. A number of countries followed with this same requirement. IFRS has been reported to be the “biggest thing to happen to accounting for 150 years.”
The introduction of IFRS is intended to give investors and other shareholders access to high-quality financial information that, for the first time, can be compared across international borders. IFRS is a comprehensive set of accounting principles defined and issued by the International Accounting Standards Board (IASB), an international independent standard-setting body. Adoption of the international standards has gained significant momentum over the past several years. All European Union–listed and Australian-listed companies are required to prepare their financial statements based on IFRS for periods beginning on or after January 1, 2005. Key countries including Brazil, Canada, India, Korea, and Mexico all have adopted IFRS. Worldwide, there are, at this writing, over 100 countries that require preparation and presentation of financial statements in accordance with IFRS. The number of adopting countries is expected to rise to over 150 within the next one to two years. It is estimated that IFRS adoption has affected over 12,000 companies to date. In November 2008, the Securities and Exchange Commission (SEC) issued a proposed rule that outlined a road map that could lead to mandatory use of IFRS for U.S. publicly traded companies. The SEC subsequently modified that timeline. As of February 2010, the proposed timeline for U.S. adoption of IFRS would require larger publicly traded companies to apply IFRS beginning in 2015. The SEC will decide in the second half of 2011 whether to adhere to this timeline. In July 2009, the IASB issued International Financial Reporting for Small and Medium-sized Entities (SMEs). This is a stand-alone document issued for use by smaller companies with no public accountability. It is a 230-page simplified version of the full IFRS that eliminates discussion of many accounting topics, such as earnings per share, that generally are not relevant to private companies.
In May 2008, the American Institute of Certified Public Accountants formally recognized the IASB as an acceptable standard-setting body. Therefore, currently, U.S. “nonissuers” have an option to voluntarily adopt the use of IFRS if it is acceptable to their intended financial statement users. Whether, and at what rate, U.S. private companies will adopt IFRS remains to be seen. Some argue that U.S. private companies may find the simplified IFRS for SMEs more relevant and less costly, making it a very attractive alternative to the complicated and voluminous U.S. generally accepted accounting principles (GAAP). Currently, there are several ongoing debates regarding U.S. adoption of IFRS. Many believe that the SEC is fully committed to this initiative and dedicated to adherence to a short-term adoption timeline, even if modified. Others do not agree and feel strongly that U.S. public companies will never be required to adopt IFRS. Extensive data document and argue both the benefits and the challenges associated with U.S. adoption. Both public and private companies will face many challenges if and when IFRS adoption is mandated and implementation commences. There is significant risk associated with this type of initiative, whether it is required or voluntary. There are numerous considerations, including cost, project planning, and training. Each company must consider the impact on personnel, processes, and technology and plan accordingly. All of these implications should be incorporated into the risk management and risk assessment process.
COMMUNICATING THE IMPACT
If the SEC requires IFRS adoption, it will have a significant impact on a number of specific accounting issues, including financial instruments, derivatives, business combinations, and foreign exchange. There are several major substantive differences between U.S. GAAP and IFRS. For example, IFRS:
▪ Prohibits the last-in-first-out method of inventory accounting
▪ Requires component depreciation in certain cases
▪ Permits property, plant, and equipment revaluation, and requires impairment reversal
IFRS-related accounting issues impacting a business will be a major determinant in assessing the technical complexity, financial/business impact, and difficulty in implementing IFRS requirements. When evaluating the specific accounting issues and technical recommendations, it is clear that IFRS compliance is more than just another finance project. It is a multifaceted requirement that encompasses various issues relating to accounting and reporting, systems and processes, people, and the business as a whole. These issues go well beyond the mere technical issues of applying the IFRS to accounting and reporting.
Accounting
Naturally, the advent of IFRS is an accounting issue. It is not just the accounting itself that will change. The presentation and reporting of financial results also will be affected (e.g., segmental reporting and reclassification of certain equity items as debt). Furthermore, decisions will need to be made on how to introduce these changes effectively.
Systems and Processes
The changes in accounting and the approach adopted will have, in some instances, a significant impact on information technology (IT) systems. Companies will need to determine early in the process if their existing legacy systems have the capability to deal with the IFRS financial reporting requirements as well as the ability to support transaction tracking at the appropriate level of detail necessary for compliance with certain IFRS accounting. Depending on the transition approach adopted, an organization may require an enterprise resource planning and reporting system that can handle both GAAP and IFRS. This may be especially true of companies that need to report in the United States and to other regulatory reporting agencies. The disclosure of sales, profit, and asset allocation to a company’s primary segment is likely to result in changes in data capture requirements. Currently, the readiness of software vendors to offer solutions that embrace IFRS varies, but this does not relieve businesses of their responsibility to comply with the standards. Current IT infrastructure may not easily or readily support mapping to IFRS, and IT general and application controls may require modification. Unfortunately, a business may be at risk for manual workarounds if its systems cannot deal effectively with the IFRS requirements. In addition, the design and operating effectiveness of internal control over financial reporting will be impacted in the transition to IFRS and likely will require adjustment to accommodate the new requirements. As a result, process and control documentation will need to be modified for any changes in accounting and financial reporting. Additional controls may be mandatory, and control testing plans will require amendment. In some cases, dual reporting (GAAP and IFRS) may be necessary, which also would affect controls design and control testing.
Business
The transition to IFRS affects both internal and external stakeholders and has fundamental implications for all complying companies. Some examples of the implications are:
▪ Accounting changes will alter reported profits, which may require a complete review of a company’s remuneration structure to the extent that the organization’s compensation schemes are related to profit.
▪ Changes in reported profit will affect equity and reserves, which will require each company to evaluate and possibly modify its dividend policy.
▪ The reclassification of some forms of equity as debt may cause debt covenants to be breached and may require renegotiation of loans.
▪ Segmental reporting may disclose more information in the financial statements than previously reported. Companies will need to be prepared to explain such information to investors and analysts.
▪ Key performance metrics may change in value under new accounting rules and therefore may need to be evaluated to determine whether they still are relevant and an accurate measure of the underlying business.
▪ Organizations may not be able to understand the financial impact and manage the business effectively during the transition.
People
Like most significant change initiatives, the success of the business’s IFRS transition will depend heavily on the employees of the business. First, the initiative must have strong and visible sponsorship from executive management. If the proper tone at the top is set from the start by executive management, employees will be more motivated and likely to support the change. Cultural and language barriers should not be ignored. Often subtle issues are missed during communication because of differences in language or culture. These issues can cause problems, and an organization should strive to ensure that communication is clearly understood by all. It should recognize that IFRS initiatives are going to require a significant investment in employee resources. It is critical that resource needs be identified early in the process to ensure that skilled employees are available at the appropriate time. For all of the reasons listed, the implementation of IFRS must be board sponsored and involve all areas of the organization. The board must set the tone at the top, set it early, and involve all applicable functional areas.
PREPARING FOR IFRS
Some foreign companies delayed preparation for IFRS while they waited for the final text of the standards and then had to move ahead rapidly with their implementation plans while also managing other large corporate changes, such as SOX requirements.
An organization must decide whether to adopt an IFRS-light approach, which would require implementing only the bare minimum required for compliance, or to seek to maximize the value from the required investment by improving the overall effectiveness of the finance function. It is very likely that additional modifications to the existing standards will be published prior to U.S. adoption. Therefore, it may be worthwhile to take an approach that goes beyond mere compliance to examine current processes and systems.
COMPREHENSIVE IFRS TRANSITION APPROACH
This comprehensive IFRS transition approach outlines a detailed way to transition to the new accounting standards that improves data transparency and comparability through process improvements.
Step 1: Establish the IFRS Program (Plan)
The objectives in Step 1 are to initiate the project, mobilize a senior management team, and, most important, understand IFRS requirements. Many similar project plans begin with an assessment of the impact of IFRS on the company without serious consideration being given to IFRS itself. The comprehensive approach dedicates a separate step for understanding IFRS, its background, and its relationship to other IASB projects, especially GAAP convergence. This method will provide a much better basis on which to proceed to Step 2 (analyze). During Step 1, the governance for the project (including the formation of a steering committee created from members across the business) is established and an initial project plan is prepared and approved. The plan delineates key activities, milestones, and resources. Key Step 1 activities include:
▪ Establish a program director and core team.
▪ Form a corporate governance steering committee.
▪ Compare and understand IFRS and its association with country-specific accounting requirements, U.S. GAAP, and SOX requirements.
▪ Align IFRS efforts with current initiatives.
▪ Define project scope.
▪ Mobilize executive management as the program champions.
Step 2: Assess the Impact of IFRS (Analyze)
While a main principle of any set of accounting standards is to promote transparency, comparability, and consistency in accounting treatment, the migration to the current set of revised international accounting standards does allow for some options. In particular, it might be argued that with IFRS, the IASB has opted to sacrifice a degree of comparability in an effort to reduce the costs of transition. In Step 2, therefore, it is essential to determine what options are available during transition and what treatments will not apply after the transition year. Using scenarios will be very useful at this point. At the end of Step 2, the company should have a clear idea of the impact of IFRS and be able to determine the implications for internal control, policy, process, and IT system changes. A communication plan can then be developed to inform internal and external stakeholders. Key aspects of Step 2 include:
▪ Determine the effect of IFRS on key metrics.
▪ Understand and communicate implications for budgeting, strategic plans, and investor expectations.
▪ Consider change management aspects.
▪ Conduct results, simulations, and what-if analysis.
▪ Determine IT system requirements.
▪ Consider change in management role/responsibilities.
▪ Refine project scope.
Step 3: Create the New IFRS Accounting Framework (Design)
The detailed preparation begins during this step. Cross-functional design teams are assigned the task of developing the practical means for the transition to IFRS and identifying the implications beyond the transition year. The proposed solutions will be tested, and final sign-off of an agreed-on solution will be secured. The exact project structure, number of design teams, and work to be conducted during this phase will depend on the results of Step 2. At the end of this step, a company will have a detailed migration plan, a revised project plan, and a resource budget, and will have commenced the communications program. During Step 3, training needs and materials also will have been identified and developed.
Key aspects of Step 3 include:
▪ Define new policies, procedures, practices, and processes.
▪ Develop a new chart of accounts or mapping.
▪ Configure IT systems.
▪ Plan and execute potential restatements.
▪ Establish data migration parameters.
▪ Produce training materials and employee training schedule.
▪ Finalize the cut-over strategy.
Step 4: Execute the New IFRS Accounting Framework (Build and Implement)
Step 4 is where the design is implemented. Design teams transition to implementation teams, and a pilot and/or parallel run is conducted to ensure that expected results are achieved. The communications program is executed, and investors as well as analysts are made aware of the implications of an effective implementation on the company’s financial reporting. During this step, it is also essential to determine how the further implementation of IFRS will be sustained beyond the transition year since there will be additional changes to incorporate in year two. Key aspects of Step 4 include:
▪ Roll out new systems, test, and reconcile.
▪ Conduct training.
▪ Create support/help desk.
▪ Cut over to new systems.
▪ Stabilize new systems, controls, and processes.
▪ Create new reporting organizations.
Step 5: Continue Compliance (Sustain)
During this final step, companies should embed IFRS in subsidiaries, if not already completed, and continue to monitor the relevance and link between management information and IFRS. Scenario analysis also should be continued as new or revised standards are published. Underpinning each step will be the need for strong program management to ensure that milestones are being adhered to, risks are identified and managed, and costs of implementation are controlled. The benefits of introducing other changes to support IFRS (e.g., management reporting) also should be tracked to ensure that they are being achieved.
The transition to IFRS should be undertaken as a major change event within an organization and should secure board sponsorship and the utilization of cross-functional project teams. Treating the change effort as a finance-only project will severely compromise a successful implementation. Key aspects of Step 5 include:
▪ Transition the steering committee to deal with ongoing compliance.
▪ Ensure the steering committee is aware of new IFRS requirements.
▪ Embed IFRS in subsidiaries.
▪ Continue to monitor the relevance and linkage between management information and IFRS.
KEY ELEMENTS OF AN EFFECTIVE IFRS IMPLEMENTATION
The preceding five steps outline a comprehensive approach to IFRS transition and compliance. To get the most out of this approach, additional issues should be analyzed and considered. In addition to the five-step approach, the next issues should be considered and modified as appropriate based on the business-specific circumstances.
Ensure Board-Level Buy-In
At a minimum, financial managers must secure the support of the chief executive officer (CEO), chief operating officer (COO), chief information officer (CIO), audit committee, and operating controller. This step is probably the most critical for ensuring a successful implementation; therefore, financial managers must make it their responsibility to champion change, justifying their proposition to these individuals to ensure their support.
Set Up an IFRS Transition Team
While team requirements and structure will vary among companies, there are certain key roles that must be filled on each project. Financial managers should recruit people for several positions.
▪ Steering committee. This group should have representation from all interested parties, from relevant board members such as the CEO, COO, and CIO through representatives from finance and IT.
▪ Project manager. Appointed by the steering committee, this person will be responsible for: managing the project on a day-to-day basis; addressing the risks and issues; and achieving the project’s objectives related to time, budget, and quality.
▪ Change and communications manager. This critical position focuses on the people, internal or external, who are affected by the change to ensure their commitment is obtained and the project realizes its full benefits. An IFRS implementation project will involve changes to a company’s IT systems, financial processes, and internal and external communications and may require the development of new roles and responsibilities and the acquisition of new skills by end users.
▪ Technical accounting and policy lead. This person is responsible for: understanding the company’s IFRS requirements; identifying what additional data are required to fulfill these requirements; communicating these requirements to the process reengineering lead; understanding the nature of any material changes to the financial statements; and identifying where changes need to be made to the current IT systems and communicating those changes to the IT lead.
▪ Process reengineering lead. This position focuses on implementing necessary change. The individual who fills this role must: determine the source of additional data; redesign the processes to ensure the additional data are captured; assess the impact of these changes on the close process; work closely with the technical accounting and IT leads to prepare systems requirements; and test the redesigned systems and processes.
▪ IT lead. This individual will take the systems requirements and redesign and test the IT infrastructure, as necessary.
▪ Training lead. This person must work with each lead to identify training requirements; therefore, he or she should be finance and IT savvy. Responsibilities include developing and conducting the training with the required user groups.
Agree on Deliverables
Once the project team is in place, financial managers should agree on the deliverables to ensure that project objectives are met. Specific tasks to complete at this point in the effort include:
▪ Set the project objectives.
▪ Introduce team members and their project roles.
▪ Highlight the timetable.
▪ Clarify the internal reporting and communication requirements.
Overall Process
Financial managers should trust the team to deliver the objectives and allow the project manager and other team leads to work toward achieving key milestones. Financial managers should stay abreast of any significant changes to financial statements and communicate those changes in a timely manner to stakeholders. In the final analysis, IFRS implementation is much more than a finance issue. It requires input and active involvement of employees from virtually all levels of the business, from the board to process owners and from the corporate office to each operating location. Combining the five-step approach with the appropriate level of employee involvement will help to ensure success.
SUMMARY
As of this writing, U.S. adoption of IFRS remains uncertain. However, if mandatory adoption ultimately is required, it certainly will have a significant impact on both overall risk management and internal controls over financial reporting. The requisites will, at minimum, affect public entities and eventually may influence requirements for private companies and nonprofit organizations.
About the Author
ANNE M. MARCHETTI has 25 years of finance and accounting experience in both private industry and public accounting. She is a Sarbanes-Oxley subject matter expert focused on the design, implementation, analysis, and optimization of internal control systems and corporate governance and risk management programs. As a thought leader in this area, she has spoken at numerous conferences and has published several articles on this subject. Ms. Marchetti has worked globally with both public and private entities in most industries as well as with organizations of all sizes. She regularly interacts with Big Four, middle-market, and local external audit firms as a liaison on behalf of these organizations. She has authored two books, Beyond Sarbanes-Oxley Compliance—Effective Enterprise Risk Management (John Wiley & Sons, 2005) and Sarbanes-Oxley Ongoing Compliance Guide (John Wiley & Sons, 2007). Ms. Marchetti served as the global service line director–governance and risk management practice at Parson Consulting. As the practice director, she worked with numerous clients on SOX compliance initiatives and frequently collaborated and presented to boards of directors in regard to SOX compliance, corporate governance, and ERM. Ms. Marchetti leverages this experience with a unique blend of technical skills that include management of ERP software implementations from a technology, process, and accounting perspective. She has designed training programs for boards of directors and audit committees as well as end users and consultants on various business software applications, SOX compliance, ERM, and IFRS and has conducted over 200 formal training seminars. Ms. Marchetti is a member of the AICPA faculty and regularly provides instruction on:
▪ International Financial Reporting Standards
▪ International versus U.S. Accounting
▪ Current issues and critical ethical judgments
▪ Internal control design and documentation
▪ Management assessment of internal control
▪ Auditor’s risk assessment process: tackling the risk assessment SASs
▪ Identifying and communicating internal control deficiencies under SAS 115
▪ Internal control deficiencies: assessment and reporting under SAS 115
Ms. Marchetti served as an assistant controller for a manufacturing company and held positions in public accounting as well as provided expertise in consolidation and financial reporting with Hyperion Solutions. She currently operates Account-Ability Consulting and provides advisory and consulting services in the areas of SOX compliance, internal controls optimization, corporate governance, enterprise risk management, IFRS, financial system implementation, and training/education. Ms. Marchetti received a B.S. in economics from Providence College and an M.S. in accounting from the University of Hartford.
Index
A accounting scandals, 9, 83 accounts payable questionnaire, 111–13 agreements, labor, 39 American Institute of Certified Public Accountants, 163 analytical and consultative services, 123 application controls, 44 approval matrix, 72–73 approval policy and procedures, 69–73 audit committee, 7, 54, 56, 60, 91–92, 145–48 Auditing Standard No. 2, 144 Auditing Standard No. 5, 84 Auditing Standards Board Risk Assessment SASs (SAS 104–111), 4–5, 8 Statement of Auditing Standards (SAS 115), 4, 8–9, 86 Audit of Financial Statements, 144 auditor attestation, 132 AU Section 316, Consideration of Fraud in a Financial Statement Audit, 82–83, 114–19 authority and responsibility, 33–34, 59–60 automation, 149–55, 159, 161 B best practices, 140–42, 145 board of directors activities, 55
COSO and, 55–57 ERM duties and responsibilities, 21, 23 ERM-Integrated Framework, 33 executive compensation, 61 fiduciary responsibility and accountability, 18 IFRS initiatives, 166 opinion survey, 91 oversight and stewardship, 18 risk management, 5, 7, 17–19, 36 BPM. See business performance management (BPM) brand, 29–30 business process improvement/automation, 140 requirements, defining, 160 risk, 2, 7–8, 145 business performance management (BPM), 122, 140 C capital allocation, 13, 39 certification issues, 150 CFO. See chief financial officer (CFO) CFO Magazine, 10 change management protocols, 39 chief auditors, 122 chief executive officer (CEO), 21–22, 121 chief financial officer (CFO), 121, 147 code of ethics, 20, 54, 57, 63–66, 121 collusion, 48
175
Index.indd 175
8/5/2011 11:46:56 AM
176
◾ Index
Committee of Sponsoring Organizations (COSO), 3 authority and responsibility, 59–60 board of directors, 55–57 control environment, 52–53, 90–95 deficiencies, evaluating, 86 entry level controls, 83–84 ERM—Integrated Framework, 4, 25, 28, 31–34, 76 financial controls, 49–52 financial reporting competencies, 58–59 financial reporting objectives, 75–76 financial reporting risks, 76–77 Framework, five components of, 51 fraud risk, 77–83 human resources, 60–61 integrity and ethical values, 53–55 internal control, defined, 4, 51, 58 internal control evaluations, 89 Internal Control—Integrated Framework, 51 Internal Control over Financial Reporting, 53, 55, 57, 59–60, 75, 77, 86 management philosophy and operating style, 57 organizational structure, 57–58 oversight, 47 risk assessment, 74–75 risk assessment and financial controls example, 84–85 top-down risk-based approach, 52 communication, 45–46, 101–3 information and, 27–28 compensation schemes, 165 competence commitment, 34 completeness, 75 compliance monitoring, 149, 151, 156 objectives, 37–38 optimization, 133–34 optimizing, 133–38 plan, ongoing, 138–39 software, 151–52 component depreciation, 164 computer controls, 44
Index.indd 176
confidential information, 65–66 conflict of interest, 64–65 Consumer Protection Act (2010), 9 continuous monitoring benefits of, 154–55 process, 155–57 tool considerations, 155 control activities, 27, 43–44, 85, 99–100 automation, 142, 153–55 environment, 52–53, 90–95 improvements, 128 self-assessment questionnaire, 77 testing, 141–42, 149, 151, 153–54, 157, 159–60 corporate culture, 19–20 Corporate Executive Board, 10 corporate governance, 17, 23, 127, 131, 134, 147 corporate scandals, 7, 18 COSO. See Committee of Sponsoring Organizations (COSO) credit/cash management, 30 criminal penalties and fines, 121 cultural and language barriers, 166 customer satisfaction/dissatisfaction, 39 D data, 155–56 debt and equity structure, 30 debt covenants, 166 Department of Labor, 31 designated approver, 70 disclosure, 133, 136, 139, 142, 144 dividend policy, 166 Dodd-Frank Wall Street Reform, 9 downside risk, 11–12 E economic factors, 38 employee empowerment, 60 Enron, 9, 18, 83 enterprise risk management (ERM) activities of, 26–27 benefits of, 12–13 board of directors, 21 business case for, 11–13
8/5/2011 11:46:56 AM
communication, 45–46 compliance plan, 140 components of, eight, 27–28 control activities, 43–45 definition, 1, 7, 25–28 design and implementation, 35–47 event identification, 38–40 executive support, 13 external events, 38–39 frameworks and standards, 3 informal, 2, 8 information controls, 44 internal audit, 23 internal factors, 39 management, 21–22 objectives, 28 in organizational view, 6 oversight, 47 policies and procedures, 44 publications, 3 requirements, 135 risk and strategy, 14 risk and uncertainties, 7 risk assessment, 40–42 risk effects, 26 risk monitoring, 46–47 risk officer, 22–23 risk response, 41–43 risks, high, 15 roles and responsibilities, 20–23 strategy and objective definition, 36–38 success, keys to, 13–15 top-down monitoring, 17–18 enterprise strategy, 123 entity-level control, 74, 77, 83–84, 88–110 entry level controls, 83–84 equity as debt, reclassifying, 166 ERM. See enterprise risk management (ERM) ERM—Integrated Framework, 4, 25, 28, 31–34, 76 ethical behavior, 20, 54–55, 133 ethical standards, 120, 124, 134 European Commission, 162
Index.indd 177
Index ◾
177
event identification, 27, 38–40, 84
exception remediation, 156–57
executive compensation, 61
executive management, 5, 7, 92–94, 121, 124, 166
executives, 90–91
external communication, 46
external risks, 30

F
false-positive minimization, 155
finance strategy, 123
financial
  close, 136, 159
  controls, 49–52
  restatements, 133, 142
  risks, 30
  statement, 53, 85
financial reporting
  about, 3, 30, 50, 127–28
  competencies, 58–59
  misstatements, 61
  objectives, 75–76, 84
  positions, 60
  risks, 76–77
Foreign Corrupt Practices Act, 70
fraud, 7–10, 82
  policies and procedures, 82
  risk, 77–83, 114–19
fraudulent
  activities, 39
  financial reporting, 3, 82–83
  transactions, 39
FTEs. See full-time employees (FTEs)
full-time employees (FTEs), 142
functional activity management, 43

G
generally accepted accounting principles (GAAP), 163–65, 167

H
high-risk incidents, 35
human resources, 60–61, 95

I
IASB. See International Accounting Standards Board (IASB)
IFRS. See International Financial Reporting Standards (IFRS)
impairment reversal, 165
information, 31, 43
  risks, 101–2
  technology controls, 136
information technology (IT), 165, 171
infrastructure, 39
insider trading, 121
integrated risk, 3
integrity and ethical values, 33, 53–55
intellectual property, 65–66
interest rate fluctuations, 30
internal audit, 23, 143–44
internal control, 8
  assessment, 112–13
  concepts, 87
  deficiency in, 86
  defined, 4, 51, 58
  entity level survey, 88–110
  evaluations, 89
  of financial reporting, 50, 121
  monitoring survey, 105–8
  testing, 132–33
internal environment, 27, 31–34
Internal Revenue Service, 31
International Accounting Standards Board (IASB), 163, 167–68
International Financial Reporting for Small and Medium-sized Entities (SMEs), 163
International Financial Reporting Standards (IFRS), 162–72

L
last-in-first-out method of accounting, 164

M
management
  ERM duties and responsibilities, 21–24
  override, 48, 85
  philosophy and operating style, 57
material
  misstatement, 77, 84–86
  weakness, 86
materiality concept, 75
metrics, key performance, 166
misappropriation of assets, 82–83
misstatements, 150
mitigation, 2
monitoring, 28, 105–8
monitoring software, 152–53

N
natural environment, 39
New York Stock Exchange, 18
nonaccelerated filers, 132–33

O
objective setting, 27
Occupational Safety and Health Administration, 31
operational risks, 30–31
operations objectives, 37
organizational structure, 33, 57–58, 93–94, 121, 126
outsourced functions, 137
outsourcing, 39, 141
overall risk, 49–50, 52

P
PCAOB. See Public Company Accounting Oversight Board (PCAOB)
performance indicators, 43
period-end financial results, 85
personnel, 39, 137
physical controls, 43
political events, 39
postmerger integration, 136–37
presentation and disclosure, 75
process
  change procedure, 127
  documentation, 40
  execution errors, 39
  improvement, 122–23, 125–29, 131
  level control, 52
  modification, 39
procure to pay process flow, 80–81
production stoppages, 39
productivity improvements, 128
Public Company Accounting Oversight Board (PCAOB), 4, 88–89
purchasing controls questionnaire, 111–12

R
record retention, 121
regulatory guidance, 7
regulatory risks, 31
related party transactions, 70
remediation
  about, 76, 133, 137, 139, 143, 146
  prioritization, 127–29
reporting automation, 149, 151
reporting objectives, 37
reputation, 30
reputational damage, 39
revaluation, 165
rights and obligations, 75
risk
  acceptance, 29
  appetite, 28–29, 33, 35, 38
  assessment standards, 8
  avoidance, 29
  categories, 30–31
  control matrix, 78
  governance, 17
  identification, 2
  incidents, 35
  intelligent culture, 13–14
  limits, 29
  management philosophy, 32–33
  management software, 157–58
  management technology, 158
  mitigation, 5, 7, 20, 29, 50
  monitoring, 46–47
  of noncompliance, 132, 161
  officer, 22–23
  profile, 1, 3, 35
  thresholds, 8
  tolerance, 23, 29
  transfer, 29–30
  transparency, 12
risk assessment, 27
  aggregate entity consequences in, 2
  compliance with laws and regulations, 6
  control activities in place, 99–100
  of control environment, 138
  COSO and, 74–75
  defined, 74
  ERM and, 40–42
  event identification and, 84
  managing change, 97–98
  objectives, company-level, 96
  objectives, process-level, 97
  policies and procedures, 99
  process, 2, 6
  risk identification, 97
  risks identified by control activities, 6
  stakeholder value and uncertainty, 2
  survey, 96–98
risk management, 8
  barriers, perceived, 11
  business processes, 3
  centralized, 3
  corporate governance, 17, 23
  deficiencies in, 47
  defined, 1
  importance and benefits, 2
  as offensive weapon for management, 3
  organizational view of, 134
  organization view of, 5–6
  pressure for, 8–9
  risks in multiple business areas, 2
  “silos,” 2, 12
risk response, 41–43, 46, 85
  categorization of, 36
  definition, 29–30
  ERM process, 27, 35–36, 40–44, 46

S
Sarbanes-Oxley Act (SOX), 4, 31, 50
  centralization/standardization, 130
  compliance, generating value from, 121–23
  compliance, moving beyond initial, 123–25
  compliance, ongoing, 125–27
  compliance, optimizing, 136–38
  compliance and financial reporting, 128
  compliance optimization process, 135
Sarbanes-Oxley Act (SOX) (Continued)
  compliance plan, ongoing, 138–39
  compliance program, reevaluating, 125–27
  control improvements, 128
  costs and time for compliance, 121
  criminal penalties and fines, 121
  decentralization/customization, 130
  ERM strategy and, 122
  internal controls, 88
  operational structure and efficiency, 129–30
  origins of, 120–21
  prioritization on business impact and complexity, 129
  process improvement, 129
  productivity improvements, 128
  remediation prioritization, 127–29
  Section 302, 121, 124, 126–27
  Section 404, 5, 76–77, 88, 121, 123–24, 126–27, 129–30, 132, 139, 143–44
  Section 409 — Real Time Issuer Disclosures, 126
  transparency of financial reports, 162
SAS 115, Communicating Internal Control Related Matters Identified in an Audit, 8–9, 86
SEC. See Securities and Exchange Commission (SEC)
Securities Acts of 1933, 120
Securities Acts of 1934, 70, 120
Securities and Exchange Commission (SEC)
  about, 4, 31, 77, 121
  COSO Framework, 51
  IFRS roadmap, 163
  risks, information on, 9–10
  top-down risk approach, 4
security breaches, 39
segmental reporting, 164, 166
segregation of duties, 43
senior management team, 12, 43, 53
significant deficiency, 86
single-exception identification, 155
SMEs. See International Financial Reporting for Small and Medium-sized Entities (SMEs)
social events, 39
software vendors, 153, 160
SOX. See Sarbanes-Oxley Act (SOX)
Statement of Auditing Standards 70 type II letter, 137
strategic risks, 31
systems downtime, 39

T
technological events, 39
technology leverage, 123
transaction processes, supporting, 50
transparency, 120, 162, 167–68
Treadway Commission, 3, 25, 51, 74, 89

U
unethical activity, suspected, 54–55
upside risk, 11–12
U.S. “nonissuers,” 163

V
valuation or allocation, 75
value creation, 17
vendor candidates, identifying, 160

W
whistleblower, 20, 54, 57, 67–68, 121
workplace accidents, 39
WorldCom, 9