EXECUTIVE SUMMARY

MANAGEMENT IS RESPONSIBLE FOR EVALUATING and reporting on a company’s controls. The external auditors are responsible for auditing management’s assertion and independently coming to their own conclusions about the company’s internal control effectiveness. They must evaluate management’s assessment and also perform their own, independent tests in many areas, including the control environment.

THE CONTROL ENVIRONMENT HAS A PERVASIVE structure that affects many business process activities. It includes elements such as management’s integrity and ethical values, operating philosophy and commitment to organizational competence.

ADDING TO THE DIFFICULTY OF THE TASK is the fact that the control environment is not transaction-oriented. Tests of controls that auditors are accustomed to performing, such as walk-throughs or the reperformance of the control for a sample of items, will not be possible. And focusing solely on activity-level controls is inappropriate.

TESTS OF THE CONTROL ENVIRONMENT will consist of a combination of procedures, including a review of relevant documentation of the design, inquiries of management and employees and direct observation.

AUDITORS WILL HAVE TO PROBE for understanding and awareness and try to understand the company’s attitude toward internal control over financial reporting. They also should ask management for a self-assessment.

MICHAEL RAMOS, CPA, is the author of How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control, John Wiley & Sons, 2004. Other articles he has written on section 404 can be found on the AICPA Web site. “SOX 404 Consulting: Where to Begin” is available on the AICPA private companies practice section (PCPS) Web site at www.pcps.org. “SOX 404 Compliance: A Structured Approach” can be viewed at www.aicpa.org. Mr. Ramos’ e-mail address is michaeljramos@mac.com.
Beginning with the first yearend on or after November 15, 2004, many companies will have to comply with the internal control reporting requirements of the Sarbanes-Oxley Act of 2002. The control environment is one of the key components of an entity’s internal control; it sets the tone of an entity, influences the control consciousness of people within an organization and is the foundation for all other components of the internal control system. In this article management and independent auditors will find some suggestions for addressing one of the most challenging requirements of assessing internal control: evaluating the effectiveness of the control environment.

Management has always been responsible for the design and maintenance of the company’s internal control. Now, because of Sarbanes-Oxley, management has the added responsibility to annually evaluate, test and report on the entity’s internal control over financial reporting. The external auditors are responsible for auditing management’s assertion as to the effectiveness of this internal control and coming to their own, independent conclusions. They must evaluate management’s assessment and perform their own, independent tests of controls, including the control environment. Thus, the suggestions provided in this article on testing the control environment may be helpful to management and auditors alike.

As opposed to an activity-level control (for example, checking the mathematical accuracy of a vendor invoice), which is limited to one processing stream, the control environment has a pervasive structure that affects many business activities. It includes elements such as management’s integrity and ethical values, operating philosophy and commitment to organizational competence. Designing and performing tests at the control environment level will be a complex and challenging task—for example, a company may point to its code of conduct as documenting its ethical values. Ultimately though, the mere existence of the documentation of a control is not sufficient to support a conclusion about its operating effectiveness. Management and auditors must do more than demonstrate that a code exists; they must evaluate the effectiveness of the code’s implementation. For example, the entity’s implementation procedures may include training sessions for management and employees on the company’s code and the establishment of formal channels for the confidential communication of code violations to senior management. To determine whether the code of conduct has been implemented effectively, these questions need to be asked:

- How is the code communicated?
- Do the entity’s employees and management follow the code?
- How is compliance with the code monitored?
- Does compliance with the code improve the effectiveness of other control policies and procedures?

Adding to the difficulty of the testing requirement task is the fact that the control environment is not transaction-oriented. The tests of controls auditors are accustomed to performing, such as walk-throughs or the reperformance of the control for a sample of items, will not be possible.
DON’T NEGLECT THE CONTROL ENVIRONMENT
At this early stage of complying with section 404 requirements, most companies have focused on the documentation, evaluation and testing of activity-level controls. For example, bank reconciliations, the matching of shipping documents to invoices and computerized checks of data entered into the accounting system all are examples of activity-level controls.

As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, activity-level controls are just one component of internal control over financial reporting. In an evaluation of internal control, both management and the auditors need to consider all its components. If they focus exclusively on activity-level controls to draw a conclusion about all elements of internal control, they may reach inappropriate conclusions about internal control taken as a whole.

For example, consider the entity that requires its board of directors to approve all significant decisions made by the CEO. Suppose, however, the philosophy of the CEO is that he or she alone knows what’s best for the organization. Suppose, too, the CEO, through a committee he or she controls, is able to handpick the majority of the board members. And because the primary criterion for advancement within the organization is personal loyalty to the CEO, the information that senior management presents to the board is tightly controlled and presented in a way that makes ratification of the CEO’s agenda a foregone conclusion.

Focusing solely on the activity-level control is inappropriate. Read the minutes and you’ll undoubtedly find the board approved all the transactions it should have. On the surface, internal control looks good. In reality it is not. Only by looking at the control environment directly—as in management’s philosophy and operating style and its commitment to competence—does a true picture of the organization begin to emerge.

So how can we take a more direct approach to evaluating and testing the control environment? Here are some suggestions.
ESTABLISH A BENCHMARK
The COSO framework provides criteria and information on the control environment, but this guidance is at a fairly high level since the framework was tailored for all organizations. For example, COSO identifies integrity and ethical values as important pieces of the entity’s control environment and makes a compelling argument for why this is so. But the purpose of COSO is not to explain how to measure or evaluate whether an ethical climate is “effective.” Once management gathers information about the control and its design, it is left to them to decide how to determine and test its relative effectiveness.

Help in judging the relative effectiveness of a software development process came several years ago when a group of IT software professionals developed a “capabilities maturity model.” This model was quickly adopted by the profession as part of its “control objectives for information and related technology” (COBIT) model for gauging IT-control effectiveness. Some of the larger accounting firms recently adapted the model for use in determining the relative effectiveness of internal control of their clients (see “Choose the Right Tools for Internal Control Reporting,” JofA, Feb. 04, page 34).
Summary of Internal Control Reliability Model

The five columns after “Reliability level” are the characteristics of reliability at each level.

| Reliability level | Documentation | Awareness and understanding | Perceived value | Control procedures | Monitoring |
| --- | --- | --- | --- | --- | --- |
| Initial | Very limited | Basic awareness | Unformed | Ad hoc, unlinked | |
| Informal | Sporadic, inconsistent | Understanding not communicated beyond management | Controls are separate from business operations | Intuitive, repeatable | |
| Systematic | Comprehensive and consistent | Formal communication and some training | Controls integral to operations | Formal, standardized | |
| Integrated | Comprehensive and consistent | Comprehensive training on control-related matters | Control processes considered part of strategy | Formal, standardized | Periodic monitoring begins |
| Optimized | Comprehensive and consistent | Comprehensive training on control-related matters | Commitment to continuous improvement | Formal, standardized | Real-time monitoring |

Note: This table and a description of the model first appeared in How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control, by Michael Ramos, John Wiley & Sons, 2004.
The model describes several different levels of reliability or maturity of an internal control system—for example, levels may range from “initial,” the lowest level of reliability, to “optimized,” the highest. The exhibit above summarizes a five-level model based on the various characteristics used to gauge system reliability.

The internal control reliability model can be helpful in designing tests of a control environment’s effectiveness. The overall reliability of the system depends on the characteristics that describe each level. Auditors should design the control environment tests to determine the relative reliability of each of these characteristics, as discussed below.
DESIGNING TESTS
In evaluating the design and operating effectiveness of the control environment, auditors’ tests will consist of a combination of procedures, including

- A review of relevant documentation—for example, the company’s code of conduct.
- Inquiries of management and employees, either verbally, in writing or both.
- Direct observation.

Here are some tips for designing these procedures:

Start with a review of documentation relating to the control environment. The most likely sources of information include the company’s

- Code of conduct.
- Personnel policies.
- Board of directors and audit committee charters.
- Disclosure committee charter.
- Other, informal communications from senior management about control environment matters such as ethics or management philosophy.

Remember that documentation is only a start—not the be-all and end-all. Ask management direct questions about the actions it took to assess how management or employees complied with, or violated, stated management philosophies or standards of behavior. Examples of such questions include

- Have you observed unacceptable behavior on the job? If so, what did you observe?
- If you were to report unacceptable or unethical behavior to senior management, what action do you think management would take?

Probe for employees’ understanding and awareness. Do managers and other employees know the relevance and importance of their control-related activities? Do the board and the audit committee have a full appreciation of their oversight responsibilities?

Try to understand the company’s attitude toward internal control. Is it a “necessary evil,” or is it viewed as an integral part of the company’s management? Suppose you asked senior management and the board the following questions about the company’s code of conduct.

- What was the main reason for developing the company’s code of conduct?
- How often is the code reviewed and updated?

The answers to these questions may be revealing—for example, a manager who says the code was developed because the lawyers recommended it and that it has not been reviewed or updated in the last 10 years tells you a great deal about the attitude of senior management toward the value of an effective control environment.

Ask for a self-assessment. Direct questions can be quite effective. Ask management or operations personnel about how various control environment elements work:

- Do you believe the company has established standards of behavior that create an overall appreciation for and compliance with its documented control policies and procedures?
- How would you describe management’s operating style and philosophy?
- What aspects of the company’s culture or management policies contribute to or detract from your ability to perform your job responsibilities effectively?
PRACTICAL TIPS TO REMEMBER

- Don’t focus your internal control tests exclusively on activity-level controls. You have to evaluate and test the control environment, too.
- Establish a benchmark, such as the internal control reliability model, that will be used to gauge internal control effectiveness. Use this model to design your tests of the control environment.
- Use several different testing techniques to gather information about the control environment from a broad range of entity personnel.
CONTROL ENVIRONMENT CHALLENGES
Sarbanes-Oxley section 404, which requires management to assess and report on the effectiveness of a company’s internal control over financial reporting, has changed dramatically the landscape of control assessment. The control environment is an integral part of the internal control system and therefore must be understood, evaluated and tested, first by management, and then by the external auditors.

The subjective, non-transaction-oriented nature of the control environment will create many challenges, none of which management can use as a rationale for noncompliance. A good place for both management and the auditor to begin is to develop a model, such as the internal control reliability model, that describes the characteristics of a control environment at various levels of reliability. Management can then design tests to evaluate the presence or absence of each of those characteristics and how effective the control environment really is.
RESOURCES

The Institute answers individual questions at the Sarbanes-Oxley Act hot line: 866-265-1977, and up-to-date compliance information for CPAs is available at Sarbanes-Oxley Act/PCAOB Implementation Central, http://cpcaf.aicpa.org/Resources/Sarbanes+Oxley/The+Changing+Regulatory+Landscape.htm.

Publications
- Consideration of Internal Control in a Financial Statement Audit, an AICPA Audit and Accounting Guide (# 012451JA).
- Financial Reporting Alert, Internal Control Reporting—Implementing Sarbanes-Oxley Section 404 (# 029200JA).
- Financial Reporting Fraud: A Practical Guide to Detection and Internal Control by Charles R. Lundelius Jr. (# 029879JA).
- Internal Control—Integrated Framework, COSO report (# 990012JA).

CPE
- Internal Control Reporting for Public Companies, a webcast originally presented July 17, 2003, and now available on CD-ROM (# 737132HSJA).
- Internal Controls: Design and Documentation, a self-study course (# 731850JA).
- SEC Reporting, a self-study course (# 736771JA).

Conferences
- National Advanced Accounting and Auditing Technical Symposium (NAAATS), July 22–23, 2004, Hilton La Jolla Torrey Pines, La Jolla, California.
- Conference on Advanced Litigation Services and Fraud, September 26–29, 2004, JW Marriott Desert Ridge, Phoenix.

For more information, to place an order or to register, go to www.cpa2biz.com or call the AICPA at 888-777-7077.