AuditNet®



Complying with SOX 302 Reporting Requirements: The Practical Benefits of an Issue Reporting and Remediation Management System

by Bruce McCuaig CA, CCSA, CIA



Since August 2003 SOX 302 has required quarterly CEO/CFO certifications of “disclosure control effectiveness” and additional certification that all significant deficiencies and material weaknesses are being reported each quarter to audit committees and external auditors.


Accelerated filers have justifiably been focused on meeting their SOX 404 certification requirements. With that hurdle passed, these companies now need to integrate their quarterly review of disclosure controls with sub-certification processes, remediation management, and the preparation and review of quarterly disclosures.


Non-accelerated filers, granted relief by the recent extension of the SOX 404 deadline to year-ends after June 30, 2006, should pay particular attention to SOX 302 and to an issue reporting system as a means of developing a far more careful, cost-effective SOX 404 implementation strategy.


Annual SOX 404 certifications are guided by PCAOB Standard No. 2, designed to provide both management and auditors with a basis for annual control effectiveness opinions. No guidance whatsoever exists to suggest what management should review to support their quarterly, unaudited SOX 302 certifications.


One practical strategy is to develop a framework for defining, monitoring and managing internal control incidents and issues from all possible sources and integrating the reporting and remediation of these issues with the quarterly disclosure process. Reported incidents should also drive control documentation and testing strategies for SOX 404 requirements.


For this discussion, incidents refer to actual events indicative of internal control effectiveness. An example would be an inventory adjustment related to a prior period. Issues are defined as potential gaps in the control framework. An example would be a vacant key position in the corporate consolidation group.


Simply put, if controls are operating effectively, management will be aware of the issues and incidents that the control systems detect or prevent. The extent to which control systems prevent or detect exceptions is evidence of their effectiveness. High levels of reported incidents or issues should draw attention to areas of high and low performance and provide a basis for cost-effective resource allocation.


The PCAOB definitions of significant deficiencies and material weaknesses provide only a threshold level of issues or incidents indicating real or potential failure in internal control over financial reporting. Companies need much more information about incidents or issues and they need it much sooner, before they reach a reportable threshold.


While the practice of defining and routinely identifying and reporting all incidents or issues may be new and even foreign to the auditing and accounting world, it is a standard practice in almost every other assurance profession and activity where high reliability is required.


Safety professionals routinely identify and track lost time injuries and near misses. Quality professionals identify and track instances of product failure. Environmental specialists track and report details such as minor spills of fluid caused by hydraulic failure in heavy equipment.

Getting Started: Defining the Problem

Under Sarbanes-Oxley, companies are faced with the need to establish a new reporting culture. Operating activities, transaction processing and certification processes generate countless “incidents” or “issues”, constituting deviations from expectations or standards, all of which are handled in the normal course of events but usually not analyzed for their impact on internal control effectiveness.


Management will need to begin to track and analyze them much more carefully. Here are some examples of routine incidents and issues that could indicate deficiencies:

· Implementation of a new computerized accounts receivable system has resulted in customer invoices being delayed for three to four weeks, accompanied by significant increases in customer complaints and product returns.

· An expense account from a senior manager, one in a position of significant authority, containing an invalid expense claim is refused and returned.

· Inventory counts at three major plants result in larger than normal book-to-physical adjustments and valuation adjustments.

· Large sales booked at the end of a quarter were reversed in the next quarter with credit notes.

· Anonymous allegations of wrongdoing are made through the whistleblower hotline facility.

· Mathematical errors are made in spreadsheet calculations and the resulting consolidating journal entries fail to eliminate intercompany accounts.

· Internal auditors find a weakness in a key internal control and make a recommendation for improvement.

· A key staff member involved in the corporate consolidation process goes on leave and is not replaced.

· Tax authorities issue unexpected reassessments of prior years' returns, causing tax provisions to be adjusted.

· The company has instituted a new Code of Conduct, complete with a certification procedure for key employees, but some employees refuse to sign their code of conduct certifications or note exceptions to their certification.

· Managers refuse to sign quarterly financial or process certification letters or note exceptions to their required certification.

· Budget-to-actual variance analyses reveal misallocations of cost to a business unit.

· Management's self-test of a key internal control required for SOX indicates a failure of the control for a brief period.

· Remediation of a significant deficiency in pension accounting has been completed in the quarter.


Most companies deal with issues such as these on an ad hoc basis every day. But each of these incidents is evidence of the design or operating effectiveness of controls. Material changes in the location, frequency or levels of these incidents or issues may be evidence of a material change in disclosure controls.


For example:

· If the frequency and magnitude of inventory adjustments increases or decreases, it is reasonable to infer that something has happened to change internal control.

· If the number of vacancies in significant positions increases, or the experience or credentials of the incumbents in key positions declines, it is possible to conclude that the risk of a deficiency occurring has changed.


Some incidents and issues are specifically defined in the PCAOB standards as strong indicators of possible deficiencies, and internal reporting of them is mandatory. In some cases materiality is irrelevant to the classification of an event as a deficiency. In addition, combinations of issues or incidents that are insignificant individually can have a cumulative effect and constitute a significant deficiency when considered in aggregate. For example, implementing a new financial reporting system while vacancies remain in key accounting positions could have a compound effect.

Companies must learn to identify, assess, classify, aggregate and report incidents and issues on a regular basis. Incidents and issues such as these are now potentially significant and must be considered carefully for their impact.

A Suggested Framework

1. Create a reportable incident/issue policy

Define in clear terms what constitutes a reportable incident or issue. All of the examples mentioned above should be considered. Materiality must be considered. Normal variations should be determined and exception levels defined. This requires careful consideration of acceptable variances in inventory counts, accruals and other accounting matters. It requires setting performance standards in a number of areas. Specific consideration needs to be given to defining material changes in qualitative as well as quantitative terms. For example, inventory controls over crude oil feedstock at a refinery might be considered effective if monthly inventory variances are less than 0.5% of volumes.

2. Define categories of reportable incidents

Regardless of materiality, suspected fraud by a person in a position of authority must be reported. This would include such things as false expense claims, and accruals or other entries that are not supportable with evidence. Code of conduct incidents may be given more weight than system errors, but classification by type is important. Reportable incidents can arise in a number of ways from a number of different processes. All must be identified and managed. Acceptable variations should be identified by account and location.

3. Identify incident reporting processes

Existing processes include budget reviews, account reconciliations, CSA surveys, internal audits and management self-test results, to name just a few. Each company has its own processes, both formal and informal. Any process capable of producing information on the level or reliability of control reporting, or on significant gaps in the control framework, must be explicitly identified. Issues or incidents arising from identified processes must be reported. Quarterly reporting must include a review of each source of incident information.

4. Define incident reporting standards

Specific information must be gathered for each incident or issue. Define the specific information required to classify, evaluate and identify the root cause of the deficiency. Minimum reporting standards must be developed. They would include the source of the information, the event description, the account, location and process impacted, any relevant quantitative or qualitative information, and categorization of the COSO or other control element that failed or was missing.

5. Create an incident management system

Create a system for reporting, tracking and managing incident information. Companies using sophisticated SOX tools such as relational databases and document management systems will have a distinct advantage over those using spreadsheets. Reported issues and incidents can be linked to specific processes, locations and accounts and integrated with existing testing and process flow information.

6. Define reporting and evaluation frequencies

SOX certifications under Section 302 are made quarterly. Many companies will wish to review and analyze incidents much more frequently. Many of the processes capable of identifying issues or gaps work on a monthly basis. Others, such as surveys or code of conduct certifications, may work only annually.

7. Assign accountability: who must report

Under SOX, many companies have appointed process or account owners and in some cases location managers. These people must be formally assigned reporting responsibility for incidents. There must be consequences for withholding. Account owners may be required to report incidents arising from account reconciliations. Operating managers may be required to report operating issues or incidents, such as a decision to impair inventory, where the quality of internal control is a factor. Internal audit should play a role in ensuring the quality of the incident and issue reporting system.

8. Establish aggregation and analysis standards

Companies must assess the identified events individually and in aggregate. Mechanisms must exist to view reported events or incidents at least at the account level and by their COSO category. In addition, any fraudulent or potentially fraudulent activity must be reported. The more detail gathered about issues and incidents, the more useful the analytical reports. It is critical to remember that reported issues and incidents can be as much evidence of an effective system of internal control as evidence of possible deficiencies.

9. Assess against internal and external criteria

Incidents must be assessed against the definitions of significant deficiency and material weakness provided by SOX and the PCAOB as well as against internal standards and policies. Internal controls are not intended to prevent all errors. If inventory count adjustments are within established tolerances, they will be considered acceptable. But careful consideration is required in assigning cost effective ranges within which incidents and issues are acceptable.

10. Manage remediation

Management must be able to demonstrate that active and effective remediation is in place. Remediation measures must be managed and tracked through completion and process descriptions updated. Records of remediation activity must be retained.
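As an added illustration (not part of the article, and not any vendor's product), a minimal Python incident register applying steps 1 to 4, 8 and 9 above: the record fields follow the article's minimum reporting standard, the tolerance table and the sample quarter are constructed, and the 0.5% inventory tolerance is the article's own figure.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed tolerance table (step 1): acceptable variance per account as a fraction of the base;
# the 0.5% inventory figure is the article's own example, the accruals value is illustrative.
TOLERANCES = {"inventory": 0.005, "accruals": 0.02}

@dataclass
class Incident:                    # minimum reporting standard, step 4
    source: str                    # process that surfaced it (reconciliation, CSA survey, audit ...)
    description: str
    account: str
    location: str
    process: str
    coso_element: str              # COSO component that failed or was missing
    variance: float = 0.0          # quantitative measure as a fraction of the account base
    suspected_fraud: bool = False
    by_authority: bool = False     # person in a position of significant authority
    qualitative_gap: bool = False  # an "issue": a potential gap such as a vacant key position

def classify(inc: Incident) -> str:
    """Steps 2 and 9: fraud by someone in authority and qualitative gaps are reportable
    regardless of materiality; measured incidents are compared against the account tolerance."""
    if (inc.suspected_fraud and inc.by_authority) or inc.qualitative_gap:
        return "reportable"
    tol = TOLERANCES.get(inc.account)
    return "reportable" if tol is not None and abs(inc.variance) > tol else "log only"

def aggregate(incidents):
    """Step 8: count reportable events by account and by COSO element."""
    by_account, by_coso = defaultdict(int), defaultdict(int)
    for inc in incidents:
        if classify(inc) == "reportable":
            by_account[inc.account] += 1
            by_coso[inc.coso_element] += 1
    return dict(by_account), dict(by_coso)

def unreviewed_sources(incidents, required_sources):
    """Step 3: the quarterly review must cover every identified source, even one that reported nothing."""
    return sorted(set(required_sources) - {i.source for i in incidents})

# Constructed sample quarter, modelled on the article's own examples.
SAMPLE = [
    Incident("account reconciliation", "book-to-physical adjustment", "inventory", "Plant A",
             "inventory count", "control activities", variance=0.012),
    Incident("account reconciliation", "book-to-physical adjustment", "inventory", "Plant B",
             "inventory count", "control activities", variance=0.003),
    Incident("expense review", "invalid expense claim by senior manager", "travel expense", "HQ",
             "expense approval", "control environment", suspected_fraud=True, by_authority=True),
    Incident("CSA survey", "key consolidation position vacant and not replaced", "consolidation", "HQ",
             "consolidation", "control environment", qualitative_gap=True),
]
```

Running `aggregate(SAMPLE)` shows the Plant B count staying below tolerance while the fraud and vacancy items are reportable regardless of size, and `unreviewed_sources` flags a source (for example internal audit) that produced no incidents and so still needs its quarterly review.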


Most companies have breathed a sigh of relief on completing their SOX 404 projects. But unless formal processes are in place to continuously assess and adjust internal control over financial reporting, quarterly certifications will be unsupported and each annual certification will be as painful as the first one.


For non-accelerated filers, granted an extension to their SOX 404 deadline, an incident reporting and remediation system may be a logical first step to assessing control effectiveness and designing a SOX 404 implementation strategy.


An analysis of incidents and issues is a practical, defensible measure of internal control trends. Material changes can be defined and reported as they occur.


Internal control is a constantly changing but manageable dimension of the business. Establishing an incident or issue reporting framework is a simple, cost-effective and pragmatic way to meet the ongoing reporting requirements of SOX 302.


Written by Bruce McCuaig CA, CCSA, CIA, Principal Consultant, Collaborative Assurance & Risk Design with Paisley Consulting, the Cokato, Minnesota business accountability solutions provider. Contact: bruce.mccuaig@paisleyconsulting.com

