Internal controls and the Sarbanes-Oxley Act
by Matthew Leitch
Author of "Dynamic Management"
In case you've forgotten, the Sarbanes-Oxley Act of 2002 includes some potentially tough requirements about internal controls in sections 302 and 404. Section 302 is the one with the famous certification that information issued to the market is correct ("My accounts are correct - well, as far as I know."). However, it also has requirements about evaluating "disclosure controls" (i.e. controls over the information being disclosed to the market) and about being aware of any changes that might have affected the performance of those controls since the evaluation was made.
Section 404 requires an annual evaluation of the effectiveness of internal controls and procedures for financial reporting specifically, and adds that this evaluation must be attested to by the external auditors.
Section 302 is operating, but section 404 still has not been implemented by the SEC. The SEC have said the effective date of their proposed rules will be 15 September 2003 to give the Public Company Accounting Oversight Board (PCAOB) time to adopt relevant audit standards for the attestation.
Don't panic!
Section 302 came into operation so quickly that companies had little time to think. Faced with a need for more assurance on controls at very short notice, companies applied their familiar methods but more vigorously.
The conventional approach, typified by the recent white paper by PricewaterhouseCoopers and advice from KN&Co, is to document controls, list them against risks, consider gaps, test individual controls to see that they are operating, and consider the results of all that work to reach a conclusion about effectiveness.
Time to think again
Two factors mean this comfortingly familiar theory is in need of updating. Firstly, the sheer volume of evaluations needed now by large international companies - especially in more regulated industries like banking - is so great that we are now in new territory. Even if the conventional approach is done through Control Self Assessment it is burdensome when applied so often and across so much of an organisation. It is time to think about more continuous sources of evidence, embedded in normal operations.
Secondly, the Act says "effectiveness". It does not say "apparent effectiveness based on how convincing the design looks and the fact that the controls appear to be operating". What if we misjudge the design? Surely there are more direct ways to gather evidence on the effectiveness of controls?
Responding efficiently to s302 and s404
Here are some ideas for designing an efficient response to the internal control requirements of Sarbox:
- Use process control monitoring reports for direct evidence of controls effectiveness. Large scale business/accounting processes should always be managed as processes, with the help of statistics on process throughput, health, and systems support. The health statistics are mainly error rates and backlogs. Although they cannot show the rate of undetected error, they can give a good picture of controls effectiveness. A process or accounts department that spends a lot of time correcting errors and cannot keep up with its workload is failing, and its controls are not effective. If no statistics are available at all then the controls are inadequate for that reason alone.
Clearly, this is only applicable to large scale processes, but that's where most of the assurance work is needed.
This kind of process monitoring can also help you comply with the requirement to know when changes have happened that might affect the effectiveness of controls. Process control teams should look at forthcoming requirements and changes, monitor them, and ensure that processes and controls are modified in good time to meet new challenges.
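As an added illustration (not code from the original article), the following Python turns the kind of process statistics described above into a health report and applies the article's own tests: a rising detected-error rate, a large share of effort spent on correction, and a backlog that keeps growing all point to controls that are not effective, and having no statistics at all is itself a finding. The record layout, the sample weekly figures and the thresholds are assumptions chosen for illustration, not figures from the article. Note that, as the article says, nothing here can measure the rate of undetected error.

```python
"""Process-health statistics as direct evidence of controls effectiveness.

Added example, not taken from the article. The record layout, the sample
data and the thresholds below are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PeriodStats:
    period: str
    received: int          # items entering the process (e.g. supplier invoices)
    completed: int         # items processed to completion in the period
    errors_detected: int   # items rejected or corrected by a control
    hours_total: float     # staff hours worked on the process
    hours_correcting: float  # of which spent investigating/correcting errors


# Constructed sample: a payables process over six weeks, deteriorating from W03.
SAMPLE = [
    PeriodStats("W01", 1000, 990, 20, 400.0, 30.0),
    PeriodStats("W02", 1050, 1000, 25, 400.0, 40.0),
    PeriodStats("W03", 1100, 950, 60, 400.0, 110.0),
    PeriodStats("W04", 1100, 900, 90, 400.0, 160.0),
    PeriodStats("W05", 1200, 900, 110, 400.0, 180.0),
    PeriodStats("W06", 1150, 950, 100, 400.0, 170.0),
]

# Assumed thresholds; a real programme would set these per process.
ERROR_RATE_MAX = 0.05          # detected errors per item received
CORRECTION_SHARE_MAX = 0.25    # share of effort spent correcting
BACKLOG_GROWTH_PERIODS = 3     # consecutive periods of backlog growth


def health_report(stats, opening_backlog=0):
    """Per-period error rate, correction share and cumulative backlog."""
    rows = []
    backlog = opening_backlog
    for s in stats:
        backlog += s.received - s.completed
        rows.append({
            "period": s.period,
            # Only detected errors can be counted; undetected error is invisible here.
            "error_rate": s.errors_detected / s.received if s.received else 0.0,
            "correction_share": s.hours_correcting / s.hours_total if s.hours_total else 0.0,
            "backlog": backlog,
        })
    return rows


def backlog_growing(rows, periods=BACKLOG_GROWTH_PERIODS):
    """True if the backlog rose in each of the last `periods` periods."""
    if len(rows) <= periods:
        return False
    tail = [r["backlog"] for r in rows[-(periods + 1):]]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


def assess(rows):
    """Apply the article's tests and return a verdict with supporting findings."""
    if not rows:
        # No statistics: the article treats this as inadequate in itself.
        return {"effective": False, "findings": ["no process statistics available"]}
    latest = rows[-1]
    findings = []
    if latest["error_rate"] > ERROR_RATE_MAX:
        findings.append(f"{latest['period']}: detected error rate {latest['error_rate']:.1%} "
                        f"exceeds {ERROR_RATE_MAX:.0%}")
    if latest["correction_share"] > CORRECTION_SHARE_MAX:
        findings.append(f"{latest['period']}: {latest['correction_share']:.0%} of effort spent "
                        f"correcting errors (limit {CORRECTION_SHARE_MAX:.0%})")
    if backlog_growing(rows):
        findings.append(f"backlog has grown for {BACKLOG_GROWTH_PERIODS} consecutive periods "
                        f"to {latest['backlog']} items")
    return {"effective": not findings, "findings": findings}


if __name__ == "__main__":
    report = health_report(SAMPLE)
    for r in report:
        print(f"{r['period']}  errors {r['error_rate']:.1%}  "
              f"correcting {r['correction_share']:.0%}  backlog {r['backlog']}")
    verdict = assess(report)
    print("controls effective:", verdict["effective"])
    for f in verdict["findings"]:
        print(" -", f)
```

The same report, produced every period by the process control team rather than once a year by auditors, is the "continuous source of evidence, embedded in normal operations" the article calls for, and a step change in any of the three measures is also the signal that something has changed which may have affected the controls.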
- Document controls so the documentation is useful and compact. Some extra documentation is inevitable and a lot of time and paper can be saved by making the right choice of layout. This is one of those crucial details. If your layout does not automatically provide a list of controls (without duplication) that can be sorted by type and by owner then it is unlikely to be useful and compact. (Detailed guidance on this is beyond the scope of this article, but there's a link to more information below.)
- Design an integrated assurance approach. There are so many demands for assurance on large companies now that only an integrated programme designed to meet multiple demands, often from the same work, will be efficient.
- Anticipate likely control weaknesses and start remedial work. As Board members consider their evaluation of internal controls effectiveness, the last thing they want is lots of nasty control weaknesses to think about. Weaknesses generate a huge amount of internal audit work too, as people try to get comfortable despite evidence that they should worry. Fortunately, the likely trouble spots are not hard to guess. In addition to any long standing issues specific to your company, how many of the following will be on your company's list?
- IT security (i.e. access restriction), especially where systems are connected across networks
- Business continuity
- Basic financial controls in recently acquired businesses
- Controls over disclosures like directors' remuneration, market risk, and other items that are not produced by a large scale system
- Technical flaws in enterprise-wide risk management
Intensifying internal audit work on these issues may not be as effective as bringing in people to solve the problems that have prevented the issues from being cleared before.
- Anticipate disclosures. A useful early step is to examine the disclosures your company makes and where the information comes from, but this needs to become a rolling programme of anticipation and assurance. Sometimes it may be necessary to carry out reviews even when it is not yet certain that a disclosure will be required, simply to cover the risk that one is.
- Look at what you are being asked to say. The rules so far do not say how companies should express their conclusions as to the effectiveness of their internal controls. Very subtle nuances of wording could have huge implications for the amount of work needed to support them. "Our controls are/are not effective" is a big challenge, but "Our controls are generally satisfactory, all things considered." is really saying very little. The SEC have not proposed anything specific in their proposed rules but perhaps the PCAOB will. PricewaterhouseCoopers, the world's biggest audit firm, have suggested a scale of maturity in internal controls to provide some basis for describing effectiveness.
More ideas
For more ideas on a number of the themes in this article visit the Dynamic Management website. Subjects covered include:
- Efficient compliance with s302 and s404 of the Sarbanes-Oxley Act
- Documenting control systems compactly
- Bringing external auditors' sales activity into the open
- Reviewing risk management processes for technical flaws (an online questionnaire that generates a draft report)
Matthew Leitch
Author of "Dynamic Management"
matthew-leitch@supanet.com