Working In Uncertainty
Controls design for efficient compliance with Sarbanes-Oxley's section 404: Implement internal control systems that are efficient and easier to audit
by Matthew Leitch, first appeared on www.irmi.com in October 2005.
Designing good, efficient, easily audited internal controls – as opposed to letting controls happen then auditing people into a stupor – has always been the smart way to comply with internal control regulations, including the infamous sections 302 and 404 of the Sarbanes-Oxley Act of 2002, and the UK's less demanding Turnbull report.
It's certainly better than letting your internal control system be dictated by the simplistic checklists of auditors and the sales literature of IT vendors.
Earlier this year, guidance issued by the Public Company Accounting Oversight Board (PCAOB), which sets standards for external audit against section 404, further underlined the potential impact of clever controls design. On 16 May 2005 the Board issued two documents (in a coordinated release with the Securities and Exchange Commission) that aimed to encourage companies and their auditors to implement the regulations more intelligently and in a less costly way. (Cynics would say the regulators sought to defend their own rules by slapping the wrists of the big 4 audit firms, contradicting several of the things those firms had been telling their clients over the preceding year and a half.)
Within the staff questions and answers document, at answer 47, they say:
‘... management might be able to determine that controls operate effectively through its direct and ongoing monitoring of the operation of controls. This determination might be accomplished through performing regular management and supervisory activities, monitoring adherence to policies and procedures, and performing other routine actions. For instance, a supervisor's review of a monthly account reconciliation prepared by one of his or her subordinates could be a monitoring control that also provides management with evidence supporting its assessment of internal control over financial reporting, if the results of the supervisor's review were evaluated and documented as part of management's assessment. To appropriately evaluate the adequacy of management's assessment as directed by the standard, the auditor needs to recognize these other types of procedures that are available to management as part of the basis for its assessment.’
Later, the PCAOB explains that if a control is tested by the person that performs it then this is self assessment and the external auditor cannot rely on it and reduce his/her work accordingly. However, if the test is performed by someone other than the person who performs the work then this is not self assessment and there is scope for external audit reliance.
In other words, companies that design the routine supervision aspect of internal controls appropriately might achieve a high proportion of compliance with no further effort. (Exactly how far this can be taken is not known.)
To set the scene for a detailed examination of the design of supervision let's first review some of the other ways that good internal controls design can help with internal controls compliance.
Lines of defence
A common beginner's mistake is to imagine that internal controls meet control objectives (or risks if you prefer) one by one.
The reality is quite different. Most controls address many risks, while most risks are met by several controls. I often think of layers of controls or lines of defence. Few controls are completely effective so multiple layers act like filters to cut down the risks in stages.
Audit documentation tends to understate this multi-layered nature so it is important in controls design work to document designs so that the full system is visible.
Automated ‘killer’ controls
Having said that control systems are multi-layered, it still makes sense to pick out certain controls and try to make them the ones that get the most focus from auditors. These controls will usually be automated detective controls with a wide span that sit on top of lots of other controls and prove they worked.
Done correctly these controls make testing others virtually pointless and so cut audit costs.
For example, the PCAOB's auditing standard 2 describes auditors checking that compiled software files on a live system have the same dates and sizes as the software vendor says they should have. What a tedious test but surely one that can be scripted and done as often as anyone likes. It would provide evidence that a range of controls over software change has operated effectively.
If company security policies for servers have been defined in terms of the specific parameters to be set then these can be checked across many servers quickly and automatically.
Other examples include overall reconciliations between accounts, files, or databases, and automated comparisons of details between files or databases.
Dynamic anomaly and pattern recognition software can be used to filter for new forms of error. The software uses statistical learning to identify typical record values, and their combinations, then searches for unusual transactions.
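The scripted file check described above, written out as an added example (not code from the article or from any vendor): a manifest of expected sizes and dates is compared against a live directory tree, and every deviation, including files the manifest never mentioned, becomes a finding that can be logged as evidence that change controls held. The manifest, the timestamp and the sample files are all constructed here so the script runs offline.

```python
import os
import tempfile
from typing import Dict, List, Tuple
STAMP = 1_120_000_000  # constructed release timestamp (Unix time) used for every expected file
# Constructed vendor manifest: relative path -> (expected size in bytes, expected mtime).
VENDOR_MANIFEST: Dict[str, Tuple[int, int]] = {
    "bin/ledger.exe": (24, STAMP),
    "bin/post.dll": (16, STAMP),
    "conf/rates.cfg": (10, STAMP),
}
# A finding is (path, issue, expected, actual); issue is "missing", "size", "mtime" or "unexpected".
Finding = Tuple[str, str, object, object]

def verify(root: str, manifest: Dict[str, Tuple[int, int]]) -> List[Finding]:
    """Return every deviation between the live tree under root and the manifest, sorted by path."""
    findings: List[Finding] = []
    for rel, (exp_size, exp_mtime) in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings.append((rel, "missing", exp_size, None))
            continue
        st = os.stat(full)
        if st.st_size != exp_size:
            findings.append((rel, "size", exp_size, st.st_size))
        if int(st.st_mtime) != exp_mtime:
            findings.append((rel, "mtime", exp_mtime, int(st.st_mtime)))
    # Files the manifest does not list get a finding too: unapproved changes often appear as extras.
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in manifest:
                findings.append((rel, "unexpected", None, os.path.getsize(full)))
    return sorted(findings, key=lambda f: (f[0], f[1]))

def put_file(root: str, rel: str, size: int) -> None:
    # Write a sample file of the given size and stamp it with the constructed release time.
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(b"x" * size)
    os.utime(full, (STAMP, STAMP))

def build_sample_tree() -> str:
    """Constructed live system: one file correct, one tampered, one missing, one extra."""
    root = tempfile.mkdtemp(prefix="sox404_")
    put_file(root, "bin/ledger.exe", 24)  # matches the manifest
    put_file(root, "bin/post.dll", 20)    # 20 bytes where 16 were expected
    put_file(root, "conf/extra.cfg", 5)   # not in the manifest at all
    return root
```

Running `verify(build_sample_tree(), VENDOR_MANIFEST)` yields three findings (a size mismatch, an unexpected file and a missing file); an empty list is the evidence the auditor wants, and the script can be scheduled as often as the text suggests.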
Measurement for management
Every large scale, high volume business/accounting process should have an owning group that gets together regularly to study statistics about the health of the process, including its error rates, backlogs, volumes, speeds, IT support issues, and staffing.
Their role should include systematically analysing the causes of problems and taking actions to remove or reduce those causes.
This activity and its supporting reports improve control and provide easily accessed evidence both that control checks have operated (otherwise numbers would be missing from the report) and whether the control system is effective (which is what the numbers show).
A well designed process health report (what bankers call an operational risk KRI report) will show time series and use graphs to help people understand how things have unfolded over time.
Design for inherent reliability
In high volume, large scale business/accounting processes the efficient approach is almost always to stop errors from happening in the first place. This requires design for inherent reliability.
This is not quite the same as using ‘preventive’ controls. ‘Preventive’ traditionally means controls performed before data is entered into a computer system. Many so-called ‘preventive’ controls are checks for errors or fraud that have already occurred.
Increasing inherent reliability means making errors and fraud arise less frequently. Usually this is accomplished by good ergonomics, software bug removal, and control checks in supporting processes. People often omit ergonomic improvements but this is due to ignorance of ergonomics, not because the improvements are unimportant or hard to do.
Ultra low error rates that have been measured by high powered automated checks, reported and tracked, are extremely reassuring for everyone, including external auditors.
Looking to the future
Things change and controls get out of date unless they are adapted to meet new conditions and requirements. This process is itself a control to be designed, implemented, operated, assessed, and audited.
Faced with any form of planned or anticipated change or trend the process should identify the main types of control mechanism that are likely to need revision and direct the right kind of resources to do the work in adequate time.
Remedial work cannot be completely eliminated because no controls design is perfect first time and all need to be tuned in the light of experience. However, most companies today rely much too heavily on after-the-event audit work to tell them when controls work is needed.
Supervision and compliance
Let's return, now, to supervision. The main design constraints from the PCAOB are simple:
Let's imagine the underlying control is a set of five daily bank reconciliations performed by an accounts clerk. Currently paper copies of these are all initialled by the Assistant Head of Treasury and that's it.
From a control point of view this is disappointing because potential information from the control check is not being picked up or passed on. The opportunity to identify process and system flaws and remove them is being missed. We have no visibility of process health. We also have little idea how thorough the Assistant's review is before the initials are scribbled on the paper.
From a compliance point of view this is also a missed opportunity because the assurance goes no further than the Assistant. There is little alternative but for auditors to test the Assistant and the clerk in some detail.
What can we change? Here are some suggestions:
Now we have a pyramid of supervision helped by central capture of evidence, and suffused with process health information.
Treat people like people
Traditional internal control theory sees no problem in treating every employee as if they are work shy, dishonest, incompetent, or all three. While a very few employees are like this most are not and feel distrusted and insulted by their employer unless treated with more respect.
This is a fundamental problem for internal controls design and not one we can shrug off, saying ‘Well, we've just got to do this because it's the law.’
Some helpful tactics are as follows:
Well designed internal controls can lighten the regulatory burden, reduce errors and fraud, and still leave people feeling like people. The PCAOB has opened the door to more enlightened compliance and I urge all companies to take the opportunity offered.
Words © 2005 Matthew Leitch.