

A Reality for the present and future. 

SOX requires companies to document, test and retain evidence of the existence and effective operation of Internal Controls Over Financial Reporting (ICOFR). This obligation is onerous and is creating immense paperwork and manual effort to create and maintain an audit trail.

The benefits of a 'paperless' office have thus far been negated by this regulation as far as 'manual' controls are concerned, and a majority of 'key' and relied-upon controls are manual.

In addition to the excessive design and implementation costs, Management has a continuing obligation to monitor, test and certify the Existence and Effectiveness of Internal Controls over Financial Reporting.

What is needed is a dynamic, configurable control execution / monitoring / recording process that is amenable to audit and supports appropriate hierarchical access and change control. Further, control implementation, monitoring and any necessary remediation need to be 'paperless', cost effective, non-intrusive, efficient and secure, in addition to providing a valid audit trail.


I. Top-Down Approach

A top-down approach begins at the financial statement level and with the understanding of the overall risks to internal controls over financial reporting. The focus should begin with entity level controls and then work down to significant accounts and disclosures and their relevant assertions.

A. Risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions include:

-          Size and composition of the account;

-          Susceptibility to misstatement due to errors or fraud;

-          Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure;

-          Nature of the account or disclosure;

-          Accounting and reporting complexities associated with the account or disclosure;

-          Exposure to losses in the account;

-          Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure;

-          Existence of related party transactions in the account; and

-          Changes from the prior period in account or disclosure characteristics. 


B. Fraud Risk Controls include:

-          Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries;

-          Controls over journal entries and adjustments made in the period-end financial reporting process;

-          Controls over related party transactions;

-          Controls related to significant management estimates;

-          Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results.

 
C. Entity-level controls may be designed to operate at the process, application, transaction or account-level and at a level of precision that would adequately prevent or detect a material misstatement and include:

-          Controls related to the control environment;

-          Controls over management override;

-          The company’s risk assessment process;

-          Centralized processing and controls, including shared service environments;

-          Controls to monitor results of operations;

-          Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self assessment programs;

-          Controls over the period-end financial reporting process; and

-          Policies that address significant business control and risk management practices.

 
D. Information Technology General Controls (ITGCs) alone ordinarily do not adequately address financial reporting risks; rather, the proper and consistent operation of automated controls or IT functionality depends upon effective ITGCs. Thus, the identification of risks and controls within IT should not be a separate evaluation but an integral part of the top-down, risk-based approach. ITGC areas would typically include:

-          Program development;

-          Program changes;

-          Computer operations; and

-          Access to programs and data.

 
E. Multiple Locations or Business Units: the locations or business units to be covered are determined as follows:

-          Significant accounts and disclosures and their relevant assertions should be identified based on the consolidated financial statements.

-          Locations or business units that, individually or when aggregated with others, do not present a reasonable possibility of material misstatement to the company’s consolidated financial statements can be excluded.

-          Appropriate entity level controls and controls to provide assurance that appropriate controls exist throughout the organization could eliminate direct testing at lower-risk locations or business units.

 
II. Testing

 Design Effectiveness

-          Controls should be operated by persons with the necessary authority and competence

-          Controls should satisfy the company’s control objectives

-          Controls should be effective in preventing or detecting errors or frauds

 Operating Effectiveness

-          Testing should be an appropriate mix of

o       inquiry of appropriate personnel (inquiry alone does not provide sufficient evidence to support a conclusion on the effectiveness of a control, though it might be sufficient for a roll-forward procedure),

o       observation of the company’s operations,

o       inspection of relevant documentation, and

o       re-performance of the control

-          The evidence necessary to determine whether a control is effective depends upon the risk associated with the control – the higher the risk, the greater the evidence. The factors that affect the risk associated with a control include:

o       Nature and materiality of misstatements that the control is intended to prevent or detect,

o       Inherent risk (e.g. related party transactions, critical accounting policies and related critical accounting estimates) associated with the related account(s) and assertion(s)

o       Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness

o       Whether the account has a history of errors

o       Effectiveness of monitoring controls, if any.

o       Nature of the control and the frequency with which it operates

o       The degree to which the control relies on the effectiveness of other controls (e.g. ITGCs)

o       Competence of personnel performing the control or employee turnover

o       Manual or automated

o       Complexity of the control and significance of the judgments that need to be made

-          A benchmarking strategy for automated application controls can be used in subsequent years’ testing

 
III. Evaluating Identified Deficiencies

A. Severity, quantification and compensating controls

-          The severity of a deficiency does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement.

-          The evaluation of whether a control deficiency presents a reasonable possibility of misstatement can be made without quantifying the probability of occurrence as a specific percentage or a range.

-          To have a mitigating effect, a compensating control should operate at a level of precision that would prevent or detect a misstatement that could be material.
 

B. Indicators of Material Weaknesses

-          Identification of fraud, whether or not material, on the part of senior management

-          Restatement of previously issued financial statements to reflect the correction of a material misstatement

-          Identification of a material misstatement in the current period by auditors in circumstances that indicate that the misstatement would not have been detected by the company’s internal control over financial reporting

-          Ineffective oversight of the company’s external financial reporting and internal control over financial reporting by the company’s audit committee.

