Assessing company-level controls: another hurdle on the road to compliance.


EXECUTIVE SUMMARY

* THE ASSESSMENT OF COMPANY-LEVEL CONTROLS is a critical part of complying with section 404 of Sarbanes-Oxley. The PCAOB says public companies must assess the design and operating effectiveness of these controls in addition to examining detailed process- and transactional-level control activities.

* COMPANY-LEVEL CONTROLS ARE THOSE THAT PERMEATE an organization and have a significant impact on how it achieves its financial reporting and disclosure objectives. These controls are exemplified by the control environment itself including the tone at the top, corporate codes of conduct and policies and procedures.

* CPAs CAN FOLLOW SIX STEPS TO HELP ENTITIES comply with company-level control requirements. These steps are defining the project plan and key milestones, building a structure to assess the controls, obtaining input on the design of company-level controls, documenting and assessing the controls, testing their effectiveness, and engaging in gap remediation and continuous improvement.

* THESE STEPS ARE REQUIRED OF PUBLIC COMPANIES, but private companies and not-for-profit organizations also can benefit by looking at the process as a best practice that leads to stronger governance and better financial results.

**********

What are company-level controls? How do CPAs go about evaluating their effectiveness? As the compliance deadline for section 404 of the Sarbanes-Oxley Act approaches for some companies, many have yet to face a critical hurdle: the assessment of their company-level controls. The Public Company Accounting Oversight Board says public companies must assess the design and operating effectiveness of company-level controls in addition to examining detailed control activities at the process and transactional levels.

This article provides a six-step process CPAs can use to meet this critical aspect of section 404 compliance. The steps are based in part on the author's experiences as director of finance for Campbell Soup Co. Although only public companies subject to section 404 are required to formally assess company-level controls, nonpublic companies and other types of organizations may wish to do similar evaluations as a best practice.

CONTROLS ARE EVERYWHERE

Company-level controls permeate an organization and have a significant impact on how it achieves its financial reporting and disclosure objectives. One example is the control environment itself, which includes the tone at the top, the corporate code of conduct, policies and procedures, the assignment of authority and responsibility, management's risk assessment processes, fraud-prevention efforts and other company-wide programs that apply to all locations and business units. Company-level controls also monitor the results of operations and the functionality of other controls, including self-assessment programs and internal audit reviews. Oversight activities by senior management, the audit committee and the board also demonstrate these controls.

Section 404 says senior management at public companies must

* State its responsibility for establishing and maintaining adequate internal control over financial reporting and disclosure.

* Assess the effectiveness of the company's internal controls for the current fiscal year.

* Identify the framework used to make this evaluation. To comply, many companies have adapted the COSO internal control framework and its five components--control environment, risk assessment, control activities, information and communication, and monitoring.

The PCAOB says public companies must give adequate consideration to all five components, including detailed control activities at the process and transactional level as well as the other COSO components known collectively as company-level controls. In Auditing Standard no. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, the PCAOB says the external auditor should evaluate whether management's documentation includes all five components of internal control over financial reporting when determining whether it provides reasonable support for management's overall assessment.

Auditors should test and evaluate the design effectiveness of company-level controls first and adjust their approach for evaluating the other aspects of internal control over financial reporting accordingly. CPAs should consider ineffective company-level controls a deficiency that might affect the scope of work performed in an audit, particularly when a company has multiple locations or business units.

STEPS TO COMPLIANCE

As part of the internal process of ensuring compliance with the company-level control aspects of section 404, CPAs can recommend companies follow six steps. In general the steps include defining key milestones, building an assessment structure for company-level controls, documenting control design, testing control effectiveness and engaging in gap remediation and continuous improvement efforts.

STEP ONE: Define project plan and key milestones. The first compliance step CPAs should take involves planning--outlining the project (including key activities and timelines) and identifying critical milestones. This helps assess the resources needed to complete the company-level controls effort in a timely manner and gauge the team's progress compared to expectations.

In this instance the key activities in the project plan may represent overlapping tasks to be performed in parallel rather than in sequence. For example, management typically needs to determine the existence and nature of a process- or transactional-level control before collecting evidence to test its effectiveness. However, when it comes to company-level controls, evidence collection may occur at any point during the overall compliance effort. Some evidence (codes of conduct, corporate policies, organization charts and the like) may facilitate the building of a customized assessment structure or provide insight into the design of the organization's company-level controls and also represent evidence to support the effectiveness of these controls. For instance, when we reviewed the charter for Campbell's audit committee, it provided insight into the oversight activities this committee performed, in addition to offering evidence that such a document existed.

STEP TWO: Build an assessment structure for company-level controls. To methodically evaluate these controls, companies need a formal structure within the context of the overall internal control framework adopted by management. To build this structure, CPAs should first review appropriate authoritative literature--including COSO's Internal Control--Integrated Framework, PCAOB Auditing Standard no. 2 and Sarbanes-Oxley itself--and solicit the input of the company's external auditors and any consultants providing subject matter expertise on the company's overall section 404 compliance efforts. CPAs also should talk to peers at other companies, attend seminars on company-level controls compliance and use other available tools (for example, KPMG's www.404institute.com Web site).

A customized assessment structure likely will consist of 20 to 30 objectives across the four COSO components that relate specifically to company-level controls (excluding the control activities component). Because these objectives represent management's control expectations for complying with section 404 company-level controls, management will need to formally assess the design and operating effectiveness of each. If management can determine it meets each objective based on these assessments, it can conclude that the organization's company-level controls are adequate overall. (See page 66 for an example of company-level control objectives.)

To facilitate management's assessment, CPAs should support each company-level control objective with underlying guidance, or points of focus, representing key considerations in examining each objective. For example, one of Campbell's objectives related to the COSO control environment component concerned whether management, through its attitudes and actions, demonstrated character, integrity and ethical values. This objective was supported by several points of focus: Management sets the appropriate "tone at the top"; maintains codes of conduct and other policies regarding acceptable behavior; follows ethical guidelines in dealing with employees, suppliers, customers and others; removes or reduces temptations that might cause staff to engage in unethical acts; and responds in a timely and appropriate manner to violations of the company's code of conduct. When making their overall assessment of a given objective, CPAs should carefully consider each point of focus and the implications of any best-practice controls that seem to be missing.

STEP THREE: Obtain input on the design of company-level controls. Gaining insight into the design of company-level controls is sometimes more challenging than assessing detailed process- or transactional-level control activities. Company-wide controls often are not readily apparent; management gave little consideration to them in the past with the result that nobody perceived them as formal controls, making them harder to identify. To solve this problem CPAs can leverage section 404 and other documentation already created to assess the organization's internal control activities. For example, section 404 documentation covering the safeguarding of cash, inventory and fixed assets can support the company-level control objective that management's philosophy and operating style are consistent with a sound control environment.

CPAs also can review corporate, accounting and human resources policies; employee standards of conduct; organization charts; internal communications; board of director materials and other existing documentation, as well as interview appropriate subject-matter experts. Representatives from the corporate controlling, internal audit, IT, legal and HR functions can provide insight into high-level oversight and other company-level controls performed at, or dictated by management at, the corporate level. Business unit experts can help CPAs understand how such controls are implemented at the local level, for example clarifying how the local team translates the entity-wide strategies and objectives into its plans and activities. Finally, senior executives can discuss how they set the tone at the top, provide oversight, assign accountability, perform risk assessment and in other ways directly influence the organization's company-level controls.

At Campbell, for example, the corporate controller explained how the company established its corporate accounting policies, the interaction between corporate and local finance staff, the competency of financial talent and, most important, the activities performed by Campbell's disclosure committee. The corporate secretary and vice-president of audit helped us understand risk management, fraud reporting, management's response to reported improprieties, audit committee and overall board oversight activities, and the development of Campbell's annual internal audit plan.

STEP FOUR: Document and assess company-level controls. The next step in the compliance process is to formally document and evaluate the design of company-level controls. CPAs should begin by detailing the company's control activities that support each objective in the assessment structure they built in step two.

To get started with the evaluation process, review the insights you obtained from existing documentation and interviews with functional experts, business unit contacts and senior management. Then examine each point of focus for a given objective, considering the adequacy of existing company-level controls relative to best practices. In other words, assess whether the design of the organization's current controls is adequate for each objective. Finally, to the extent you identify any gaps in the design of these controls, document and begin implementing appropriate remediation plans as soon as possible.

STEP FIVE: Test the effectiveness of company-level controls. Traditional validation testing is typically used to assess the operating effectiveness of controls at the process and transactional levels; the type and frequency of a control activity drives the extent of testing CPAs perform. But few company-level controls lend themselves to selecting a sample size and then doing this traditional testing. Testing the operating effectiveness of an organization's company-level controls requires creativity. CPAs must use other techniques--observing disclosure committee meetings, interviewing members of the senior leadership team, reviewing board minutes, obtaining a copy of the organization's internal communications plan and evidence of its execution, selecting a sample of reported improprieties to assess how management responded or conducting an employee survey.

An organization-wide survey in particular can provide solid evidence about the effectiveness of company-level controls, enabling CPAs to gauge employee awareness of the company's mission, vision and core strategies; adherence to its code of conduct; and use of its whistleblower hotline. A survey also can provide a benchmark against which to measure improvement in controls over time.

STEP SIX: Engage in gap remediation and continuous improvement. If you do identify gaps in the design of company-level controls while testing their operating effectiveness, you should initiate remediation efforts as soon as possible. For example, one control objective related to the COSO control environment component involves management demonstrating character, integrity and ethical values through its attitudes and actions. But, if management has not implemented an anonymous whistleblower hotline or established procedures for appropriately handling improprieties reported via the hotline, there likely is a gap in this company-level control. To remedy the problem CPAs should help management take appropriate actions, including setting up a hotline, improving the handling of complaints or establishing a timeline for responding to calls.

In the spirit of improving overall corporate governance, CPAs need to recognize the difference between adequate and best-in-class company-level controls. CPAs should focus on continuous improvement, looking for ways to make the process of assessing company-level controls more efficient and the controls more effective. For example, although an organization's internal audit team may already use a comprehensive risk-assessment process to support the development of its annual audit plan, it may be able to enhance the process by using a detailed questionnaire on fraud risk factors.

IMPROVED GOVERNANCE

Documenting and assessing company-level controls are key to overall compliance with section 404. More important, CPAs who focus on such controls are likely to find ways to enhance them and ultimately improve the organization's overall governance. Stronger corporate governance for Campbell Soup and other public companies should translate into stronger business results and increased shareholder value. It could likewise mean greater value for owners of private companies and help nonprofit organizations fulfill their mission. The bottom line: Identifying and assessing company-level controls, performing gap remediation and maintaining a continuous-improvement mindset benefit public companies, private companies, NPOs and other entities alike.

A Role to Play

In what areas of Sarbanes-Oxley compliance work was internal audit involved during 2004?

[GRAPHIC OMITTED]

Source: PricewaterhouseCoopers LLP, 2004 survey of 441 companies, www.pwc.com.

Company-Level Control Objectives

Control Environment

* Through its attitudes and actions, management demonstrates character, integrity and ethical values.

* Management's philosophy and operating style are consistent with a sound control environment.

* Management assigns authority and responsibility.

* Human resource policies and procedures are consistent with and reinforce the control environment.

* The audit committee and overall board of directors are actively involved and have significant influence over the organization.

Risk Assessment

* Management has established practices for identifying, evaluating and appropriately mitigating risks.

Information and Communication

* Management gathers information from and disseminates information to the appropriate people on a timely basis.

* Management has established an effective "whistleblower" program as it relates to financial reporting.

Monitoring

* Management has established effective ongoing monitoring activities.

* Management performs separate evaluations of the organization's internal control environment to confirm its effectiveness.

AICPA RESOURCES

CPE

* Internal Controls: Design and Documentation (text, # 731851JA).

* Internal Controls: Design and Evaluation Under COSO and AS No. 2 (text, # 732512JA).

* Implementing SOX 404: An Advanced Analysis (webcast archived on CD-ROM, # 737177HSJA).

Publications

* COSO Enterprise Risk Management: Integrated Framework (paperback, # 990015JA).

* Internal Control--Integrated Framework (COSO Report: paperback, # 990012JA).

* How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control (hardcover, # 029881JA).

* Internal Control Reporting--Implementing Sarbanes Oxley Section 404 (paperback, # 029200JA).

* PCAOB Auditing Standard No. 2: A Guide for Financial Managers (paperback, # 006619JA).

For more information or to order, go to www.pa2biz. or call the Institute at 888-777-7077.

PRACTICAL TIPS

* When building a structure to assess company-level controls, solicit input from external auditors and any consultants who advised the company on its overall section 404 compliance. Talking to peers at other companies also can provide useful feedback.

* Talk with internal audit, IT, legal and human resources to gain insight into company-level controls performed at the corporate level, and to business unit managers about how they implemented them at the local level.

* When testing company-level controls, use an organization-wide survey to gauge employee awareness of the company's mission, vision and core strategies, adherence to the code of conduct and comfort level with the whistleblower hotline.

J. STEPHEN McNALLY, CPA, is director of finance of Campbell USA, a division of Campbell Soup Co. in Camden, N.J. His email address is j_stephen_mcnally@campbellsoup.com. This article is based on one the author wrote for the winter 2005 issue of the Pennsylvania CPA Journal.
COPYRIGHT 2005 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:McNally, J. Stephen
Publication:Journal of Accountancy
Date:Jun 1, 2005
Words:2582