Evaluate the control environment: documentation is only a start; now it's all about asking questions.


Beginning with the first yearend on or after November 15, 2004, many companies (accelerated filers first) will have to comply with the internal control reporting requirements of the Sarbanes-Oxley Act of 2002. The control environment is one of the key components of an entity's internal control; it sets the tone of an entity, influences the control consciousness of its people and is the foundation for all other components of the internal control system. In this article management and independent auditors will find some suggestions for addressing one of the most challenging requirements of assessing internal control: evaluating the effectiveness of the control environment.

Management has always been responsible for the design and maintenance of the company's internal control. Now, because of Sarbanes-Oxley, management has the added responsibility to annually evaluate, test and report on the entity's internal control over financial reporting. The external auditors are responsible for auditing management's assertion as to the effectiveness of this internal control and coming to their own, independent conclusions. They must evaluate management's assessment and perform their own, independent tests of controls, including the control environment. Thus, the suggestions provided in this article on testing the control environment may be helpful to management and auditors alike.

As opposed to an activity-level control (for example, checking the mathematical accuracy of a vendor invoice), which is limited to one processing stream, the control environment has a pervasive structure that affects many business activities. It includes elements such as management's integrity and ethical values, operating philosophy and commitment to organizational competence.

Designing and performing tests at the control environment level will be a complex and challenging task--for example, a company may point to its code of conduct as documenting its ethical values. Ultimately though, the mere existence of the documentation of a control is not sufficient to support a conclusion about its operating effectiveness. Management and auditors must do more than demonstrate that a code exists; they must evaluate the effectiveness of the code's implementation. For example, the entity's implementation procedures may include training sessions for management and employees on the company's code and the establishment of formal channels for the confidential communication of code violations to senior management.

To determine whether the code of conduct has been implemented effectively, these questions need to be asked:

* How is the code communicated?

* Do the entity's employees and management follow the code?

* How is compliance with the code monitored?

* Does compliance with the code improve the effectiveness of other control policies and procedures?

Adding to the difficulty of the testing task is the fact that the control environment is not transaction-oriented. The tests of controls auditors are accustomed to performing, such as walk-throughs or the reperformance of the control for a sample of items, will not be possible.

DON'T NEGLECT THE CONTROL ENVIRONMENT

At this early stage of complying with section 404 requirements, most companies have focused on the documentation, evaluation and testing of activity-level controls. For example, bank reconciliations, the matching of shipping documents to invoices and computerized checks of data entered into the accounting system all are examples of activity-level controls.

As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, activity-level controls are just one component of internal control over financial reporting. In an evaluation of internal control, both management and the auditors need to consider all its components. If they focus exclusively on activity-level controls to draw a conclusion about all elements of internal control, they may reach inappropriate conclusions about internal control taken as a whole.

For example, consider the entity that requires its board of directors to approve all significant decisions made by the CEO. Suppose, however, the philosophy of the CEO is that he or she alone knows what's best for the organization. Suppose, too, the CEO, through a committee he or she controls, is able to handpick the majority of the board members. And because the primary criterion for advancement within the organization is personal loyalty to the CEO, the information that senior management presents to the board is tightly controlled and presented in a way that makes ratification of the CEO's agenda a foregone conclusion.

Focusing solely on the activity-level control is inappropriate. Read the minutes and you'll undoubtedly find the board approved all the transactions it should have. On the surface, internal control looks good. In reality it is not. Only by looking at the control environment directly--as in management's philosophy and operating style and its commitment to competence--does a true picture of the organization begin to emerge.

So how can we take a more direct approach to evaluating and testing the control environment? Here are some suggestions.

ESTABLISH A BENCHMARK

The COSO framework provides criteria and information on the control environment, but this guidance is at a fairly high level since the framework was tailored for all organizations. For example, COSO identifies integrity and ethical values as important pieces of the entity's control environment and makes a compelling argument for why this is so. But the purpose of COSO is not to explain how to measure or evaluate whether an ethical climate is "effective." Once management gathers information about the control and its design, it is left to them to decide how to determine and test its relative effectiveness.

Help in judging the relative effectiveness of a software development process came several years ago when the Software Engineering Institute developed the Capability Maturity Model (CMM). The model was quickly adopted by the IT audit profession as the basis for the maturity model in the Information Systems Audit and Control Association's (ISACA, www.isaca.org) Control Objectives for Information and related Technology (COBIT) framework for gauging IT-control effectiveness. Some of the larger accounting firms recently adapted the model for use in determining the relative effectiveness of their clients' internal control (see "Choose the Right Tools for Internal Control Reporting," JofA, Feb.04, page 34).

The model describes several different levels of reliability or maturity of an internal control system--for example, levels may range from "initial," the lowest level of reliability, to "optimized," the highest. The exhibit at the end of this article summarizes a five-level model based on the various characteristics used to gauge system reliability.

The internal control reliability model can be helpful in designing tests of a control environment's effectiveness. The overall reliability of the system depends on the characteristics that describe each level. Auditors should design the control environment tests to determine the relative reliability of each of these characteristics, as discussed below.

DESIGNING TESTS

In evaluating the design and operating effectiveness of the control environment, auditors' tests will consist of a combination of procedures, including

* A review of relevant documentation--for example, the company's code of conduct.

* Inquiries of management and employees, either verbally, in writing or both.

* Direct observation.

Here are some tips for designing these procedures:

* Start with a review of documentation relating to the control environment. The most likely sources of information include the company's

* Code of conduct.

* Personnel policies.

* Board of directors and audit committee charters.

* Disclosure committee charter.

* Other, informal communications from senior management about control environment matters such as ethics or management philosophy.

* Remember that documentation is only a start--not the be-all and end-all. Ask management direct questions about the actions it took to assess how management or employees complied with, or violated, stated management philosophies or standards of behavior. Examples of such questions include

* Have you observed unacceptable behavior on the job? If so, what did you observe?

* If you were to report unacceptable or unethical behavior to senior management, what action do you think management would take?

* Probe for employees' understanding and awareness. Do managers and other employees know the relevance and importance of their control-related activities? Do the board and the audit committee have a full appreciation of their oversight responsibilities?

* Try to understand the company's attitude toward internal control. Is it a "necessary evil," or is it viewed as an integral part of the company's management? Suppose you asked senior management and the board the following questions about the company's code of conduct.

* What was the main reason for developing the company's code of conduct?

* How often is the code reviewed and updated?

The answers to these questions may be revealing--for example, a manager who says the code was developed because the lawyers recommended it and that it has not been reviewed or updated in the last 10 years tells you a great deal about the attitude of senior management toward the value of an effective control environment.

* Ask for a self-assessment. Direct questions can be quite effective. Ask management or operations personnel about how various control environment elements work:

* Do you believe the company has established standards of behavior that create an overall appreciation for and compliance with its documented control policies and procedures?

* How would you describe management's operating style and philosophy?

* What aspects of the company's culture or management policies contribute to or detract from your ability to perform your job responsibilities effectively?

CONTROL ENVIRONMENT CHALLENGES

Sarbanes-Oxley section 404, which requires management to assess and report on the effectiveness of a company's internal control over financial reporting, has changed dramatically the landscape of control assessment. The control environment is an integral part of the internal control system and therefore must be understood, evaluated and tested, first by management, and then by the external auditors.

The subjective, non-transaction-oriented nature of the control environment will create many challenges, none of which management can use as a rationale for noncompliance. A good place for both management and the auditor to begin is to develop a model, such as the internal control reliability model, that describes the characteristics of a control environment at various levels of reliability. Management can then design tests to evaluate the presence or absence of each of those characteristics and how effective the control environment really is.

EXECUTIVE SUMMARY

* MANAGEMENT IS RESPONSIBLE FOR EVALUATING and reporting on a company's controls. The external auditors are responsible for auditing management's assertion and independently coming to their own conclusions about the company's internal control effectiveness. They must evaluate management's assessment and also perform their own, independent tests in many areas, including the control environment.

* THE CONTROL ENVIRONMENT HAS A PERVASIVE structure that affects many business process activities. It includes elements such as management's integrity and ethical values, operating philosophy and commitment to organizational competence.

* ADDING TO THE DIFFICULTY OF THE TASK is the fact that the control environment is not transaction-oriented. Tests of controls that auditors are accustomed to performing, such as walk-throughs or the reperformance of the control for a sample of items, will not be possible. And focusing solely on activity-level controls is inappropriate.

* TESTS OF THE CONTROL ENVIRONMENT will consist of a combination of procedures, including a review of relevant documentation of the design, inquiries of management and employees and direct observation.

* AUDITORS WILL HAVE TO PROBE for understanding and awareness and try to understand the company's attitude toward internal control over financial reporting. They also should ask management for a self-assessment.

PRACTICAL TIPS TO REMEMBER

* Don't focus your internal control tests exclusively on activity-level controls. You have to evaluate and test the control environment, too.

* Establish a benchmark, such as the internal control reliability model, that will be used to gauge internal control effectiveness. Use this model to design your tests of the control environment.

* Use several different testing techniques to gather information about the control environment from a broad range of entity personnel.

Summary of Internal Control Reliability Model

Reliability   Documentation    Awareness and        Perceived             Control             Monitoring
level                          understanding        value                 procedures

Initial       Very limited     Basic awareness      Unformed              Ad hoc, unlinked

Informal      Sporadic,        Understanding not    Controls are          Intuitive,
              inconsistent     communicated         separate from         repeatable
                               beyond management    business operations

Systematic    Comprehensive    Formal               Controls integral     Formal,
              and consistent   communication        to operations         standardized
                               and some training

Integrated    Comprehensive    Comprehensive        Control processes     Formal,             Periodic
              and consistent   training on          considered part       standardized        monitoring
                               control-related      of strategy                               begins
                               matters

Optimized     Comprehensive    Comprehensive        Commitment to         Formal,             Real-time
              and consistent   training on          continuous            standardized        monitoring
                               control-related      improvement
                               matters

Note: This table and a description of the model first appeared in
How to Comply with Sarbanes-Oxley Section 404: Assessing the
Effectiveness of Internal Control, by Michael Ramos, John Wiley &
Sons, 2004.


AICPA RESOURCES

The Institute answers individual questions at the Sarbanes-Oxley Act hot line: 866-265-1977, and up-to-date compliance information for CPAs is available at Sarbanes-Oxley Act/PCAOB Implementation Central, www.aicpa.org/sarbanes/index.asp.

Publications

* Consideration of Internal Control in a Financial Statement Audit, an AICPA Audit and Accounting Guide (# 012451JA).

* Financial Reporting Alert, Internal Control Reporting--Implementing Sarbanes-Oxley Section 404 (# 029200JA).

* Financial Reporting Fraud: A Practical Guide to Detection and Internal Control by Charles R. Lundelius Jr. (# 029879JA).

* Internal Control--Integrated Framework, COSO report (# 990012JA).

CPE

* Internal Control Reporting for Public Companies, a webcast originally presented July 17, 2003, and now available on CD-ROM (# 737132HSJA).

* Internal Controls: Design and Documentation, a self-study course (# 731850JA).

* SEC Reporting, a self-study course (# 736771JA).

Conferences

* National Advanced Accounting and Auditing Technical Symposium (NAAATS) July 22-23, 2004, Hilton La Jolla Torrey Pines, La Jolla, California

* Conference on Advanced Litigation Services and Fraud September 26-29, 2004, JW Marriott Desert Ridge, Phoenix

For more information, to place an order or to register, go to www.cpa2biz.com or call the AICPA at 888-777-7077.

MICHAEL RAMOS, CPA, is the author of How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control, John Wiley & Sons, 2004. Other articles he has written on section 404 can be found on the AICPA Web site. "SOX 404 Consulting: Where to Begin" is available on the AICPA private companies practice section (PCPS) Web site at www.pcps.org. "SOX 404 Compliance: A Structured Approach" can be viewed at www.aicpa.org. Mr. Ramos' e-mail address is michaeljramos@mac.com.
COPYRIGHT 2004 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Sarbanes-Oxley compliance
Author:Ramos, Michael
Publication:Journal of Accountancy
Date:May 1, 2004
Words:2282