Expertise Summary
Are you stressed by the time and cost it takes to persuade your auditors that your internal controls are, in practice, “effective” (as in SOX 404)?
Let me offer a solution based on a thorough understanding of how auditors are required to assess your controls under Auditing Standard No. 5 (AS 5), and on experience since 2003, when the SOX Act of 2002 was put into practice.
Seasoned Big 4 CPA with SEC SOX audit expertise, able to design and operate controls that are effective under SOX 404, thereby delivering accurate internal as well as external financial reporting and enabling the external auditor to rely on those controls.
Please refer to “Material Weakness – The Nightmare Scenario” below for a practical example of how we can accomplish that.
Expertise Detail
I started my audit career in 2003, when the Sarbanes-Oxley Act of 2002 (SOX) was implemented. At the time, there was criticism that audit fees would become exorbitant (which actually happened) because audit hours would increase on account of the auditors’ extra work required by the Act (i.e., the auditors’ attestation on their client’s internal control effectiveness, particularly under SOX 404).
In response, and to interpret the Act, the PCAOB issued Auditing Standard No. 5 (AS 5) in 2007, clarifying that the auditor’s control attestation must not be an addition to their audit work but must be incorporated into that work through the assessment of Control Risk in the Combined Risk Assessment (CRA) formula used to evaluate Audit Risk (= Inherent Risk x Control Risk x Detection Risk) for each Assertion.
Simply put, what the CRA gives auditors is this: “the higher the Control Risk, the higher the CRA (thus, more audit work, or specifically, more extensive Substantive Procedures/Testing).”
In reality, however, there is no way for a client company to discern how its external auditor has concluded their CRA.
The only way for the company (its internal auditor) to figure it out would be to follow the same (internal control/SOX) audit methodology that the PCAOB/SEC’s AS 5 requires of the external auditor.
That’s where I come into play: I ensure that the company’s “Control Risk” (as in the CRA) is adequately low, so that the external auditor can comfortably rely on the company’s financial controls.
Please see my “Blog” posts for more detailed discussions of how process-level controls should be assessed (for their “effectiveness” under SOX 404), as well as the conceptual background of the SOX Act.
The Practical Example of How to Design “Effective” (as in SOX 404) Financial Controls
Material Weakness – The Nightmare Scenario
An SEC-listed company’s worst-case scenario would be that, while management did not believe it had a material weakness (MW) (most likely because the external auditor issued a clean opinion on the financial statements (F/S)), the auditor insists it did and that the MW should be reported by management in the 10-K.
NOTE: The case in point is that, the day before the release of its 2022 annual report in 2023, Credit Suisse was forced by the SEC to report a MW against its will (because its external auditor insisted, saying they would not sign off on the F/S unless the MW was reported by management), which immediately led the bank to bankruptcy.
Audit ICFR As the External Auditor Would (to Reach the Same Conclusion Based on the Same Evidence)
To avoid such a difference of opinion, I would audit the company’s internal controls over financial reporting (ICFR) by requiring management to prepare the same audit evidence that the external auditor would require in forming their opinion on the Company’s ICFR effectiveness.
NOTE: AS 5 (para. 3) states, “Because a company’s internal control cannot be considered effective if one or more material weaknesses exist, … for expressing an opinion, the auditor must … obtain appropriate evidence … about whether material weaknesses exist as of the date specified in management’s assessment”.
The Top-Down, Risk-Based Audit Approach (or the Top-Down Risk Assessment)
Specifically, I would adopt the top-down, risk-based (risk assessment) approach that AS 5 requires for the ICFR audit, which states, “A top-down approach begins at the financial statement level …. … auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions …”
NOTE: The auditor “selects for testing … controls”, as it is practically impossible to test every ICFR; management, however, should design and operate every ICFR effectively to mitigate every misstatement risk.
Auditors begin their (misstatement) risk assessment “at the financial statement (F/S) level” as they calculate their Overall Materiality as a certain percentage of an F/S caption: e.g., 5% of profit before tax, 1% of total assets, etc.
Management, on the other hand, does not need a Materiality threshold (as they should mitigate every misstatement risk).
However, I would advise management to begin their (misstatement) risk assessment “at the F/S level” anyway, in order to be aware of pervasive misstatement risks (on the F/S, regardless of the accounts involved) such as those due to fraud, management override, etc. These can be mitigated by ensuring that the COSO Framework (2013) components (or their underlying Principles), i.e., the entity-level controls (ELCs), are “present” (as in the COSO guidance).
NOTE: COSO provides the Enterprise Risk Management (ERM) framework, which is by nature for ELCs, and the COSO Framework 2013 specifically intends to provide the ELC framework for a public company’s ICFR and sets forth the widely adopted requisite “criteria” for the ICFR to be “effective” (in design).
NOTE: After mitigating the pervasive misstatement risks by ensuring that the COSO ELCs are present, management’s (misstatement) risk assessment can “work down” to the Consolidated F/S (Reporting) level, i.e., the “accounts and disclosures and their relevant assertions” of the F/S Presentation and Footnote Disclosure; then, the misstatement risk should be sought (to mitigate) at a lower level, that is, at each entity’s (i.e., the Parent’s or a subsidiary’s) general ledger (G/L) Closing level (highlighting the Valuation/Measurement assertion).
This process/procedure cycle is also known as the period-end Closing/Recording-to-Reporting (R2R) cycle.
The Policies and Procedures as Evidence (of Effective ELCs)
In preparing the audit evidence for effective ELCs, I would help management establish Accounting/IT Policies and Procedures (authorized by the Board) in such a way as to evidence that each Principle under the components of the COSO Framework 2013 is present, meaning that the requisite “criteria” for effective ICFR are evident.
The Risk for ICFR to Mitigate Is Misstatement Risk
However, even if all the Principles were present (at the entity level), an ICFR would be ineffective in design (i.e., have a design gap) unless it mitigated the associated misstatement risk inherent in the underlying process/transaction.
NOTE: The misstatement risk is Inherent Risk: the risk inherent in the underlying process within a financial reporting cycle (e.g., Order to Cash (O2C), Procure to Pay (P2P), and the period-end Close to Report (C2R)) without considering any ICFR (whether effective or not). It is distinct from the risk of ICFR being ineffective (a.k.a. Control Risk), which is not a risk for management (to mitigate) but for the auditor (to accept as part of Audit Risk).
NOTE: At the transaction level, we can start writing the end-to-end Narrative (which describes the step-by-step process from O2C/P2P Initiation (i.e., Order/Procurement or earlier, such as the customer/vendor contract) through the Process/Authorization steps), in which every misstatement risk can be defined at each critical data path.
To design effective, preventive ICFR to adequately mitigate misstatement risks, I would support management to:
- identify every critical data-path, or Likely Source of Potential Misstatement (LSPM, as in AS 5), in the end-to-end (Transaction/)Process Narrative form for each of the cycles (of O2C, P2P, and R2R),
- define the misstatement risk inherent at every LSPM, clarifying F/S Assertions (i.e., Existence/Occurrence, Completeness, Valuation/Measurement, Rights/Obligations, Presentation/Disclosure) (as in para. 28 of AS 5), and
- design ICFR (at LSPM) to mitigate the misstatement risk with Control Design Attributes, which, if satisfied, would validate relevant Assertion(s).
The Policies and Procedures as Evidence (of Effective ICFR)
Being designed to mitigate the related misstatement risk, the ICFR design will be effective if all Attributes are satisfied.
The satisfaction of an Attribute corresponds to the “criteria” (or Principles of COSO 2013) being “present”/evident, the evidence of which should be the relevant Accounting/IT Policies and Procedures (including Roles and Responsibilities) and supporting forms and templates (authorized by the BoD) (and ITGC test results), as per the:
Control Activities component, “Deploys Control Activities Through Policies and Procedures” and “Selects and Develops General Controls Over Technology” Principles.
NOTE: To assess ICFR design (under Monitoring Activities), I would perform a Walkthrough and advise management to prepare as evidence (1) End-to-End Narratives and/or Flow-Charts, (2) LSPMs, misstatement risks, and ICFRs with Assertions/Attributes, which may be summarized in Risk Control Matrices (RCM), and (3) relevant Policies and Procedures with supporting forms/templates and ITGC test results; these should be the same as what the auditor requires for their Walkthrough. (See my SaaS O2C Flow-Chart example: Apply the Top-Down, Risk-Based Approach to the Process Level Controls.)
NOTE: To remediate a design gap, I would advise control owners to think about how to ensure accurate Assertions of asset Existence, sales Occurrence, liability Completeness, etc. in processing data/information/journal entries.
This means that the CEO/CFO, who have been charged with the responsibility (for establishing/maintaining internal controls), shall delegate the authority to the members of their management team, who are in turn accountable for that responsibility (for designing, establishing, and maintaining such internal controls).
The Illustration – the Closing ICFR
Let me take the Closing ICFR to illustrate the three-step practice (above) of effective control design:
1) The LSPM at the period-end Closing procedure (in the R2R cycle), and 2) the Inherent Risk, would be:
LSPM: Accountant could fail to post proper journal entries (JEs) (per US GAAP) to close applicable G/L accounts.
Misstatement Risk: Valuation/Measurement (of Closing JEs for each relevant G/L account) is not compliant with GAAP.
3) Now management can design a (preventive) ICFR (to mitigate the misstatement risk), such as:
Control: IT Automated Control - The G/L system automatically posts the Closing JEs, manually prepared by the Accountant in the system, upon the Manager’s clicking the Approval button (in the system) after his/her review (for proper Valuation/Measurement), referring to and completing the Closing Checklist.
Associated Control Attributes are as follows:
Attribute 1: The Control is authorized by the BoD in the Policies/Procedures that define the Checklist, the check items of which are the G/L accounts to close: e.g., allowance for doubtful accounts, amortization, leases, etc.
Attribute 2: The Manager’s review competence is authorized by the BoD, with the qualifications enumerated in the Manager’s Roles and Responsibilities, which should correspond to the job description of the Manager position.
Attribute 1 is satisfied if the Control is evidenced in the authorized Policies and Procedures, and
Attribute 2 is satisfied if the Manager’s competence is evidenced in the Roles and Responsibilities, as required under the:
Control Environment component, “Exercises Oversight Responsibility” (by the BoD),
“Establishes Structure, Authority, and Responsibility”, and “Demonstrates Commitment to Competence” Principles. (See my blog, Consider SOX 302 from the “Top-Down (Risk-Based) Approach” Perspectives, for details on SOX 302.)
Attribute 3: The items to include in the Checklist are authorized by the Policies/Procedures, which evidence the validity/relevancy of the Checklist and the items therein, including the supporting data/information and templates (for the Accountant to follow, step by step, to construct JEs), which in effect validates the Valuation/Measurement Assertion per applicable US GAAP: e.g., ASC 350-20 Goodwill Impairment, ASC 350-40 Internally Developed Software, ASC 810 Consolidation, etc.
NOTE: For example, an Operating Lease accounting template, with a roll-forward/amortization schedule (for each lease contract), may list a step-by-step procedure per ASC 842. See: The Secret of Accounting Team’s Success.
NOTE: The Policies/Procedures should require management to prepare a template for every G/L account to close (as on the Closing Checklist), so that every manual Closing JE can be completely reviewed and approved.
Attribute 3 (Information Relevancy and Standard/Regulation Compliance) is satisfied as long as the applicable Closing (Checklist) section of the Policies/Procedures is present/evident, as required by the:
Information & Communication component, “Uses Relevant Information” Principle, and the
Risk Assessment component, “Specifies Objectives with Sufficient Clarity and Relating to Objectives” Principle.
Attribute 4: Segregation of Duties (SoD) is in place. This Attribute is satisfied if such fraud risks as Management Override and Collusion are prevented by the Policies/Procedures disallowing the control owner or review manager from delegating the control authority/accountability to the process owner or JE processor, as required under the:
Risk Assessment, “Assesses Fraud Risks” and “Identifies and Analyzes Significant Change” Principles and
Control Activities, “Selects and Develops Control Activities” Principle.
Attribute 5: ITGC is effective. This Attribute is satisfied if the four domains (i.e., 1) Access Controls, 2) Change Management, 3) Computer Operations, and 4) Program Development) are assessed as effective (evidenced by test results) under the:
Risk Assessment, “Identifies and Analyzes Significant Change” Principle,
Control Activities, “Selects and Develops General Controls Over Technology” Principle, and
Monitoring Activities, “Conducts Ongoing and/or Separate Evaluations” Principle.
NOTE: 1) Access Controls and 2) Change Management are primarily concerned with SoD, also under the:
Control Activities component, “Selects and Develops Control Activities” Principle.
Once the applicable COSO Principles are present, as illustrated above, all the applicable Attributes will be satisfied, which means that the Control illustrated above will be effective in design.
NOTE: This is why the COSO Framework (2013) is widely accepted as the “criteria” (as in the Controls and Procedures section of a typical 10-K).
Assuming that every Principle is present (evidenced by Policies/Procedures and ITGC test results), all control Attributes would be met; then, the design of every ICFR will be effective, predicated on its mitigating the misstatement risk inherent in the underlying process within each financial reporting cycle of R2R, O2C, and P2P.
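As an added example (not the author’s own tool or template), the following Python encodes the design-effectiveness rule just illustrated: each Attribute of the Closing Control is mapped to the COSO 2013 Principles the text lists for it, a Segregation of Duties check is run over the Closing JEs, the four ITGC domains are checked, and the Control is effective in design only when no Attribute has a gap. The evidence record layout, the split of the Control Environment Principles between Attributes 1 and 2, and the sample journal entries are assumptions of this example.

```python
from dataclasses import dataclass, field

ITGC_DOMAINS = ("Access Controls", "Change Management",
                "Computer Operations", "Program Development")

# Attribute -> COSO 2013 Principles it relies on (as listed in the text; the A1/A2 split is assumed)
ATTRIBUTE_PRINCIPLES = {
    "A1 Control authorized in Policies/Procedures": {
        "Exercises Oversight Responsibility",
        "Establishes Structure, Authority, and Responsibility"},
    "A2 Manager competence in Roles and Responsibility": {
        "Demonstrates Commitment to Competence"},
    "A3 Checklist items and templates per US GAAP": {
        "Uses Relevant Information",
        "Specifies Objectives with Sufficient Clarity and Relating to Objectives"},
    "A4 Segregation of Duties": {
        "Assesses Fraud Risks", "Identifies and Analyzes Significant Change",
        "Selects and Develops Control Activities"},
    "A5 ITGC effective": {
        "Identifies and Analyzes Significant Change",
        "Selects and Develops General Controls Over Technology",
        "Conducts Ongoing and/or Separate Evaluations"},
}
ALL_PRINCIPLES = set().union(*ATTRIBUTE_PRINCIPLES.values())

@dataclass
class Evidence:
    """Walkthrough evidence for one control (record layout assumed for this example)."""
    principles_present: set   # Principles evidenced by authorized Policies/Procedures
    itgc_results: dict        # ITGC domain -> tested effective?
    closing_jes: list = field(default_factory=list)  # (G/L account, preparer, approver)

def assess_design(ev: Evidence) -> dict:
    """Return {attribute: [gap, ...]}; an empty list means the Attribute is satisfied."""
    gaps = {a: sorted(f"Principle not present: {p}" for p in need - ev.principles_present)
            for a, need in ATTRIBUTE_PRINCIPLES.items()}
    for acct, preparer, approver in ev.closing_jes:   # A4: reviewer must not be the JE processor
        if preparer == approver:
            gaps["A4 Segregation of Duties"].append(f"{acct}: prepared and approved by {preparer}")
    for d in ITGC_DOMAINS:                            # A5: all four ITGC domains must be effective
        if not ev.itgc_results.get(d, False):
            gaps["A5 ITGC effective"].append(f"ITGC domain not effective: {d}")
    return gaps

def design_effective(ev: Evidence) -> bool:
    """The rule in the text: effective in design only when every Attribute is satisfied."""
    return not any(assess_design(ev).values())

SAMPLE = Evidence(ALL_PRINCIPLES, {d: True for d in ITGC_DOMAINS},   # constructed evidence
    [("allowance for doubtful accounts", "acct_kim", "mgr_lee"),
     ("lease amortization (ASC 842)", "acct_kim", "acct_kim")])     # second JE is an SoD gap
```

With every Principle present and all ITGC domains effective, `assess_design(SAMPLE)` still reports the self-approved lease JE under Attribute 4, so `design_effective(SAMPLE)` is False until that delegation is removed.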
The Monitoring Activities Component Is Primarily the Internal(/SOX) Audit Team’s Accountability
For those ICFR designed effectively (as a result of the Walkthrough assessment and design gap remediation as necessary), operating effectiveness can be tested, and the results should be summarized, coupled with the design assessment results, on the RCM form to share with stakeholders for reporting and further (operating deficiency) remediation purposes.
As a result, every misstatement risk will now be adequately mitigated by the effectively designed/operated ICFR, which will have been properly certified by the CEO/CFO (under SOX 302) and attested by the external auditor (under SOX 404), meaning that the Company’s management will have concluded that their ICFR is “effective” with no MW, preventing a material misstatement from being included either in the F/S presented or in the footnotes disclosed.
Please also refer to my blog posts:
- “Inherent (Misstatement) Risk to Mitigate (by Control) Must Be Defined at an Assertion Level”,
- “Why SOX?”, or the summary of the SOX enactment background, and
- “What is SOX for?”, or the conceptual background of the SOX Act.