Blog

Inherent (Misstatement) Risk to Mitigate (by Control) Must Be Defined at an Assertion Level.

In order to assess whether a process-level (as opposed to an entity-level) internal control over financial reporting (ICFR) is “effective” (as in SOX 404), associated misstatement risk must be defined by Assertion (e.g., existence/occurrence, completeness, valuation/measurement, presentation/disclosure) and NOT by Account Balance/Amount Accuracy.

The Accuracy Assertion, if you will, is not specific enough to be a control objective, meaning that it is practically impossible to mitigate the risk of a balance/amount (or data, information, etc.) being “inaccurate” or “misstated” unless the root-cause of the inaccuracy or misstatement was identified.

In other words, in order to mitigate the “misstatement” risk, you would need to know what could possibly cause a potential inaccuracy: e.g., a fictitious sale (Accounts Receivable and Revenue that did not exist/occur), an unaccounted liability (Expense and Accounts Payable being incomplete), a fraudulent valuation (non-GAAP-compliant Valuation/Measurement), etc.

Let me demonstrate how critical it is to define a misstatement risk, clarifying relevant Assertions, below with an example.

An Illustrative Example of management’s improper Risk definition:

Upon issuing a sales invoice, management could define the Risk in such an improper way as:

Risk A: The journal entry (JE) of (Dr.) AR (Cr.) Revenue could be inaccurate. Or, even worse:

Risk B: Manager’s JE review is not properly in place.

Risk A is improper as it assumes that the Sale “Occurred” and the AR “Existed” and that the sales invoice was accurate; then, management would erroneously vouch to the invoice to validate the JE accuracy.

Risk B is wrong as it is a Control Risk, not a misstatement risk inherent in the underlying invoicing process.

Control Design Attributes Must Be Satisfied for the Control to Be Effective.

The Control Design Attributes are the criteria for an internal control over financial reporting (ICFR) to be “effective” (as in SOX 404).

Common Attributes are:

The authority (approved by the Board) is properly delegated to the control owner (e.g., review manager, etc.). (Note that the authority should not be delegated to non-manager staff or to personnel who are not part of management.)

The control owner manager is adequately competent to operate his/her ICFR (so that s/he can fulfill their accountability delegated).

The ICFR mitigates relevant Inherent (misstatement) Risk defined at an Assertion (e.g., existence/occurrence, completeness, valuation/measurement, presentation/disclosure) level.

Segregation of Duties (SoD) is in place.

ITGC is effective (if an IT(/IT dependent manual) control).

Each Attribute is required by relevant COSO (2013) Principles and typically satisfied if related entity-level controls (ELCs) are “present” (as in COSO) and evidenced by applicable Policies and Procedures (and Roles and Responsibilities for the Competence Attribute) unless the Attribute is concerned with a specific process and the evidence needs to back up the process specifically: e.g., each risk remediation at an Assertion level, SoD.

Note that the above discussion is applicable to preventive ICFRs and NOT to detective ones, which are not designed at a critical data-path, or Likely Source of Potential Misstatement (LSPM as in Auditing Standard No. 5), but at a point in time whenever management sees fit.

The Internal Control – NOT to Command People But to Reduce Risk: Control Risk – for External Auditor to Accept vs. Inherent Risk – for Management to “Control”

First, I would like to remind ourselves that the SOX Act is to the benefit of (public company’s) auditors.

After SOX, in case they are blamed for having been unable to detect a material misstatement in their audit of client’s financial statements (F/S), auditors effectively reserve the right to maintain that it’s management’s responsibility/accountability to prevent as well as detect the material misstatement (and not auditor’s).

Prior to SOX, an SEC-listed company’s auditor tended to get the blame for failing to detect a material misstatement as a result of their substantive testing (as part of audit procedures) to minimize Detective Risk as in the Combined Risk Assessment formula:

Inherent Risk x Control Risk x Detective Risk = Audit Risk;

i.e., The higher/lower the Control Risk, the higher/lower the Detective Risk (and the higher/lower the overall Audit Risk).

Note that Control Risk means the risk of controls being ineffective or the higher possibility of management failing to prevent misstatements from occurring, which is NOT a risk for the management BUT for the auditor (as part of Audit Risk) who has no option but to accept the risk as their audit assumption/reality, in response to which they have to plan the extent and timing of their substantive testing to “detect” misstatements.

In this regard, the detection through the (substantive) testing is not a CONTROL by definition, which is “to REDUCE the incidence or severity of” misstatements “especially to innocuous levels” (as in the Merriam-Webster’s definition of the transitive verb “control”), but rather a correction of (material) misstatements having already occurred.

Accordingly, when it is said, “it’s management … to prevent as well as detect … misstatement,” the detection should not be an internal control (although it tends to be considered a control in practice).

On the other hand, Inherent Risk is the misstatement risk (for internal controls over financial reporting (ICFR) to mitigate) that is “inherent” in the underlying process, which is part of a financial reporting cycle: e.g., Order to Cash (O2C), Procure to Pay (P2P), and the period-end financial reporting process of Record to Report (R2R).

To prevent material misstatements, therefore, management’s responsibility/accountability would be to:

  1. identify every critical data-path, or Likely Source of Potential Misstatement (LSPM, as in Audit Standard No. 5 (AS 5)), in the end-to-end (Transaction/)Process Narrative form for each of the cycles,
  2. define the misstatement risk inherent at every LSPM, clarifying F/S Assertions (i.e., Existence/Occurrence, Completeness, Valuation/Measurement, Presentation and Disclosure) (See para. 24 of AS 5 for Assertions.),
  3. design ICFR (at LSPM) to mitigate the misstatement risk with control Design Attributes, which, if satisfied, would validate relevant Assertion(s) and, therefore, are considered to be prerequisites for the control effectiveness,
  4. (have internal audit conduct Walkthrough to) assess whether ICFR are designed to adequately mitigate the inherent, misstatement risks so as to prevent misstatements by obtaining (from management/control owners) the evidence of the design effectiveness (and test operation effectiveness for the controls effectively designed),
  5. summarize the design-assessment/test-results in Risk Control Matrices, and
  6. remediate ineffectively designed/operated ICFR (i.e., design gap/operation deficiency) if any.

These steps are the best practice that an SEC-listed company should exercise to design effective ICFR.

Don’t Try to Control Processes/Journal Entries; Instead, Try to Control Misstatement Risks.

When talking about Internal Controls over Financial Reporting (ICFR), there are too many accounting managers and SOX professionals, whether they are the 1st, 2nd, or 3rd line of defense, who are conceptually mistaken and keep trying to “control” processes to ultimately produce journal entries (JEs), instead of trying to control and mitigate misstatement risks inherent in the processes (to produce JEs).

Generally speaking, an ICFR is not supposed to make the financial statements (F/S) absolutely accurate but is supposed to make the F/S free from material misstatements per US GAAP.

Particularly at a (financial reporting/FR) process/transaction level, the ICFR is not supposed to control/design the underlying process (let alone a thought process) or the outcome thereof (i.e., journal entries (JEs)).

It is, instead, supposed to be designed to mitigate a misstatement risk (i.e., the root cause for a potential misstatement, or Likely Source of Potential Misstatement (LSPM) as in Audit Standard No.5 (AS 5) guided by SEC) inherent in the underlying process adequately: i.e., to a material extent.

Let’s take a material “estimate” (on the balance sheet) as an example.

Nowadays, auditors almost always identify their client’s material estimate as a Critical Audit Matter, the design effectiveness of the control over which is said to be evaluated, instead of being substantively tested and concluded that the estimate is materially accurate.

That needs to be the case because the (estimated) balance, or a JE, is “estimated,” or valued/measured, by the company management using the assumptions and underlying data that inevitably require the management Valuation/Measurement (as in the financial statement Assertions under AS 5) (to say “the current economy is booming or in recession, and interest rates will rise or decline by this much,” etc.).

As auditors cannot substantively test the accuracy of the estimate, all they can do is test/assess the design effectiveness of the management’s internal controls to mitigate the risks of mis-valuation/measurement of the assumptions and underlying data so as not to misstate the estimated balance.

(Note that auditors cannot conclude whether the assumptions or underlying data are accurate, either, because those are management’s “discretion”.)

As you can see here,

the management’s coming up with the JE is NOT a control

but a “process,” or processing the underlying data under the assumptions (determined by the management using their discretion).

The controls’ design effectiveness that the auditors are supposed to assess is “whether it can mitigate the risk of misstating the Valuation/Measurement (assertion) of” each data assumption (e.g., a higher/lower interest rate under inflation/deflation, etc.), supporting the outcome JE, under applicable US GAAP.

In other words, the auditors can test the estimated balance for material reasonableness by applying US GAAP (e.g., a level 3 fair market value using the Discounted Cash Flow method) only after they have concluded that the assumptions and underlying data are reasonable or not materially mis-valued/measured.

For example, the (misstatement) risk and the associated control, which the management needs to design and which the auditor can assess the effectiveness of, should look like this:

The Risk: The (FMV) balance is overvalued.

(Note that the relevant assertion is Valuation and not “accuracy,” which should not be considered an assertion in any case as “asserting accuracy (of the financial statements)” is the whole point of CEO/CFO certifying under SOX 404a, and in order to support the overall accuracy, the management assertion (of each caption of, or each critical data-path in a process flow to, the financial statements) should be more specific or should assert “how accurate” in such terms/assertions as Existence/Occurrence, Completeness, Valuation/Measurement.)

The Control: Authorized Manager reviews and approves the fair market value (FMV) balance prepared by personnel in charge.

The associated Control Design Attributes should be;

Control Attribute 1: The review Manager’s competence is adequate, which is authorized by the BoD (in such a written form as Roles and Responsibilities as part of the company’s Policies and Procedures).

Control Attribute 2: The assumption used to calculate the FMV is determined in accordance with the company’s Policies/Procedures.

Control Attribute 3: The discount rate used for the FMV is determined in accordance with the Policies/Procedures.

Note that the Control example above is a manual, detective one and that, if there was an error/misstatement in the (processing of) assumptions and/or underlying data, the detected error/misstatement would repeat (in the subsequent periods) unless the root-cause of the error, in the process, was rectified.

So, it may be a good idea to automate the Control to prevent the (potential) misstatement.

Pay attention to the term “automatically” below, and note that, in order to design the IT Control that allows the system to “automatically” compute the FMV (in this example), the assumptions/underlying-data must have been already “reasonably valued/measured”.

The IT Control: The system “automatically” computes the FMV, by referring to the relevant assumptions and discount rates within the system.

This Control design will be effective, assuming that all the relevant control design attributes (as listed below, similar to the Control Design Attributes 1 to 3 above) are satisfied;

The IT Control Attribute 1: The company’s ITGC is effective.

The IT Control Attribute 2: The IT Control is authorized by the BoD explicitly in the company’s Policies and Procedures.

The IT Control Attribute 3: The assumption input in the system (used for the FMV) had been approved by the authorized Manager.

The IT Control Attribute 4: The discount rate in the system had been approved by the authorized Manager.

Again, do not try to “control” a process of financial reporting (that flows ultimately into a JE);

Instead, design a control to mitigate a misstatement risk (with Assertions) inherent in the underlying (financial reporting) process.

Consider SOX 302 from the “Top-Down (Risk-Based) Approach” Perspectives

Let me put what’s called the “top-down (risk-based) approach” into perspective at an entity level.

According to SOX 302,

A reporting company’s CEO/CFO shall certify that:

a.4 “… the signing officers —

A) are responsible for establishing and maintaining internal controls;
B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared….”

Here, a listed company’s CEO/CFO are required to design internal controls in such a way that the company’s material information “is made known to” them “by others within those entities.”

This means that the CEO/CFO, who must have been authorized by the Board of Directors on the responsibility (for establishing/maintaining internal controls), shall delegate the authority to the members of their management team, who are in turn accountable for the responsibility (for designing, establishing, and maintaining such internal controls).

On Management Override

Why do the signing officers (i.e., the CEO and CFO) need to delegate the authority to the members of the management team?

The answer is;

in order to prevent “management override.”

meaning that;

As they are the “top” management/authority, who are authorized by the Board of Directors (BoD), the CEO/CFO would be technically able to abuse the power/authority, if retained or if not delegated to subordinate managers.

In other words;

The control authority/ownership shall be delegated by the signing officers to the “others,” or the management team, “within those organizations” in order to prevent the CEO/CFO’s “management override” of the internal controls, which would have been otherwise effectively designed and owned by the management team.

The accountability is the flip side of the authority (delegated “top-down”)

The authority/accountability relationship within the consolidated entities is the key concept of the “top-down approach” at an entity level.

Under the COSO framework, which requires a proper oversight by the BoD, the authority (of the responsibility above) should be explicitly given by the BoD first to the CEO and then to CFO.

And the subsequent authority/accountability delegations (i.e., the “top-down”) should be clearly described in each group company’s Policies and Procedures, or more specifically, the Roles and Responsibilities that describe each manager’s roles and responsibilities.

Managers’ “Competence” to Own Internal Control Activities

The Roles and Responsibilities should be authorized by the BoD, which fulfills their proper oversight as dictated by the COSO framework.

And this (entity-level) “top-down” authority/accountability delegation is the backdrop of the top-down (control/SOX) audit approach at a process level as I explain here.

(Refer to para. 21 of AS 5 about the top-down approach from auditors’ perspectives.)

(Why also the risk-based approach at an entity level? Because, per COSO Principles, risk-assessment/control authorities must be delegated first from the oversight body (i.e., the BoD or the top) to management, and then further to junior manager levels, who in turn are accountable for the risk-assessment and THEN for controls to effectively “control” the risks (thus, the “risk-based”). Refer to the same post as above for more about the risk-based approach at a process level.)

Remember that, in the context of the SOX 302 requirements, a listed company’s management, as a team, shall make known to the CEO and CFO how the material information of the company’s financial statements is ensured to be accurate.

In other words, under SOX 302, the company management shall organize the management team, under the COSO framework and the BoD’s proper oversight, in such a way that their internal controls are sure to mitigate associated misstatement risks (to a material extent) and shall be accountable, to the CEO/CFO, as to how they have designed, established, and maintained such “effective” (as in SOX 404) internal controls.

And this is part of the reason why one of the control attributes (or control objectives) of a management review control should always be;

The review manager’s review (or approval) “competence” is authorized by the BoD and is explicitly specified, in the Roles and Responsibilities, to be “effectively” sufficient for the competent review/approval. (See this blog post for an example of such an approval competence described as a control attribute.)

For further discussion, please refer to my blog post here.

Please also refer to my blog posts for “Why SOX?” or the summary of the SOX enactment background and “What is SOX for?” or the conceptual background of the SOX Act.

To Start Designing Controls over Lease Accounting (ASC 842)

To start designing preventive controls over Lease Accounting under ASC 842, management would first need to identify an LSPM at the “OpEx. vs CapEx” determination process (i.e., whether a vendor invoice should be expensed or capitalized) in the three-way match controls.

An example of the LSPM would be such that;

LSPM 1: “A (long-term) leased asset (as defined under ASC 842) could be improperly expensed (without accounting for corresponding ROU (Right of Use) assets and lease liabilities).”

Then, an example of the control mitigating related risks (of the understatement of the assets and liabilities) would be;

Control 1: “Upon a three-way match, or an AP journal entry, the system prevents the AP entry from being made, and raises an alert on the flag attached to the related contract if it has been indicated and flagged as a lease (under ASC 842).”

Control 1-2: “Upon the three-way match of a lease/rent supplier invoice, which is flagged as a lease in the system, Authorized Manager makes a tentative, manual journal entry (of Dr. Expense / Cr. AP) and keeps the flag for their subsequent update per ASC 842 (at monthly closing as part of the Record to Report cycle).”

Then, at the month end, the JE (of Dr. Expense / Cr. AP) should be reversed as;

  • (Dr.) ROU Assets xxx (Cr.) Lease Liabilities xxx
  • (upon cash payment)
  • (Dr.) AP xxx (Cr.) Cash xxx

Note that this Control 1-2 should be exercised using a proper template that lists required control attributes, per ASC 842, such as, among other things (in order to determine the balance of the ROU assets and lease liabilities);

  • What is the lease term?
  • What are the lease payments?
  • What is the discount rate?/How is the rate determined?
  • What is the fair value (of the underlying asset)?

Naturally, prior to the control (and LSPM 1), another LSPM would need to be such that;

LSPM 0: “A (long-term) lease/rent contract could fail to get identified as a lease (under ASC 842) when signed/authorized.”

An example control associated with LSPM 0 should look like;

Control 0: “Authorized Manager determines whether or not each lease/rent contract entered into is a lease under the definition of ASC 842, and indicates as such, in the contract management system, by flagging.”

Similarly to Control 1, Control 0 should be exercised with a template to go over the items to identify a lease (as described in ASC 842) such as;

  • There is a specifically identified asset.
  • The supplier does NOT have a substantive substitution right.
  • The company/management has the right to obtain substantially all of the economic benefits from use of the asset.
  • The management has the right to direct the use of the asset.

Control 0 would properly set up the program, in the system, which lays the ground for Control 1, restricting that only Authorized Manager can post the lease asset/liability/expense journal entries as dictated by ASC 842.

How to Design Effective, Preventive Controls

To achieve robust, “effective” (as in SOX 404) internal controls and related best practices in light of COSO (2013), SOX, and US GAAP/IFRS, etc., I would employ the top-down, risk-based (audit) approach, as guided by SEC/PCAOB per Audit Standard No. 5 (AS 5) not only at an entity level but also at a process level.

Otherwise, external auditors would never be satisfied and keep finding control deficiencies (even if they issued their clean, unqualified opinion on company’s controls under SOX 404). They would do so unless management eliminated potential audit adjustments, or frankly, errors/misstatements.

To avoid such an error or misstatement, the company has to design preventive controls (as opposed to detective controls) at every critical data-path, or Likely Source of Potential Misstatement (LSPM as in AS 5) within each transaction cycle: i.e., (Vendor Management/)Procure to (Inventory/Fixed Assets/Payroll to Accounts Payable to) Pay (P2P), (Customer Credit Management/)Order to (Accounts Receivable to) Cash (O2C), and Record/Closing to Report (R2R).

Detective controls are, in nature, to detect errors/misstatements (which have already been recorded in ERP through a critical data-path) to correct. Unless related preventive controls (which oftentimes can be automated) are in place to prevent any errors/misstatements, the errors are to recur (to be detected and corrected) every year.

To satisfy the auditor and ultimately the Audit Committee (AC)/Board of the Directors (BoD), the management needs to put preventive controls at each critical data-path so that it can eliminate the possibility of, or prevent, any potential (material) misstatements.

To mitigate their Audit Risk, the auditor would never take the control reliance approach unless management has adequately mitigated (or controlled) misstatement risks or prevented potential, material misstatements.

The trick is that neither the auditor nor the BoD, or the “oversight” body (as in COSO), would specifically advise/instruct the company management on how to design and operate preventive controls.

Design Preventive Controls in line with the Top-Down, Risk-Based (Audit) Approach

By employing the top-down, risk-based approach, at a process level (i.e., at the P2P/O2C/R2R transaction level), I would ultimately design preventive controls (to rectify/mitigate the root-cause of a potential misstatement) at every LSPM, so that the company can provide the auditor with good reasons to believe that management’s controls are in fact so “effective” (as in SOX 404) as to take the control reliance approach.

(Note that, complying with COSO Principles at an entity level, control authorities must be delegated to management by the oversight body, through authorized Policies and Procedures (and Roles and Responsibilities), and further to junior manager levels, who in turn are accountable for the effective controls to be adequately put in place. See this post for more details on this.)

At a process level, misstatement risks should be defined at each LSPM (hence the “risk-based”) first at the financial statement caption level (i.e., the top), and then the risks should be broken down to the general ledger (G/L) level, further to the sub-ledger level, and finally to the transaction initiation level (hence the “top-down”).

(Refer to para. 21 of AS 5 about the top-down approach from auditors’ perspectives.)

The key here is for the company to identify all the critical data-paths (i.e., LSPM), not more or less than necessary, in each of the process cycles.

(For more common mistakes observed in practice of identifying LSPM’s, refer to my blog posts here and here.)

This is literally “critical” because redundant (or not critical) data-paths, if identified, would confuse and allow the company management to come up with redundant misstatement risks; thereby misleading them to design redundant internal controls (to attempt to mitigate the redundant risks).

For example, “setting up budgets” is not an LSPM because it will not affect the financial statements; i.e., regardless of how much actual results diverge from the budget, management must report the actual results.

For more common mistakes observed in practice concerning controls, refer to my blog post.

Next, take another LSPM example, which is not necessarily redundant but pertains to a detective control, such as;

LSPM 0: “In preparing the AR Aging report, Accountant could overlook a customer account, whose AR outstanding balance has exceeded its credit limit authorized by the BoD, and fail to post a bad debt expense for the overage.”

Key Risk 0: an overstatement of (Dr.) AR (Cr.) Sales with assertions being Existence/Occurrence (or, an understatement of (Dr.) Bad Debts (Cr.) Allowance For Doubtful Accounts with assertion being Completeness).

The hypothetical control to mitigate the Key Risk 0, as an example, may be such that;

Control 0: Detective, IT Dependent Manual –

“Accounting Manager reviews and approves the bad-debts/AFDA entries as of a balance sheet date.”

The Control Attributes (or Control Objectives) should be;

Attribute 1 – The Manager’s bad-debts/AFDA approval is authorized by the BoD in the Policies and Procedures and the Manager’s review competence is authorized (by the BoD) in the Roles and Responsibilities.

Attribute 2 – In his/her review (for the approval), the Manager validates the accuracy of the supporting data set: e.g., the credit limits/AR Aging, processed by the system/ERP as authorized, properly in the correct period.

In order to improve the Control 0 and replace it with a preventive, automated control, I would ask myself as to what misstatement risk needs to be mitigated.

The risk is clearly Key Risk 0 above.

Then, I would move on to clarify as to what the critical data-path (LSPM) will be when I want to automate to “prevent” the data error in the period-end bad-debts/AFDA entries.

The critical data-path would be the data-processing on the periodic bad-debts/AFDA entries at the balance sheet date, and the hypothetical LSPM 1 could be such that;

LSPM 1: “Upon fulfilling required ‘performance obligations (as in ASC 606)’ (and issuing an invoice, which is configured to automatically post an AR/Sales entry, for the amounts of the agreed-upon price times incurred hours (in case of a service agreement) in the ERP), Revenue Accountant could input (in the ERP) the sales amounts (for a customer), which would marginally exceed the credit limit as a result of the reciprocal AR outstanding surpassing the limit.” (The corresponding misstatement risk is the same as the Key Risk 0.)

The LSPM 1 specifically pertains to the “collectibility” element in the “identify the contract” step under ASC 606.

Accordingly, an example of key automated control at the LSPM 1 should be such that;

Control 1: Preventive, Automated – “The sales ledger automatically:

  1. refers to the customer database and verifies the invoice amounts not causing the AR outstanding (including the invoice) to exceed the customer’s (authorized) credit limit, and
  2. if exceeded, the system/ERP posts a bad-debt/AFDA entry for the amount of the overage.”

Attribute 1 – ITGC (IT General Controls) is tested and concluded to be effective.

Attribute 2 – The automated bad-debts/AFDA approval (and the posting) is authorized in Policies and Procedures.

Attribute 3 – The system is properly configured to refer to the correct customer in the customer database.

Attribute 4 – In case of the overage, the system is properly configured to post the correct amounts and accounts.

As a result, I would make the (preventive, automated) Control 1 be the Key Control (for the Key Risk 0) and the (detective, (IT-dependent) manual) Control 0 be a Compensating Control (if necessary).

(Note that, in this example, the Control 1 focuses on the collectibility element and that there are other factors (e.g., pricing, quantity/hours definitions, the descriptions of performance obligations, etc.) in the “identify the contract” step to satisfy the ASC 606 revenue recognition requirements.)
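The preventive Control 1 above can be sketched in code as follows. This is an added example, not taken from any ERP or from the original post: the `Customer`, `JournalEntry` and `post_invoice` names are hypothetical, the customer data is constructed, and it assumes that only the incremental overage caused by each invoice is reserved, so that an account already over its limit is not reserved twice.

```python
from dataclasses import dataclass
from decimal import Decimal

ZERO = Decimal("0")


@dataclass
class Customer:
    credit_limit: Decimal    # limit authorized in Policies and Procedures
    ar_outstanding: Decimal  # open AR balance before the new invoice


@dataclass(frozen=True)
class JournalEntry:
    debit: str
    credit: str
    amount: Decimal


class UnknownCustomer(Exception):
    """The invoice cannot be tied to a record in the customer database."""


def post_invoice(customers, customer_id, amount):
    """Post an AR/Sales entry and, if the credit limit is exceeded,
    a bad-debt/AFDA entry for the overage (Control 1, steps 1 and 2)."""
    # Attribute 3: the lookup must hit the correct customer record.
    # Fail closed rather than posting against a default or missing record.
    if customer_id not in customers:
        raise UnknownCustomer(customer_id)
    if amount <= ZERO:
        raise ValueError("invoice amount must be positive")

    cust = customers[customer_id]
    before = cust.ar_outstanding
    after = before + amount

    entries = [JournalEntry("Accounts Receivable", "Sales", amount)]

    # Step 1: compare AR outstanding (including this invoice) with the limit.
    # Assumption: reserve only the part of the overage this invoice adds.
    overage = (max(ZERO, after - cust.credit_limit)
               - max(ZERO, before - cust.credit_limit))

    # Step 2 / Attribute 4: post the overage to the correct accounts.
    if overage > ZERO:
        entries.append(
            JournalEntry("Bad Debts", "Allowance for Doubtful Accounts", overage)
        )

    cust.ar_outstanding = after
    return entries


def demo():
    """Three constructed invoices against a 10,000 limit with 9,000 open AR."""
    customers = {"C-100": Customer(Decimal("10000"), Decimal("9000"))}
    return [post_invoice(customers, "C-100", Decimal(a))
            for a in ("600", "700", "200")]


if __name__ == "__main__":
    for batch in demo():
        for je in batch:
            print(f"(Dr.) {je.debit} (Cr.) {je.credit} {je.amount}")
```

The unknown-customer and non-positive-amount checks are the testable counterparts of Attributes 3 and 4: a walkthrough can exercise them directly instead of inferring them from posted entries.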

As illustrated above, we should be able to design “effective,” preventive controls (to control “how to process” the data) by identifying the root-cause of a potential misstatement, or an LSPM, at every critical data-path within each cycle as opposed to detective controls (to directly/substantively “control” data), which simply correct misstatements.

The Secret of Accounting Team’s Success

Template, template, template.

Here, let me talk about auditor’s redundant work, which would cause an extra audit cost, outside their control audit, or about/inside their substantive audit.

Let’s say, your auditor wants to test your fixed assets, particularly the existence assertion of fixed assets. Then, they would request you to prepare a fixed asset rollforward schedule, wouldn’t they?

What would you do, between the two options below, to respond to the request?

Option 1 – You prepare the rollforward schedule for yourself, or

Option 2 – You would have your auditor prepare the rollforward schedule.

Either way, you would incur extra time or cost to “prepare” the rollforward schedule……

UNLESS you already have your fixed asset rollforward schedule prepared.

The Best Practice

There you go. If you want to avoid extra time or cost for your auditor’s substantive audit (i.e., their auditing numbers substantively as opposed to their auditing internal controls), you should have prepared the schedule for each significant general ledger (G/L) account when closing the G/L accounts.

This (best) practice must be given a special consideration as you wouldn’t typically need to prepare the fixed asset rollforward schedule during your G/L account closing.

(Note that a fixed asset account, e.g., building (cost), etc., does not account for acquisitions or disposals separately; i.e., the building (cost) “G/L” account does not list every building under the G/L account code, unlike the fixed asset subledger.)

(Therefore, in order for you to know what specific buildings were acquired, if any, or disposed, if any, during a certain period, you will need to look into the fixed asset subledger, and for your auditor to know the same information, they will need the rollforward schedule, which lists the building cost G/L account by each category of the acquisitions and the disposals.)

(And that’s why you would want to use your own fixed asset rollforward schedule, which will be shared with your auditor, when closing the fixed asset G/L account in order to ensure your closing the account is accurate and will not cause any audit adjustment.)

The Templates as an Effective Entity Level Control

When considering the best practice as an accounting team, it will be ideal if the schedule is in the form of a template.

Also note that the practice for the accounting team to prepare the audit-ready templates would be considered a good, effective Entity Level Control.

That is because team members differ from one another in their competency to understand what auditors are really requesting; accordingly, the template for each G/L account will be an effective and efficient enabler tool with which every member can easily understand what’s necessary to close all the G/L accounts accurately, by simply populating each column, following the thought process of the particular template, until the entire template is complete.

As part of an accounting management team, whether you are Controller, Director, or Manager, you can share the template (as a practice of knowledge sharing) with your subordinates so that every team member is on the same page during the periodic G/L closing and nobody needs to spend extra time for internal and/or external audit purposes.

That is the secret of a successful accounting team.

The Operating Lease Accounting Template – Example

For example, an Operating Lease accounting template, with a roll-forward/amortization schedule (for each lease contract entered into), may list a step-by-step procedure, per ASC 842, in an Excel format as follows:

  1. Recognize the Initial Lease Liability, which is the present value of any future lease payments, excluding the first payment made (as it’s not a “future” payment).

  2. Recognize the Initial Right-of-Use (ROU) Asset, which is the sum of:

     • The Initial Lease Liability
     • Lease payments made before the start date of the lease
     • Initial direct costs
     • Less lease incentive received

  3. Recognize the first payment made in Cash (at commencement).

     (Accordingly, the initial JE above tends to be:

     (Dr.) ROU Asset – Operating

     (Cr.) (Prepaid) Cash

     (Cr.) ST/LT Liabilities – Operating (the Present Value of all the remaining future payments))

     Note that, as rent is typically paid on the first day of each month (or lease term/period), the initial payment is usually considered to be prepaid (for the month).

  4. Prepare an amortization schedule for each lease for the monthly JE’s to close the ROU asset and lease liabilities G/L accounts at each month end.

     The calculated JE for an operating lease:

     (Dr.) Amortization of the lease liability (for the current month), measured using the effective interest method = The lease payment (for the month) – the amount of interest accrued (for the month)

     (Dr.) Monthly straight-line lease expense = The lease liability (on Day 1) / the number of months in the lease term

     (Cr.) Change in accumulated amortization of the ROU asset = Monthly straight-line lease expense – the interest accrued (for the month)

     (Cr.) Accounts Payable (for the following month’s lease payment)
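The following is an added example, not part of the original post, covering the initial recognition and the effective-interest amortization of the lease liability from the steps above. The lease terms are constructed, and it assumes a monthly rate of the annual rate divided by 12 and that initial direct costs and the incentive settle in cash at commencement.

```python
def initial_recognition(payment, months, annual_rate, direct_costs=0.0, incentive=0.0):
    """Return (liability, cash, rou) for the commencement-date JE."""
    r = annual_rate / 12  # assumption: monthly rate is the annual rate / 12
    # Liability = PV of payments 2..N; payment 1 is made at commencement,
    # so it is not a "future" payment and is excluded.
    liability = round(sum(payment / (1 + r) ** k for k in range(1, months)), 2)
    # Assumption: first payment, direct costs and incentive all settle in cash.
    cash = round(payment + direct_costs - incentive, 2)
    rou = round(liability + cash, 2)  # Dr. ROU = Cr. Cash + Cr. Liability
    return liability, cash, rou


def liability_schedule(payment, months, annual_rate):
    """Effective-interest roll-down: rows of (month, interest, reduction, balance)."""
    r = annual_rate / 12
    balance = sum(payment / (1 + r) ** k for k in range(1, months))
    rows = []
    for month in range(1, months):
        interest = balance * r            # interest accrued for the month
        reduction = payment - interest    # amortization of the lease liability
        balance -= reduction
        rows.append((month, round(interest, 2), round(reduction, 2), round(balance, 2)))
    return rows


if __name__ == "__main__":
    # Constructed lease: 12 monthly payments of 1,000 in advance, 6% annual rate.
    print(initial_recognition(1000, 12, 0.06, direct_costs=200, incentive=50))
    for row in liability_schedule(1000, 12, 0.06):
        print(row)
```

A reviewer can reperform the schedule by confirming that the initial entry balances and that the liability reaches zero after the last payment.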

By following the step-by-step procedures (as exemplified using the Operating Lease accounting per ASC 842 above), the Accountant should be able to calculate the amount for each asset/liability and present the calculation schedule on a spreadsheet, which enables the Review Manager to verify that the calculations and resulting JE’s are accurate (per the relevant ASC’s) as s/he checks the related check boxes on the Closing checklist.

Neither the Delegation of Authority/Accountability Nor the Segregation of Duties Is a Control by Itself.

From my professional experience, I have found quite a few companies prefer to prepare a certain kind of matrix, or a listing, of the Delegation of Authority/Accountability as part of the evidence that such Delegation of Authority/Accountability is in place across the organization for their internal control assessment/testing purposes.

However, such a matrix/listing would be redundant because the Delegation of Authority/Accountability itself is NOT a control but something that must be reflected in designing each internal control, often as part of each control owner’s competence.

In other words, each internal control must be designed to reflect the fact that proper Authority (and Accountability as the flip side of the Authority) is delegated to the control owner (and that the control owner is competent enough to be “delegated”).

Accordingly, the Delegation of Authority/Accountability factor of each internal control should be effectively and efficiently discussed on the Risk Control Matrix (RCM) (instead of the matrix/listing of the Delegation of Authority/Accountability).

For example, let’s say a company wrongly designs such an internal control as “Senior AP Accountant approves a wire cash disbursement batch (on the bank’s web-portal which lists the payments due input by AP Accountant).” (Note that the description of “the bank’s web-portal which lists the payments due input by AP Accountant” is a critical data-path or an LSPM (Likely Source of Potential Misstatement). See my blog post here.) And let’s further assume that the company included a related delegation of the approval authority (from AP Manager to Senior AP Accountant) on the Delegation of Authority(/Accountability) Matrix somehow.

The problem with the hypothetical control and the Matrix above is that, first and foremost, the approval authority should not be delegated to a non-manager.

Oftentimes, however, people are somehow easily confused and wrongfully conclude that the control should be effective simply because, on the face of the Delegation of Authority Matrix, the approval authority appears to be delegated from AP Manager to Senior AP Accountant.

In this example, a correct control should be something like, “AP Manager approves a wire cash disbursement batch on the bank’s web-portal.”

Also, the company should clearly define the AP Manager’s (delegated) approval authority (and accountability) in their Roles and Responsibilities document, which must have been “authorized” by the Board of Directors (instead of such a Matrix as illustrated above).

Then, the Delegation of Authority/Accountability, or the part of the design, of the control is effective as the company’s AP Manager (i.e., the control owner) is adequately competent to such an extent that the proper approval authority has been delegated to him/her, which is evidenced by the Roles and Responsibilities.

The same is true about the Segregation of Duties (SoD).

Listing SoD’s by control would be redundant, or wouldn’t provide a meaningful piece of information; instead, the SoD should be factored in when designing each internal control.

Using the same example control mentioned above, it is clearly redundant to list the fact that the SoD is accomplished between AP Manager and AP Accountant, which must be assessed as part of the Test of Design, or Walkthrough, anyway.

If AP Manager input the payments due data and at the same time approved the data, the design of such a control would be ineffective and deficient due to breaching the SoD principle.

In other words, discussing the SoD by itself would not directly provide the conclusion as to whether a related internal control is effective or not; i.e., the SoD is just one of the control attributes that must be analyzed to assess the effectiveness of the control in question: e.g., “AP Manager approves a wire cash disbursement batch.”

That is why I said that listing SoD’s (by control) would lead us nowhere but redundancy.

The critical data-path for the Record to Report cycle is always “Posting journal entries to the G/L.” (e.g., ASC 842 Lease)

People tend to think that there are so many complicated topics and issues to “control,” under accounting standards, to ensure that related accounting treatments are put in place and to achieve financial reporting compliance under those standards.

The reality is, however, we should not be overwhelmed with any of the complications related to any of the accounting standard topics/issues when it comes to the Record to Report cycle because there is only one critical data-path, or Likely Source of Potential Misstatements (LSPM) as in Auditing Standard No. 5 guided by PCAOB/SEC, within the RtR cycle; i.e., posting journal entries to the general ledger (G/L).

There are only two types of journal entries posted to the G/L; i.e., either subledger journal entries simply transferred to the G/L or manual journal entries directly posted to the G/L.

And a control over each of those two types (of journal entry posting to the G/L) is:

  1. ERP automatically posts the journal entries on the subledger to the G/L or
  2. An authorized manager (whose duty should be segregated from the personnel who created/posted the journal entries to the G/L) reviews each manual journal entry for appropriateness under applicable accounting standards.
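The two posting controls above, together with the authority and SoD attributes discussed for the wire-approval example, can be checked mechanically against a posting log. The following is an added example, not part of the original post; the user names, the ERP service account, the reviewer list and the sample postings are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

ERP_ACCOUNT = "svc_erp"               # hypothetical ERP service account
AUTHORIZED_REVIEWERS = {"mgr_sato"}   # constructed extract of Roles and Responsibilities


@dataclass(frozen=True)
class Posting:
    je_id: str
    source: str                        # "subledger" or "manual"
    posted_by: str
    reviewed_by: Optional[str] = None


def review_exceptions(postings, reviewers=AUTHORIZED_REVIEWERS):
    """Return (je_id, reason) for every posting that fails a design attribute."""
    findings = []
    for p in postings:
        if p.source == "subledger":
            # Control 1: the transfer is automated, so a human poster is an exception.
            if p.posted_by != ERP_ACCOUNT:
                findings.append((p.je_id, "subledger transfer not posted by ERP"))
            continue
        # Control 2: a manual entry needs a sign-off ...
        if p.reviewed_by is None:
            findings.append((p.je_id, "no reviewer sign-off"))
            continue
        # ... from a reviewer with delegated authority ...
        if p.reviewed_by not in reviewers:
            findings.append((p.je_id, "reviewer lacks delegated authority"))
        # ... whose duty is segregated from the person who posted the entry.
        if p.reviewed_by == p.posted_by:
            findings.append((p.je_id, "reviewer also posted the entry (SoD)"))
    return findings


# Constructed sample postings for one close period.
SAMPLE = [
    Posting("JE-001", "subledger", "svc_erp"),
    Posting("JE-002", "manual", "gl_acct_lee", "mgr_sato"),
    Posting("JE-003", "manual", "gl_acct_lee", "sr_acct_park"),
    Posting("JE-004", "manual", "mgr_sato", "mgr_sato"),
    Posting("JE-005", "manual", "gl_acct_lee"),
    Posting("JE-006", "subledger", "gl_acct_lee"),
]

if __name__ == "__main__":
    for je_id, reason in review_exceptions(SAMPLE):
        print(je_id, reason)
```

A clean result only evidences the sign-off, authority and segregation attributes; the reviewer's competence still has to be assessed through the Walkthrough.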

So, where do all those complicated factors for the accounting standard compliance go?

They are NOT controls but control attributes, or control objectives.

Let’s take Lease Accounting (ASC 842) for example.

Such a process as “G/L Accountant ensures that lease expenses are adequately ‘measured’ (as in the Valuation/Measurement assertion) in light of the related accounting standard or ASC 842.” is NOT a control.

That is because

  1. the G/L Accountant is not a manager; i.e., his/her competence has not been approved; thus, the control authority is not delegated to him/her and s/he cannot be the control owner, or accountable, and that
  2. the competence to “ensure that lease accrual … are adequately valued (under) ASC 842” is a control Design Attribute (and it’s not the control itself).

The control over the LSPM (say, “G/L Accountant could accrue for the lease expenses inadequately (assertion: Valuation/Measurement) under ASC 842 in creating related manual journal entries posted to the G/L as of the balance sheet date.”, etc.) should be simply:

“Accounting Manager reviews the lease expense for adequate measurement.”, etc.

The example control above satisfies that

  1. the proper authority must have been delegated to the Accounting Manager (because s/he must be competent enough to review the adequacy of the lease expense measurement; thus, s/he is the manager and accountable; with her/his duty being segregated from the G/L Accountant) and that
  2. the control should mitigate the Valuation/Measurement risk and prevent the potential misstatement that could have a non-compliance against ASC 842.

The key here is the competence.

The competence Attribute must be thoroughly considered in delegating the control authority to the control owner manager.

In this example, the control owner, the “Accounting Manager,” must be competent enough to conclude and defend the company’s position as to why not only the lease expense but also the lease liability (as well as the ROU (Right Of Use) asset) is deemed properly measured/valued under ASC 842.

The competency attribute must be tested as part of the control test of design (ToD), or Walkthrough, to conclude that the control Design Attribute of the competence is satisfied to such an extent that the Accounting Manager’s sign off, to approve the lease expense and accrual (e.g., deferred rent) journal entries, can sufficiently evidence (as properly authorized by Policies and Procedures) the compliance with ASC 842. (Note that, once the Design Attribute has been concluded to be satisfied through the Walkthrough (ToD), the test of operating effectiveness (TOE) on the review control would be to vouch to the Manager’s sign off.)

Here, such a comment as “The Accounting Manager has a CPA license and long history of being Lease Accounting Manager at the company.”, etc. would NOT suffice as such an “assessment” is too discretionary and does not assess the competence to specifically address the subject matter: i.e., discussion points under ASC 842 such as

1) whether the lease is operating or finance, and

2) how much the ROU asset is (in addition to the lease liability on the balance sheet).

One (or more) of the testing method(s) can be a tester’s

  • inquiry (of the Manager specifically about the accounting topic),
  • observation (of the Manager’s review extent, criteria, etc.), and/or
  • reperformance (of the Manager’s review to see if the tester can reach the same conclusion as the Manager’s, to approve the journal entries to be reasonable).

Typically, the Manager would use a kind of checklist, template, etc. to validate that the construction of the journal entries (e.g., to determine the balance of the ROU asset, etc.) was compliant with the relevant GAAP (ASC 842):

  1. What is the lease term?
  2. What are the lease payments?
  3. What is the discount rate?/How is the rate determined?
  4. What is the fair value (of the underlying asset)?

To reiterate,

“to ensure the compliance with an accounting standard” can NOT be a financial control but a control Design Attribute.

And the specific “attribute” must be “the control owner’s competence” which must be tested through Walkthrough (ToD) for the control design effectiveness.