For many companies, the CEO and CFO certification deadlines for identifying and assessing the design and operating effectiveness of internal control over financial reporting are rapidly approaching. As these companies undertake their readiness activities, many are looking to the experiences of corporations that have completed their initial reporting on this journey to glean best practices and practical guidance. Yet, as corporate executives wisely examine the experiences of others, for example U.S. Securities and Exchange Commission (SEC) accelerated filers that have already complied, certain concerns and opportunities come to light.
Knowledgeable observers note that many early filers failed to apply a robust top-down, risk-based compliance process in their quest to comply with the CEO and CFO certification requirements. As a result, many of these organizations ended up producing too much documentation and testing an excessive number of internal controls. The result? The average cost of compliance for SEC accelerated filers soared into the millions of dollars.
This cost issue was top of mind in April 2005, when the SEC held a roundtable with various stakeholders to discuss the first year experience in adopting Section 404 of the Sarbanes-Oxley Act of 2002. Following these discussions, the Public Company Accounting Oversight Board (PCAOB) reaffirmed that its auditing standard continues to apply, but stressed that first year filers and their auditors may have misinterpreted the standard. In an effort to provide greater guidance, the SEC and PCAOB issued interpretive releases making it clear that companies and their auditors should adopt a top-down, risk-based approach to the CEO and CFO certification requirements, with the goal of identifying and increasing the focus on the more important internal controls and the areas of greatest risk.
As a result, many companies that failed to appropriately execute a risk-based approach in year one are searching for ways to complete their second year responsibilities more efficiently and effectively. Companies that have not yet had to comply are seeking to embed a proper top-down, risk-based approach from the start to avoid the pitfalls and more costly experiences of earlier filers.
A solution – control rationalization
Control rationalization is the continuous process of designing the most effective and efficient control framework necessary to address financial reporting risks. Control rationalization steps include, where possible: the elimination of redundant controls; the deployment of risk-based testing plans; optimization of the design of company-level and automated controls; and the strategic standardization and centralization of key controls. Control rationalization is a multi-year, continuous effort, which should be integrated into every company’s annual assessment of its control design. Rationalization of controls is critical as redundant and inefficient control structures drive up the cost of the testing required to assess operational effectiveness.
To date, CEO and CFO certification compliance has resulted in companies identifying, documenting and assessing controls such as:
- Process-level controls over routine transactional processing
- Controls over non-routine accounts and accounts with significant judgment
- Manual controls
- System-based automated controls
- Company level controls, which include items such as a company’s control environment, controls over financial reporting activities and anti-fraud controls
- General computer controls, which include areas such as user access administration and program change control
While companies typically addressed each of the above areas, the “mix” of controls selected in many cases was, on reflection, generally not optimal, which resulted in inefficiency and greater costs. For example, many companies spent a disproportionate level of effort identifying, documenting and assessing process-level manual controls over routine transactions before completing an overall assessment of control risk.
Control rationalization is based on applying a top-down, risk-based approach to the strategic selection of key relevant controls; on increasing reliance on company-level controls; on increasing reliance on automated controls; on focusing appropriate effort on controls related to high-risk areas; and on reducing the reliance on manual process-level controls in lower risk areas involving routine transactional processing. Rationalization along these lines should result in the identification of fewer “key” controls and in a requisite reduction in documentation and testing, thus lowering the cost of compliance.
In order to successfully deploy this approach, companies must ensure that senior management is engaged in the process from the outset and that planning is completed early in the process by individuals with the appropriate risk, internal control and financial reporting skills. These individuals should be able to resist the urge to focus on routine, process-based, manual controls in favour of the more complex and difficult-to-test company-level and automated controls. Recall the proverb “a stitch in time saves nine”.
Reaping the benefits
There is little doubt that control rationalization can help companies reduce their costs of compliance in year one and beyond through, for example:
- Reduced control documentation requirements (e.g., narratives, flow diagrams, matrices) and associated change management efforts
- A reduction in the number of “key” controls
- Reduced testing as a result of the implementation of standardized control procedures in multi-location environments
- Reduced samples for testing as a result of an increase in the use of system-based controls and a corresponding reduction in manual controls
What is less understood, however, is that control rationalization can also yield significant business benefits beyond compliance through standardized, and perhaps centralized, practices. For example, a centralized accounts payable process will contribute to the above compliance benefits but may also yield significant business benefits through greater process efficiency and reduced operational costs.
By stepping back and reevaluating the approach to assessing internal control over financial reporting, company executives can ensure they are allocating key resources to the areas of greatest risk. In addition to reducing the documentation and assessment burden, adopting a top-down, risk-based approach should result in both internal and external cost savings, including the time spent on external auditor attestation. The key, then, is for corporations to gain access to the competent resources, leading practices, and enabling tools they require to quickly implement effective control rationalization processes capable of yielding cost savings for years to come.
A four-phased approach to control rationalization
While there are no prescriptive “rules” for companies to follow in implementing a top-down, risk-based control rationalization approach, we believe that a successful approach should encompass the following four primary phases:
- Phase 1: Apply a top-down, risk-based scoping approach
The first step in the control rationalization process is the adoption of a risk-based scoping exercise to identify key financial reporting risks, relevant assertions, significant accounts, and major classes of transactions. This comprehensive scoping process is critical for organizations eager to confine their focus to higher level risks and reduce the costs associated with excessive documentation and testing. Qualitative risk factors such as the extent of judgment and account complexity should be incorporated in addition to the historical quantitative measures.
- Phase 2: Rationalize existing process level controls
The main goal of this step is to identify relevant and key controls in the context of the company’s significant accounts, relevant assertions, major classes of transactions and underlying business processes. Control objectives should be risk-ranked. Potential controls should be identified and then assessed, favouring controls which single-handedly satisfy control objectives, contribute to more than one control objective or are automated. Furthermore, process-specific company-level controls should also be incorporated, where possible, due to their pervasiveness, importance and efficiency in assessment. Information technology (IT) general computer controls should also be rationalized to remove non-relevant IT applications and platforms, non-relevant control objectives and unnecessary controls. Once the suite of relevant and key internal controls is determined, the company should next develop a risk-based testing program that varies the nature, extent and timing of controls tests based on the amount of relative risk. What will result is a highly customized testing program that will likely take more time to develop but will yield exponential benefits through more efficient testing in year one and beyond. The testing program should be discussed in advance with the auditor so as to provide for the possibility of auditor reliance on the company’s testing where appropriate.
- Phase 3: Leverage automated controls and enabling technology
The third step for reducing the costs associated with control rationalization is to emphasize the use of computer-assisted auditing techniques and to minimize reliance on people-based controls. As part of this approach, companies should consider enabling certain functionality in their IT applications or implementing new technology in order to minimize reliance on people-based controls. In addition to improving efficiency, leveraging automated controls can help decrease the cost of testing while improving its effectiveness through the introduction of continuous auditing tools and techniques.
- Phase 4: Standardize and centralize your control structure
The final step in the control rationalization approach is to consider, where possible, standardization of processes across the company and potentially centralization. While this step is much more strategic and long-term in nature, it has the significant benefit of not only reducing compliance costs through reduced documentation and annual testing, but can yield significant operational benefits.
By focusing on rationalization and making an investment of senior resources up front, companies can avoid costly rework and the annuity of costs associated with the identification, documentation and testing of an inefficient control framework.