On some levels, complying with the Canadian Securities Administrators (CSA) guidelines and the U.S. Sarbanes-Oxley Act is like peeling an onion. Each time you strip away one layer, you discover a new layer underneath. This is particularly true as it relates to the requirements for CEOs and CFOs to certify the effectiveness of their company's disclosure controls and procedures and internal controls over financial reporting.
In addition to identifying and assessing the detailed process level activities, companies are realizing that there are many more, often less tangible, elements that have a significant impact on control within an organization. These controls, called entity-level controls, play a greater role than you may think.
Looking back on the various unfortunate events of corporate wrong-doing over the past few years, many of these situations arose from systemic deficiencies in entity-level controls. For example, a lack of appropriate control related to management override and a questionable management "tone at the top" were common themes in many of these companies.
Starting at the top
One of the key lessons learned from companies that have already complied with Section 404 of the Sarbanes-Oxley Act is that, too often, the approach undertaken was not top-down and did not start with a proper risk assessment and a focus on entity-level controls.
In fact, in May 2005, the Public Company Accounting Oversight Board (PCAOB) released additional interpretive guidance with respect to auditing internal control over financial reporting, with clear direction for auditors, who will assess management's controls and assessment process, to "use a top-down approach that begins with company-level controls, to identify for further testing those accounts and processes that are, in fact, relevant to internal control over financial reporting".
Controls that exist at the company-level often have a pervasive impact on controls at the process, transaction, or application level and include the following:
Controls within the control environment, including the tone at the top, the assignment of authority and responsibility, policies and procedures development and communication, as well as organization-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units
Management's risk assessment process
General computer controls (GCCs) that generally apply to many applications and define the environment within which more specific IT controls operate
Controls to monitor results of operations
Controls to monitor other controls, including activities of the internal audit function, the audit committee or its equivalent, and self-assessment programs
The period-end financial reporting process including controls to mitigate the risk of management override.
Importance of entity-level controls
While weaknesses in entity-level controls alone generally do not result in immediate errors in financial statements and related disclosures, they do have a significant influence on the likelihood of misstatements arising at the business process control level, because of their pervasive impact and influence on controls within business processes. For example, the "tone at the top" and management philosophy with respect to the importance of internal control affect all business processes within a company.
A tone emanating from senior executives where controls are viewed as obstacles to performance and barriers to efficiency will have far-reaching negative impacts on the rigor with which controls are designed and operate within business processes and will significantly increase the risk of control deficiencies leading to financial reporting and disclosure misstatements.
External stakeholders also recognize the importance of entity-level controls. For example, the PCAOB deems an ineffective control environment to be a significant deficiency that would be a strong indicator of a material weakness and reinforces that the independent auditor must "necessarily test these pervasive controls".
In addition, Moody's Investor Services, Inc. wrote in October 2004, "We are less concerned about material weaknesses that relate to controls over specific account balances or transaction-level processes … assuming management takes corrective action to address the material weaknesses in a timely manner.
Other material weaknesses relate to company-level controls such as the control environment or the financial reporting close process. These material weaknesses, which we refer to as Category B material weaknesses, may result in us bringing a company to rating committee to determine whether a rating action is necessary."
Addressing entity-level controls
Addressing entity-level controls requires a well-planned approach aligned with the overall compliance approach undertaken by the organization. The assessment of entity-level controls should occur early in a company's compliance initiative as part of a risk-based approach to compliance, and should include the following key activities:
Step 1: Identification and Documentation
The first step is to identify and document key entity and company-level controls. The identification of centralized processes and shared service centres, for example, will have a direct effect on the scoping of the initiative and the approach undertaken.
Documentation should utilize a format consistent with the overall documentation approach being used by the organization and may include narratives, flowcharts and control matrices. The nature and extent of documentation, however, will vary by area as certain elements are suitable for flowcharting (e.g., financial reporting close process) while other areas are not (e.g., management philosophy regarding the importance of control and management tone at the top).
In addition, the documentation should be responsive to the internal control framework implemented by management. For example, with respect to the COSO Internal Control Framework, documentation of entity-level controls should include the following areas:
Control environment including code of conduct, HR policies, tone at the top, board and audit committee effectiveness, antifraud program, etc.
Risk assessment including management's fraud and financial reporting risk assessment processes
Information and communication including management's process for identifying changes in accounting standards and communicating new policies and procedures within the organization
Monitoring including internal audit and self-assessment activities.
Step 2: Assessment
The next step in addressing entity-level controls is to assess both the design and operating effectiveness of key controls. This step also contemplates assessing the adequacy of management's documentation - including whether documented policies and procedures exist and have been adequately communicated and maintained.
In many cases, developing an appropriate test plan to assess entity-level controls requires creativity as traditional types of documentation may not exist to evidence effective operation. Typical test procedures include corroborative inquiry, observation and examination of documents.
In contrast to process-level controls, addressing entity-level controls may incorporate more observation-based assessment techniques, such as observing audit committee effectiveness and tone at the top. The evaluation of the results of entity-level assessments also often requires significantly more judgment.
Specific reference should be made to the publication A Framework for Evaluating Control Exceptions and Deficiencies for guidance in evaluating exceptions and deficiencies related to entity-level controls. This framework, developed principally by representatives of the major accounting and professional services firms, is intended to assist knowledgeable and experienced individuals in evaluating deficiencies in a consistent manner.
Furthermore, PCAOB Auditing Standard No. 2 specifically provides that control deficiencies in certain entity-level controls such as controls within the control environment should be viewed as at least a significant deficiency and a strong indicator that a material weakness in internal control over financial reporting exists.
Step 3: Remediation
When deficiencies are identified, it is important to commence remediation as soon as possible given the importance and pervasive nature of entity-level controls.
In addition, the process to remedy entity-level deficiencies can often be more difficult and may require a longer period of time due to the nature of these controls. For example, systemic issues with respect to the assignment of authority, the development and communication of policies and procedures or management's anti-fraud programs are not likely quick fixes and may take several weeks to months to address.
As with process-level controls, remedied controls must be in place and operating effectively for a reasonable period of time prior to asserting that the control is operating effectively. Entity-level controls, therefore, should be addressed early on in a company's compliance initiative.
Many lessons have been learned from the early experiences of companies who have completed their first year of compliance with the CEO and CFO certification requirements. Take note of these learnings as you address entity-level controls in your certification journey:
Address entity-level controls early in the certification compliance process as part of a top-down approach to compliance
Senior management support is critical, especially because entity-level control activities involve more senior levels within an organization
Use senior, experienced individuals to test the design and operation of the entity-level control activities due to their importance. Your team will interact with executive management and board members
Engage the external auditors in open and frequent communication to help avoid missteps and surprises due to the inherent challenges in documenting and assessing important "soft" controls within the control environment
Leverage internal audit knowledge, experience and observations as an input into the entity-level controls activities
Consider and address activities conducted by the audit committee and others to mitigate the risk of management override
Increase your budget to address entity-level controls.
Other interesting articles and publications
Public Company Accounting Oversight Board (PCAOB), Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements
PCAOB Policy Statement Regarding Implementation of Auditing Standard No. 2
Staff Questions and Answers, Auditing Internal Control Over Financial Reporting
Canadian Institute of Chartered Accountants, Auditing Standard, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements
A Framework for Evaluating Control Exceptions and Deficiencies, Version 3, December 20, 2004
American Institute of Certified Public Accountants (AICPA) Antifraud Programs and Controls Task Force, Management Override of Internal Controls: The Achilles' Heel of Fraud Prevention - The Audit Committee and Oversight of Financial Reporting, 2005