Scoping internal controls over financial reporting
A conversation with Jeff Erdman, Firm Director, Enterprise Risk Services
Beginning in 2004 with Sarbanes-Oxley Section 404 for accelerated Securities and Exchange Commission registrants and in 2006 for registrants on Canadian exchanges who must comply with Canadian Multilateral Instrument 52-109 (MI 52-109), CEOs and CFOs are required to certify their internal control over financial reporting. The Canadian Securities Administrators is expected to amend MI 52-109 to include a requirement for CEOs and CFOs to certify that they have evaluated the effectiveness of internal control over financial reporting, effective for financial year-ends ending on or after December 31, 2007. Yet, before organizations can attest to the reliability of controls over their financial reports, they must first identify the internal controls to be documented and assessed. Jeff Erdman, a Firm Director based in Vancouver who specializes in Enterprise Risk Services, explains why this initial scoping exercise is so important.
What is the scoping of internal controls over financial reporting all about?
The exercise of scoping for the purposes of CEO/CFO certification is about understanding specifically which significant accounts — and which related significant processes — must be documented and assessed. The determination of significant accounts should incorporate both quantitative measures, such as materiality, and qualitative risk factors, such as the extent of judgment and complexity of the account. Once organizations identify those significant accounts, they can begin to understand the major classes of transactions flowing through them, and more accurately pinpoint the processes that generate those transactions.
"Without documentation, CEOs and CFOs cannot demonstrate a clear understanding of the activities that are being undertaken to meet control objectives — which means they also don't know if there are control gaps."
— Jeff Erdman
What are the key components of the scoping exercise?
In evaluating their internal control over financial reporting, many organizations rely on the Internal Control — Integrated Framework provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). According to COSO, internal controls must be evaluated at both the entity and process levels. So, the scoping exercise should take into consideration company-level controls — controls that work across the organization to, amongst other matters, monitor the business and its control structure. A comprehensive risk assessment should also be performed to help ensure that the organization's activities are scaled appropriately based on the extent of inherent financial reporting risk.
Other key components include: conducting awareness sessions at both the executive and management levels, developing plans around your disclosure processes and ultimately developing a project plan to guide the certification process.
How detailed should the scoping process be?
One of the potential pitfalls of the scoping process is failing to go into sufficient detail when assessing which accounts are most subject to risk. It's also important to take a hard look at significant risks and out-of-scope locations, and assess how much documentation, validation and testing are truly needed. The review of internal controls should include a "large portion" of your organization, usually defined as at least 60 to 70 percent of a company's key financial measures.
How should organizations approach the scoping exercise?
Organizations should adopt a risk-based approach to identify where the risks lie within their reporting processes and accounts. That way, they can determine which risks are considered significant, and begin to group accounts and processes for similar risks.
Why is this whole scoping exercise so important?
Scoping is really the foundation of the CEO/CFO certification compliance project; in many ways, it is one of the most critical components. Ultimately, the scoping exercise sets where you need to go and what you need to look at, as well as the resources that may be required. Because scoping represents the first step of the process before you launch into the heavy lifting associated with the more detailed evaluation of your internal control over financial reporting, it's particularly important to get it right.
Our experience with companies that have already complied with Sarbanes-Oxley Section 404 has shown that organizations often fall into the trap of doing too much work in areas they do not need to assess in detail. At the same time, companies want to ensure their approach is not unduly narrow. By effectively scoping the compliance initiative in advance, companies can avoid both of these pitfalls.
What challenges do organizations face when preparing to scope their internal controls?
Many organizations are concerned about the investment of resources and time this process requires, or are unsure about what methodology to adopt in determining what is and isn't in scope. A common challenge organizations face is underestimating the extent to which IT plays a role within this entire process. And organizations often miss the mark by underestimating the importance of company-level controls and disclosure controls and processes. The truth is many organizations seem eager to dive into the documentation of the more routine recurring processes first, and, as a result, tend to rush through the early phases of the process.
How can organizations overcome these challenges?
The best strategy is to take the time up front to understand where you need to go. Although some of this work can be resourced internally, external consultants with prior experience often help organizations navigate common roadblocks and complete the evaluation process more efficiently. Either way, the end goal is to ensure that your organization is properly positioned to certify to internal control over financial reporting — not only today, but in the years to come.