Documenting internal control over financial reporting

A conversation with Simon O'Keefe, Enterprise Risk Services

When it comes to preparing for the certification of a company's internal control over financial reporting — as stipulated by both the Canadian Securities Administrators and the U.S. Securities and Exchange Commission (SEC) — documentation plays an integral part in the process. Simon O'Keefe, a member of the Enterprise Risk Services group in Southwestern Ontario, offers insight into some of the most commonly asked questions related to documenting internal control over financial reporting.

What role does documentation play in the CEO/CFO certification of internal control over financial reporting?
Documentation is important. It is a key element in a company's assertion that they have a system of internal control over financial reporting in place. It assists management in certifying on the design of internal controls. It also provides a foundation for the development of test plans which facilitate the assessment of operational effectiveness. Documentation also assists a company in evidencing that they have designed effective internal controls.

Without documentation, CEOs and CFOs cannot demonstrate a clear understanding of the activities that are being undertaken to meet control objectives — which means they also don't know if there are control gaps.

Is there a documentation process companies should follow?
The documentation process is most effectively executed through a combination of interviews and often a walk-through of key control activities to understand and confirm the design of internal controls. It is also important to understand whether there is existing documentation that can be leveraged, such as standard operating procedures (SOPs) or documentation already created by auditors. In terms of the format for documentation, most companies incorporate the following three documentation types: narratives, internal control matrices and flow charts.

  1. A narrative acts as a high-level overview of the particular process being documented and should include, among other things, a description of the key controls, the individual responsible for executing the control, and key application and system controls. 
  2. The internal control matrix is a spreadsheet that, when completed, demonstrates specific control activities that a company has in place to meet control objectives and related financial statement assertions. It also includes conclusions with respect to design effectiveness and operating effectiveness as well as test plans and test results.
  3. A flow chart or process map is a document that, at a high level, diagrammatically summarizes the process narrative, including key control points.

How time-intensive is the documentation process?
Documentation can be very time-consuming, depending on the extent to which a company already has documentation that can be leveraged. Many companies underestimate the effort required to properly complete the documentation phase. By taking a risk-based, top-down approach to the company's compliance initiative, organizations can help ensure they focus only on required areas and manage the extent of documentation required. Identifying only key controls rather than all controls can also help in managing documentation requirements. Consistency in the nature and extent of documentation is one of the most critical elements in successfully completing documentation. To help achieve consistency, companies often formalize a quality-control process within a central Project Management Office. 

How much documentation is enough?
The experience of accelerated filers in the U.S. revealed that many companies developed excessive documentation — an exercise that was both costly and unnecessary. To avoid this pitfall, companies should take a risk-based approach to determine what needs to be documented. It starts with scoping to identify the specific processes and classes of transactions impacting significant financial statement accounts and the locations where these processes take place. Once the financial statement accounts of greatest risk and the processes that drive those accounts have been identified, companies should then document the key controls within these processes that address the related financial reporting risks.

What benefits can companies hope to realize by properly documenting their internal control over financial reporting?
With a solid base of documentation, companies can demonstrate that there are controls in place, facilitate the testing of those controls and, for SEC filers, can contribute to a more efficient external auditor attestation process. Documentation also gives companies a better understanding of their internal controls, which tends to improve operational effectiveness and reduce the potential for reporting errors. The documentation process also helps companies identify and eliminate redundant controls and improve the design of controls through more efficient practices. In addition, when employee turnover inevitably occurs, documentation often helps with the training of new personnel. Good documentation can also help support a due diligence defence to risks relating to the civil liability for continuous disclosure.