A growing number of public companies with complacent SOX programs are facing restatement and penalties from improper disclosures, improper revenue recognition and improper expense recognition. A fear of non-compliance with SOX and COSO 2013 has increased the risk that companies will adopt narrowly focused programs that attempt to mitigate the immediate regulatory compliance risks while failing to address the true intent of these regulations. It is a classic case of complying with the “letter of the law” and not its intent. The solution is for internal audit to lead through risk management assurance.
SOX compliance is now a routine process for most companies. How can we then explain the rapidly growing number of restatements and recognition complaints when companies certify they are in compliance?
I agree with Norman Marks, who believes that “complacency and denial” is being perpetuated by routine and checklist-like reviews. Norman recently wrote about his favorite role that internal audit (IA) plays in an organization. He describes that role as a fighter against “complacency and denial” that can be perpetuated by routine and checklist-like COSO [and SOX] reviews where it easy to utter “we have completed our quarterly review of the top risks and believe they are effectively managed.” He compares this delusional form of risk management to an “ostrich sticking his head in the sand while the battle rages around him and saying I looked up an hour ago.” Read Norman’s Blog on CAE Risk Intelligence.
It is easy to see how things have arrived at this point. Organizations needed help to rapidly design a SOX blueprint. Management was called upon to make prompt business unit risk determinations which have since been retired to a state of inertia. External auditors and IA, much like engineers, assisted organizations in turning the complex problem of SOX compliance into a quarterly routine of redundancy. During the honorable quest to bring swift order to regulatory chaos, a key to the assurance process suffered from neglect…risk management.
The result of this complacency and neglect is an increased risk of restatement. In October 2013, the PCAOB’s Staff Audit Practice Alert No. 11: Considerations For Audits Of Internal Control Over Financial Reporting stated that “… it appeared to the inspections staff that firms did not sufficiently understand the likely sources of potential misstatements related to significant accounts or disclosures as part of selecting controls to test.” To comply with COSO 2013, AS5 and SOX, the PCAOB (and the SEC) continue to expect and require that companies and their auditors follow a top-down risk approach.
“The high rate and severity of inspection deficiencies in critical aspects of the audit, and at some of the world’s largest companies, is a wake-up call to firms and regulators alike. More must be done to improve the reliability of audit work performed globally on behalf of investors,” said Lewis Ferguson of the Public Company Accounting Oversight Board, the body that polices auditors in the United States.
- Reuters’ “Audits around the world are riddled with problems – survey” April 10, 2014
What can companies do and how can IA help?
Inspection deficiencies in public company audits found at the six largest accounting firms should be viewed as a wake-up call to the C-Suite and as an opportunity for IA to play a more active and vigilant role. While management is ultimately responsible for determining risks, risk levels and risk management practices, IA should be the organization’s risk champion by providing risk management assurance.
To combat complacency, organizations should have a documented and comprehensive:
- Integrated governance, risk management and compliance (GRC) plan (promotes a holistic view of risks and combats against silos)
- Organizational risk assessment (formalizes the organization’s risk, risk levels and risk tolerance)
- Enterprise risk management (ERM) program (protects the organization from risk pitfalls)
- COSO 2013 readiness plan (safeguards against “checklist” compliance; promotes a top-down risk approach)
- Critical business activity contract review (i.e., sales and procurement contracts) (ensures that information is not missing from the general ledger and financials) [SOX testing and certification is limited to what exists in the general ledger.]
- Fraud risk assessment and anti-fraud program (assists in identifying fraud risks (i.e., FCPA, UKBA, cybersecurity violations, etc.)
Are these efforts robust and vigilant in your organization?
Can you quantify the risk of restatement to your organization?
The last word: complacency by the Board, management and auditors is a real threat to organizations. The CEO/CFO must certify that internal controls are adequate via SOX, but regular SOX testing is not enough to address the risks and controls of the organization. SOX is a compliance framework that should neither drive the company’s business nor its assurance activities. To combat complacency and help reduce the risk of restatement, IA must use risk management assurance (beyond SOX matrices) as part of a dynamic monitoring initiative to provide proper assurance to the Board. The Institute of Internal Auditors believes so strongly in this principle that it recently launched the CRMA (Certification in Risk Management Assurance).