This is an article reprint from the Governance Issues™ Newsletter, Volume 2015, Number 3, published on July 17, 2015.
Few words spark more angst in business circles than “controls.” No one wants to be controlled, yet controls are an integral part to any business. Unfortunately, many people equate the word to a costly compliance exercise, largely thanks to the Sarbanes-Oxley Act of 2002 (SOX). This is not an article on SOX, but rather a look at how and why controls should be understood and appreciated by all organizations, regardless of type, industry or size. Defining and assessing controls is simply a sound business exercise regardless of regulatory compliance considerations.
However, before we leave SOX, there is a common question I want to address. Private companies and nonprofit organizations often inquire if SOX makes sense for them. First of all, let’s put this in perspective. SOX contains 66 sections within 11 titles covering a wide range of governance, audit, business, regulatory and enforcement topics. By far, the most common section is 404 entitled Management Assessment of Internal Controls. So for simplicity of addressing this question, I will approach it from this single section. Section 404 requires an annual management assessment of the effectiveness of the Internal Controls over Financial Reporting (ICFR), as well as an external audit opinion on ICFR for public companies reaching certain size thresholds. The answer is a definite “yes” regarding periodic management assessments, as this is simply a prudent business practice. As it pertains to additional attestation work, this is likely not warranted for most organizations. Instead, companies should ask their auditor to point out areas for control improvements as they obtain an understanding of ICFR for planning their audit of the financial statements. This independent feedback can be a valuable piece of the audit value proposition.
Challenges and Solutions
The challenge in implementing Section 404, or any controls project, is turning it from a potential value destructive exercise (where costs are greater than benefits) to one of value creation (where benefits are greater than costs). Keep in mind that “controls” are simply policies, procedures and actions within a process to help reasonably ensure that Board and management objectives are carried out. The objectives can relate to any business facet. Three distinct but overlapping categories of objectives are defined by The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in their publication entitled Internal Control – Integrated Framework, 2013:
- Operations objectives pertain to effectiveness and efficiency of the entity’s operation, including operational and financial performance goals and safeguarding assets against losses.
- Reporting objectives pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency or other terms set forth by regulators, standard setters or the entity’s policies.
- Compliance objectives pertain to adherence to laws and regulations to which the entity is subject.
Keep in mind that SOX 404 only addresses financial reporting controls pertaining to the audited financial statements. This is a relatively small sliver of scope when compared to a company’s entire array of objectives. For many organizations this is a lost opportunity, as they often restrict their control assessment focus to ICFR. Much value can be unleashed when applying control assessment practices to a wider scope of objectives.
Regardless of the scope of the implementation and assessment effort, the key to success is to understand the objectives and relating risks, and then focus on controls to mitigate those risks to best meet objectives. Never start with controls, as this is a recipe for disaster. Everyone involved with controls, starting with the Board of Directors down to control owners, needs to understand why controls exist through direct linkage to objectives and relating risks. If a control can not be traced to an objective, then it is likely not serving a cost-beneficial purpose.
Additional challenges and implementation considerations regarding control assessments include:
- Objectives and Risks: Objectives will come in many different varieties, from high-level strategic initiatives down to departmental, functional and project objectives. These should be clearly articulated, followed by a risk assessment in achieving the objectives. Only then should controls be considered to mitigate risks to acceptable levels. Once objectives are determined, the resources expended on controls should follow the higher levels of risks in terms of probability of occurrence and significance in achieving the objective. This is known as a risk-based approach.
- Factor in Changing Landscapes: Operating, marketplace, regulatory and competitive landscapes are frequently changing. Objectives and risks should not be viewed as static, but rather as constantly evolving. As a result, controls must also change to keep pace. Yet this is a common mistake, as organizations often opt to review their controls on an annual basis. Controls need to move in tandem with both internal and external changes. For example, changes will need to be made to the ICFR of companies on U.S. GAAP as a result of new accounting pronouncements, such as ASU 2014-09 – Revenue from Contracts with Customers. Cybersecurity objectives and risks is another common example, which can directly impact all three categories of objectives – operations, reporting and compliance.
- Scalability: The depth and rigor of any controls effort will vary greatly between companies as it is dependent on a host of variables. The larger and more complex the business, the more risks in terms of shareholders, regulators, creditors and other stakeholder groups. As a result, more resources are warranted for larger, more complex organizations toward ensuring that strong controls are present and functioning.
- Leverage a Framework: Control frameworks are an excellent tool for jump-starting a controls implementation or assessment project. A framework should be thought of as a starting point rather than an end-point, since a company’s controls are unique to them and should not blindly conform to the details of a framework. It is much easier and more cost efficient to leverage control efforts starting with a strong framework, such as COSO’s Internal Control – Integrated Framework, 2013.
- Focus on Substance over Form: Substance over form is a powerful dynamic typically in the middle of defining successful control efforts. The substance of any controls evaluation is simply ensuring that people (and systems) understand what needs to be done and ensuring that people and systems are acting accordingly. The first part of this previous sentence addresses the design of controls, while the second part deals with the operating effectiveness of controls. Both need to be evaluated for a successful controls assessment. Unfortunately, too many companies get overly caught up in the documentation element of a controls implementation effort, thus focusing on the form over the substance of controls. As a result, resources may be wasted with little benefit to show.
- A Dose of Independence: As with any assessment, it is beneficial to have people who are not involved with the control environment conduct the assessment. While management should clearly be supervising and monitoring controls under them, an independent assessment introduces objectivity and the opportunity to bring in fresh ideas. Utilizing an internal audit function or competent third-party resources are viable options.
- Take Action: Robust controls and assessments are akin to buying an insurance policy in that you can’t buy it retroactively after the damage is done. Strong controls need to be in place at all times. Taking ownership of objectives, risks and opportunities to preserve and maximize shareholder value is accomplished through controls. Organizations should be vigilant in educating their people on the importance of objectives, risks and controls. Management should take appropriate action to ensure that controls are properly designed and operating correctly.
In summary, controls should be viewed as your friend, not your enemy. Don’t be intimidated by the semantics of the word. Instead, realize that business controls should be leveraged to maximize shareholder value across all three areas of objectives – operations, reporting and compliance. Perhaps it is time to revisit your controls effort to ensure that the return on investment is positive.